Threat Entry Updated 2024-11-21

CVE-2024-3999 - Eazydocs Plugin

The EazyDocs WordPress plugin before 2.5.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Eazydocs

CVE-2024-3999

MEDIUM CVSS 4.8 2024-07-02

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-05-07

CVE-2024-0248 - Eazydocs Plugin

The EazyDocs WordPress plugin before 2.4.0 re-introduced CVE-2023-6029 (https://wpscan.com/vulnerability/7a0aaf85-8130-4fd7-8f09-f8edc929597e/) in 2.3.8, allowing any authenticated users, such as subscriber to delete arbitrary posts, as well as add and delete documents/sections. The issue was partially fixed in 2.3.9.

PLUGIN Eazydocs

CVE-2024-0248

MEDIUM CVSS 4.3 2024-02-12

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-06-11

CVE-2023-6029 - Eazydocs Plugin

The EazyDocs WordPress plugin before 2.3.6 does not have authorization and CSRF checks when handling documents and does not ensure that they are documents from the plugin, allowing unauthenticated users to delete arbitrary posts, as well as add and delete documents/sections.

PLUGIN Eazydocs

CVE-2023-6029

HIGH CVSS 7.5 2024-01-15

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2023-6035 - Eazydocs Plugin

The EazyDocs WordPress plugin before 2.3.4 does not properly sanitize and escape "data" parameter before using it in an SQL statement via an AJAX action, which could allow any authenticated users, such as subscribers, to perform SQL Injection attacks.

PLUGIN Eazydocs

CVE-2023-6035

HIGH CVSS 8.8 2023-12-11

Risk Score

Open Full Technical Breakdown