RootHarpy

7 exploits Active since Feb 2025
CVE-2025-2539 NOMISEC HIGH WORKING POC
File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated Arbitrary File Read
The File Away plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers, leveraging the use of a reversible weak algorithm, to read the contents of arbitrary files on the server, which can contain sensitive information.
2 stars
CVSS 7.5
CVE-2025-5287 NOMISEC HIGH WORKING POC
Likes and Dislikes Plugin <1.0.0 - SQL Injection
The Likes and Dislikes Plugin plugin for WordPress is vulnerable to SQL Injection via the 'post' parameter in all versions up to, and including, 1.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
1 stars
CVSS 7.5
CVE-2025-25163 NOMISEC HIGH SCANNER
Zach Swetz Plugin A/B Image Optimizer <3.3 - Path Traversal
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Zach Swetz Plugin A/B Image Optimizer images-optimizer allows Path Traversal.This issue affects Plugin A/B Image Optimizer: from n/a through <= 3.3.
1 stars
CVSS 7.5
CVE-2025-39459 NOMISEC HIGH SCANNER
Contempo Themes Real Estate <3.5.2 - Privilege Escalation
Incorrect Privilege Assignment vulnerability in contempoinc Real Estate 7 realestate-7 allows Privilege Escalation.This issue affects Real Estate 7: from n/a through <= 3.5.2.
CVSS 7.3
CVE-2025-47646 NOMISEC CRITICAL WORKING POC
Gilblas Ngunte Possi PSW Front-end Login & Registration <1.13 - Inf...
Weak Password Recovery Mechanism for Forgotten Password vulnerability in Gilblas Ngunte Possi PSW Front-end Login & Registration psw-login-and-registration allows Password Recovery Exploitation.This issue affects PSW Front-end Login & Registration: from n/a through <= 1.13.
CVSS 9.8
CVE-2025-5815 NOMISEC MEDIUM SCANNER
WordPress Traffic Monitor <3.2.2 - Info Disclosure
The Traffic Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tfcm_maybe_set_bot_flags() function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to disabled bot logging.
CVSS 5.3
CVE-2025-14172 NOMISEC MEDIUM SCANNER
WP Page Permalink Extension <1.5.4 - Auth Bypass
The WP Page Permalink Extension plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.4. This is due to missing authorization checks on the `cwpp_trigger_flush_rewrite_rules` function hooked to `wp_ajax_cwpp_trigger_flush_rewrite_rules`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to flush the site's rewrite rules via the `action` parameter.
CVSS 6.5