Search

Find a vulnerability

Search criteria

    16 vulnerabilities by RedefiningTheWeb

    CVE-2025-64231 (GCVE-0-2025-64231)

    Vulnerability from nvd – Published: 2025-12-18 07:22 – Updated: 2026-04-28 16:14
    VLAI
    Title
    WordPress WordPress Contact Form 7 PDF, Google Sheet & Database plugin <= 3.0.0 - Arbitrary File Upload vulnerability
    Summary
    Unrestricted Upload of File with Dangerous Type vulnerability in RedefiningTheWeb WordPress Contact Form 7 PDF, Google Sheet & Database rtwwcfp-wordpress-contact-form-7-pdf allows Using Malicious Files.This issue affects WordPress Contact Form 7 PDF, Google Sheet & Database: from n/a through <= 3.0.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    References
    Impacted products
    Date Public
    2026-04-22 14:23
    Credits
    0xd4rk5id3 | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64231",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-18T14:32:23.979974Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-27T15:40:21.202Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://codecanyon.net",
              "defaultStatus": "unaffected",
              "packageName": "rtwwcfp-wordpress-contact-form-7-pdf",
              "product": "WordPress Contact Form 7 PDF, Google Sheet \u0026 Database",
              "vendor": "RedefiningTheWeb",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.1.0",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "0xd4rk5id3 | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-22T14:23:26.569Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Unrestricted Upload of File with Dangerous Type vulnerability in RedefiningTheWeb WordPress Contact Form 7 PDF, Google Sheet \u0026 Database rtwwcfp-wordpress-contact-form-7-pdf allows Using Malicious Files.\u003cp\u003eThis issue affects WordPress Contact Form 7 PDF, Google Sheet \u0026 Database: from n/a through \u003c= 3.0.0.\u003c/p\u003e"
                }
              ],
              "value": "Unrestricted Upload of File with Dangerous Type vulnerability in RedefiningTheWeb WordPress Contact Form 7 PDF, Google Sheet \u0026 Database rtwwcfp-wordpress-contact-form-7-pdf allows Using Malicious Files.This issue affects WordPress Contact Form 7 PDF, Google Sheet \u0026 Database: from n/a through \u003c= 3.0.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-17",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Using Malicious Files"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:14:11.320Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/rtwwcfp-wordpress-contact-form-7-pdf/vulnerability/wordpress-wordpress-contact-form-7-pdf-google-sheet-database-plugin-3-0-0-arbitrary-file-upload-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress WordPress Contact Form 7 PDF, Google Sheet \u0026 Database plugin \u003c= 3.0.0 - Arbitrary File Upload vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-64231",
        "datePublished": "2025-12-18T07:22:13.778Z",
        "dateReserved": "2025-10-29T03:08:07.244Z",
        "dateUpdated": "2026-04-28T16:14:11.320Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-48342 (GCVE-0-2025-48342)

    Vulnerability from nvd – Published: 2025-05-19 14:55 – Updated: 2026-04-28 16:12
    VLAI
    Title
    WordPress Dynamic Pricing & Discounts Lite for WooCommerce plugin <= 2.0.3 - Cross Site Request Forgery (CSRF) vulnerability
    Summary
    Cross-Site Request Forgery (CSRF) vulnerability in RedefiningTheWeb Dynamic Pricing & Discounts Lite for WooCommerce woo-dynamic-pricing-discounts-lite allows Cross Site Request Forgery.This issue affects Dynamic Pricing & Discounts Lite for WooCommerce: from n/a through <= 2.0.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Date Public
    2026-04-01 16:40
    Credits
    lucky_buddy | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48342",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-19T15:06:29.308371Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-19T15:15:39.024Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "woo-dynamic-pricing-discounts-lite",
              "product": "Dynamic Pricing \u0026 Discounts Lite for WooCommerce",
              "vendor": "RedefiningTheWeb",
              "versions": [
                {
                  "lessThanOrEqual": "2.0.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "lucky_buddy | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:40:38.339Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Cross-Site Request Forgery (CSRF) vulnerability in RedefiningTheWeb Dynamic Pricing \u0026 Discounts Lite for WooCommerce woo-dynamic-pricing-discounts-lite allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Dynamic Pricing \u0026 Discounts Lite for WooCommerce: from n/a through \u003c= 2.0.4.\u003c/p\u003e"
                }
              ],
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in RedefiningTheWeb Dynamic Pricing \u0026 Discounts Lite for WooCommerce woo-dynamic-pricing-discounts-lite allows Cross Site Request Forgery.This issue affects Dynamic Pricing \u0026 Discounts Lite for WooCommerce: from n/a through \u003c= 2.0.4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-62",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Cross Site Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:12:56.897Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/woo-dynamic-pricing-discounts-lite/vulnerability/wordpress-dynamic-pricing-discounts-lite-for-woocommerce-2-0-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress Dynamic Pricing \u0026 Discounts Lite for WooCommerce plugin \u003c= 2.0.3 - Cross Site Request Forgery (CSRF) vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-48342",
        "datePublished": "2025-05-19T14:55:22.665Z",
        "dateReserved": "2025-05-19T14:41:32.123Z",
        "dateUpdated": "2026-04-28T16:12:56.897Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-39518 (GCVE-0-2025-39518)

    Vulnerability from nvd – Published: 2025-04-16 12:45 – Updated: 2026-04-28 16:12
    VLAI
    Title
    WordPress BMA Lite plugin <= 1.4.2 - SQL Injection vulnerability
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RedefiningTheWeb BMA Lite bma-lite-appointment-booking-and-scheduling allows SQL Injection.This issue affects BMA Lite: from n/a through <= 1.4.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    RedefiningTheWeb BMA Lite Affected: 0 , ≤ 1.4.2 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:39
    Credits
    Pham Van Phuoc - VNPT Cyber Immunity | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-39518",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T13:25:34.318803Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T13:25:46.931Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "bma-lite-appointment-booking-and-scheduling",
              "product": "BMA Lite",
              "vendor": "RedefiningTheWeb",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.4.3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "1.4.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Pham Van Phuoc - VNPT Cyber Immunity | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:39:26.446Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in RedefiningTheWeb BMA Lite bma-lite-appointment-booking-and-scheduling allows SQL Injection.\u003cp\u003eThis issue affects BMA Lite: from n/a through \u003c= 1.4.2.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in RedefiningTheWeb BMA Lite bma-lite-appointment-booking-and-scheduling allows SQL Injection.This issue affects BMA Lite: from n/a through \u003c= 1.4.2."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-66",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:12:34.232Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/bma-lite-appointment-booking-and-scheduling/vulnerability/wordpress-bma-lite-1-4-2-sql-injection-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress BMA Lite plugin \u003c= 1.4.2 - SQL Injection vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-39518",
        "datePublished": "2025-04-16T12:45:50.853Z",
        "dateReserved": "2025-04-16T06:24:32.683Z",
        "dateUpdated": "2026-04-28T16:12:34.232Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-31850 (GCVE-0-2025-31850)

    Vulnerability from nvd – Published: 2025-04-01 14:51 – Updated: 2026-04-28 16:12
    VLAI
    Title
    WordPress PDF Generator Addon for Elementor Page Builder plugin <= 2.1.0 - Cross Site Scripting (XSS) vulnerability
    Summary
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder pdf-generator-addon-for-elementor-page-builder allows Stored XSS.This issue affects PDF Generator Addon for Elementor Page Builder: from n/a through <= 2.1.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Date Public
    2026-04-01 16:38
    Credits
    João Pedro S Alcântara (Kinorth) | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-31850",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-01T16:01:10.362645Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-01T16:01:17.506Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "pdf-generator-addon-for-elementor-page-builder",
              "product": "PDF Generator Addon for Elementor Page Builder",
              "vendor": "RedefiningTheWeb",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.2.0",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "2.1.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:38:03.768Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder pdf-generator-addon-for-elementor-page-builder allows Stored XSS.\u003cp\u003eThis issue affects PDF Generator Addon for Elementor Page Builder: from n/a through \u003c= 2.1.0.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder pdf-generator-addon-for-elementor-page-builder allows Stored XSS.This issue affects PDF Generator Addon for Elementor Page Builder: from n/a through \u003c= 2.1.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:12:14.264Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/pdf-generator-addon-for-elementor-page-builder/vulnerability/wordpress-pdf-generator-addon-for-elementor-page-builder-plugin-1-7-5-cross-site-scripting-xss-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress PDF Generator Addon for Elementor Page Builder plugin \u003c= 2.1.0 - Cross Site Scripting (XSS) vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-31850",
        "datePublished": "2025-04-01T14:51:59.841Z",
        "dateReserved": "2025-04-01T13:21:00.364Z",
        "dateUpdated": "2026-04-28T16:12:14.264Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-24569 (GCVE-0-2025-24569)

    Vulnerability from nvd – Published: 2025-02-03 14:22 – Updated: 2026-04-28 16:11
    VLAI
    Title
    WordPress PDF Generator Addon for Elementor Page Builder plugin <= 1.7.5 - Arbitrary File Read vulnerability
    Summary
    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder pdf-generator-addon-for-elementor-page-builder allows Path Traversal.This issue affects PDF Generator Addon for Elementor Page Builder: from n/a through <= 1.7.5.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    Impacted products
    Date Public
    2026-04-01 16:33
    Credits
    thiennv | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24569",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-03T16:23:43.810835Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-03T16:26:49.986Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "pdf-generator-addon-for-elementor-page-builder",
              "product": "PDF Generator Addon for Elementor Page Builder",
              "vendor": "RedefiningTheWeb",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.0.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "1.7.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "thiennv | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:33:58.362Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder pdf-generator-addon-for-elementor-page-builder allows Path Traversal.\u003cp\u003eThis issue affects PDF Generator Addon for Elementor Page Builder: from n/a through \u003c= 1.7.5.\u003c/p\u003e"
                }
              ],
              "value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder pdf-generator-addon-for-elementor-page-builder allows Path Traversal.This issue affects PDF Generator Addon for Elementor Page Builder: from n/a through \u003c= 1.7.5."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:11:28.667Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/pdf-generator-addon-for-elementor-page-builder/vulnerability/wordpress-pdf-generator-addon-for-elementor-page-builder-plugin-1-7-5-arbitrary-file-read-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress PDF Generator Addon for Elementor Page Builder plugin \u003c= 1.7.5 - Arbitrary File Read vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-24569",
        "datePublished": "2025-02-03T14:22:46.891Z",
        "dateReserved": "2025-01-23T14:50:32.998Z",
        "dateUpdated": "2026-04-28T16:11:28.667Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-9935 (GCVE-0-2024-9935)

    Vulnerability from nvd – Published: 2024-11-16 03:20 – Updated: 2026-04-08 16:46
    VLAI
    Title
    PDF Generator Addon for Elementor Page Builder <= 2.0.0 - Unauthenticated Arbitrary File Download
    Summary
    The PDF Generator Addon for Elementor Page Builder plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.0.0 via the rtw_pgaepb_dwnld_pdf() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-24569 may be a duplicate of this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    redefiningtheweb PDF Generator for WordPress Elementor Affected: 0 , ≤ 2.0.0 (semver)
    Create a notification for this product.
    redefiningtheweb pdf_generator_addon_for_elementor_page_builder Affected: 0 , ≤ 1.7.5 (custom)
        cpe:2.3:a:redefiningtheweb:pdf_generator_addon_for_elementor_page_builder:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Matthew Rollings
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:redefiningtheweb:pdf_generator_addon_for_elementor_page_builder:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "pdf_generator_addon_for_elementor_page_builder",
                "vendor": "redefiningtheweb",
                "versions": [
                  {
                    "lessThanOrEqual": "1.7.5",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-9935",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-18T15:42:43.697577Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-19T15:14:19.116Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PDF Generator for WordPress Elementor",
              "vendor": "redefiningtheweb",
              "versions": [
                {
                  "lessThanOrEqual": "2.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matthew Rollings"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The PDF Generator Addon for Elementor Page Builder plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.0.0 via the rtw_pgaepb_dwnld_pdf() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-24569 may be a duplicate of this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:46:11.801Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/36daf2af-1db3-4b35-8849-480212660b2f?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/pdf-generator-addon-for-elementor-page-builder/trunk/public/class-pdf-generator-addon-for-elementor-page-builder-public.php#L133"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3197343%40pdf-generator-addon-for-elementor-page-builder\u0026new=3197343%40pdf-generator-addon-for-elementor-page-builder\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-11-15T15:00:29.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "PDF Generator Addon for Elementor Page Builder \u003c= 2.0.0 - Unauthenticated Arbitrary File Download"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-9935",
        "datePublished": "2024-11-16T03:20:45.226Z",
        "dateReserved": "2024-10-14T13:28:12.183Z",
        "dateUpdated": "2026-04-08T16:46:11.801Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-50449 (GCVE-0-2024-50449)

    Vulnerability from nvd – Published: 2024-10-28 17:54 – Updated: 2026-05-11 21:18
    VLAI
    Title
    WordPress PDF Generator Addon for Elementor Page Builder plugin <= 1.7.4 - Cross Site Scripting (XSS) vulnerability
    Summary
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder pdf-generator-addon-for-elementor-page-builder allows Stored XSS.This issue affects PDF Generator Addon for Elementor Page Builder: from n/a through <= 1.7.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Date Public
    2026-04-01 16:28
    Credits
    João Pedro S Alcântara (Kinorth) | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-50449",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-28T20:01:22.475558Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T21:18:42.816Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "pdf-generator-addon-for-elementor-page-builder",
              "product": "PDF Generator Addon for Elementor Page Builder",
              "vendor": "RedefiningTheWeb",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.7.5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "1.7.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:28:46.068Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder pdf-generator-addon-for-elementor-page-builder allows Stored XSS.\u003cp\u003eThis issue affects PDF Generator Addon for Elementor Page Builder: from n/a through \u003c= 1.7.4.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder pdf-generator-addon-for-elementor-page-builder allows Stored XSS.This issue affects PDF Generator Addon for Elementor Page Builder: from n/a through \u003c= 1.7.4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:10:29.054Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/pdf-generator-addon-for-elementor-page-builder/vulnerability/wordpress-pdf-generator-addon-for-elementor-page-builder-plugin-1-7-4-cross-site-scripting-xss-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress PDF Generator Addon for Elementor Page Builder plugin \u003c= 1.7.4 - Cross Site Scripting (XSS) vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-50449",
        "datePublished": "2024-10-28T17:54:49.768Z",
        "dateReserved": "2024-10-24T07:26:07.770Z",
        "dateUpdated": "2026-05-11T21:18:42.816Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-9289 (GCVE-0-2024-9289)

    Vulnerability from nvd – Published: 2024-10-01 08:30 – Updated: 2026-04-08 17:31
    VLAI
    Title
    WordPress & WooCommerce Affiliate Program <= 8.4.1 - Authentication Bypass to Account Takeover and Privilege Escalation
    Summary
    The WordPress & WooCommerce Affiliate Program plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 8.4.1. This is due to the rtwwwap_login_request_callback() function not properly validating a user's identity prior to authenticating them to the site. This makes it possible for unauthenticated attackers to log in as any user, including administrators, granted they have access to the administrator's email.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
    Assigner
    Impacted products
    Vendor Product Version
    RedefiningTheWeb WordPress & WooCommerce Affiliate Program Affected: 0 , ≤ 8.4.1 (semver)
    Create a notification for this product.
    redefiningtheweb affiliate_pro Affected: 0 , ≤ 8.4.1 (custom)
        cpe:2.3:a:redefiningtheweb:affiliate_pro:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Tonn
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:redefiningtheweb:affiliate_pro:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "affiliate_pro",
                "vendor": "redefiningtheweb",
                "versions": [
                  {
                    "lessThanOrEqual": "8.4.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-9289",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-01T14:02:34.674930Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-01T14:27:13.343Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WordPress \u0026 WooCommerce Affiliate Program",
              "vendor": "RedefiningTheWeb",
              "versions": [
                {
                  "lessThanOrEqual": "8.4.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Tonn"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WordPress \u0026 WooCommerce Affiliate Program plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 8.4.1. This is due to the rtwwwap_login_request_callback() function not properly validating a user\u0027s identity prior to authenticating them to the site. This makes it possible for unauthenticated attackers to log in as any user, including administrators, granted they have access to the administrator\u0027s email."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-288",
                  "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:31:32.803Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ed19835f-2718-41d8-95af-47c8b9589529?source=cve"
            },
            {
              "url": "https://codecanyon.net/item/wordpress-woocommerce-affiliate-program/23580333"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-09-30T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WordPress \u0026 WooCommerce Affiliate Program \u003c= 8.4.1 - Authentication Bypass to Account Takeover and Privilege Escalation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-9289",
        "datePublished": "2024-10-01T08:30:19.607Z",
        "dateReserved": "2024-09-27T15:41:11.548Z",
        "dateUpdated": "2026-04-08T17:31:32.803Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-64231 (GCVE-0-2025-64231)

    Vulnerability from cvelistv5 – Published: 2025-12-18 07:22 – Updated: 2026-04-28 16:14
    VLAI
    Title
    WordPress WordPress Contact Form 7 PDF, Google Sheet & Database plugin <= 3.0.0 - Arbitrary File Upload vulnerability
    Summary
    Unrestricted Upload of File with Dangerous Type vulnerability in RedefiningTheWeb WordPress Contact Form 7 PDF, Google Sheet & Database rtwwcfp-wordpress-contact-form-7-pdf allows Using Malicious Files.This issue affects WordPress Contact Form 7 PDF, Google Sheet & Database: from n/a through <= 3.0.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    References
    Impacted products
    Date Public
    2026-04-22 14:23
    Credits
    0xd4rk5id3 | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64231",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-18T14:32:23.979974Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-27T15:40:21.202Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://codecanyon.net",
              "defaultStatus": "unaffected",
              "packageName": "rtwwcfp-wordpress-contact-form-7-pdf",
              "product": "WordPress Contact Form 7 PDF, Google Sheet \u0026 Database",
              "vendor": "RedefiningTheWeb",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.1.0",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "0xd4rk5id3 | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-22T14:23:26.569Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Unrestricted Upload of File with Dangerous Type vulnerability in RedefiningTheWeb WordPress Contact Form 7 PDF, Google Sheet \u0026 Database rtwwcfp-wordpress-contact-form-7-pdf allows Using Malicious Files.\u003cp\u003eThis issue affects WordPress Contact Form 7 PDF, Google Sheet \u0026 Database: from n/a through \u003c= 3.0.0.\u003c/p\u003e"
                }
              ],
              "value": "Unrestricted Upload of File with Dangerous Type vulnerability in RedefiningTheWeb WordPress Contact Form 7 PDF, Google Sheet \u0026 Database rtwwcfp-wordpress-contact-form-7-pdf allows Using Malicious Files.This issue affects WordPress Contact Form 7 PDF, Google Sheet \u0026 Database: from n/a through \u003c= 3.0.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-17",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Using Malicious Files"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:14:11.320Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/rtwwcfp-wordpress-contact-form-7-pdf/vulnerability/wordpress-wordpress-contact-form-7-pdf-google-sheet-database-plugin-3-0-0-arbitrary-file-upload-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress WordPress Contact Form 7 PDF, Google Sheet \u0026 Database plugin \u003c= 3.0.0 - Arbitrary File Upload vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-64231",
        "datePublished": "2025-12-18T07:22:13.778Z",
        "dateReserved": "2025-10-29T03:08:07.244Z",
        "dateUpdated": "2026-04-28T16:14:11.320Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-48342 (GCVE-0-2025-48342)

    Vulnerability from cvelistv5 – Published: 2025-05-19 14:55 – Updated: 2026-04-28 16:12
    VLAI
    Title
    WordPress Dynamic Pricing & Discounts Lite for WooCommerce plugin <= 2.0.3 - Cross Site Request Forgery (CSRF) vulnerability
    Summary
    Cross-Site Request Forgery (CSRF) vulnerability in RedefiningTheWeb Dynamic Pricing & Discounts Lite for WooCommerce woo-dynamic-pricing-discounts-lite allows Cross Site Request Forgery.This issue affects Dynamic Pricing & Discounts Lite for WooCommerce: from n/a through <= 2.0.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Date Public
    2026-04-01 16:40
    Credits
    lucky_buddy | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48342",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-19T15:06:29.308371Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-19T15:15:39.024Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "woo-dynamic-pricing-discounts-lite",
              "product": "Dynamic Pricing \u0026 Discounts Lite for WooCommerce",
              "vendor": "RedefiningTheWeb",
              "versions": [
                {
                  "lessThanOrEqual": "2.0.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "lucky_buddy | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:40:38.339Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Cross-Site Request Forgery (CSRF) vulnerability in RedefiningTheWeb Dynamic Pricing \u0026 Discounts Lite for WooCommerce woo-dynamic-pricing-discounts-lite allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Dynamic Pricing \u0026 Discounts Lite for WooCommerce: from n/a through \u003c= 2.0.4.\u003c/p\u003e"
                }
              ],
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in RedefiningTheWeb Dynamic Pricing \u0026 Discounts Lite for WooCommerce woo-dynamic-pricing-discounts-lite allows Cross Site Request Forgery.This issue affects Dynamic Pricing \u0026 Discounts Lite for WooCommerce: from n/a through \u003c= 2.0.4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-62",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Cross Site Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:12:56.897Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/woo-dynamic-pricing-discounts-lite/vulnerability/wordpress-dynamic-pricing-discounts-lite-for-woocommerce-2-0-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress Dynamic Pricing \u0026 Discounts Lite for WooCommerce plugin \u003c= 2.0.3 - Cross Site Request Forgery (CSRF) vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-48342",
        "datePublished": "2025-05-19T14:55:22.665Z",
        "dateReserved": "2025-05-19T14:41:32.123Z",
        "dateUpdated": "2026-04-28T16:12:56.897Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-39518 (GCVE-0-2025-39518)

    Vulnerability from cvelistv5 – Published: 2025-04-16 12:45 – Updated: 2026-04-28 16:12
    VLAI
    Title
    WordPress BMA Lite plugin <= 1.4.2 - SQL Injection vulnerability
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RedefiningTheWeb BMA Lite bma-lite-appointment-booking-and-scheduling allows SQL Injection.This issue affects BMA Lite: from n/a through <= 1.4.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    RedefiningTheWeb BMA Lite Affected: 0 , ≤ 1.4.2 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:39
    Credits
    Pham Van Phuoc - VNPT Cyber Immunity | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-39518",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T13:25:34.318803Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T13:25:46.931Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "bma-lite-appointment-booking-and-scheduling",
              "product": "BMA Lite",
              "vendor": "RedefiningTheWeb",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.4.3",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "1.4.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Pham Van Phuoc - VNPT Cyber Immunity | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:39:26.446Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in RedefiningTheWeb BMA Lite bma-lite-appointment-booking-and-scheduling allows SQL Injection.\u003cp\u003eThis issue affects BMA Lite: from n/a through \u003c= 1.4.2.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in RedefiningTheWeb BMA Lite bma-lite-appointment-booking-and-scheduling allows SQL Injection.This issue affects BMA Lite: from n/a through \u003c= 1.4.2."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-66",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:12:34.232Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/bma-lite-appointment-booking-and-scheduling/vulnerability/wordpress-bma-lite-1-4-2-sql-injection-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress BMA Lite plugin \u003c= 1.4.2 - SQL Injection vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-39518",
        "datePublished": "2025-04-16T12:45:50.853Z",
        "dateReserved": "2025-04-16T06:24:32.683Z",
        "dateUpdated": "2026-04-28T16:12:34.232Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-31850 (GCVE-0-2025-31850)

    Vulnerability from cvelistv5 – Published: 2025-04-01 14:51 – Updated: 2026-04-28 16:12
    VLAI
    Title
    WordPress PDF Generator Addon for Elementor Page Builder plugin <= 2.1.0 - Cross Site Scripting (XSS) vulnerability
    Summary
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder pdf-generator-addon-for-elementor-page-builder allows Stored XSS.This issue affects PDF Generator Addon for Elementor Page Builder: from n/a through <= 2.1.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Date Public
    2026-04-01 16:38
    Credits
    João Pedro S Alcântara (Kinorth) | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-31850",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-01T16:01:10.362645Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-01T16:01:17.506Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "pdf-generator-addon-for-elementor-page-builder",
              "product": "PDF Generator Addon for Elementor Page Builder",
              "vendor": "RedefiningTheWeb",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.2.0",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "2.1.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:38:03.768Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder pdf-generator-addon-for-elementor-page-builder allows Stored XSS.\u003cp\u003eThis issue affects PDF Generator Addon for Elementor Page Builder: from n/a through \u003c= 2.1.0.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder pdf-generator-addon-for-elementor-page-builder allows Stored XSS.This issue affects PDF Generator Addon for Elementor Page Builder: from n/a through \u003c= 2.1.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:12:14.264Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/pdf-generator-addon-for-elementor-page-builder/vulnerability/wordpress-pdf-generator-addon-for-elementor-page-builder-plugin-1-7-5-cross-site-scripting-xss-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress PDF Generator Addon for Elementor Page Builder plugin \u003c= 2.1.0 - Cross Site Scripting (XSS) vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-31850",
        "datePublished": "2025-04-01T14:51:59.841Z",
        "dateReserved": "2025-04-01T13:21:00.364Z",
        "dateUpdated": "2026-04-28T16:12:14.264Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-24569 (GCVE-0-2025-24569)

    Vulnerability from cvelistv5 – Published: 2025-02-03 14:22 – Updated: 2026-04-28 16:11
    VLAI
    Title
    WordPress PDF Generator Addon for Elementor Page Builder plugin <= 1.7.5 - Arbitrary File Read vulnerability
    Summary
    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder pdf-generator-addon-for-elementor-page-builder allows Path Traversal.This issue affects PDF Generator Addon for Elementor Page Builder: from n/a through <= 1.7.5.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    Impacted products
    Date Public
    2026-04-01 16:33
    Credits
    thiennv | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-24569",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-03T16:23:43.810835Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-03T16:26:49.986Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "pdf-generator-addon-for-elementor-page-builder",
              "product": "PDF Generator Addon for Elementor Page Builder",
              "vendor": "RedefiningTheWeb",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.0.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "1.7.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "thiennv | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:33:58.362Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder pdf-generator-addon-for-elementor-page-builder allows Path Traversal.\u003cp\u003eThis issue affects PDF Generator Addon for Elementor Page Builder: from n/a through \u003c= 1.7.5.\u003c/p\u003e"
                }
              ],
              "value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder pdf-generator-addon-for-elementor-page-builder allows Path Traversal.This issue affects PDF Generator Addon for Elementor Page Builder: from n/a through \u003c= 1.7.5."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:11:28.667Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/pdf-generator-addon-for-elementor-page-builder/vulnerability/wordpress-pdf-generator-addon-for-elementor-page-builder-plugin-1-7-5-arbitrary-file-read-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress PDF Generator Addon for Elementor Page Builder plugin \u003c= 1.7.5 - Arbitrary File Read vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-24569",
        "datePublished": "2025-02-03T14:22:46.891Z",
        "dateReserved": "2025-01-23T14:50:32.998Z",
        "dateUpdated": "2026-04-28T16:11:28.667Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-9935 (GCVE-0-2024-9935)

    Vulnerability from cvelistv5 – Published: 2024-11-16 03:20 – Updated: 2026-04-08 16:46
    VLAI
    Title
    PDF Generator Addon for Elementor Page Builder <= 2.0.0 - Unauthenticated Arbitrary File Download
    Summary
    The PDF Generator Addon for Elementor Page Builder plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.0.0 via the rtw_pgaepb_dwnld_pdf() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-24569 may be a duplicate of this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    redefiningtheweb PDF Generator for WordPress Elementor Affected: 0 , ≤ 2.0.0 (semver)
    Create a notification for this product.
    redefiningtheweb pdf_generator_addon_for_elementor_page_builder Affected: 0 , ≤ 1.7.5 (custom)
        cpe:2.3:a:redefiningtheweb:pdf_generator_addon_for_elementor_page_builder:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Matthew Rollings
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:redefiningtheweb:pdf_generator_addon_for_elementor_page_builder:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "pdf_generator_addon_for_elementor_page_builder",
                "vendor": "redefiningtheweb",
                "versions": [
                  {
                    "lessThanOrEqual": "1.7.5",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-9935",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-18T15:42:43.697577Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-19T15:14:19.116Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PDF Generator for WordPress Elementor",
              "vendor": "redefiningtheweb",
              "versions": [
                {
                  "lessThanOrEqual": "2.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matthew Rollings"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The PDF Generator Addon for Elementor Page Builder plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.0.0 via the rtw_pgaepb_dwnld_pdf() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-24569 may be a duplicate of this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:46:11.801Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/36daf2af-1db3-4b35-8849-480212660b2f?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/pdf-generator-addon-for-elementor-page-builder/trunk/public/class-pdf-generator-addon-for-elementor-page-builder-public.php#L133"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3197343%40pdf-generator-addon-for-elementor-page-builder\u0026new=3197343%40pdf-generator-addon-for-elementor-page-builder\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-11-15T15:00:29.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "PDF Generator Addon for Elementor Page Builder \u003c= 2.0.0 - Unauthenticated Arbitrary File Download"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-9935",
        "datePublished": "2024-11-16T03:20:45.226Z",
        "dateReserved": "2024-10-14T13:28:12.183Z",
        "dateUpdated": "2026-04-08T16:46:11.801Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-50449 (GCVE-0-2024-50449)

    Vulnerability from cvelistv5 – Published: 2024-10-28 17:54 – Updated: 2026-05-11 21:18
    VLAI
    Title
    WordPress PDF Generator Addon for Elementor Page Builder plugin <= 1.7.4 - Cross Site Scripting (XSS) vulnerability
    Summary
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder pdf-generator-addon-for-elementor-page-builder allows Stored XSS.This issue affects PDF Generator Addon for Elementor Page Builder: from n/a through <= 1.7.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Date Public
    2026-04-01 16:28
    Credits
    João Pedro S Alcântara (Kinorth) | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-50449",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-28T20:01:22.475558Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T21:18:42.816Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "pdf-generator-addon-for-elementor-page-builder",
              "product": "PDF Generator Addon for Elementor Page Builder",
              "vendor": "RedefiningTheWeb",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.7.5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "1.7.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:28:46.068Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder pdf-generator-addon-for-elementor-page-builder allows Stored XSS.\u003cp\u003eThis issue affects PDF Generator Addon for Elementor Page Builder: from n/a through \u003c= 1.7.4.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder pdf-generator-addon-for-elementor-page-builder allows Stored XSS.This issue affects PDF Generator Addon for Elementor Page Builder: from n/a through \u003c= 1.7.4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:10:29.054Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/pdf-generator-addon-for-elementor-page-builder/vulnerability/wordpress-pdf-generator-addon-for-elementor-page-builder-plugin-1-7-4-cross-site-scripting-xss-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress PDF Generator Addon for Elementor Page Builder plugin \u003c= 1.7.4 - Cross Site Scripting (XSS) vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-50449",
        "datePublished": "2024-10-28T17:54:49.768Z",
        "dateReserved": "2024-10-24T07:26:07.770Z",
        "dateUpdated": "2026-05-11T21:18:42.816Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-9289 (GCVE-0-2024-9289)

    Vulnerability from cvelistv5 – Published: 2024-10-01 08:30 – Updated: 2026-04-08 17:31
    VLAI
    Title
    WordPress & WooCommerce Affiliate Program <= 8.4.1 - Authentication Bypass to Account Takeover and Privilege Escalation
    Summary
    The WordPress & WooCommerce Affiliate Program plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 8.4.1. This is due to the rtwwwap_login_request_callback() function not properly validating a user's identity prior to authenticating them to the site. This makes it possible for unauthenticated attackers to log in as any user, including administrators, granted they have access to the administrator's email.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
    Assigner
    Impacted products
    Vendor Product Version
    RedefiningTheWeb WordPress & WooCommerce Affiliate Program Affected: 0 , ≤ 8.4.1 (semver)
    Create a notification for this product.
    redefiningtheweb affiliate_pro Affected: 0 , ≤ 8.4.1 (custom)
        cpe:2.3:a:redefiningtheweb:affiliate_pro:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Tonn
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:redefiningtheweb:affiliate_pro:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "affiliate_pro",
                "vendor": "redefiningtheweb",
                "versions": [
                  {
                    "lessThanOrEqual": "8.4.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-9289",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-01T14:02:34.674930Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-01T14:27:13.343Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WordPress \u0026 WooCommerce Affiliate Program",
              "vendor": "RedefiningTheWeb",
              "versions": [
                {
                  "lessThanOrEqual": "8.4.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Tonn"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WordPress \u0026 WooCommerce Affiliate Program plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 8.4.1. This is due to the rtwwwap_login_request_callback() function not properly validating a user\u0027s identity prior to authenticating them to the site. This makes it possible for unauthenticated attackers to log in as any user, including administrators, granted they have access to the administrator\u0027s email."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-288",
                  "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:31:32.803Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ed19835f-2718-41d8-95af-47c8b9589529?source=cve"
            },
            {
              "url": "https://codecanyon.net/item/wordpress-woocommerce-affiliate-program/23580333"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-09-30T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WordPress \u0026 WooCommerce Affiliate Program \u003c= 8.4.1 - Authentication Bypass to Account Takeover and Privilege Escalation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-9289",
        "datePublished": "2024-10-01T08:30:19.607Z",
        "dateReserved": "2024-09-27T15:41:11.548Z",
        "dateUpdated": "2026-04-08T17:31:32.803Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }