cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forfavorites favorites

Direction: descending
Nov 11, 2025

Favorites # CVE-2025-60202

CVE, Research URL

CVE-2025-60202

Home page URL

Security reports for Favorites

Application

Favorites

Date
Nov 06, 2025
Research Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Kyle Phillips Favorites favorites allows PHP Local File Inclusion.This issue affects Favorites: from n/a through <= 2.3.6.
Affected versions
max 2.3.6.
Status
vulnerable
Mar 27, 2025

Favorites # CVE-2025-1452

CVE, Research URL

CVE-2025-1452

Home page URL

Security reports for Favorites

Application

Favorites

Date
Mar 25, 2025
Research Description
The Favorites WordPress plugin before 2.3.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Affected versions
max 2.3.5.
Status
vulnerable
Jun 06, 2024

Favorites # CVE-2023-2304

CVE, Research URL

CVE-2023-2304

Home page URL

Security reports for Favorites

Application

Favorites

Date
May 31, 2023
Research Description
The Favorites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'user_favorites' shortcode in versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 2.3.3.
Status
vulnerable

Favorites # CVE-2024-2948

CVE, Research URL

CVE-2024-2948

Home page URL

Security reports for Favorites

Application

Favorites

Date
Mar 30, 2024
Research Description
The Favorites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'user_favorites' shortcode in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping on user supplied attributes such as 'no_favorites'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 2.3.4.
Status
vulnerable