cleantalk
Vulnerabilities and Security Researches

WP Debugging, 939b6f2f-1e62-4a32-bcb7-2e0a340f6cc6

CVE, Research URL

939b6f2f-1e62-4a32-bcb7-2e0a340f6cc6

Home page URL

Security reports for WP Debugging

Application

WP Debugging

Published on
-
Research Description
WP Debugging [wp-debugging] < 2.11.7 WP Dependency Installer &lt; 4.3.1 - Subscriber+ Arbitrary Plugin Activation The wp-dependency-installer library, used in the plugins does not have authorisation and CSRF checks in its dependency_installer AJAX action with the activate method, allowing any authenticated users, such as subscriber to activate arbitrary plugin installed on the blog. Furthermore, despite having a capability check, the install method was missing any CSRF which could allow attackers to make a logged in admin install plugins defined in the wp-dependencies.json via a CSRF attack.
Affected versions
max 2.11.7.
Status
vulnerable
Previous vulnerability researches
MapifyLite (by MapifyPro) (e5bfd53d-0d9a-42f2-8af8-5bb710bac828) , Jun 16, 2026
MapifyLite (by MapifyPro) (6be590d56cf666ad67a6e008b71242e607d966ea) , Jun 16, 2026
MapifyLite (by MapifyPro) (d7a357e358b4eb001b41f84d3531981914480734) , Jun 07, 2024
New vulnerability
leenk.me (753d31765913b4d2dbb8af0a5512e5f1f8c70c61) , Jun 16, 2026
Social Hashtags (5abd4657-8a58-4d97-b8cb-b67235ab5b8a) , Jun 16, 2026
Social Hashtags (1965c7b04565befbb11c28b56cb6922733a47b03) , Jun 16, 2026
Social Hashtags (a7cf6766582e354e702766a86f85716127d19bdc) , Jun 16, 2026
Simple Calendar &#8211; Google Calendar Plugin (e98a6264-9c5a-417f-b2f8-bd0017b411a0) , Jun 16, 2026