Wp Customer Area
Monthly
Authenticated path traversal in the WP Customer Area WordPress plugin through version 8.3.4 allows users with low-privilege custom roles to escape intended directory boundaries and access or manipulate files outside the plugin's permitted scope. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N) indicates network-reachable exploitation by authenticated users with high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
The WP Customer Area WordPress plugin through 8.2.4 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The WP Customer Area WordPress plugin through 8.2.4 does not have a CSRF check in place when deleting its logs, which could allow attackers to make a logged-in user delete them via a CSRF attack. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.