Qr Redirector
Monthly
Missing authorization in the QR Redirector WordPress plugin (versions through 2.0.3) exposes redirect management functionality to authenticated low-privileged users who lack the appropriate capability checks. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms any authenticated WordPress user - including subscribers or contributors - can exploit this flaw remotely without user interaction. No public exploit code exists and no active exploitation has been identified; EPSS at 0.03% (8th percentile) and SSVC exploitation status of 'none' place this at low operational priority for most environments.
The QR Redirector WordPress plugin before 1.6.1 does not sanitise and escape some of the QR Redirect fields, which could allow users with a role as low as Contributor perform Stored Cross-Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The QR Redirector WordPress plugin before 1.6 does not have capability and CSRF checks when saving bulk QR Redirector settings via the qr_save_bulk AJAX action, which could allow any authenticated. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Missing authorization in the QR Redirector WordPress plugin (versions through 2.0.3) exposes redirect management functionality to authenticated low-privileged users who lack the appropriate capability checks. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms any authenticated WordPress user - including subscribers or contributors - can exploit this flaw remotely without user interaction. No public exploit code exists and no active exploitation has been identified; EPSS at 0.03% (8th percentile) and SSVC exploitation status of 'none' place this at low operational priority for most environments.
The QR Redirector WordPress plugin before 1.6.1 does not sanitise and escape some of the QR Redirect fields, which could allow users with a role as low as Contributor perform Stored Cross-Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The QR Redirector WordPress plugin before 1.6 does not have capability and CSRF checks when saving bulk QR Redirector settings via the qr_save_bulk AJAX action, which could allow any authenticated. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.