VYPR

String Locator

by WordPress

CVEs (4)

  • CVE-2022-2434HigSep 6, 2022
    risk 0.58cvss 8.8epss 0.01

    The String Locator plugin for WordPress is vulnerable to deserialization of untrusted input via the 'string-locator-path' parameter in versions up to, and including 2.5.0. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick…

  • CVE-2024-10936Jan 21, 2025
    risk 0.00cvss epss 0.01

    The String locator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP…

  • CVE-2023-6987Aug 24, 2024
    risk 0.00cvss epss 0.00

    The String locator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'sql-column' parameter in all versions up to, and including, 2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to…

  • CVE-2022-0493Mar 28, 2022
    risk 0.00cvss epss 0.01

    The String locator WordPress plugin before 2.5.0 does not properly validate the path of the files to be searched, allowing high privilege users such as admin to query arbitrary files on the web server via a path traversal vector. Furthermore, due to a flaw in the search,…