cleantalk
Vulnerabilities and Security Research

Vulnerabilities and security research for simple-author-box
Mar 30, 2026

Simple Author Box # PSC-2026-64639

Type: PSC, Research URL
ID: PSC-2026-64639
Application: Simple Author Box
Date: Mar 30, 2026
Research Description:
Author box plugins are security-relevant because they render user-controlled profile data across the site, often including author bio text, website links, and social profiles. If output encoding, access control, or request integrity is weak, these surfaces can become a path to stored XSS, unauthorized exposure of profile metadata, or CSRF-driven settings changes. Simple Author Box version 2.59 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64639, confirming that the plugin was reviewed from a secure-code perspective with attention to the most common exploitation paths for author profile and bio display plugins.
Affected versions: min 2.59, max 2.59.
Status: SAFE & CERTIFIED
Jun 07, 2024

Simple Author Box # CVE-2023-3601

Type: CVE, Research URL
ID: CVE-2023-3601
Application: Simple Author Box
Date: Aug 15, 2023
Research Description:
The Simple Author Box WordPress plugin before 2.52 does not verify a user ID before outputting information about that user, leading to arbitrary user information disclosure to users with a role as low as Contributor.
Affected versions: max 2.52.
Status: vulnerable

Simple Author Box # 8b7aa1417907f5ca7f22def8e70e2d23e5295ddf

Application: Simple Author Box
Date: Mar 28, 2023
Research Description:
Simple Author Box [simple-author-box] < 2.51
Simple Author Box <= 2.50 - Cross-Site Request Forgery via save_user_profile
The Simple Author Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.50. This is due to missing or incorrect nonce validation on the save_user_profile function. This makes it possible for unauthenticated attackers to edit the user profile settings of other users via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 2.51.
Status: vulnerable