Convertplug
by WordPress
CVEs (5)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-3240 | Hig | 0.57 | 8.8 | 0.01 | May 4, 2024 | The ConvertPlug plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.25 via deserialization of untrusted input from the 'settings_encoded' attribute of the 'smile_info_bar' shortcode. This makes it possible for authenticated… | ||
| CVE-2024-13800 | Hig | 0.53 | 8.1 | 0.00 | Feb 12, 2025 | The ConvertPlus plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'cp_dismiss_notice' AJAX endpoint in all versions up to, and including, 3.5.30. This makes it possible for… | ||
| CVE-2024-4838 | Hig | 0.49 | 7.5 | 0.01 | May 16, 2024 | The ConvertPlus plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.26 via deserialization of untrusted input from the 'settings_encoded' attribute of the 'smile_modal' shortcode. This makes it possible for authenticated… | ||
| CVE-2019-15863 | Hig | 0.49 | 7.5 | 0.02 | Sep 3, 2019 | The ConvertPlus plugin before 3.4.5 for WordPress has an unintended account creation (with the none role) via a request for variants. | ||
| CVE-2024-3237 | Med | 0.35 | 5.4 | 0.00 | May 4, 2024 | The ConvertPlug plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cp_dismiss_notice() function in all versions up to, and including, 3.5.25. This makes it possible for authenticated attackers, with subscriber-level… |
- risk 0.57cvss 8.8epss 0.01
The ConvertPlug plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.25 via deserialization of untrusted input from the 'settings_encoded' attribute of the 'smile_info_bar' shortcode. This makes it possible for authenticated…
- risk 0.53cvss 8.1epss 0.00
The ConvertPlus plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'cp_dismiss_notice' AJAX endpoint in all versions up to, and including, 3.5.30. This makes it possible for…
- risk 0.49cvss 7.5epss 0.01
The ConvertPlus plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.26 via deserialization of untrusted input from the 'settings_encoded' attribute of the 'smile_modal' shortcode. This makes it possible for authenticated…
- risk 0.49cvss 7.5epss 0.02
The ConvertPlus plugin before 3.4.5 for WordPress has an unintended account creation (with the none role) via a request for variants.
- risk 0.35cvss 5.4epss 0.00
The ConvertPlug plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cp_dismiss_notice() function in all versions up to, and including, 3.5.25. This makes it possible for authenticated attackers, with subscriber-level…