
CVE-2025-39538 – WordPress WP-Advanced-Search <= 3.3.9.3 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-39538
16 Apr 2025 — Unrestricted Upload of File with Dangerous Type vulnerability in Mathieu Chartier WP-Advanced-Search allows Upload a Web Shell to a Web Server. This issue affects WP-Advanced-Search: from n/a through 3.3.9.3. The WordPress WP-Advanced-Search plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 3.3.9.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on th... • https://patchstack.com/database/wordpress/plugin/wp-advanced-search/vulnerability/wordpress-wp-advanced-search-3-3-9-3-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2022-47447 – WordPress WP-Advanced-Search Plugin <= 3.3.8 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-47447
14 Mar 2023 — Cross-Site Request Forgery (CSRF) vulnerability in Mathieu Chartier WordPress WP-Advanced-Search plugin <= 3.3.8 versions. The WP-Advanced-Search plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.3.8. This is due to missing or incorrect nonce validation on the 'WP_Advanced_Search_update_pagination', 'WP_Advanced_Search_update_styles', 'WP_Advanced_Search_Autocomplete_Action', and possibly other functions. This makes it possible for unauthenticated attackers ... • https://patchstack.com/database/vulnerability/wp-advanced-search/wordpress-wp-advanced-search-plugin-3-3-8-cross-site-request-forgery-csrf?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2020-12104 – WordPress WP-Advanced-Search <= 3.3.6 - SQL Injection
https://notcve.org/view.php?id=CVE-2020-12104
28 Apr 2020 — The Import feature in the wp-advanced-search plugin 3.3.6 for WordPress is vulnerable to authenticated SQL injection via an uploaded .sql file. An attacker can use this to execute SQL commands without any validation. • https://wordpress.org/plugins/wp-advanced-search/#developers • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •