Vulnerabilities and security researches forportfolio-and-projects portfolio-and-projects

Jun 07, 2024

CVE, Research URL: 1e5ab0d376bb286eb9f3c02b0bc3818f419fb17d
Home page URL: Security reports for Portfolio and Projects
Application: Portfolio and Projects
Date: Aug 11, 2023
Research Description: Portfolio and Projects [portfolio-and-projects] < 1.3.8 WordPress Portfolio and Projects Plugin <= 1.3.7 is vulnerable to Broken Access Control Update the WordPress Portfolio and Projects plugin to the latest available version (at least 1.3.8). Cat discovered and reported this Broken Access Control vulnerability in WordPress Portfolio and Projects Plugin. A broken access control issue refers to a missing authorization, authentication or nonce token check in a function that could lead to an unprivileged user to executing a certain higher privileged action. This vulnerability has been fixed in version 1.3.8.
Affected versions: Min -, max -.
Status: vulnerable

Jun 10, 2024

CVE, Research URL: CVE-2023-40200
Home page URL: Security reports for Portfolio and Projects
Application: Portfolio and Projects
Date: -
Research Description: Multiple WPOnlineSupport plugins for WordPress are vulnerable to unauthorized modification of data due to a missing capability check on the wpos_anylc_admin_init_process() function hooked via admin_init in various versions. This makes it possible for unauthenticated attackers to dismiss a license notice.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-39995
Home page URL: Security reports for Portfolio and Projects
Application: Portfolio and Projects
Date: Dec 13, 2024
Research Description: Missing Authorization vulnerability in WP OnlineSupport, Essential Plugin Portfolio and Projects allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Portfolio and Projects: from n/a through 1.3.7.
Affected versions: Min -, max -.
Status: vulnerable

Mar 15, 2025

CVE, Research URL: CVE-2024-13847
Home page URL: Security reports for Portfolio and Projects
Application: Portfolio and Projects
Date: Mar 15, 2025
Research Description: The Portfolio and Projects plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions: Min -, max -.
Status: vulnerable