15 matches found
CVE-2025-67918 WordPress Woffice theme <= 5.4.30 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in WofficeIO Woffice woffice allows Reflected XSS. This issue affects Woffice: from n/a through <= 5.4.30...
WordPress Woffice theme <= 5.4.30 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Theme Woffice versions <= 5.4.30...
CVE-2025-2798 Woffice <= 5.4.21 - Authentication Bypass via Registration Role
The Woffice CRM theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.4.21. This is due to a misconfiguration of excluded roles during registration. This makes it possible for unauthenticated attackers to register with an Administrator role if a custom...
WordPress Woffice Theme <= 5.4.21 is vulnerable to Privilege Escalation
Software: Woffice; Type: Theme; Vulnerable versions: <= 5.4.21; Fixed in: 5.4.22; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Privilege Escalation; CVE: CVE-2025-2798; Patch priority: High; CVSS severity: High 9.8; Developer: EPC; PSID: bdeb5594d059; Credits: Foxyyy; Required privilege...
CVE-2024-43234 WordPress Woffice theme <= 5.4.14 - Unauthenticated Account Takeover vulnerability
Authentication Bypass Using an Alternate Path or Channel vulnerability in WofficeIO Woffice woffice allows Authentication Bypass. This issue affects Woffice: from n/a through <= 5.4.14...
WordPress Woffice theme <= 5.4.14 - Unauthenticated Account Takeover vulnerability
Unauthenticated Account Takeover vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Theme Woffice versions <= 5.4.14...
CVE-2024-43153 WordPress Woffice theme <= 5.4.10 - Unauthenticated Privilege Escalation vulnerability
Incorrect Privilege Assignment vulnerability in WofficeIO Woffice woffice. This issue affects Woffice: from n/a through <= 5.4.10...
WordPress Woffice theme <= 5.4.10 - Unauthenticated Privilege Escalation vulnerability
Unauthenticated Privilege Escalation vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Theme Woffice versions <= 5.4.10...
WordPress Woffice Theme <= 5.4.10 is vulnerable to Privilege Escalation
Software: Woffice; Type: Theme; Vulnerable versions: <= 5.4.10; Fixed in: 5.4.12; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Privilege Escalation; CVE: CVE-2024-43153; Patch priority: High; CVSS severity: High 9.8; Developer: Claim ownership; PSID: f1d354bce137; Credits: Rafie Muhammad...
CVE-2024-37472 WordPress Woffice theme <= 5.4.8 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in WofficeIO Woffice woffice. This issue affects Woffice: from n/a through <= 5.4.8...
WordPress Woffice theme <= 5.4.8 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Rafie Muhammad (Patchstack) in WordPress Theme Woffice versions <= 5.4.8...
WordPress Woffice Theme <= 5.4.8 is vulnerable to Cross Site Scripting (XSS)
Software: Woffice; Type: Theme; Vulnerable versions: <= 5.4.8; Fixed in: 5.4.9; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-37472; Patch priority: Medium; CVSS severity: Medium 7.1; Developer: Claim ownership; PSID: 742e892a0fa2; Credits: Rafie Muhammad (Patchstack); Required...
Woffice < 4.0.2 - Unauthenticated Disclosure of Notification Titles
The theme lacks authentication checks before returning the titles of notifications between the site's users. PoC: Any request to the wofficeNotificationGet AJAX endpoint will return titles of notifications sent between users. Example:...