
CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Unrestricted Upload of File with Dangerous Type vulnerability in Gesundheit Bewegt GmbH Zippy. This issue affects Zippy: from n/a through 1.6.9. The Zippy plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ZippyCore.php file in all versions up to, and including, 1.6.9. This makes it possible for authenticated attackers, with editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
• https://patchstack.com/database/vulnerability/zippy/wordpress-zippy-plugin-1-6-9-arbitrary-file-upload-vulnerability?_s_id=cve
• CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

The Zippy plugin for WordPress is vulnerable to unauthorized archiving and unarchiving of pages due to a missing capability check on the adminInit function in versions up to, and including, 1.6.2. This makes it possible for unauthenticated attackers to archive and unarchive pages.
• CWE-862: Missing Authorization

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Deserialization of Untrusted Data vulnerability in Gesundheit Bewegt GmbH Zippy. This issue affects Zippy: from n/a through 1.6.5. The Zippy plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.6.5 via deserialization of untrusted input in the vulnerable 'unzipPosts' function. This allows authenticated attackers with author-level permissions to inject a PHP Object.
• https://patchstack.com/database/vulnerability/zippy/wordpress-zippy-plugin-1-6-3-php-object-injection-vulnerability?_s_id=cve
• CWE-502: Deserialization of Untrusted Data

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Gesundheit Bewegt GmbH Zippy. This issue affects Zippy: from n/a through 1.6.1. The Zippy plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.6.1 via the adminInit function. This can allow authenticated attackers with access to the post editor, such as contributors, to create an export that will contain sensitive author information, such as usernames and password hashes.
• https://patchstack.com/database/vulnerability/zippy/wordpress-zippy-plugin-1-6-1-sensitive-data-exposure-vulnerability?_s_id=cve
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor