Publishpress Authors

Source repositories

https://plugins.svn.wordpress.org/publishpress-authors/

CVEs (5)

CVE	Sev	Risk	CVSS	Published	Description
CVE-2024-9215	Hig	0.57	8.8	Oct 17, 2024	The Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors plugin for WordPress is vulnerable to Insecure Direct Object Reference to Privilege Escalation/Account Takeover in all versions up to, and including, 4.7.1 via the action_edited_author() due to missing validation on the 'authors-user_id' user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to update arbitrary user accounts email addresses, including administrators, which can then be leveraged to reset that user's account password and gain access.
CVE-2026-25309	Hig	0.49	7.5	Mar 25, 2026	Missing Authorization vulnerability in PublishPress PublishPress Authors publishpress-authors allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PublishPress Authors: from n/a through <= 4.10.1.
CVE-2025-47496	Hig	0.49	7.5	May 7, 2025	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PublishPress PublishPress Authors publishpress-authors allows PHP Local File Inclusion.This issue affects PublishPress Authors: from n/a through <= 4.7.5.
CVE-2025-26886	Hig	0.49	7.6	Mar 15, 2025	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PublishPress PublishPress Authors publishpress-authors allows SQL Injection.This issue affects PublishPress Authors: from n/a through <= 4.7.3.
CVE-2026-25330	Med	0.28	4.3	Feb 19, 2026	Missing Authorization vulnerability in PublishPress PublishPress Authors publishpress-authors allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PublishPress Authors: from n/a through <= 4.10.1.

CVE-2024-9215HigOct 17, 2024
risk 0.57cvss 8.8epss 0.00
The Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors plugin for WordPress is vulnerable to Insecure Direct Object Reference to Privilege Escalation/Account Takeover in all versions up to, and including, 4.7.1 via the action_edited_author() due to missing validation on the 'authors-user_id' user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to update arbitrary user accounts email addresses, including administrators, which can then be leveraged to reset that user's account password and gain access.
CVE-2026-25309HigMar 25, 2026
risk 0.49cvss 7.5epss 0.00
Missing Authorization vulnerability in PublishPress PublishPress Authors publishpress-authors allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PublishPress Authors: from n/a through <= 4.10.1.
CVE-2025-47496HigMay 7, 2025
risk 0.49cvss 7.5epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PublishPress PublishPress Authors publishpress-authors allows PHP Local File Inclusion.This issue affects PublishPress Authors: from n/a through <= 4.7.5.
CVE-2025-26886HigMar 15, 2025
risk 0.49cvss 7.6epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PublishPress PublishPress Authors publishpress-authors allows SQL Injection.This issue affects PublishPress Authors: from n/a through <= 4.7.3.
CVE-2026-25330MedFeb 19, 2026
risk 0.28cvss 4.3epss 0.00
Missing Authorization vulnerability in PublishPress PublishPress Authors publishpress-authors allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PublishPress Authors: from n/a through <= 4.10.1.