Unrated severityNVD Advisory· Published Oct 16, 2024· Updated Apr 8, 2026

ShopWP <= 2.0.4 - Missing Authorization to Stored Cross-Site Scripting

CVE-2019-25214

Description

The ShopWP plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several REST API routes in versions up to, and including, 2.0.4. This makes it possible for unauthenticated attackers to call the endpoints and perform unauthorized actions such as updating the plugin's settings and injecting malicious scripts.

Affected products

Andrewmrobbins/Shopwpv5
Range: 0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changesetmitre
www.wordfence.com/threat-intel/vulnerabilities/id/d04f11b4-ee58-428b-aaa2-dc7d9f3e68e3mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000