9 matches found
CVE-2025-2780
CVE-2025-2780 affects the WordPress Woffice Core plugin (versions up to and including 5.4.21). The issue is an arbitrary file upload vulnerability caused by missing file type validation in the saveFeaturedImage function, enabling authenticated users with Subscriber-level access or higher to uploa...
CVE-2024-37472
CVE-2024-37472 is a reflected XSS in Woffice Core / Woffice CRM affecting Woffice versions up to 5.4.8. The issue allows injection of script in victims’ browsers and requires user interaction. Patch availability: latest fixed version stated as 5.4.8; CVSS base score and details vary by source.
CVE-2025-2798
The CVE-2025-2798 entry concerns the Woffice CRM theme for WordPress. Affected: all versions up to and including 5.4.21. Root cause: misconfiguration of excluded roles during user registration in the Woffice CRM theme, allowing unauthenticated attackers to register with Administrator privileges w...
CVE-2024-43153
CVE-2024-43153 affects Woffice (Woffice CRM) in WordPress. The vulnerability is an Improper Privilege Management that enables Privilege Escalation in Woffice versions up to 5.4.10 (no earlier-verified details provided). CVSS v3.1 base score is 9.8 (CRITICAL) with network attack vector, no user in...
CVE-2025-2797
CVE-2025-2797 affects the Woffice Core WordPress plugin up to version 5.4.21. The issue is a CSRF vulnerability due to missing nonce validation in woffice_handle_user_approval_actions, allowing unauthenticated attackers to approve user registrations if an admin visits a forged link. CVSS 3.1 base...
CVE-2024-37471
CVE-2024-37471 is a reflected XSS vulnerability in Woffice Core (WordPress plugin) affecting Woffice Core versions up to 5.4.8. The CVE entry, including references, notes the issue as Reflected XSS and indicates it has been patched. In practice, exploited input could affect users visiting a craft...
CVE-2024-43234
The CVE-2024-43234 entry concerns WordPress Woffice theme versions through 5.4.14 that expose an Authentication Bypass Using an Alternate Path or Channel vulnerability. The root cause is an authentication bypass mechanism in Woffice that allows an unauthenticated user to take over accounts, with ...
CVE-2024-37470
CVE-2024-37470 describes a Missing Authorization vulnerability in Woffice Core (WordPress plugin) up to version 5.4.8. The issue allows accessing functionality not properly constrained by ACLs due to missing authorization checks, as documented in multiple sources. The impact is stated as high for...
CVE-2025-7694
Summary (CVE-2025-7694): The Woffice Core plugin for WordPress is vulnerable to Authenticated (Contributor+) Arbitrary File Deletion due to insufficient file path validation in the woffice_file_manager_delete() function. Affected versions are all up to and including 5.4.26. Exploitation requires ...