cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches for smartpay

Jul 04, 2025

Download Manager and Payment Form WordPress Plugin – WP SmartPay # CVE-2025-3848

CVE, Research URL

CVE-2025-3848

Date
Jul 02, 2025
Research Description
The Download Manager and Payment Form WordPress Plugin – WP SmartPay plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 1.1.0 to 2.7.13. This is due to the plugin not properly validating a user's identity prior to updating their email through the update() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary users' email addresses, including administrators', and leverage that to reset the user's password and gain access to their account.
Affected versions
max 1.1.0.
Status
vulnerable
Jul 02, 2025

Download Manager and Payment Form WordPress Plugin – WP SmartPay # CVE-2025-25171

CVE, Research URL

CVE-2025-25171

Date
Jun 27, 2025
Research Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in ThemesGrove WP SmartPay allows Authentication Abuse. This issue affects WP SmartPay: from n/a through 2.7.13.
Affected versions
max 2.7.13.
Status
vulnerable

Download Manager and Payment Form WordPress Plugin – WP SmartPay # CVE-2025-3851

CVE, Research URL

CVE-2025-3851

Date
May 07, 2025
Research Description
The Download Manager and Payment Form WordPress Plugin – WP SmartPay plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 1.1.0 to 2.7.13 via the show() function due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view other users' data, such as email address, name, and notes.
Affected versions
Min 1.1.0, max 2.7.13.
Status
vulnerable
Apr 14, 2025

Download Manager and Payment Form WordPress Plugin – WP SmartPay # CVE-2025-32689

CVE, Research URL

CVE-2025-32689

Date
-
Research Description
Download Manager and Payment Form WordPress Plugin – WP SmartPay [smartpay] <= 2.7.12 (unfixed + closed) CVE-2025-32689
Affected versions
max 2.7.12.
Status
vulnerable