Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities by wpmessiah
CVE-2026-0807 (GCVE-0-2026-0807)
Vulnerability from cvelistv5 – Published: 2026-01-24 07:26 – Updated: 2026-04-08 16:45
VLAI?
Title
Frontis Blocks <= 1.1.6 - Unauthenticated Server-Side Request Forgery via 'url' Parameter
Summary
The Frontis Blocks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.1.6. This is due to insufficient restriction on the 'url' parameter in the 'template_proxy' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application via the '/template-proxy/' and '/proxy-image/' endpoint.
Severity ?
7.2 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpmessiah | Frontis Blocks — Block Library for the Block Editor |
Affected:
0 , ≤ 1.1.6
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0807",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-26T15:34:03.787859Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T15:45:39.333Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Frontis Blocks \u2014 Block Library for the Block Editor",
"vendor": "wpmessiah",
"versions": [
{
"lessThanOrEqual": "1.1.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Itthidej Aramsri"
},
{
"lang": "en",
"type": "finder",
"value": "Vilaysone CHANTHAVONG"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Frontis Blocks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.1.6. This is due to insufficient restriction on the \u0027url\u0027 parameter in the \u0027template_proxy\u0027 function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application via the \u0027/template-proxy/\u0027 and \u0027/proxy-image/\u0027 endpoint."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:45:16.150Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/322e0a27-9119-4b46-a043-d3a68c4fcdc4?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/frontis-blocks/trunk/includes/Admin/Admin.php#L910"
},
{
"url": "https://plugins.trac.wordpress.org/browser/frontis-blocks/tags/1.1.4/includes/Admin/Admin.php#L910"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3444616/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-23T19:20:45.000Z",
"value": "Disclosed"
}
],
"title": "Frontis Blocks \u003c= 1.1.6 - Unauthenticated Server-Side Request Forgery via \u0027url\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0807",
"datePublished": "2026-01-24T07:26:41.330Z",
"dateReserved": "2026-01-09T14:24:31.880Z",
"dateUpdated": "2026-04-08T16:45:16.150Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-12177 (GCVE-0-2024-12177)
Vulnerability from cvelistv5 – Published: 2025-01-30 13:42 – Updated: 2026-04-08 17:06
VLAI?
Title
Ai Image Alt Text Generator for WP <= 1.0.6 - Reflected Cross-Site Scripting
Summary
The Ai Image Alt Text Generator for WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpmessiah | Ai Image Alt Text Generator for WP |
Affected:
0 , ≤ 1.0.6
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12177",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-30T14:39:30.348236Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-30T14:39:33.322Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Ai Image Alt Text Generator for WP",
"vendor": "wpmessiah",
"versions": [
{
"lessThanOrEqual": "1.0.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "vgo0"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Ai Image Alt Text Generator for WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u0027page\u0027 parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:06:44.822Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/902ec583-c072-4c6d-8250-ad08d7ecf239?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ai-image-alt-text-generator-for-wp/tags/1.0.2/includes/class-boomdevs-ai-image-alt-text-generator-custom-menu.php#L218"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3230467/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-30T00:50:08.000Z",
"value": "Disclosed"
}
],
"title": "Ai Image Alt Text Generator for WP \u003c= 1.0.6 - Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12177",
"datePublished": "2025-01-30T13:42:05.040Z",
"dateReserved": "2024-12-04T16:17:03.609Z",
"dateUpdated": "2026-04-08T17:06:44.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-12269 (GCVE-0-2024-12269)
Vulnerability from cvelistv5 – Published: 2025-01-30 13:41 – Updated: 2026-04-08 16:52
VLAI?
Title
Safe Ai Malware Protection for WP <= 1.0.17 - Missing Authorization to Unauthenticated Database Export
Summary
The Safe Ai Malware Protection for WP plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_db() function in all versions up to, and including, 1.0.17. This makes it possible for unauthenticated attackers to retrieve a complete dump of the site's database.
Severity ?
7.5 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpmessiah | Safe Ai Malware Protection for WP |
Affected:
0 , ≤ 1.0.17
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12269",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-30T14:52:17.660776Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-30T14:52:23.204Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Safe Ai Malware Protection for WP",
"vendor": "wpmessiah",
"versions": [
{
"lessThanOrEqual": "1.0.17",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tieu Pham Trong Nhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Safe Ai Malware Protection for WP plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_db() function in all versions up to, and including, 1.0.17. This makes it possible for unauthenticated attackers to retrieve a complete dump of the site\u0027s database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:52:47.076Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5247bf43-ae02-47cb-825e-23821b78eba9?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/safe-ai-malware-protection-for-wp/trunk/includes/class-mvsp-export-db.php#L7"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3232957%40safe-ai-malware-protection-for-wp\u0026new=3232957%40safe-ai-malware-protection-for-wp\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-30T00:29:51.000Z",
"value": "Disclosed"
}
],
"title": "Safe Ai Malware Protection for WP \u003c= 1.0.17 - Missing Authorization to Unauthenticated Database Export"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12269",
"datePublished": "2025-01-30T13:41:58.042Z",
"dateReserved": "2024-12-05T17:34:26.308Z",
"dateUpdated": "2026-04-08T16:52:47.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-5204 (GCVE-0-2024-5204)
Vulnerability from cvelistv5 – Published: 2024-05-29 02:00 – Updated: 2026-04-08 17:13
VLAI?
Title
Swiss Toolkit For WP <= 1.0.7 - Authenticated (Contributor+) Authentication Bypass
Summary
The Swiss Toolkit For WP plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.0.7. This is due to the plugin storing custom data in post metadata without an underscore prefix. This makes it possible for authenticated attackers with contributor-level and above permissions to log in as any existing user on the site, such as an administrator.
Severity ?
8.8 (High)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpmessiah | Swiss Toolkit For WP |
Affected:
0 , ≤ 1.0.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:boomdevs:swiss_toolkit:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "swiss_toolkit",
"vendor": "boomdevs",
"versions": [
{
"lessThanOrEqual": "1.0.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5204",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-29T14:55:33.944556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:02:11.593Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:03:10.987Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a8526106-847a-420f-9275-f759a8dd4dfb?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/swiss-toolkit-for-wp/trunk/includes/plugins/class-boomdevs-swiss-toolkit-generate-login-url.php?rev=3077000#L50"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3091913/swiss-toolkit-for-wp"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Swiss Toolkit For WP",
"vendor": "wpmessiah",
"versions": [
{
"lessThanOrEqual": "1.0.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Swiss Toolkit For WP plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.0.7. This is due to the plugin storing custom data in post metadata without an underscore prefix. This makes it possible for authenticated attackers with contributor-level and above permissions to log in as any existing user on the site, such as an administrator."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:13:51.659Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a8526106-847a-420f-9275-f759a8dd4dfb?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/swiss-toolkit-for-wp/trunk/includes/plugins/class-boomdevs-swiss-toolkit-generate-login-url.php?rev=3077000#L50"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3091913/swiss-toolkit-for-wp"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-22T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2024-05-22T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-05-28T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Swiss Toolkit For WP \u003c= 1.0.7 - Authenticated (Contributor+) Authentication Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-5204",
"datePublished": "2024-05-29T02:00:35.975Z",
"dateReserved": "2024-05-22T15:35:54.927Z",
"dateUpdated": "2026-04-08T17:13:51.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}