Publishpress

publishpress

3 CVEs • 2 products

Products (2)

Click to collapse

Toggle

CVEs (3)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-3366 1Publishpress 1Capabilities May 6, 2025 Oct 31, 2022 N/A· v4 7.2 HIGH· v3 N/A· v2 The PublishPress Capabilities WordPress plugin before 2.5.2, PublishPress Capabilities Pro WordPress plugin before 2.5.2 unserializes the content of imported files, which could lead to PHP object injection attacks by adm...Show more The PublishPress Capabilities WordPress plugin before 2.5.2, PublishPress Capabilities Pro WordPress plugin before 2.5.2 unserializes the content of imported files, which could lead to PHP object injection attacks by administrators, on multisite WordPress configurations. Successful exploitation in this case requires other plugins with a suitable gadget chain to be present on the site.Show less
CVE-2021-25032 1Publishpress 1Capabilities Nov 21, 2024 Jan 10, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPress Capabilities Pro WordPress plugin before 2.3.1 does not have authorisation and CSRF checks when updating the plugin's settings via the init hook,...Show more The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPress Capabilities Pro WordPress plugin before 2.3.1 does not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and does not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary blog options, such as the default role and make any new registered user with an administrator role.Show less
CVE-2021-24783 1Publishpress 1Post Expirator Nov 21, 2024 Nov 8, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 The Post Expirator WordPress plugin before 2.6.0 does not have proper capability checks in place, which could allow users with a role as low as Contributor to schedule deletion of arbitrary posts.