3 vulnerabilities by ashishajani
CVE-2025-13717 (GCVE-0-2025-13717)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 17:44
Title
Contact Form vCard Generator <= 2.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'wp-gvc-cf-download-id' Parameter
Summary
The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wp_gvccf_check_download_request' function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export sensitive Contact Form 7 submission data via the 'wp-gvc-cf-download-id' parameter, including names, phone numbers, email addresses, and messages.
Severity
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| ashishajani | Contact Form vCard Generator | Affected: * , ≤ 2.4 (semver) |
Credits
Sopon Tangpathum (SoNaJaa)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13717",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T17:43:47.192497Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T17:44:09.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Contact Form vCard Generator",
"vendor": "ashishajani",
"versions": [
{
"lessThanOrEqual": "2.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sopon Tangpathum (SoNaJaa)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027wp_gvccf_check_download_request\u0027 function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export sensitive Contact Form 7 submission data via the \u0027wp-gvc-cf-download-id\u0027 parameter, including names, phone numbers, email addresses, and messages."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:34.501Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bdde4399-af90-4528-92a4-5176dfa5e453?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/trunk/includes/wp-gvc-cf-settings.php#L13"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/tags/2.4/includes/wp-gvc-cf-settings.php#L13"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/trunk/includes/wp-gvc-cf-settings.php#L105"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/tags/2.4/includes/wp-gvc-cf-settings.php#L105"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:36:46.000+00:00",
"value": "Disclosed"
}
],
"title": "Contact Form vCard Generator \u003c= 2.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via \u0027wp-gvc-cf-download-id\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13717",
"datePublished": "2026-01-09T11:15:34.501Z",
"dateReserved": "2025-11-25T21:54:45.575Z",
"dateUpdated": "2026-01-09T17:44:09.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-13690 (GCVE-0-2024-13690)
Vulnerability from cvelistv5 – Published: 2025-03-25 08:22 – Updated: 2025-03-25 13:13
Title
WP Church Donation <= 1.7 - Unauthenticated Stored Cross-Site Scripting
Summary
The WP Church Donation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several donation form submission parameters in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
7.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| ashishajani | WP Church Donation | Affected: * , ≤ 1.7 (semver) |
Credits
Johannes Skamletz
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13690",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-25T13:13:15.543609Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T13:13:23.208Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Church Donation",
"vendor": "ashishajani",
"versions": [
{
"lessThanOrEqual": "1.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Johannes Skamletz"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Church Donation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several donation form submission parameters in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T08:22:16.138Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/de8ac20f-d6ae-4e55-9337-4fb5ebd4f24a?source=cve"
},
{
"url": "http://plugins.svn.wordpress.org/wp-church-donation/tags/1.7/includes/church-donation-form-display.php"
},
{
"url": "http://plugins.svn.wordpress.org/wp-church-donation/tags/1.7/includes/church-donation-listings.php"
},
{
"url": "https://wordpress.org/plugins/wp-church-donation/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-24T19:33:56.000+00:00",
"value": "Disclosed"
}
],
"title": "WP Church Donation \u003c= 1.7 - Unauthenticated Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13690",
"datePublished": "2025-03-25T08:22:16.138Z",
"dateReserved": "2025-01-23T19:09:22.889Z",
"dateUpdated": "2025-03-25T13:13:23.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7385 (GCVE-0-2024-7385)
Vulnerability from cvelistv5 – Published: 2024-09-25 03:27 – Updated: 2024-09-25 14:01
Title
WordPress Simple HTML Sitemap <= 3.1 - Authenticated (Admin+) SQL Injection
Summary
The WordPress Simple HTML Sitemap plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity
9.1 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| ashishajani | WordPress Simple HTML Sitemap | Affected: * , ≤ 3.1 (semver) |
Credits
anhchangmutrang
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:freelancer-coder:wordpress_simple_html_sitemap:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "wordpress_simple_html_sitemap",
"vendor": "freelancer-coder",
"versions": [
{
"lessThanOrEqual": "3.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7385",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T13:58:59.363557Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T14:01:58.911Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WordPress Simple HTML Sitemap",
"vendor": "ashishajani",
"versions": [
{
"lessThanOrEqual": "3.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "anhchangmutrang"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WordPress Simple HTML Sitemap plugin for WordPress is vulnerable to SQL Injection via the \u0027id\u0027 parameter in all versions up to, and including, 3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T03:27:41.059Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f529b981-623f-4bd3-9155-ebfab4c65d1d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-simple-html-sitemap/tags/3.1/inc/wshs_saved.php#L47"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3155037/wp-simple-html-sitemap/trunk/inc/wshs_saved.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-24T15:19:19.000+00:00",
"value": "Disclosed"
}
],
"title": "WordPress Simple HTML Sitemap \u003c= 3.1 - Authenticated (Admin+) SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-7385",
"datePublished": "2024-09-25T03:27:41.059Z",
"dateReserved": "2024-08-01T14:36:48.651Z",
"dateUpdated": "2024-09-25T14:01:58.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}