cleantalk
Vulnerabilities and Security Researches

SecuPress Free — WordPress Security, CVE-2024-9019

CVE, Research URL

CVE-2024-9019

Home page URL

Security reports for SecuPress Free — WordPress Security

Application

SecuPress Free — WordPress Security

Published on
Feb 28, 2025
Research Description
The SecuPress Free — WordPress Security plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's secupress_check_ban_ips_form shortcode in all versions up to, and including, 2.2.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
Min -, max 2.3.
Status
vulnerable
Previous vulnerability researches
SecuPress Free — WordPress Security (CVE-2025-30907) , Apr 03, 2025
SecuPress Free — WordPress Security (CVE-2024-1504) , Jun 07, 2024
SecuPress Free — WordPress Security (bec7d275dc66a21d2b0257e900e50f83e62446c1) , Jun 07, 2024
SecuPress Free — WordPress Security (CVE-2025-3452) , Apr 30, 2025
SecuPress Free — WordPress Security (CVE-2024-43228) , Mar 15, 2025
New vulnerability
Admin and Site Enhancements (ASE) (CVE-2024-13688) , Apr 30, 2025
WordPress Simple Shopping Cart (CVE-2025-3529) , Apr 30, 2025
SecuPress Free — WordPress Security (CVE-2025-3452) , Apr 30, 2025
Gutenverse – Gutenberg Blocks – Page Builder for Site Editor (CVE-2025-2893) , Apr 30, 2025
My Tickets (CVE-2025-3761) , Apr 29, 2025