Wpjam Basic
Monthly
Server-Side Request Forgery in the WPJAM Basic WordPress plugin (by denishua) affects all versions up to and including 7.0, letting remote attackers coerce the site's server into issuing crafted outbound requests. Because the CVSS scope is marked Changed with low confidentiality and integrity impact, an attacker can reach internal or otherwise-protected services and read back limited responses. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was disclosed through the Patchstack vulnerability database.
PHP Object Injection in the WPJAM Basic WordPress plugin (denishua) affects all versions up to and including 7.0, allowing an authenticated attacker to inject crafted serialized objects that are deserialized by the plugin. Reported by Patchstack and rated CVSS 8.8, it can lead to high-impact compromise (confidentiality, integrity, and availability) of the WordPress site, though exploitation requires at least low-level authenticated access. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
WPJAM Basic, a WordPress plugin, contains an unrestricted file upload vulnerability (CWE-434) that allows attackers to upload malicious files without proper validation. All versions through 6.9.2 are affected, potentially enabling remote code execution or other attacks depending on server configuration. While CVSS and EPSS scores are unavailable, the nature of arbitrary file upload vulnerabilities in WordPress plugins typically carries high real-world risk due to ease of exploitation and severe impact.
Auth. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Server-Side Request Forgery in the WPJAM Basic WordPress plugin (by denishua) affects all versions up to and including 7.0, letting remote attackers coerce the site's server into issuing crafted outbound requests. Because the CVSS scope is marked Changed with low confidentiality and integrity impact, an attacker can reach internal or otherwise-protected services and read back limited responses. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was disclosed through the Patchstack vulnerability database.
PHP Object Injection in the WPJAM Basic WordPress plugin (denishua) affects all versions up to and including 7.0, allowing an authenticated attacker to inject crafted serialized objects that are deserialized by the plugin. Reported by Patchstack and rated CVSS 8.8, it can lead to high-impact compromise (confidentiality, integrity, and availability) of the WordPress site, though exploitation requires at least low-level authenticated access. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
WPJAM Basic, a WordPress plugin, contains an unrestricted file upload vulnerability (CWE-434) that allows attackers to upload malicious files without proper validation. All versions through 6.9.2 are affected, potentially enabling remote code execution or other attacks depending on server configuration. While CVSS and EPSS scores are unavailable, the nature of arbitrary file upload vulnerabilities in WordPress plugins typically carries high real-world risk due to ease of exploitation and severe impact.
Auth. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.