Skip to main content

Permalink Manager Lite

12 CVEs product

Monthly

CVE-2026-8494 MEDIUM This Month

Stored Cross-Site Scripting in the Permalink Manager Lite WordPress plugin (all versions through 2.5.3.3) allows authenticated contributors to inject persistent JavaScript into the admin URI Editor interface via crafted post titles. The payload executes in the browser of any administrator who subsequently visits the Permalink Manager page, enabling session hijacking or unauthorized admin-level actions. No active exploitation is confirmed in CISA KEV, and no public exploit code has been identified at time of analysis; vendor-released patch 2.5.3.4 is available.

WordPress XSS Permalink Manager Lite
NVD VulDB
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-32413 MEDIUM PATCH This Month

Permalink Manager Lite versions prior to 2.5.3 lack proper authorization controls, allowing unauthenticated remote attackers to modify content through incorrectly configured access restrictions. This missing authorization check enables attackers to alter data without authentication, affecting the integrity of managed permalinks. No patch is currently available for this vulnerability.

Authentication Bypass Permalink Manager Lite
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2024-8195 MEDIUM PATCH This Month

The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'debug_data', 'debug_query', and 'debug_redirect' functions in. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass WordPress Information Disclosure Permalink Manager Lite
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2024-37257 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Maciej Bis Permalink Manager Lite allows Reflected XSS.4.3.3. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Permalink Manager Lite
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-2738 MEDIUM This Month

The Permalink Manager Lite and Pro plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the ‘s’ parameter in multiple instances in all versions up to, and including, 2.4.3.1 due. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS WordPress Permalink Manager Lite
NVD GitHub
CVSS 3.1
6.1
EPSS
1.2%
CVE-2024-2543 MEDIUM POC PATCH This Month

The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_uri_editor' function in all versions up to, and including,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass WordPress Permalink Manager Lite
NVD GitHub
CVSS 3.1
4.3
EPSS
0.4%
CVE-2024-2538 MEDIUM POC PATCH This Month

The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_permalink' function in all versions up to, and. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass WordPress Permalink Manager Lite
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2024-29092 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Maciej Bis Permalink Manager Lite allows Reflected XSS.4.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Permalink Manager Lite
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2022-4410 MEDIUM PATCH This Month

The Permalink Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including 2.2.20.3 due to improper output escaping on post/page/media titles. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Permalink Manager Lite
NVD WPScan VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2022-41781 CRITICAL Act Now

Broken Access Control vulnerability in Permalink Manager Lite plugin <= 2.2.20 on WordPress. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation WordPress Permalink Manager Lite
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2022-4021 HIGH PATCH This Week

The Permalink Manager Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.2.20.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Permalink Manager Lite
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2021-24769 HIGH POC This Week

The Permalink Manager Lite WordPress plugin before 2.2.13.1 does not validate and escape the orderby parameter before using it in a SQL statement in the Permalink Manager page, leading to a SQL. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Permalink Manager Lite
NVD WPScan
CVSS 3.1
7.2
EPSS
1.3%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Permalink Manager Lite WordPress plugin (all versions through 2.5.3.3) allows authenticated contributors to inject persistent JavaScript into the admin URI Editor interface via crafted post titles. The payload executes in the browser of any administrator who subsequently visits the Permalink Manager page, enabling session hijacking or unauthorized admin-level actions. No active exploitation is confirmed in CISA KEV, and no public exploit code has been identified at time of analysis; vendor-released patch 2.5.3.4 is available.

WordPress XSS Permalink Manager Lite
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Permalink Manager Lite versions prior to 2.5.3 lack proper authorization controls, allowing unauthenticated remote attackers to modify content through incorrectly configured access restrictions. This missing authorization check enables attackers to alter data without authentication, affecting the integrity of managed permalinks. No patch is currently available for this vulnerability.

Authentication Bypass Permalink Manager Lite
NVD VulDB
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'debug_data', 'debug_query', and 'debug_redirect' functions in. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass WordPress Information Disclosure +1
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Maciej Bis Permalink Manager Lite allows Reflected XSS.4.3.3. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Permalink Manager Lite
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

The Permalink Manager Lite and Pro plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the ‘s’ parameter in multiple instances in all versions up to, and including, 2.4.3.1 due. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS WordPress Permalink Manager Lite
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_uri_editor' function in all versions up to, and including,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass WordPress Permalink Manager Lite
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_permalink' function in all versions up to, and. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass WordPress Permalink Manager Lite
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Maciej Bis Permalink Manager Lite allows Reflected XSS.4.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Permalink Manager Lite
NVD
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

The Permalink Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including 2.2.20.3 due to improper output escaping on post/page/media titles. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Permalink Manager Lite
NVD WPScan VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Broken Access Control vulnerability in Permalink Manager Lite plugin <= 2.2.20 on WordPress. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation WordPress Permalink Manager Lite
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

The Permalink Manager Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.2.20.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Permalink Manager Lite
NVD VulDB
EPSS 1% CVSS 7.2
HIGH POC This Week

The Permalink Manager Lite WordPress plugin before 2.2.13.1 does not validate and escape the orderby parameter before using it in a SQL statement in the Permalink Manager page, leading to a SQL. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Permalink Manager Lite
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy