Xtendify Woffice vulnerabilities
9 known vulnerabilities affecting xtendify/woffice.
Total CVEs: 9
CISA KEV: 0
Public exploits: 0
Exploited in wild: 2
Severity breakdown: CRITICAL 4, HIGH 2, MEDIUM 3
Vulnerabilities
CVE-2024-43153 | P1 | CRITICAL | CVSS 9.8 | Exploited | fixed in 5.4.12 | 2024-08-13
CWE-266: Incorrect Privilege Assignment vulnerability in WofficeIO Woffice woffice. This issue affects Woffice: from n/a through <= 5.4.10.
nvd
CVE-2024-37472 | P2 | MEDIUM | CVSS 6.1 | Exploited | fixed in 5.4.9 | 2024-07-04
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WofficeIO Woffice woffice. This issue affects Woffice: from n/a through <= 5.4.8.
nvd
CVE-2025-2798 | P2 | CRITICAL | CVSS 9.8 | fixed in 5.4.22 | 2025-04-04
The Woffice CRM theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.4.21. This is due to a misconfiguration of excluded roles during registration. This makes it possible for unauthenticated attackers to register with an Administrator role if a custom login form is being used. This can be combined with CVE-2025-
nvd
CVE-2024-43234 | P2 | CRITICAL | CVSS 9.8 | fixed in 5.4.15 | 2024-12-16
CWE-288: Authentication Bypass Using an Alternate Path or Channel vulnerability in WofficeIO Woffice woffice allows Authentication Bypass. This issue affects Woffice: from n/a through <= 5.4.14.
nvd
CVE-2025-2780 | P2 | HIGH | CVSS 8.8 | fixed in 5.4.22 | 2025-04-04
CWE-434: The Woffice Core plugin for WordPress, used by the Woffice Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'saveFeaturedImage' function in all versions up to, and including, 5.4.21. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affect
nvd
CVE-2025-7694 | P3 | HIGH | CVSS 7.5 | fixed in 5.4.27 | 2025-08-02
CWE-22: The Woffice Core plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the woffice_file_manager_delete() function in all versions up to, and including, 5.4.26. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can
nvd
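The entry above describes a delete handler that does not validate the file path it is given (CWE-22). The block below is an added example, not Woffice code, of the containment check such an endpoint needs: the user-supplied name is resolved under the upload root with realpath on both sides, so neither `..` segments nor a symlink planted inside the root can point the delete at a file outside it. The function names (resolve_inside, delete_upload, run_demo) are hypothetical, and the sandbox files it works on are constructed in a temporary directory.

```python
"""Containment check for a file-deletion endpoint (CWE-22 pattern).

Added example, not Woffice code. resolve_inside, delete_upload and run_demo
are hypothetical names; the files used by run_demo are constructed in a
temporary directory, not taken from a real site.
"""
import os
import shutil
import tempfile


class PathEscape(ValueError):
    """Raised when a user-supplied name would resolve outside the allowed root."""


def resolve_inside(root, user_path):
    """Return the real path of user_path under root, or raise PathEscape.

    Both sides go through realpath so '..' segments and symlinks planted
    inside the root cannot redirect the delete to a file outside it.
    Absolute input is rejected outright: the endpoint only names files
    relative to the upload directory.
    """
    if not user_path or os.path.isabs(user_path):
        raise PathEscape(f"absolute or empty path not allowed: {user_path!r}")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    # commonpath, not startswith: '/srv/uploads' must not match '/srv/uploads-old'
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathEscape(f"{user_path!r} resolves to {candidate!r}, outside {root_real!r}")
    return candidate


def delete_upload(root, user_path):
    """Delete a regular file under root; raise PathEscape or FileNotFoundError."""
    target = resolve_inside(root, user_path)
    if not os.path.isfile(target):
        raise FileNotFoundError(target)
    os.remove(target)
    return target


def run_demo():
    """Exercise delete_upload against constructed inputs and return the outcomes."""
    base = tempfile.mkdtemp(prefix="woffice-demo-")
    uploads = os.path.join(base, "uploads")
    os.makedirs(uploads)
    secret = os.path.join(base, "wp-config.php")  # stand-in for a file outside uploads
    with open(secret, "w") as fh:
        fh.write("<?php // constructed stand-in, not a real config\n")
    with open(os.path.join(uploads, "report.pdf"), "w") as fh:
        fh.write("constructed upload\n")
    try:
        os.symlink(secret, os.path.join(uploads, "link"))  # symlink planted inside the root
    except OSError:
        pass  # platforms without symlink support: 'link' simply will not exist
    attempts = [
        "report.pdf",               # legitimate name inside the root
        "../wp-config.php",         # classic traversal
        "sub/../../wp-config.php",  # traversal through a non-existent subdirectory
        "/etc/passwd",              # absolute path
        "link",                     # symlink whose target is outside the root
        "missing.txt",              # inside the root but absent
    ]
    outcomes = {}
    for name in attempts:
        try:
            delete_upload(uploads, name)
            outcomes[name] = "deleted"
        except PathEscape:
            outcomes[name] = "rejected"
        except FileNotFoundError:
            outcomes[name] = "absent"
    outcomes["secret_intact"] = os.path.exists(secret)
    shutil.rmtree(base)
    return outcomes


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:28} {value}")
```

Only `report.pdf` is removed; every traversal, absolute-path and symlink attempt is rejected before any filesystem call, and the stand-in config file outside the root survives. The capability check (which role may delete at all) is a separate control and is not shown here.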
CVE-2024-37470 | P3 | CRITICAL | CVSS 9.8 | fixed in 5.4.9 | 2024-11-01
CWE-862: Missing Authorization vulnerability in WofficeIO Woffice Core allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Woffice Core: from n/a through 5.4.8.
nvd
CVE-2024-37471 | P4 | MEDIUM | CVSS 6.1 | fixed in 5.4.9 | 2024-07-04
CWE-79: Cross Site Scripting (XSS) vulnerability in WofficeIO Woffice Core allows Reflected XSS. This issue affects Woffice Core: from n/a through 5.4.8.
nvd
CVE-2025-2797 | P4 | MEDIUM | CVSS 5.4 | fixed in 5.4.22 | 2025-04-04
CWE-352: The Woffice Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.4.21. This is due to missing or incorrect nonce validation on the 'woffice_handle_user_approval_actions' function. This makes it possible for unauthenticated attackers to approve registration for any user via a forged request grant
nvd
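To turn the table above into a check against an installed site, the block below, an added example that is not vendor code, copies the fixed-in versions listed on this page and reports which advisories apply to a given Woffice theme or Woffice Core plugin version. The helper names (parse_version, version_lt, affecting, version_from_header) are hypothetical, and SAMPLE_STYLE_CSS is a constructed header, not a file taken from a real site. It applies one conservative rule: any version below the fixed-in version counts as affected, which matters for CVE-2024-43153, where the page lists <= 5.4.10 as the affected range but 5.4.12 as the fix.

```python
"""Which of the Woffice advisories listed on this page apply to a given version?

Added example, not vendor code. The fixed-in versions are copied from the
table on this page; the helper names are hypothetical and SAMPLE_STYLE_CSS is
a constructed WordPress theme header, not a real site's file.
"""
import re

# CVE id -> (component as named on this page, fixed-in version from the table)
WOFFICE_ADVISORIES = {
    "CVE-2024-43153": ("Woffice theme", "5.4.12"),
    "CVE-2024-37472": ("Woffice theme", "5.4.9"),
    "CVE-2025-2798": ("Woffice theme", "5.4.22"),
    "CVE-2024-43234": ("Woffice theme", "5.4.15"),
    "CVE-2025-2780": ("Woffice Core plugin", "5.4.22"),
    "CVE-2025-7694": ("Woffice Core plugin", "5.4.27"),
    "CVE-2024-37470": ("Woffice Core plugin", "5.4.9"),
    "CVE-2024-37471": ("Woffice Core plugin", "5.4.9"),
    "CVE-2025-2797": ("Woffice Core plugin", "5.4.22"),
}


def parse_version(text):
    """'5.4.20' -> (5, 4, 20). A trailing suffix such as '-beta' is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_lt(a, b):
    """Numeric, zero-padded comparison: (5, 4) == (5, 4, 0) and (5, 4, 10) > (5, 4, 9)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def affecting(version, component=None):
    """CVE ids whose fix is newer than `version`, optionally for one component.

    Conservative rule: anything below the fixed-in version is affected. For
    CVE-2024-43153 the page lists <= 5.4.10 as affected but 5.4.12 as the fix,
    so 5.4.11 is reported as affected here rather than silently skipped.
    """
    installed = parse_version(version)
    hits = [
        cve
        for cve, (comp, fixed) in WOFFICE_ADVISORIES.items()
        if (component is None or comp == component)
        and version_lt(installed, parse_version(fixed))
    ]
    return sorted(hits)


# Matches the Version: field of a theme style.css or a plugin main-file header block.
WP_VERSION_HEADER = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def version_from_header(text):
    """Read the Version: field from a WordPress theme or plugin header, or None."""
    m = WP_VERSION_HEADER.search(text)
    return m.group(1) if m else None


# Constructed sample header; a real site's wp-content/themes/woffice/style.css would be read instead.
SAMPLE_STYLE_CSS = """/*
Theme Name: Woffice
Version: 5.4.20
*/
"""


if __name__ == "__main__":
    installed = version_from_header(SAMPLE_STYLE_CSS)
    print(f"installed: {installed}")
    for cve in affecting(installed):
        comp, fixed = WOFFICE_ADVISORIES[cve]
        print(f"  {cve}: {comp}, fixed in {fixed}")
```

For the constructed 5.4.20 header the result is the four 2025 advisories (CVE-2025-2780, CVE-2025-2797, CVE-2025-2798, CVE-2025-7694); a site on 5.4.27 or later matches none of the entries on this page. Pass the component name to check the theme and the Core plugin separately, since the table lists them as distinct components.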