cleantalk
Vulnerabilities and Security Researches

Earnware Connect, CVE-2025-7651

CVE, Research URL

CVE-2025-7651

Home page URL

Security reports for Earnware Connect

Application

Earnware Connect

Published on
Aug 16, 2025
Research Description
The Earnware Connect plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ew_hasrole' shortcode in all versions up to, and including, 1.0.73 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
Min -, max 1.0.73.
Status
vulnerable
Previous vulnerability researches
Team 118GROUP Agent (CVE-2025-23512) , Jan 21, 2025
Luzuk Team (CVE-2024-51871) , Nov 12, 2024
OS Our Team (CVE-2024-52341) , Nov 12, 2024
Inpersttion For Theme (CVE-2025-8905) , Aug 16, 2025
Team Showcase and Slider – Team Members Builder (CVE-2024-51763) , Nov 08, 2024
New vulnerability
Injection Guard (CVE-2025-8046) , Aug 16, 2025
WP Statistics (CVE-2025-55716) , Aug 16, 2025
Google Reviews WordPress Plugin (Widget to add and display reviews) (CVE-2025-54730) , Aug 16, 2025
Billplz Addon for Contact Form 7 (CVE-2025-31007) , Aug 16, 2025
Time Sheets (CVE-2025-49054) , Aug 16, 2025