Vulnerabilities and security researches forkiotvietsync kiotvietsync

Apr 19, 2025

CVE, Research URL: CVE-2025-32573
Home page URL: Security reports for KiotViet Sync
Application: KiotViet Sync
Date: Apr 17, 2025
Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kiotviet KiotViet Sync allows SQL Injection. This issue affects KiotViet Sync: from n/a through 1.8.3.
Affected versions: max 1.8.3.
Status: vulnerable

Apr 26, 2025

CVE, Research URL: CVE-2025-39381
Home page URL: Security reports for KiotViet Sync
Application: KiotViet Sync
Date: Apr 24, 2025
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Kiotviet KiotViet Sync allows Stored XSS. This issue affects KiotViet Sync: from n/a through 1.8.4.
Affected versions: max 1.8.4.
Status: vulnerable

Nov 10, 2025

CVE, Research URL: CVE-2025-12677
Home page URL: Security reports for KiotViet Sync
Application: KiotViet Sync
Date: Nov 05, 2025
Research Description: The KiotViet Sync plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the register_api_route() function in kiotvietsync/includes/public_actions/WebHookAction.php. This makes it possible for unauthenticated attackers to extract the webhook token value when configured.
Affected versions: max 1.8.5.
Status: vulnerable

CVE, Research URL: CVE-2025-62978
Home page URL: Security reports for KiotViet Sync
Application: KiotViet Sync
Date: Oct 27, 2025
Research Description: Missing Authorization vulnerability in Kiotviet KiotViet Sync kiotvietsync allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KiotViet Sync: from n/a through <= 1.8.5.
Affected versions: max 1.8.5.
Status: vulnerable

CVE, Research URL: CVE-2025-12674
Home page URL: Security reports for KiotViet Sync
Application: KiotViet Sync
Date: Nov 05, 2025
Research Description: The KiotViet Sync plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the create_media() function in all versions up to, and including, 1.8.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected versions: max 1.8.5.
Status: vulnerable

CVE, Research URL: CVE-2025-12675
Home page URL: Security reports for KiotViet Sync
Application: KiotViet Sync
Date: Nov 05, 2025
Research Description: The KiotViet Sync plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveConfig() function in all versions up to, and including, 1.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's config.
Affected versions: max 1.8.5.
Status: vulnerable

CVE, Research URL: CVE-2025-12676
Home page URL: Security reports for KiotViet Sync
Application: KiotViet Sync
Date: Nov 05, 2025
Research Description: The KiotViet Sync plugin for WordPress is vulnerable to authorizarion bypass in all versions up to, and including, 1.8.5. This is due to the plugin using a hardcoded password for authentication in the QueryControllerAdmin::authenticated function. This makes it possible for unauthenticated attackers to create and sync products.
Affected versions: max 1.8.5.
Status: vulnerable