
16 matches found

Metasploit
added 2026/02/19 6:59 p.m. | 220 views

WordPress StoryChief Plugin Unauthenticated RCE

This module exploits an unauthenticated arbitrary file upload vulnerability in the StoryChief WordPress plugin use exploit/multi/http/wppluginstorycheffileupload msf exploitwppluginstorycheffileupload show targets ...targets... msf exploitwppluginstorycheffileupload set TARGET msf...

CVSS 9.8 | AI score 6.1 | EPSS 0.78942
Exploits: 8

RedhatCVE
added 2025/11/09 7:53 a.m. | 2 views

CVE-2025-12621

The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'createrefund' function in all versions up to, and including, 1.0.42. This makes it possible for authenticated attackers, wit...

CVSS 5.3 | AI score 5.5 | EPSS 0.00038
Exploits: 0 | References: 1

Vulnrichment
added 2025/11/08 7:26 a.m. | 1 views

CVE-2025-12621 Flexible Refund and Return Order for WooCommerce <= 1.0.42 - Incorrect Authorization to Authenticated (Contributor+) Refund Status Update

The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'createrefund' function in all versions up to, and including, 1.0.42. This makes it possible for authenticated attackers, wit...

CVSS 5.3 | AI score 5 | EPSS 0.00038
Exploits: 0 | References: 3

CVE
added 2025/11/08 7:26 a.m. | 9 views

CVE-2025-12621

Insight (CVE-2025-12621) The WordPress plugin “Flexible Refund and Return Order for WooCommerce” is vulnerable via an incorrect/misconfigured capability check in the create_refund function, allowing any authenticated user with Contributor level or higher to modify refund statuses (approve/deny) i...

CVSS 5.3 | AI score 5.1 | EPSS 0.00038
Exploits: 0 | References: 3

Positive Technologies
added 2025/11/08 12:0 a.m. | 2 views

PT-2025-45557

Name of the Vulnerable Software and Affected Versions Flexible Refund and Return Order for WooCommerce plugin for WordPress versions through 1.0.42 Description The Flexible Refund and Return Order for WooCommerce plugin for WordPress has a flaw where data can be altered without proper...

CVSS 5.3 | AI score 6.5 | EPSS 0.00038
Exploits: 0 | References: 5

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2024-35227

Malicious code in bioql PyPI...

CVSS 5.3 | AI score 6.4 | EPSS 0.00155
Exploits: 0 | References: 1

Packet Storm
added 2025/08/26 12:0 a.m. | 246 views

WordPress StoryChief 1.0.42 Shell Upload

WordPress StoryChief plugin versions 1.0.42 and below suffer from a remote shell upload vulnerability. Exploit Title: StoryChief Wordpress Plugin 1.0.42 - Arbitrary File Upload Exploit Author: xpl0dec Vendor Homepage: https://www.storychief.io/wordpress-content-scheduler Software Link:...

CVSS 9.8 | AI score 7.5 | EPSS 0.78942
Exploits: 8

RedhatCVE
added 2025/08/18 4:31 a.m. | 9 views

CVE-2025-7441

The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.0.42. This vulnerability occurs through the /wp-json/storychief/webhook REST-API endpoint that does not have sufficient filetype validation. This makes it possible for unauthenticat...

CVSS 9.8 | AI score 8.3 | EPSS 0.78942
Exploits: 8 | References: 1

CVE
added 2025/08/16 3:38 a.m. | 47 views

CVE-2025-7441

The CVE-2025-7441 issue affects WordPress StoryChief/plugin versions up to 1.0.42. It centers on an unauthenticated, arbitrary file upload via the /wp-json/storychief/webhook endpoint, which lacks sufficient file-type validation, enabling an attacker to store attacker-controlled content (e.g., PH...

CVSS 9.8 | AI score 8.1 | EPSS 0.78942
In wild | Exploits: 8 | References: 3

Positive Technologies
added 2025/08/08 12:0 a.m. | 0 views

PT-2025-109: Insufficient authorization in FreeScout

The vulnerability was identified in FreeScout, versions 1.8.182. The discovered vulnerability allows an attacker to bypass access‑control in the Custom Fields module, performing actions not permitted for their role. Vulnerability status: Confirmed by vendor Date of vulnerability remediation:...

CVSS 5.3 | AI score 5.8
Exploits: 0 | References: 2

RedhatCVE
added 2025/05/23 8:49 a.m. | 3 views

CVE-2024-35174

Missing Authorization vulnerability in Flothemes Flo Forms. This issue affects Flo Forms: from n/a through 1.0.42...

CVSS 5.3 | AI score 6.9 | EPSS 0.00155
Exploits: 0 | References: 1

VulnCheck KEV
added 2025/03/19 12:0 a.m. | 1 views

VulnCheck KEV: CVE-2023-6925

The Unlimited Addons for WPBakery Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'importZipFile' function in versions up to, and including, 1.0.42. This makes it possible for authenticated attackers with a role that the...

CVSS 7.2 | AI score 5.9 | EPSS 0.04795
Exploits: 0 | References: 1

CNNVD
added 2024/11/11 12:0 a.m. | 1 views

Ikhgur mn.ikhgur.khotoch security vulnerability

Ikhgur mn.ikhgur.khotoch Ikhgur Video Downloader Pro & Browser is a video downloader from Ikhgur. A security vulnerability exists in Ikhgur mn.ikhgur.khotoch Video Downloader Pro & Browser version 1.0.42 and earlier versions. An attacker can exploit the vulnerability to execute arbitrary JavaScri...

CVSS 8.1 | AI score 7.3 | EPSS 0.0026
Exploits: 0 | References: 1

CNNVD
added 2024/05/17 12:0 a.m. | 2 views

WordPress plugin Flo Forms security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability exist...

CVSS 5.3 | AI score 6.6 | EPSS 0.00155
Exploits: 0 | References: 2

Patchstack
added 2024/05/10 12:33 p.m. | 4 views

WordPress Flo Forms plugin <= 1.0.42 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Dhabaleshwar Das Patchstack Alliance in WordPress Plugin Flo Forms versions <= 1.0.42...

CVSS 5.3 | AI score 7 | EPSS 0.00155
Exploits: 0 | Affected Software: 1

Snyk
added 2023/09/18 1:48 p.m. | 1 views

Insecure Randomness

Overview Affected versions of this package are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable nonce value used for authentication purposes in th...

CVSS 9.8 | AI score 7.2 | EPSS 0.00126
Exploits: 0 | References: 2