Vulnerabilities and security researches forpwa-for-wp pwa-for-wp

Jun 06, 2024

CVE, Research URL: 2d58fea2639bbd2fa6bd4a9a4dbefba1f662bc7a
Home page URL: Security reports for PWA for WP & AMP
Application: PWA for WP & AMP
Date: Jul 01, 2021
Research Description: PWA for WP & AMP [pwa-for-wp] < 1.7.33 WordPress PWA for WP & AMP plugin <= 1.7.32 - Authenticated Arbitrary File Upload vulnerability Authenticated Arbitrary File Upload vulnerability discovered by Jerome Bruandet in WordPress PWA for WP & AMP plugin (versions <= 1.7.32).
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2021-4366
Home page URL: Security reports for PWA for WP & AMP
Application: PWA for WP & AMP
Date: Jun 07, 2023
Research Description: The PWA for WP & AMP plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the pwaforwp_update_features_options function in versions up to, and including, 1.7.32. This makes it possible for authenticated attackers to change the otherwise restricted settings within the plugin.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2021-4354
Home page URL: Security reports for PWA for WP & AMP
Application: PWA for WP & AMP
Date: Jun 07, 2023
Research Description: The PWA for WP & AMP for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the pwaforwp_splashscreen_uploader function in versions up to, and including, 1.7.32. This makes it possible for authenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.
Affected versions: Min -, max -.
Status: vulnerable

Sep 29, 2024

CVE, Research URL: CVE-2024-47318
Home page URL: Security reports for PWA for WP & AMP
Application: PWA for WP & AMP
Date: Nov 01, 2024
Research Description: Missing Authorization vulnerability in Magazine3 PWA for WP & AMP allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PWA for WP & AMP: from n/a through 1.7.72.
Affected versions: Min -, max -.
Status: vulnerable

May 19, 2025

CVE, Research URL: CVE-2024-7759
Home page URL: Security reports for PWA for WP & AMP
Application: PWA for WP & AMP
Date: May 16, 2025
Research Description: The PWA for WP WordPress plugin before 1.7.72 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Affected versions: Min -, max -.
Status: vulnerable