
CVE-2025-2104 – Page Builder: Pagelayer – Drag and Drop website builder <= 1.9.9 - Missing Authorization to Authenticated (Contributor+) Post Publication
https://notcve.org/view.php?id=CVE-2025-2104
12 Mar 2025 — The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to unauthorized post publication due to insufficient validation on the pagelayer_save_content() function in all versions up to, and including, 1.9.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to bypass post moderation and publish posts to the site. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3253356%40pagelayer&new=3253356%40pagelayer&sfp_email=&sfph_mail= • CWE-862: Missing Authorization •

CVE-2024-13430 – Page Builder: Pagelayer – Drag and Drop website builder <= 1.9.8 - Authenticated (Contributor+) Private Post Disclosure in pagelayer_builder_posts_shortcode
https://notcve.org/view.php?id=CVE-2024-13430
11 Mar 2025 — The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.8 via the 'pagelayer_builder_posts_shortcode' function due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private posts that they should not have access to. • https://plugins.trac.wordpress.org/changeset/3252081/pagelayer • CWE-284: Improper Access Control •

CVE-2025-1926 – Page Builder: Pagelayer – Drag and Drop website builder <= 1.9.8 - Cross-Site Request Forgery (CSRF) To Post Contents Modification
https://notcve.org/view.php?id=CVE-2025-1926
09 Mar 2025 — The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.8. This is due to missing or incorrect nonce validation on the pagelayer_save_post function. This makes it possible for unauthenticated attackers to modify post contents via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/browser/pagelayer/tags/1.9.8/init.php#L477 • CWE-352: Cross-Site Request Forgery (CSRF) •
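
The two Pagelayer save-path issues above (a Contributor publishing past moderation because the handler does not check capabilities, and an unauthenticated CSRF because the handler does not validate a nonce) are the same WordPress anti-pattern seen from two sides. The following is an added illustration, not Pagelayer's code: the action name 'demo_save_post' and the request fields 'post_id', 'content' and 'status' are assumed stand-ins for whatever the plugin actually uses.

```php
<?php
// Added illustration, not Pagelayer's code. Hypothetical AJAX action 'demo_save_post'
// and request fields 'post_id', 'content', 'status'.

// --- Vulnerable shape: no nonce, no capability check, caller-controlled status -----
function demo_save_post_vulnerable() {
    $post_id = (int) $_POST['post_id'];
    wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => wp_unslash( $_POST['content'] ),
        'post_status'  => $_POST['status'],   // wp_update_post() does no cap check:
    ) );                                      // a Contributor can simply send 'publish'
    wp_send_json_success();
}

// --- Hardened shape -----------------------------------------------------------------
function demo_save_post_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action and this user.
    //    check_ajax_referer() terminates with 403 when it is missing or invalid.
    check_ajax_referer( 'demo_save_post', 'nonce' );

    // 2. Authorization on the object, not merely "is logged in".
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Moderation: never trust post_status from the request. Only a user holding
    //    publish_posts (Author+ by default) may move the post to 'publish'; a
    //    Contributor's save is forced back to 'pending' review.
    $requested = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : 'pending';
    $status    = ( 'publish' === $requested && current_user_can( 'publish_posts' ) )
        ? 'publish'
        : 'pending';

    // 4. Content filtering matching the role: wp_kses_post() strips what a user
    //    without unfiltered_html may not store.
    $result = wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
        'post_status'  => $status,
    ), true );

    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'post_id' => $result, 'status' => $status ) );
}
// Registered for logged-in users only; no wp_ajax_nopriv_ twin exists.
add_action( 'wp_ajax_demo_save_post', 'demo_save_post_hardened' );

// The page that renders the editor mints the nonce with wp_create_nonce( 'demo_save_post' )
// (for instance via wp_localize_script()) and the client echoes it back as the 'nonce' field.
```

The nonce alone does not stop the Contributor case and the capability check alone does not stop the CSRF case; a handler that modifies posts needs both, plus server-side control of the resulting status.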

CVE-2024-11010 – FileOrganizer <= 1.1.4 - Authenticated (Administrator+) Local JavaScript File Inclusion
https://notcve.org/view.php?id=CVE-2024-11010
06 Dec 2024 — The FileOrganizer – Manage WordPress and Website Files plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.4 via the 'default_lang' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images a... • https://plugins.trac.wordpress.org/browser/fileorganizer/trunk/init.php#L222 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
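
The 'default_lang' flaw above is an include whose path is built from a request parameter. As an added illustration (not FileOrganizer's code; the parameter name is from the advisory, the languages/<code>.php layout and the helper names are assumed), here is that shape beside a version that resolves the value against an allowlist built from the directory itself and re-checks the final path:

```php
<?php
// Added illustration, not FileOrganizer's code. 'default_lang' is the advisory's
// parameter name; the languages/<code>.php layout is an assumption.

// --- Vulnerable shape: request value spliced into an include path ---------------------
function demo_load_lang_vulnerable( $base_dir ) {
    $lang = $_REQUEST['default_lang'];   // traversal sequences point anywhere on disk
    include $base_dir . '/languages/' . $lang . '.php';
}

// --- Hardened shape -----------------------------------------------------------------
function demo_load_lang_hardened( $base_dir, $fallback = 'en' ) {
    // The advisory's bug needed Administrator; a settings handler should still say so.
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    $lang_dir = realpath( $base_dir . '/languages' );
    if ( false === $lang_dir ) {
        return false;
    }

    // A language code is letters, digits, '-' and '_' only; slashes, dots and NUL are
    // rejected before the filesystem is consulted at all.
    $lang = isset( $_REQUEST['default_lang'] ) ? (string) $_REQUEST['default_lang'] : $fallback;
    if ( ! preg_match( '/\A[a-z0-9_-]{2,20}\z/', $lang ) ) {
        $lang = $fallback;
    }

    // Allowlist = the files that actually exist in the language directory.
    $allowed = array();
    foreach ( (array) glob( $lang_dir . '/*.php' ) as $file ) {
        $allowed[] = basename( $file, '.php' );
    }
    if ( ! in_array( $lang, $allowed, true ) ) {
        $lang = $fallback;
    }

    // Belt and braces: the resolved path must still live inside the language directory.
    $path = realpath( $lang_dir . '/' . $lang . '.php' );
    if ( false === $path || 0 !== strpos( $path, $lang_dir . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    include $path;
    return $lang;
}
```

The regex check makes the later checks hard to reach, which is the point: the include target should be chosen by the code from a fixed set, with the request contributing only a key into that set.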

CVE-2024-10097 – Loginizer Security and Loginizer <= 1.9.2 - Authentication Bypass via WordPress.com OAuth provider
https://notcve.org/view.php?id=CVE-2024-10097
04 Nov 2024 — The Loginizer Security and Loginizer plugins for WordPress are vulnerable to authentication bypass in all versions up to, and including, 1.9.2. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token. • https://loginizer.com • CWE-287: Improper Authentication •
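
The Loginizer bypass above is an account-linking decision made on the wrong key: a user returned by the provider is bound to an existing local account that was never linked to that provider. The following is an added illustration of the linking check, not Loginizer's code. The claim names 'sub', 'email' and 'email_verified' follow OpenID Connect conventions and are assumed; the user-meta key 'demo_social_<provider>_sub' is hypothetical.

```php
<?php
// Added illustration, not Loginizer's code. Claim names follow OIDC and are assumed;
// the meta key 'demo_social_<provider>_sub' is hypothetical.

/**
 * Map a provider identity to a WordPress user id.
 * Returns an int user id, or a WP_Error explaining why login must not proceed.
 * $claims must come from a server-side token exchange/introspection with the
 * provider, already checked for the expected issuer and audience.
 */
function demo_social_resolve_user( array $claims, string $provider ) {
    $sub = isset( $claims['sub'] ) ? (string) $claims['sub'] : '';
    if ( '' === $sub ) {
        return new WP_Error( 'no_subject', 'Provider did not return a stable account id.' );
    }
    $meta_key = 'demo_social_' . sanitize_key( $provider ) . '_sub';

    // 1. Strong path: this provider account was linked earlier, by the user, from an
    //    authenticated WP session. Match on the provider's immutable subject id only.
    $linked = get_users( array(
        'meta_key'   => $meta_key,
        'meta_value' => $sub,
        'number'     => 1,
        'fields'     => 'ID',
    ) );
    if ( $linked ) {
        return (int) $linked[0];
    }

    // 2. The bypass lives here: matching an UNLINKED existing user by e-mail lets
    //    whoever controls a provider account carrying that address log in as them.
    //    Refuse, and make the user link from a password-authenticated session.
    $email = isset( $claims['email'] ) ? sanitize_email( $claims['email'] ) : '';
    if ( $email && email_exists( $email ) ) {
        return new WP_Error(
            'link_required',
            'An account with this e-mail exists. Log in with your password and link the provider in your profile.'
        );
    }

    // 3. Fresh sign-up: only with a provider-verified address, only into the default role.
    if ( ! $email || empty( $claims['email_verified'] ) ) {
        return new WP_Error( 'unverified_email', 'Provider has not verified this e-mail address.' );
    }
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( 'social_' . wp_generate_password( 12, false ), true ),
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 32 ),
        'role'       => get_option( 'default_role', 'subscriber' ),
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    update_user_meta( $user_id, $meta_key, $sub );
    return $user_id;
}
```

The advisory's precondition ("the user does not have an already-existing account for the service") is exactly step 2: once the victim has linked, step 1 matches on the subject id and the e-mail no longer decides anything.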

CVE-2024-7985 – FileOrganizer <= 1.0.9 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-7985
29 Oct 2024 — The FileOrganizer – Manage WordPress and Website Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the "fileorganizer_ajax_handler" function in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: The FileOrganizer Pro pl... • https://github.com/Nxploited/CVE-2024-7985-PoC • CWE-434: Unrestricted Upload of File with Dangerous Type •
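
The upload flaw above is missing file type validation in an AJAX handler that Subscribers can be granted access to. As an added illustration (not FileOrganizer's code; the action name 'demo_upload' and the 'file' field are assumed), here is what a hardened handler checks before the bytes touch the uploads directory:

```php
<?php
// Added illustration, not FileOrganizer's code. Hypothetical AJAX action 'demo_upload'
// and multipart field 'file'.

function demo_upload_hardened() {
    check_ajax_referer( 'demo_upload', 'nonce' );

    // A settings toggle granting the feature to Subscribers is not a capability.
    // Require one that implies file handling (upload_files is Author+ by default).
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }
    $tmp  = $_FILES['file']['tmp_name'];
    $name = sanitize_file_name( wp_unslash( $_FILES['file']['name'] ) );

    // Extension and content must agree and must map to an allowed MIME type.
    // wp_check_filetype_and_ext() sniffs the bytes and returns ext/type as false when
    // the name says one thing and the content says another.
    $check = wp_check_filetype_and_ext( $tmp, $name, get_allowed_mime_types() );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // Defence in depth against double extensions (shell.php.png) on hosts whose
    // Apache AddHandler still hands such names to PHP: reject a script extension anywhere.
    if ( preg_match( '/\.(php\d?|phtml|phar|pl|cgi|sh|htaccess)(\.|$)/i', $name ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // Let core place the file under wp-content/uploads with a unique, sanitized name.
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_demo_upload', 'demo_upload_hardened' );
```

wp_handle_upload() repeats the type check internally; the explicit call is kept so the handler fails early with a clear status and so the double-extension rule runs before anything is written.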

CVE-2024-8669 – Backuply – Backup, Restore, Migrate and Clone <= 1.3.4 - Authenticated (Admin+) SQL Injection
https://notcve.org/view.php?id=CVE-2024-8669
13 Sep 2024 — The Backuply – Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter passed to the backuply_wp_clone_sql() function in all versions up to, and including, 1.3.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be... • https://plugins.trac.wordpress.org/browser/backuply/trunk/functions.php#L1477 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
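
The Backuply issue above is the classic pair named in the description: no escaping of the parameter and no preparation of the query. The advisory does not say what backuply_wp_clone_sql() does with 'options', so the added illustration below (not Backuply's code; function and shapes are hypothetical) models the simplest plausible case, selecting chosen rows from the options table for a clone, with the concatenated form beside the prepared one:

```php
<?php
// Added illustration, not Backuply's code. 'options' is the advisory's parameter name;
// the query it feeds is an assumption.

// --- Vulnerable shape: no escaping, query assembled by string concatenation -----------
function demo_clone_sql_vulnerable( $options ) {
    global $wpdb;
    $list = "'" . implode( "','", $options ) . "'";   // a value like  x') UNION SELECT ... --  survives
    return $wpdb->get_results(
        "SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name IN ($list)",
        ARRAY_A
    );
}

// --- Hardened shape: one placeholder per value, bound by $wpdb->prepare() ------------
function demo_clone_sql_hardened( $options ) {
    global $wpdb;

    // Normalise the untrusted list: strings only, non-empty, bounded count.
    $options = array_values( array_filter( array_map( 'strval', (array) $options ), 'strlen' ) );
    if ( empty( $options ) || count( $options ) > 500 ) {
        return array();
    }

    // %s placeholders are quoted and escaped by prepare(); their number is derived from
    // the sanitised array, never from a count the request supplied.
    $placeholders = implode( ',', array_fill( 0, count( $options ), '%s' ) );
    $sql = $wpdb->prepare(
        "SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name IN ($placeholders)",
        $options
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Anything that must appear as an identifier (a table name in a clone, for instance)
// cannot be bound with %s: allowlist it against $wpdb->tables() and wrap it in backticks.
```

The administrator-only precondition lowers severity but not the fix: prepared statements cost nothing and remove the whole class, whoever the caller is.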

CVE-2024-24622 – Softaculous Webuzo Password Reset Command Injection
https://notcve.org/view.php?id=CVE-2024-24622
25 Jul 2024 — Softaculous Webuzo contains a command injection in the password reset functionality. A remote, authenticated attacker can exploit this vulnerability to gain code execution on the system. • https://blog.exodusintel.com/2024/07/24/softaculous-webuzo-password-reset-command-injection • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2024-24623 – Softaculous Webuzo FTP Management Command Injection
https://notcve.org/view.php?id=CVE-2024-24623
25 Jul 2024 — Softaculous Webuzo contains a command injection vulnerability in the FTP management functionality. A remote, authenticated attacker can exploit this vulnerability to gain code execution on the system. • https://blog.exodusintel.com/2024/07/25/softaculous-webuzo-ftp-management-command-injection • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2024-24621 – Softaculous Webuzo Authentication Bypass
https://notcve.org/view.php?id=CVE-2024-24621
25 Jul 2024 — Softaculous Webuzo contains an authentication bypass vulnerability through the password reset functionality. Remote, anonymous attackers can exploit this vulnerability to gain full server access as the root user. • https://blog.exodusintel.com/2024/07/25/softaculous-webuzo-authentication-bypass • CWE-697: Incorrect Comparison •
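
The three Webuzo entries above share a password-reset path: a token check that the advisory classifies as an incorrect comparison (CWE-697), and new-password handling that reaches an OS command (CWE-78, also the class of the FTP management bug). The following is an added illustration of both classes in PHP, not Webuzo's code; the record layout, the 'setpass' helper binary and the function names are hypothetical.

```php
<?php
// Added illustration of CWE-697 and CWE-78 in a reset flow, not Webuzo's code.
// $store layout, '/usr/local/bin/setpass' and the function names are hypothetical.

// --- Incorrect comparison -----------------------------------------------------------
//   PHP's '==' juggles types: '0e123' == '0e456' is true (both are numeric strings
//   equal to float 0), and "abc" == 0 was true before PHP 8. A token or hash compared
//   with '==' may therefore match values the attacker never knew.
function demo_token_matches( string $expected, string $provided ): bool {
    // Type-strict, constant-time comparison.
    return hash_equals( $expected, $provided );
}

function demo_reset_password( array $store, string $user, string $token, string $new_pass ): bool {
    // The username is an allowlisted identifier even though it never meets a shell:
    // a leading '-' would otherwise be parsed as an option by the helper binary.
    if ( ! preg_match( '/\A[a-z_][a-z0-9_-]{0,31}\z/', $user ) || ! isset( $store[ $user ] ) ) {
        return false;
    }
    $rec = $store[ $user ];

    // Tokens are single-use and time-limited; only a hash of the token is stored.
    if ( time() > $rec['expires']
        || ! demo_token_matches( $rec['token_hash'], hash( 'sha256', $token ) ) ) {
        return false;
    }

    // --- Command injection ----------------------------------------------------------
    // Bad:  exec( "setpass $user $new_pass" );   a password of  x; id > /tmp/pwned  runs.
    // Good: argv array form of proc_open() (PHP >= 7.4) bypasses the shell entirely;
    //       each array element is exactly one argument.
    $proc = proc_open(
        array( '/usr/local/bin/setpass', $user ),
        array(
            0 => array( 'pipe', 'r' ),
            1 => array( 'pipe', 'w' ),
            2 => array( 'pipe', 'w' ),
        ),
        $pipes
    );
    if ( ! is_resource( $proc ) ) {
        return false;
    }
    // The secret travels over stdin, not in argv where `ps` would show it.
    fwrite( $pipes[0], $new_pass . "\n" );
    fclose( $pipes[0] );
    fclose( $pipes[1] );
    fclose( $pipes[2] );
    return 0 === proc_close( $proc );
}

// On PHP < 7.4 the equivalent is a string command with every argument passed through
// escapeshellarg(); the username allowlist above still applies in that form.
```

Neither fix depends on the other, but a reset flow that gets one of them wrong tends to get both wrong, which is what the grouping of these three CVEs on one product suggests.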