cleantalk
Vulnerabilities and Security Research

Vulnerabilities and security research for publishpress-authors

Oct 17, 2024

Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors # CVE-2024-9215

CVE, Research URL

CVE-2024-9215

Date
Oct 17, 2024
Research Description
The Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors plugin for WordPress is vulnerable to Insecure Direct Object Reference to Privilege Escalation/Account Takeover in all versions up to, and including, 4.7.1 via the action_edited_author() function due to missing validation on the 'authors-user_id' user-controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to update arbitrary user accounts' email addresses, including administrators', which can then be leveraged to reset that user's account password and gain access.
Affected versions
Min -, max -.
Status
vulnerable
Mar 07, 2025

Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors # CVE-2025-26886

CVE, Research URL

CVE-2025-26886

Date
Mar 16, 2025
Research Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PublishPress PublishPress Authors allows SQL Injection. This issue affects PublishPress Authors: from n/a through 4.7.3.
Affected versions
Min -, max -.
Status
vulnerable
May 09, 2025

Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors # CVE-2025-47496

CVE, Research URL

CVE-2025-47496

Date
May 07, 2025
Research Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PublishPress PublishPress Authors allows PHP Local File Inclusion. This issue affects PublishPress Authors: from n/a through 4.7.5.
Affected versions
Min -, max -.
Status
vulnerable