Connections
by WordPress
CVEs (5)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-12885 | Med | 0.42 | 6.5 | 0.00 | | Jan 25, 2025 | The Connections Business Directory plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation when deleting a connections image directory in all versions up to, and including, 10.4.66. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary folders on the server and all their content. |
| CVE-2026-21789 | Med | 0.30 | 4.6 | — | | May 18, 2026 | HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to update data in certain scenarios. |
| CVE-2026-21788 | | 0.00 | — | 0.00 | | Mar 19, 2026 | HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user, which leads to executing malicious script code. This may allow the attacker to steal cookie-based authentication credentials and compromise the user's account, then launch other attacks. |
| CVE-2025-52603 | | 0.00 | — | 0.00 | | Feb 20, 2026 | HCL Connections is vulnerable to information disclosure. In a very specific user navigation scenario, this could allow a user to obtain limited information when a single piece of internal metadata is returned in the browser. |
| CVE-2025-52639 | | 0.00 | — | 0.00 | | Nov 18, 2025 | HCL Connections is vulnerable to a sensitive information disclosure vulnerability which could allow a user to obtain sensitive information they are not entitled to, caused by improper rendering of application data. |