CVEs

A list of all the vulnerabilities I have found that have been disclosed. This list is not up to date.

| Title | CVE ID | CVSS | Vector | Date | VDP |
| --- | --- | --- | --- | --- | --- |
| Advanced Woo Labels <= 2.15 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2025-32188 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | April 4, 2025 | Patchstack |
| CMP – Coming Soon & Maintenance <= 4.1.13 – Authenticated (Admin+) Arbitrary File Upload | CVE-2025-32118 | 7.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | April 4, 2025 | Patchstack |
| WP Proposals <= 2.3 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2025-31837 | 4.4 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N | April 1, 2025 | Patchstack |
| TablePress – Tables in WordPress made easy <= 3.0.4 – Authenticated (Author+) Stored Cross-Site Scripting | CVE-2025-2685 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | March 26, 2025 | WordFence |
| WooCommerce <= 9.7.0 – Authenticated (Shop Manager+) Stored Cross-Site Scripting | CVE-2025-26762 | 4.4 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N | March 12, 2025 | HackerOne |
| Document Block – Upload & Embed Docs <= 1.1.0 – Missing Authorization | CVE-2025-22696 | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | January 31, 2025 | Patchstack |
| PPOM for WooCommerce <= 33.0.8 – Authenticated (Administrator+) Stored Cross-Site Scripting | CVE-2025-24668 | 4.4 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N | January 24, 2025 | Patchstack |
| WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels <= 4.7.1 – Authenticated (Shop Manager+) Stored Cross-Site Scripting | CVE-2025-24644 | 4.4 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N | January 24, 2025 | Patchstack |
| Popup Maker <= 1.20.2 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2025-24746 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | January 24, 2025 | Patchstack |
| Icegram <= 3.1.31 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2025-24542 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | January 24, 2025 | Patchstack |
| Flexible PDF Coupons <= 1.10.2 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2025-22825 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | January 15, 2025 | Patchstack |
| Htaccess File Editor <= 1.0.19 – Unauthenticated Information Exposure | CVE-2025-22773 | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | January 14, 2025 | Patchstack |
| WebToffee WP Backup and Migration <= 1.5.3 – Unauthenticated Sensitive Information Exposure | CVE-2025-24651 | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | January 13, 2025 | Patchstack |
| Modula Image Gallery <= 2.11.10 – Authenticated (Author+) Arbitrary File Upload | CVE-2024-12853 | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | January 7, 2025 | WordFence |
| Email Templates Customizer for WordPress – Drag And Drop Email Templates Builder – YeeMail <= 2.1.4 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2025-22802 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | January 7, 2025 | Patchstack |
| Typing Text <= 1.2.7 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2025-22315 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | January 6, 2025 | Patchstack |
| New User Approve <= 2.6.2 – Missing Authorization | CVE-2024-54323 | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | December 11, 2024 | Patchstack |
| Landing Page Cat <= 1.7.4 – Missing Authorization | CVE-2024-49686 | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | October 21, 2024 | Patchstack |
| Email Template Customizer for WooCommerce <= 1.2.9.1 – Authenticated (Shop manager+) Stored Cross-Site Scripting | CVE-2024-49288 | 4.4 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N | October 15, 2024 | Patchstack |
| Htaccess File Editor <= 1.0.18 – Missing Authorization | CVE-2024-49256 | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | October 14, 2024 | Patchstack |
| Essential Blocks for Gutenberg <= 4.8.4 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-47385 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | September 30, 2024 | Patchstack |
| Depicter Slider <= 3.2.2 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-47381 | 4.4 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N | September 30, 2024 | Patchstack |
| Advanced Woo Labels <= 2.01 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-47622 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | September 30, 2024 | Patchstack |
| WS Form LITE <= 1.9.238 – Unauthenticated Stored Cross-Site Scripting | CVE-2024-47320 | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | September 25, 2024 | Patchstack |
| Icegram <= 3.1.25 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-43344 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | August 16, 2024 | Patchstack |
| WP Table Builder – WordPress Table Plugin <= 1.4.15 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-43125 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | August 7, 2024 | Patchstack |
| 3D FlipBook – PDF Flipbook Viewer, Flipbook Image Gallery <= 1.15.6 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-43152 | 4.4 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N | August 7, 2024 | Patchstack |
| Depicter Slider <= 3.1.2 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-43161 | 4.4 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N | August 7, 2024 | Patchstack |
| VK All in One Expansion Unit <= 9.99.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-37956 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | July 10, 2024 | Patchstack |
| Fusion <= 1.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-37962 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | July 10, 2024 | Patchstack |
| WooCommerce <= 8.9.2 – Authenticated (Shop Manager+) Content Injection | CVE-2024-35777 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N | June 27, 2024 | HackerOne |
| Page Builder Sandwich – Front-End Page Builder <= 5.1.0 – Missing Authorization | CVE-2024-37218 | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | June 21, 2024 | Patchstack |
| Page Builder Sandwich – Front-End Page Builder <= 5.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-37219 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | June 21, 2024 | Patchstack |
| Page Builder: Live Composer <= 1.5.47 – Authenticated (Author+) Stored Cross-Site Scripting | CVE-2024-35768 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | June 18, 2024 | Patchstack |
| PPOM for WooCommerce <= 32.0.20 – Unauthenticated Content Injection Vulnerability | CVE-2024-35728 | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | June 6, 2024 | Patchstack |
| YITH WooCommerce Product Add-Ons <= 4.9.2 – Unauthenticated Content Injection | CVE-2024-35680 | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | June 6, 2024 | Patchstack |
| Woody code snippets – Insert Header Footer Code, AdSense Ads <= 2.4.10 – Authenticated (Admin+) Stored Cross-Site Scripting | CVE-2024-35751 | 4.4 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N | June 6, 2024 | Patchstack |
| YITH WooCommerce Tab Manager <= 1.35.0 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-35698 | 4.4 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N | June 6, 2024 | Patchstack |
| Advanced Woo Labels – Product Labels for WooCommerce <= 1.93 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-35675 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | June 5, 2024 | Patchstack |
| Visual Composer Website Builder <= 45.8.0 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-35653 | 4.4 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N | June 3, 2024 | Patchstack |
| Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content <= 0.6.9 – Authenticated (Admin+) Stored Cross-Site Scripting | CVE-2024-35655 | 4.4 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N | June 3, 2024 | Patchstack |
| YITH WooCommerce Wishlist <= 3.32.0 – Authenticated (Admin+) Stored Cross-Site Scripting | CVE-2024-34385 | 4.4 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N | May 30, 2024 | Patchstack |
| Pootle Pagebuilder – WordPress Page builder <= 5.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-34573 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | May 7, 2024 | Patchstack |
| Page Builder: Live Composer <= 1.5.38 – Missing Authorization | CVE-2024-32957 | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | April 23, 2024 | Patchstack |
| Fixed HTML Toolbar <= 1.0.7 – Authenticated (Admin+) Stored Cross-Site Scripting | CVE-2024-32540 | 4.4 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N | April 15, 2024 | Patchstack |
| Remove Footer Credit <= 1.0.13 – Authenticated (Administrator+) Stored Cross-Site Scripting | CVE-2024-32429 | 4.4 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N | April 12, 2024 | Patchstack |
| WordPress Page Builder – Zion Builder <= 3.6.9 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-30444 | 4.4 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N | March 28, 2024 | Patchstack |
| Astra <= 4.6.4 – Authenticated (Editor+) Stored Cross-Site Scripting via Theme Header/Footer | CVE-2024-29768 | 5.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N | March 25, 2024 | Patchstack |
| Post and Page Builder by BoldGrid – Visual Drag and Drop Editor Plugin <= 1.26.2 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2024-2888 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | March 25, 2024 | Patchstack |
| Visual Composer Website Builder <= 45.6.0 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-27997 | 4.4 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N | March 15, 2024 | Patchstack |
| Blocksy <= 2.0.19 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-24871 | 4.4 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N | February 5, 2024 | Patchstack |
| Scroll Triggered Box <= 2.3 – Authenticated (Editor+) Stored Cross-Site Scripting | CVE-2024-24865 | 5.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N | February 2, 2024 | Patchstack |