Vulnerabilities and security researches forseur seur

May 05, 2025

CVE, Research URL: CVE-2025-46474
Home page URL: Security reports for SEUR Oficial
Application: SEUR Oficial
Date: -
Research Description: SEUR Oficial [seur] <= 2.2.23 (unfixed) CVE-2025-46474
Affected versions: Min -, max -.
Status: vulnerable

Oct 30, 2024

CVE, Research URL: CVE-2024-9438
Home page URL: Security reports for SEUR Oficial
Application: SEUR Oficial
Date: Oct 29, 2024
Research Description: The SEUR Oficial plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'change_service' parameter in all versions up to, and including, 2.2.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: Min -, max -.
Status: vulnerable

Oct 20, 2024

CVE, Research URL: CVE-2024-9201
Home page URL: Security reports for SEUR Oficial
Application: SEUR Oficial
Date: Oct 10, 2024
Research Description: The SEUR plugin, in its versions prior to 2.5.11, is vulnerable to time-based SQL injection through the use of the ‘id_order’ parameter of the ‘/modules/seur/ajax/saveCodFee.php’ endpoint.
Affected versions: Min -, max -.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2021-25005
Home page URL: Security reports for SEUR Oficial
Application: SEUR Oficial
Date: Jan 17, 2022
Research Description: The SEUR Oficial WordPress plugin before 1.7.0 does not sanitize and escape some of its settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2021-25004
Home page URL: Security reports for SEUR Oficial
Application: SEUR Oficial
Date: Feb 07, 2022
Research Description: The SEUR Oficial WordPress plugin before 1.7.2 creates a PHP file with a random name when installed, even though it is used for support purposes, it allows to download any file from the web server without restriction after knowing the URL and a password than an administrator can see in the plugin settings page.
Affected versions: Min -, max -.
Status: vulnerable