Refine your search
12 vulnerabilities found for by codesolz
CVE-2026-3369 (GCVE-0-2026-3369)
Vulnerability from cvelistv5
Published
2026-04-16 11:21
Modified
2026-04-16 14:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded image title in versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| codesolz | Better Find and Replace – AI-Powered Suggestions |
Version: 0 ≤ 1.7.9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3369",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-16T14:04:12.740798Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T14:04:23.811Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Better Find and Replace \u2013 AI-Powered Suggestions",
"vendor": "codesolz",
"versions": [
{
"lessThanOrEqual": "1.7.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Supanat Konprom"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Better Find and Replace \u2013 AI-Powered Suggestions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded image title in versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T11:21:21.822Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/497c2f5f-ed7d-486e-baf2-aefbe3dc412f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3477632/real-time-auto-find-and-replace"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-27T21:31:18.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-15T22:04:39.000Z",
"value": "Disclosed"
}
],
"title": "Better Find and Replace \u2013 AI-Powered Suggestions \u003c= 1.7.9 - Authenticated (Author+) Stored Cross-Site Scripting via Uploaded Image Title"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-3369",
"datePublished": "2026-04-16T11:21:21.822Z",
"dateReserved": "2026-02-27T21:16:05.738Z",
"dateUpdated": "2026-04-16T14:04:23.811Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-9334 (GCVE-0-2025-9334)
Vulnerability from cvelistv5
Published
2025-11-08 05:52
Modified
2026-04-08 16:41
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Summary
The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Limited Code Injection in all versions up to, and including, 1.7.7. This is due to insufficient input validation and restriction on the 'rtafar_ajax' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to call arbitrary plugin functions and execute code within those functions.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| codesolz | Better Find and Replace – AI-Powered Suggestions |
Version: 0 ≤ 1.7.7 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9334",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-10T18:45:28.646757Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T19:12:37.316Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Better Find and Replace \u2013 AI-Powered Suggestions",
"vendor": "codesolz",
"versions": [
{
"lessThanOrEqual": "1.7.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ISMAILSHADOW"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Better Find and Replace \u2013 AI-Powered Suggestions plugin for WordPress is vulnerable to Limited Code Injection in all versions up to, and including, 1.7.7. This is due to insufficient input validation and restriction on the \u0027rtafar_ajax\u0027 function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to call arbitrary plugin functions and execute code within those functions."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:41:53.286Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/232f3a15-3bd3-44fa-aa07-f055e8fcda88?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/real-time-auto-find-and-replace/trunk/core/actions/RTAFAR_CustomAjax.php#L29"
},
{
"url": "https://plugins.trac.wordpress.org/browser/real-time-auto-find-and-replace/trunk/core/lib/Util.php#L233"
},
{
"url": "https://plugins.trac.wordpress.org/browser/real-time-auto-find-and-replace/trunk/core/admin/functions/DbReplacer.php#L507"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3389979/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-28T04:23:42.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-07T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Better Find and Replace \u003c= 1.7.7 - Authenticated (Subscriber+) Limited Code Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-9334",
"datePublished": "2025-11-08T05:52:43.249Z",
"dateReserved": "2025-08-21T23:29:44.529Z",
"dateUpdated": "2026-04-08T16:41:53.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12360 (GCVE-0-2025-12360)
Vulnerability from cvelistv5
Published
2025-11-06 07:27
Modified
2026-04-08 17:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization
Summary
The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to unauthorized API usage due to a missing capability check on the rtafar_ajax() function in all versions up to, and including, 1.7.7. This makes it possible for authenticated attackers, with Subscriber-level access, to trigger OpenAI API key usage resulting in quota consumption potentially incurring cost.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| codesolz | Better Find and Replace – AI-Powered Suggestions |
Version: 0 ≤ 1.7.7 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12360",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T14:51:27.013683Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T14:51:40.221Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Better Find and Replace \u2013 AI-Powered Suggestions",
"vendor": "codesolz",
"versions": [
{
"lessThanOrEqual": "1.7.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Adrian Lukita"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Better Find and Replace \u2013 AI-Powered Suggestions plugin for WordPress is vulnerable to unauthorized API usage due to a missing capability check on the rtafar_ajax() function in all versions up to, and including, 1.7.7. This makes it possible for authenticated attackers, with Subscriber-level access, to trigger OpenAI API key usage resulting in quota consumption potentially incurring cost."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:01:20.588Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/757e41dd-d72f-4e87-a087-c5c38bd727e5?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/real-time-auto-find-and-replace/trunk/core/actions/RTAFAR_CustomAjax.php#L31"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3389979/real-time-auto-find-and-replace/trunk/core/actions/RTAFAR_CustomAjax.php?contextall=1\u0026old=3343531\u0026old_path=%2Freal-time-auto-find-and-replace%2Ftrunk%2Fcore%2Factions%2FRTAFAR_CustomAjax.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-28T04:23:43.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-05T19:08:46.000Z",
"value": "Disclosed"
}
],
"title": "Better Find and Replace \u003c= 1.7.7 - Missing Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12360",
"datePublished": "2025-11-06T07:27:05.431Z",
"dateReserved": "2025-10-27T16:20:33.609Z",
"dateUpdated": "2026-04-08T17:01:20.588Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-53466 (GCVE-0-2025-53466)
Vulnerability from cvelistv5
Published
2025-09-22 18:25
Modified
2026-04-01 15:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeSolz Better Find and Replace real-time-auto-find-and-replace allows Stored XSS.This issue affects Better Find and Replace: from n/a through <= 1.7.6.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CodeSolz | Better Find and Replace |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53466",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-23T13:44:39.590721Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-23T13:44:47.717Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "real-time-auto-find-and-replace",
"product": "Better Find and Replace",
"vendor": "CodeSolz",
"versions": [
{
"changes": [
{
"at": "1.7.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.7.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nabil Irawan | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:41:55.176Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in CodeSolz Better Find and Replace real-time-auto-find-and-replace allows Stored XSS.\u003cp\u003eThis issue affects Better Find and Replace: from n/a through \u003c= 1.7.6.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in CodeSolz Better Find and Replace real-time-auto-find-and-replace allows Stored XSS.This issue affects Better Find and Replace: from n/a through \u003c= 1.7.6."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:56:56.873Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/real-time-auto-find-and-replace/vulnerability/wordpress-better-find-and-replace-plugin-1-7-6-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Better Find and Replace Plugin \u003c= 1.7.6 - Cross Site Scripting (XSS) Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-53466",
"datePublished": "2025-09-22T18:25:33.335Z",
"dateReserved": "2025-06-30T10:46:37.789Z",
"dateUpdated": "2026-04-01T15:56:56.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-50028 (GCVE-0-2025-50028)
Vulnerability from cvelistv5
Published
2025-07-16 11:27
Modified
2026-04-01 15:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing Authorization vulnerability in CodeSolz Ultimate Push Notifications ultimate-push-notifications allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Push Notifications: from n/a through <= 1.2.0.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CodeSolz | Ultimate Push Notifications |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-50028",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-16T20:22:24.726492Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T20:22:36.936Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "ultimate-push-notifications",
"product": "Ultimate Push Notifications",
"vendor": "CodeSolz",
"versions": [
{
"lessThanOrEqual": "1.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Martino Spagnuolo (r3verii) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:41:29.203Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in CodeSolz Ultimate Push Notifications ultimate-push-notifications allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Ultimate Push Notifications: from n/a through \u003c= 1.2.0.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in CodeSolz Ultimate Push Notifications ultimate-push-notifications allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Push Notifications: from n/a through \u003c= 1.2.0."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:56:00.948Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/ultimate-push-notifications/vulnerability/wordpress-ultimate-push-notifications-1-1-9-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress Ultimate Push Notifications plugin \u003c= 1.2.0 - Broken Access Control Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-50028",
"datePublished": "2025-07-16T11:27:57.237Z",
"dateReserved": "2025-06-11T16:08:32.805Z",
"dateUpdated": "2026-04-01T15:56:00.948Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-31561 (GCVE-0-2025-31561)
Vulnerability from cvelistv5
Published
2025-04-01 20:58
Modified
2026-04-01 15:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CodeSolz Ultimate Push Notifications ultimate-push-notifications allows SQL Injection.This issue affects Ultimate Push Notifications: from n/a through <= 1.2.0.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CodeSolz | Ultimate Push Notifications |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31561",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-02T14:12:06.316679Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-02T14:20:44.170Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "ultimate-push-notifications",
"product": "Ultimate Push Notifications",
"vendor": "CodeSolz",
"versions": [
{
"lessThanOrEqual": "1.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:37:20.391Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in CodeSolz Ultimate Push Notifications ultimate-push-notifications allows SQL Injection.\u003cp\u003eThis issue affects Ultimate Push Notifications: from n/a through \u003c= 1.2.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in CodeSolz Ultimate Push Notifications ultimate-push-notifications allows SQL Injection.This issue affects Ultimate Push Notifications: from n/a through \u003c= 1.2.0."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "SQL Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:49:05.496Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/ultimate-push-notifications/vulnerability/wordpress-ultimate-push-notifications-plugin-1-1-8-sql-injection-vulnerability?_s_id=cve"
}
],
"title": "WordPress Ultimate Push Notifications plugin \u003c= 1.2.0 - SQL Injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-31561",
"datePublished": "2025-04-01T20:58:13.000Z",
"dateReserved": "2025-03-31T10:05:35.681Z",
"dateUpdated": "2026-04-01T15:49:05.496Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-31548 (GCVE-0-2025-31548)
Vulnerability from cvelistv5
Published
2025-04-01 20:58
Modified
2026-04-01 15:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeSolz Ultimate Push Notifications ultimate-push-notifications allows Reflected XSS.This issue affects Ultimate Push Notifications: from n/a through <= 1.2.0.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CodeSolz | Ultimate Push Notifications |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31548",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-02T13:23:18.253750Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-02T13:23:25.151Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "ultimate-push-notifications",
"product": "Ultimate Push Notifications",
"vendor": "CodeSolz",
"versions": [
{
"lessThanOrEqual": "1.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:37:16.938Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in CodeSolz Ultimate Push Notifications ultimate-push-notifications allows Reflected XSS.\u003cp\u003eThis issue affects Ultimate Push Notifications: from n/a through \u003c= 1.2.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in CodeSolz Ultimate Push Notifications ultimate-push-notifications allows Reflected XSS.This issue affects Ultimate Push Notifications: from n/a through \u003c= 1.2.0."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "Reflected XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:49:01.896Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/ultimate-push-notifications/vulnerability/wordpress-ultimate-push-notifications-plugin-1-1-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Ultimate Push Notifications plugin \u003c= 1.2.0 - Reflected Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-31548",
"datePublished": "2025-04-01T20:58:11.990Z",
"dateReserved": "2025-03-31T10:05:28.896Z",
"dateUpdated": "2026-04-01T15:49:01.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-26541 (GCVE-0-2025-26541)
Vulnerability from cvelistv5
Published
2025-03-26 14:24
Modified
2026-04-01 15:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeSolz Bitcoin / AltCoin Payment Gateway for WooCommerce woo-altcoin-payment-gateway allows Reflected XSS.This issue affects Bitcoin / AltCoin Payment Gateway for WooCommerce: from n/a through <= 1.7.6.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CodeSolz | Bitcoin / AltCoin Payment Gateway for WooCommerce |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26541",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T17:06:46.441151Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T17:22:42.511Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "woo-altcoin-payment-gateway",
"product": "Bitcoin / AltCoin Payment Gateway for WooCommerce",
"vendor": "CodeSolz",
"versions": [
{
"lessThanOrEqual": "1.7.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:35:03.456Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in CodeSolz Bitcoin / AltCoin Payment Gateway for WooCommerce woo-altcoin-payment-gateway allows Reflected XSS.\u003cp\u003eThis issue affects Bitcoin / AltCoin Payment Gateway for WooCommerce: from n/a through \u003c= 1.7.6.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in CodeSolz Bitcoin / AltCoin Payment Gateway for WooCommerce woo-altcoin-payment-gateway allows Reflected XSS.This issue affects Bitcoin / AltCoin Payment Gateway for WooCommerce: from n/a through \u003c= 1.7.6."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "Reflected XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:45:15.001Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/woo-altcoin-payment-gateway/vulnerability/wordpress-bitcoin-altcoin-payment-gateway-for-woocommerce-plugin-1-7-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Bitcoin / AltCoin Payment Gateway for WooCommerce plugin \u003c= 1.7.6 - Reflected Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-26541",
"datePublished": "2025-03-26T14:24:18.426Z",
"dateReserved": "2025-02-12T13:58:16.936Z",
"dateUpdated": "2026-04-01T15:45:15.001Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-26535 (GCVE-0-2025-26535)
Vulnerability from cvelistv5
Published
2025-03-03 13:30
Modified
2026-04-01 15:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CodeSolz Bitcoin / AltCoin Payment Gateway for WooCommerce woo-altcoin-payment-gateway allows Blind SQL Injection.This issue affects Bitcoin / AltCoin Payment Gateway for WooCommerce: from n/a through <= 1.7.6.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CodeSolz | Bitcoin / AltCoin Payment Gateway for WooCommerce |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26535",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-03T15:48:21.689648Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T15:48:35.451Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "woo-altcoin-payment-gateway",
"product": "Bitcoin / AltCoin Payment Gateway for WooCommerce",
"vendor": "CodeSolz",
"versions": [
{
"lessThanOrEqual": "1.7.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:35:01.873Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in CodeSolz Bitcoin / AltCoin Payment Gateway for WooCommerce woo-altcoin-payment-gateway allows Blind SQL Injection.\u003cp\u003eThis issue affects Bitcoin / AltCoin Payment Gateway for WooCommerce: from n/a through \u003c= 1.7.6.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in CodeSolz Bitcoin / AltCoin Payment Gateway for WooCommerce woo-altcoin-payment-gateway allows Blind SQL Injection.This issue affects Bitcoin / AltCoin Payment Gateway for WooCommerce: from n/a through \u003c= 1.7.6."
}
],
"impacts": [
{
"capecId": "CAPEC-7",
"descriptions": [
{
"lang": "en",
"value": "Blind SQL Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:45:13.903Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/woo-altcoin-payment-gateway/vulnerability/wordpress-bitcoin-altcoin-payment-gateway-for-woocommerce-multivendor-store-shop-plugin-1-7-6-sql-injection-vulnerability?_s_id=cve"
}
],
"title": "WordPress Bitcoin / AltCoin Payment Gateway for WooCommerce \u0026 Multivendor store / shop plugin \u003c= 1.7.6 - SQL Injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-26535",
"datePublished": "2025-03-03T13:30:27.941Z",
"dateReserved": "2025-02-12T13:58:16.935Z",
"dateUpdated": "2026-04-01T15:45:13.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-24734 (GCVE-0-2025-24734)
Vulnerability from cvelistv5
Published
2025-01-27 14:22
Modified
2026-04-01 15:44
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing Authorization vulnerability in CodeSolz Better Find and Replace real-time-auto-find-and-replace allows Privilege Escalation.This issue affects Better Find and Replace: from n/a through <= 1.6.7.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CodeSolz | Better Find and Replace |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24734",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-27T14:57:02.126710Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:33.927Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "real-time-auto-find-and-replace",
"product": "Better Find and Replace",
"vendor": "CodeSolz",
"versions": [
{
"changes": [
{
"at": "1.6.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.6.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ananda Dhakal (Patchstack)"
}
],
"datePublic": "2026-04-01T16:34:43.292Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in CodeSolz Better Find and Replace real-time-auto-find-and-replace allows Privilege Escalation.\u003cp\u003eThis issue affects Better Find and Replace: from n/a through \u003c= 1.6.7.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in CodeSolz Better Find and Replace real-time-auto-find-and-replace allows Privilege Escalation.This issue affects Better Find and Replace: from n/a through \u003c= 1.6.7."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "Privilege Escalation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:44:39.269Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/real-time-auto-find-and-replace/vulnerability/wordpress-better-find-and-replace-plugin-1-6-7-privilege-escalation-vulnerability?_s_id=cve"
}
],
"title": "WordPress Better Find and Replace plugin \u003c= 1.6.7 - Privilege Escalation vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-24734",
"datePublished": "2025-01-27T14:22:18.175Z",
"dateReserved": "2025-01-23T14:52:51.691Z",
"dateUpdated": "2026-04-01T15:44:39.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-39636 (GCVE-0-2024-39636)
Vulnerability from cvelistv5
Published
2024-08-01 21:24
Modified
2024-08-07 14:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
Deserialization of Untrusted Data vulnerability in CodeSolz Better Find and Replace.This issue affects Better Find and Replace: from n/a through 1.6.1.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CodeSolz | Better Find and Replace |
Version: n/a < |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:codesolz:better_find_and_replace:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "better_find_and_replace",
"vendor": "codesolz",
"versions": [
{
"lessThanOrEqual": "1.6.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39636",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T14:45:00.977745Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-07T14:50:01.547Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "real-time-auto-find-and-replace",
"product": "Better Find and Replace",
"vendor": "CodeSolz",
"versions": [
{
"changes": [
{
"at": "1.6.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.6.1",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Tr\u00ecnh V\u0169 / Sonicrrrr_ from VNPT-VCI (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in CodeSolz Better Find and Replace.\u003cp\u003eThis issue affects Better Find and Replace: from n/a through 1.6.1.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in CodeSolz Better Find and Replace.This issue affects Better Find and Replace: from n/a through 1.6.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T21:24:14.595Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/real-time-auto-find-and-replace/wordpress-better-find-and-replace-plugin-1-6-1-php-object-injection-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 1.6.2 or a higher version."
}
],
"value": "Update to 1.6.2 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Better Find and Replace plugin \u003c= 1.6.1 - PHP Object Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-39636",
"datePublished": "2024-08-01T21:24:14.595Z",
"dateReserved": "2024-06-26T21:18:36.160Z",
"dateUpdated": "2024-08-07T14:50:01.547Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25460 (GCVE-0-2023-25460)
Vulnerability from cvelistv5
Published
2023-05-12 15:19
Modified
2025-01-09 15:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in CodeSolz Easy Ad Manager plugin <= 1.0.0 versions.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CodeSolz | Easy Ad Manager |
Version: n/a < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:25:18.404Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/easy-ad-manager/wordpress-easy-ad-manager-plugin-1-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25460",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-09T14:23:29.291148Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T15:16:49.847Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "easy-ad-manager",
"product": "Easy Ad Manager",
"vendor": "CodeSolz",
"versions": [
{
"lessThanOrEqual": "1.0.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Lokesh Dachepalli (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in CodeSolz Easy Ad Manager plugin \u0026lt;=\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;1.0.0 versions.\u003c/span\u003e"
}
],
"value": "Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in CodeSolz Easy Ad Manager plugin \u003c=\u00a01.0.0 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-12T15:19:32.051Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/easy-ad-manager/wordpress-easy-ad-manager-plugin-1-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Easy Ad Manager Plugin \u003c= 1.0.0 is vulnerable to Cross Site Scripting (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-25460",
"datePublished": "2023-05-12T15:19:32.051Z",
"dateReserved": "2023-02-06T12:38:05.561Z",
"dateUpdated": "2025-01-09T15:16:49.847Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}