Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total4
Critical1
High1
Medium2
Reset
Showing 1-4 of 4 records
Threat Entry Updated 2025-08-12

CVE-2025-7694 - Woffice Plugin

The Woffice Core plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the woffice_file_manager_delete() function in all versions up to, and including, 5.4.26. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Woffice

CVE-2025-7694

MEDIUM CVSS 6.8 2025-08-02
Open Full Technical Breakdown
Threat Entry Updated 2025-08-08

CVE-2025-2798 - Woffice Plugin

The Woffice CRM theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.4.21. This is due to a misconfiguration of excluded roles during registration. This makes it possible for unauthenticated attackers to register with an Administrator role if a custom login form is being used. This can be combined with CVE-2025-2797 to bypass the user approval process if an Administrator can be tricked into taking an action such as clicking a link.

PLUGIN Woffice

CVE-2025-2798

CRITICAL CVSS 9.8 2025-04-04
Open Full Technical Breakdown
Threat Entry Updated 2025-08-08

CVE-2025-2797 - Woffice Plugin

The Woffice Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.4.21. This is due to missing or incorrect nonce validation on the 'woffice_handle_user_approval_actions' function. This makes it possible for unauthenticated attackers to approve registration for any user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Woffice

CVE-2025-2797

MEDIUM CVSS 5.4 2025-04-04
Open Full Technical Breakdown
Threat Entry Updated 2025-08-08

CVE-2025-2780 - Woffice Plugin

The Woffice Core plugin for WordPress, used by the Woffice Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'saveFeaturedImage' function in all versions up to, and including, 5.4.21. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Woffice

CVE-2025-2780

HIGH CVSS 8.8 2025-04-04
Open Full Technical Breakdown
Scroll to top