11 matches found
EUVD-2021-34193
Malicious code in bioql PyPI...
CVE-2024-7759
The PWA for WP WordPress plugin before 1.7.72 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2024-7759 PWA For WP & AMP < 1.7.72 Administrator+ Stored XSS
The PWA for WP WordPress plugin before 1.7.72 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2024-7759 PWA For WP & AMP < 1.7.72 Administrator+ Stored XSS
The PWA for WP WordPress plugin before 1.7.72 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2024-7759
The CVE-2024-7759 entry applies to the WordPress plugin “PWA for WP” (WordPress plugin) versions prior to 1.7.72. The issue is due to insufficient sanitisation/escaping of some settings, enabling Stored Cross-Site Scripting (Stored XSS) by high-privilege users (e.g., admins) even when unfiltered_...
PT-2025-21501 · WordPress · Pwa For Wp
Name of the Vulnerable Software and Affected Versions: The PWA for WP WordPress plugin versions prior to 1.7.72 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This is possible because some settings are not properly sanitised and...
Authorization
The PWA for WP & AMP plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the pwaforwpupdatefeaturesoptions function in versions up to, and including, 1.7.32. This makes it possible for authenticated attackers to change the otherwise restricted settings...
Input validation
The PWA for WP & AMP for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the pwaforwpsplashscreenuploader function in versions up to, and including, 1.7.32. This makes it possible for authenticated attackers to upload arbitrary files on the affected sites...
CVE-2021-4366 PWA for WP & AMP < = 1.7.32 - Missing Authorization
The PWA for WP & AMP plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the pwaforwpupdatefeaturesoptions function in versions up to, and including, 1.7.32. This makes it possible for authenticated attackers to change the otherwise restricted settings...
CVE-2021-4366
The CVE-2021-4366 entry concerns the WordPress PWA for WP & AMP plugin. Affected component: pwaforwp_update_features_options function. Root cause: missing capability check leads to an authorization bypass in versions up to and including 1.7.32, allowing authenticated attackers to alter restricted...
PWA for WP <= 1.0.8 - XSS
The PWA for WP & AMP WordPress plugin was affected by a XSS security vulnerability...