Lucene search
K
XtendifyWoffice

9 matches found

CVE
CVE
added 2025/04/04 7:0 a.m.95 views

CVE-2025-2780

CVE-2025-2780 affects the WordPress Woffice Core plugin (versions up to and including 5.4.21). The issue is an arbitrary file upload vulnerability caused by missing file type validation in the saveFeaturedImage function, enabling authenticated users with Subscriber-level access or higher to uploa...

8.8CVSS8AI score0.00759EPSS
CVE
CVE
added 2024/07/04 6:48 p.m.76 views

CVE-2024-37472

CVE-2024-37472 is a reflected XSS in Woffice Core / Woffice CRM affecting Woffice versions up to 5.4.8. The issue allows injection of script in victims’ browsers and requires user interaction. Patch availability: latest fixed version stated as 5.4.8; CVSS base score and details vary by source.

7.1CVSS5.9AI score0.00333EPSS
CVE
CVE
added 2025/04/04 1:44 p.m.76 views

CVE-2025-2798

The CVE-2025-2798 entry concerns the Woffice CRM theme for WordPress. Affected: all versions up to and including 5.4.21. Root cause: misconfiguration of excluded roles during user registration in the Woffice CRM theme, allowing unauthenticated attackers to register with Administrator privileges w...

9.8CVSS5.8AI score0.00623EPSS
CVE
CVE
added 2024/08/13 11:39 a.m.75 views

CVE-2024-43153

CVE-2024-43153 affects Woffice (Woffice CRM) in WordPress. The vulnerability is an Improper Privilege Management that enables Privilege Escalation in Woffice versions up to 5.4.10 (no earlier-verified details provided). CVSS v3.1 base score is 9.8 (CRITICAL) with network attack vector, no user in...

9.8CVSS7.4AI score0.00624EPSS
CVE
CVE
added 2025/04/04 7:0 a.m.75 views

CVE-2025-2797

CVE-2025-2797 affects the Woffice Core WordPress plugin up to version 5.4.21. The issue is a CSRF vulnerability due to missing nonce validation in woffice_handle_user_approval_actions, allowing unauthenticated attackers to approve user registrations if an admin visits a forged link. CVSS 3.1 base...

5.4CVSS6.7AI score0.00137EPSS
CVE
CVE
added 2024/07/04 6:57 p.m.64 views

CVE-2024-37471

CVE-2024-37471 is a reflected XSS vulnerability in Woffice Core (WordPress plugin) affecting Woffice Core versions up to 5.4.8. The CVE entry, including references, notes the issue as Reflected XSS and indicates it has been patched. In practice, exploited input could affect users visiting a craft...

7.1CVSS6.3AI score0.00288EPSS
CVE
CVE
added 2024/12/16 3:36 p.m.57 views

CVE-2024-43234

The CVE-2024-43234 entry concerns WordPress Woffice theme versions through 5.4.14 that expose an Authentication Bypass Using an Alternate Path or Channel vulnerability. The root cause is an authentication bypass mechanism in Woffice that allows an unauthenticated user to take over accounts, with ...

9.8CVSS7.4AI score0.00647EPSS
CVE
CVE
added 2024/11/01 2:18 p.m.53 views

CVE-2024-37470

CVE-2024-37470 describes a Missing Authorization vulnerability in Woffice Core (WordPress plugin) up to version 5.4.8. The issue allows accessing functionality not properly constrained by ACLs due to missing authorization checks, as documented in multiple sources. The impact is stated as high for...

9.8CVSS8.3AI score0.00487EPSS
CVE
CVE
added 2025/08/02 3:28 a.m.26 views

CVE-2025-7694

Summary (CVE-2025-7694): The Woffice Core plugin for WordPress is vulnerable to Authenticated (Contributor+) Arbitrary File Deletion due to insufficient file path validation in the woffice_file_manager_delete() function. Affected versions are all up to and including 5.4.26. Exploitation requires ...

7.5CVSS7.9AI score0.00881EPSS