Vulnerabilities and security researches foronlyoffice onlyoffice

Jul 25, 2025

CVE, Research URL: CVE-2025-6380
Home page URL: Security reports for ONLYOFFICE
Application: ONLYOFFICE
Date: Jul 24, 2025
Research Description: The ONLYOFFICE Docs plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its oo.callback REST endpoint in versions 1.1.0 to 2.2.0. The plugin’s permission callback only verifies that the supplied, encrypted attachment ID maps to an existing attachment post, but does not verify the requester’s identity or capabilities. This makes it possible for unauthenticated attackers to log in as an arbitrary user.
Affected versions: Min -, max -.
Status: vulnerable

Dec 06, 2024

CVE, Research URL: CVE-2024-11450
Home page URL: Security reports for ONLYOFFICE
Application: ONLYOFFICE
Date: Dec 06, 2024
Research Description: The ONLYOFFICE Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'onlyoffice' shortcode in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable