Skip to main content

Woffice

7 CVEs product

Monthly

CVE-2026-27435 MEDIUM PATCH This Month

Broken access control in the WofficeIO Woffice WordPress theme (all versions before 5.4.33) permits unauthenticated remote attackers to exploit incorrectly configured access control security levels, achieving low-impact unauthorized write actions without credentials or user interaction. Discovered and disclosed by Patchstack, the flaw stems from CWE-862 (Missing Authorization), where the theme fails to enforce proper capability checks on specific endpoints. No public exploit or CISA KEV listing has been identified at time of analysis, though the unauthenticated and low-complexity attack vector broadens the exposure surface beyond what the medium CVSS score alone conveys.

Authentication Bypass Woffice
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-7694 MEDIUM This Month

The Woffice Core plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the woffice_file_manager_delete() function in all versions up to, and. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

WordPress PHP Path Traversal RCE Woffice
NVD
CVSS 3.1
6.8
EPSS
0.5%
CVE-2025-2798 CRITICAL Act Now

The Woffice CRM theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.4.21. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Privilege Escalation Woffice PHP
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2025-2797 MEDIUM This Month

The Woffice Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.4.21. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF Woffice PHP
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-2780 HIGH This Week

The Woffice Core plugin for WordPress, used by the Woffice Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'saveFeaturedImage' function in all versions up. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE File Upload Woffice PHP
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2024-37470 CRITICAL Act Now

Missing Authorization vulnerability in WofficeIO Woffice Core allows Accessing Functionality Not Properly Constrained by ACLs.4.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Woffice
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-37471 MEDIUM This Month

Cross Site Scripting (XSS) vulnerability in WofficeIO Woffice Core allows Reflected XSS.4.8. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Woffice
NVD
CVSS 3.1
6.1
EPSS
0.3%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Broken access control in the WofficeIO Woffice WordPress theme (all versions before 5.4.33) permits unauthenticated remote attackers to exploit incorrectly configured access control security levels, achieving low-impact unauthorized write actions without credentials or user interaction. Discovered and disclosed by Patchstack, the flaw stems from CWE-862 (Missing Authorization), where the theme fails to enforce proper capability checks on specific endpoints. No public exploit or CISA KEV listing has been identified at time of analysis, though the unauthenticated and low-complexity attack vector broadens the exposure surface beyond what the medium CVSS score alone conveys.

Authentication Bypass Woffice
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

The Woffice Core plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the woffice_file_manager_delete() function in all versions up to, and. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

WordPress PHP Path Traversal +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

The Woffice CRM theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.4.21. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Privilege Escalation +2
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

The Woffice Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.4.21. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF Woffice +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The Woffice Core plugin for WordPress, used by the Woffice Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'saveFeaturedImage' function in all versions up. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE File Upload +2
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Missing Authorization vulnerability in WofficeIO Woffice Core allows Accessing Functionality Not Properly Constrained by ACLs.4.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Woffice
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross Site Scripting (XSS) vulnerability in WofficeIO Woffice Core allows Reflected XSS.4.8. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Woffice
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy