CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23918 – WordPress Smallerik File Browser plugin <= 1.1 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-23918
16 Jan 2025 — Unrestricted Upload of File with Dangerous Type vulnerability in NotFound Smallerik File Browser allows Upload a Web Shell to a Web Server. This issue affects Smallerik File Browser: from n/a through 1.1. The Smallerik File Browser plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's... • https://patchstack.com/database/wordpress/plugin/smallerik-file-browser/vulnerability/wordpress-smallerik-file-browser-plugin-1-1-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22773 – WordPress Htaccess File Editor <= 1.0.19 - Broken Authentication vulnerability
https://notcve.org/view.php?id=CVE-2025-22773
14 Jan 2025 — Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in WPChill Htaccess File Editor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Htaccess File Editor: from n/a through 1.0.19. The Htaccess File Editor – Easily Edit, Backup, Restore .htaccess file plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.19 via the location of .htaccess file backups. This makes it possi... • https://patchstack.com/database/wordpress/plugin/htaccess-file-editor/vulnerability/wordpress-htaccess-file-editor-1-0-19-broken-authentication-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-51841 – WordPress File Select Control For Elementor plugin <= 1.3 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-51841
08 Nov 2024 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNcode File Select Control For Elementor allows DOM-Based XSS.This issue affects File Select Control For Elementor: from n/a through 1.3. The File Select Control For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contribut... • https://patchstack.com/database/vulnerability/file-select-control-for-elementor/wordpress-file-select-control-for-elementor-plugin-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-51892 – WordPress Sell Media File with Stripe plugin <= 1.0.6 - Stored Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-51892
08 Nov 2024 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in naa986 Sell Media File with Stripe allows Stored XSS.This issue affects Sell Media File with Stripe: from n/a through 1.0.6. The Sell Media File with Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and a... • https://patchstack.com/database/vulnerability/sell-media-file/wordpress-sell-media-file-with-stripe-plugin-1-0-6-stored-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8507 – File Manager Pro <= 8.3.9 - Cross-Site Request Forgery to Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-8507
15 Oct 2024 — The File Manager Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.3.9. This is due to missing or incorrect nonce validation on the 'mk_file_folder_manager' ajax action. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://www.wordfence.com/threat-intel/vulnerabilities/id/db70b37c-707a-47b8-a3a2-5a2b7d30de89?source=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8746 – File Manager Pro <= 8.3.9 - Unauthenticated Backup File Download and Upload
https://notcve.org/view.php?id=CVE-2024-8746
15 Oct 2024 — The File Manager Pro plugin for WordPress is vulnerable to arbitrary backup file downloads and uploads due to missing file type validation via the 'mk_file_folder_manager_shortcode' ajax action in all versions up to, and including, 8.3.9. This makes it possible for unauthenticated attackers, if granted access to the File Manager by an administrator, to download and upload arbitrary backup files on the affected site's server which may make remote code execution possible. • https://www.wordfence.com/threat-intel/vulnerabilities/id/88f1eb9a-f3bb-4b62-975f-a6cb95850966?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8918 – File Manager Pro <= 8.3.9 - Unauthenticated Limited JavaScript File Upload
https://notcve.org/view.php?id=CVE-2024-8918
15 Oct 2024 — The File Manager Pro plugin for WordPress is vulnerable to Limited JavaScript File Upload in all versions up to, and including, 8.3.9. This is due to a lack of proper checks on allowed file types. This makes it possible for unauthenticated attackers, with permissions granted by an administrator, to upload .css and .js files, which could lead to Stored Cross-Site Scripting. • https://www.wordfence.com/threat-intel/vulnerabilities/id/01ef62c8-e862-422c-948d-6d376d021c82?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49256 – WordPress Htaccess File Editor plugin <= 1.0.18 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-49256
14 Oct 2024 — Incorrect Authorization vulnerability in WPChill Htaccess File Editor allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Htaccess File Editor: from n/a through 1.0.18. Incorrect Authorization vulnerability in WPChill Htaccess File Editor allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Htaccess File Editor: from n/a through 1.0.18. The Htaccess File Editor plugin for WordPress is vulnerable to unauthorized access due to a missing capability ... • https://patchstack.com/database/vulnerability/htaccess-file-editor/wordpress-htaccess-file-editor-plugin-1-0-18-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization CWE-863: Incorrect Authorization •
CVSS: 9.0EPSS: 2%CPEs: 1EXPL: 0CVE-2024-7559 – File Manager Pro <= 8.3.7 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-7559
22 Aug 2024 — The File Manager Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in the mk_file_folder_manager AJAX action in all versions up to, and including, 8.3.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://filemanagerpro.io/file-manager-pro • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39639 – WordPress File Upload plugin <= 4.24.7 - Broken Access Control + CSRF vulnerability
https://notcve.org/view.php?id=CVE-2024-39639
01 Aug 2024 — Broken Access Control vulnerability in Nickolas Bossinas WordPress File Upload allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress File Upload: from n/a through 4.24.7. The WordPress File Upload plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wfu_ajax_action_save_shortcode() function in versions up to, and including, 4.24.7. This makes it possible for authenticated attackers, with contributor-level access and... • https://patchstack.com/database/vulnerability/wp-file-upload/wordpress-wordpress-file-upload-plugin-4-24-7-broken-access-control-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •