CVEs

A list of all vulnerabilities I have found which have been disclosed. This list is not up-to-date.

| Title | CVE ID | CVSS | Date | VDP |
| --- | --- | --- | --- | --- |
| Woostify <= 2.4.2 – Authenticated (Shop manager+) Stored Cross-Site Scripting | CVE-2025-60101 | 4.4 | September 26, 2025 | WordFence |
| Colibri Page Builder < 1.0.334 – Authenticated (Shop manager+) Stored Cross-Site Scripting | CVE-2025-59593 | 4.4 | September 22, 2025 | WordFence |
| WordPress <= 6.8.2 – Authenticated (Author+) Stored Cross-Site Scripting | CVE-2025-58674 | 6.4 | September 22, 2025 | HackerOne |
| Blocksy <= 2.0.97 – Missing Authorization | CVE-2025-47465 | 2.7 | May 7, 2025 | Patchstack |
| Advanced Woo Labels <= 2.15 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2025-32188 | 6.4 | April 4, 2025 | Patchstack |
| CMP – Coming Soon & Maintenance <= 4.1.13 – Authenticated (Admin+) Arbitrary File Upload | CVE-2025-32118 | 7.2 | April 4, 2025 | Patchstack |
| WP Proposals <= 2.3 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2025-31837 | 4.4 | April 1, 2025 | Patchstack |
| TablePress – Tables in WordPress made easy <= 3.0.4 – Authenticated (Author+) Stored Cross-Site Scripting | CVE-2025-2685 | 6.4 | March 26, 2025 | WordFence |
| WooCommerce <= 9.7.0 – Authenticated (Shop Manager+) Stored Cross-Site Scripting | CVE-2025-26762 | 4.4 | March 12, 2025 | HackerOne |
| Document Block – Upload & Embed Docs <= 1.1.0 – Missing Authorization | CVE-2025-22696 | 4.3 | January 31, 2025 | Patchstack |
| PPOM for WooCommerce <= 33.0.8 – Authenticated (Administrator+) Stored Cross-Site Scripting | CVE-2025-24668 | 4.4 | January 24, 2025 | Patchstack |
| WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels <= 4.7.1 – Authenticated (Shop Manager+) Stored Cross-Site Scripting | CVE-2025-24644 | 4.4 | January 24, 2025 | Patchstack |
| Popup Maker <= 1.20.2 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2025-24746 | 6.4 | January 24, 2025 | Patchstack |
| Icegram <= 3.1.31 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2025-24542 | 6.4 | January 24, 2025 | Patchstack |
| Flexible PDF Coupons <= 1.10.2 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2025-22825 | 6.4 | January 15, 2025 | Patchstack |
| Htaccess File Editor <= 1.0.19 – Unauthenticated Information Exposure | CVE-2025-22773 | 5.3 | January 14, 2025 | Patchstack |
| WebToffee WP Backup and Migration <= 1.5.3 – Unauthenticated Sensitive Information Exposure | CVE-2025-24651 | 5.3 | January 13, 2025 | Patchstack |
| Modula Image Gallery <= 2.11.10 – Authenticated (Author+) Arbitrary File Upload | CVE-2024-12853 | 8.8 | January 7, 2025 | WordFence |
| Email Templates Customizer for WordPress – Drag And Drop Email Templates Builder – YeeMail <= 2.1.4 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2025-22802 | 6.4 | January 7, 2025 | Patchstack |
| Typing Text <= 1.2.7 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2025-22315 | 6.4 | January 6, 2025 | Patchstack |
| New User Approve <= 2.6.2 – Missing Authorization | CVE-2024-54323 | 4.3 | December 11, 2024 | Patchstack |
| Landing Page Cat <= 1.7.4 – Missing Authorization | CVE-2024-49686 | 4.3 | October 21, 2024 | Patchstack |
| Email Template Customizer for WooCommerce <= 1.2.9.1 – Authenticated (Shop manager+) Stored Cross-Site Scripting | CVE-2024-49288 | 4.4 | October 15, 2024 | Patchstack |
| Htaccess File Editor <= 1.0.18 – Missing Authorization | CVE-2024-49256 | 4.3 | October 14, 2024 | Patchstack |
| Essential Blocks for Gutenberg <= 4.8.4 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-47385 | 6.4 | September 30, 2024 | Patchstack |
| Depicter Slider <= 3.2.2 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-47381 | 4.4 | September 30, 2024 | Patchstack |
| Advanced Woo Labels <= 2.01 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-47622 | 6.4 | September 30, 2024 | Patchstack |
| WS Form LITE <= 1.9.238 – Unauthenticated Stored Cross-Site Scripting | CVE-2024-47320 | 6.1 | September 25, 2024 | Patchstack |
| Icegram <= 3.1.25 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-43344 | 6.4 | August 16, 2024 | Patchstack |
| WP Table Builder – WordPress Table Plugin <= 1.4.15 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-43125 | 6.4 | August 7, 2024 | Patchstack |
| 3D FlipBook – PDF Flipbook Viewer, Flipbook Image Gallery <= 1.15.6 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-43152 | 4.4 | August 7, 2024 | Patchstack |
| Depicter Slider <= 3.1.2 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-43161 | 4.4 | August 7, 2024 | Patchstack |
| VK All in One Expansion Unit <= 9.99.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-37956 | 6.4 | July 10, 2024 | Patchstack |
| Fusion <= 1.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-37962 | 6.4 | July 10, 2024 | Patchstack |
| WooCommerce <= 8.9.2 – Authenticated (Shop Manager+) Content Injection | CVE-2024-35777 | 2.7 | June 27, 2024 | HackerOne |
| Page Builder Sandwich – Front-End Page Builder <= 5.1.0 – Missing Authorization | CVE-2024-37218 | 4.3 | June 21, 2024 | Patchstack |
| Page Builder Sandwich – Front-End Page Builder <= 5.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-37219 | 6.4 | June 21, 2024 | Patchstack |
| Page Builder: Live Composer <= 1.5.47 – Authenticated (Author+) Stored Cross-Site Scripting | CVE-2024-35768 | 6.4 | June 18, 2024 | Patchstack |
| PPOM for WooCommerce <= 32.0.20 – Unauthenticated Content Injection Vulnerability | CVE-2024-35728 | 5.3 | June 6, 2024 | Patchstack |
| YITH WooCommerce Product Add-Ons <= 4.9.2 – Unauthenticated Content Injection | CVE-2024-35680 | 5.3 | June 6, 2024 | Patchstack |
| Woody code snippets – Insert Header Footer Code, AdSense Ads <= 2.4.10 – Authenticated (Admin+) Stored Cross-Site Scripting | CVE-2024-35751 | 4.4 | June 6, 2024 | Patchstack |
| YITH WooCommerce Tab Manager <= 1.35.0 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-35698 | 4.4 | June 6, 2024 | Patchstack |
| Advanced Woo Labels – Product Labels for WooCommerce <= 1.93 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-35675 | 6.4 | June 5, 2024 | Patchstack |
| Visual Composer Website Builder <= 45.8.0 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-35653 | 4.4 | June 3, 2024 | Patchstack |
| Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content <= 0.6.9 – Authenticated (Admin+) Stored Cross-Site Scripting | CVE-2024-35655 | 4.4 | June 3, 2024 | Patchstack |
| YITH WooCommerce Wishlist <= 3.32.0 – Authenticated (Admin+) Stored Cross-Site Scripting | CVE-2024-34385 | 4.4 | May 30, 2024 | Patchstack |
| Pootle Pagebuilder – WordPress Page builder <= 5.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-34573 | 6.4 | May 7, 2024 | Patchstack |
| Page Builder: Live Composer <= 1.5.38 – Missing Authorization | CVE-2024-32957 | 4.3 | April 23, 2024 | Patchstack |
| Fixed HTML Toolbar <= 1.0.7 – Authenticated (Admin+) Stored Cross-Site Scripting | CVE-2024-32540 | 4.4 | April 15, 2024 | Patchstack |
| Remove Footer Credit <= 1.0.13 – Authenticated (Administrator+) Stored Cross-Site Scripting | CVE-2024-32429 | 4.4 | April 12, 2024 | Patchstack |
| WordPress Page Builder – Zion Builder <= 3.6.9 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-30444 | 4.4 | March 28, 2024 | Patchstack |
| Astra <= 4.6.4 – Authenticated (Editor+) Stored Cross-Site Scripting via Theme Header/Footer | CVE-2024-29768 | 5.5 | March 25, 2024 | Patchstack |
| Post and Page Builder by BoldGrid – Visual Drag and Drop Editor Plugin <= 1.26.2 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-2888 | 6.4 | March 25, 2024 | Patchstack |
| Visual Composer Website Builder <= 45.6.0 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-27997 | 4.4 | March 15, 2024 | Patchstack |
| Blocksy <= 2.0.19 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-24871 | 4.4 | February 5, 2024 | Patchstack |
| Scroll Triggered Box <= 2.3 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-24865 | 5.5 | February 2, 2024 | Patchstack |