cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches foradministrator-z administrator-z

Direction: ascending
Jun 07, 2024

Administrator Z # 658bc68d240cbff2bb311b2eece6e3a3beefea33

CVE, Research URL

658bc68d240cbff2bb311b2eece6e3a3beefea33

Home page URL

Security reports for Administrator Z

Application

Administrator Z

Date
Nov 02, 2022
Research Description
Administrator Z [administrator-z] < 2022.9.29 Administrator Z <= 2022.9.28 - Unauthorized File Upload via ACF The Administrator Z plugin for WordPress uses Advanced Custom Fields which has a file upload vulnerability in versions up to, and including, 5.12.2. This makes it possible for users without the upload_files capability, such as contributors, or unauthenticated users in cases where a frontend form is added to the site, to upload allowed file types. The upload is handled by WordPress so file type and extension checks still occur, though this could potentially be used by high-privileged users in certain locked-down configurations to bypass other security mechanisms and upload dangerous file types. This affects versions up to, and including, 2022.9.28 in the Administrator Z plugin.
Affected versions
Min -, max -.
Status
vulnerable
Nov 03, 2024

Administrator Z # CVE-2024-50524

CVE, Research URL

CVE-2024-50524

Home page URL

Security reports for Administrator Z

Application

Administrator Z

Date
Nov 09, 2024
Research Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in quyle91 Administrator Z allows Blind SQL Injection.This issue affects Administrator Z: from n/a through 2024.11.04.
Affected versions
Min -, max -.
Status
vulnerable
Apr 03, 2025

Administrator Z # CVE-2025-2815

CVE, Research URL

CVE-2025-2815

Home page URL

Security reports for Administrator Z

Application

Administrator Z

Date
Mar 28, 2025
Research Description
The Administrator Z plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the adminz_import_backup() function in all versions up to, and including, 2025.03.24. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Affected versions
Min -, max -.
Status
vulnerable