Sudo-WP

6 exploits, active since Feb 2021
CVE-2025-13543 NOMISEC HIGH WRITEUP
PostGallery plugin <1.12.5 - File Upload
The PostGallery plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'PostGalleryUploader' class functions in all versions up to, and including, 1.12.5. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS 8.8
CVE-2025-69015 NOMISEC LOW WRITEUP
Automattic Crowdsignal Forms <1.7.3 - Info Disclosure
Missing Authorization vulnerability in Automattic Crowdsignal Forms (crowdsignal-forms) allows exploiting incorrectly configured access control security levels. This issue affects Crowdsignal Forms: from n/a through <= 1.7.2.
CVSS 3.8
CVE-2024-5153 NOMISEC CRITICAL WORKING POC
Startklar Elementor Addons <1.7.15 - Path Traversal
The Startklar Elementor Addons plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.7.15 via the 'dropzone_hash' parameter. This makes it possible for unauthenticated attackers to copy the contents of arbitrary files on the server, which can contain sensitive information, and to delete arbitrary directories, including the root WordPress directory.
CVSS 9.1
CVE-2024-6297 NOMISEC CRITICAL WORKING POC
WordPress Plugins - RCE
Several plugins for WordPress hosted on WordPress.org have been compromised and injected with malicious PHP scripts. A malicious threat actor compromised the source code of various plugins and injected code that exfiltrates database credentials and is used to create new, malicious, administrator users and send that data back to a server. Currently, not all plugins have been patched and we strongly recommend uninstalling the plugins for the time being and running a complete malware scan.
CVSS 10.0
CVE-2022-4782 NOMISEC MEDIUM WRITEUP
Clickfunnels < 3.1.1 - XSS
The ClickFunnels WordPress plugin through 3.1.1 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks.
CVSS 5.4
CVE-2021-21311 NOMISEC HIGH WRITEUP
Adminer < 4.7.9 - SSRF
Adminer is an open-source database management tool in a single PHP file. In Adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9.
CVSS 7.2