3 vulnerabilities by marcinlawrowski
CVE-2025-14609 (GCVE-0-2025-14609)
Vulnerability from cvelistv5 – Published: 2026-01-24 07:26 – Updated: 2026-01-24 07:26
Title
Wise Analytics <= 1.1.9 - Missing Authorization to Unauthenticated Arbitrary Analytics Database Disclosure via 'name' Parameter
Summary
The Wise Analytics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.9. This is due to missing capability checks on the REST API endpoint '/wise-analytics/v1/report'. This makes it possible for unauthenticated attackers to access sensitive analytics data, including administrator usernames, login timestamps, visitor tracking information, and business intelligence data, via the 'name' parameter, provided they can send unauthenticated requests to the endpoint.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| marcinlawrowski | Wise Analytics | Affected: * , ≤ 1.1.9 (semver) |
Credits
Lior Yeshayahu
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Wise Analytics",
"vendor": "marcinlawrowski",
"versions": [
{
"lessThanOrEqual": "1.1.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lior Yeshayahu"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Wise Analytics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.9. This is due to missing capability checks on the REST API endpoint \u0027/wise-analytics/v1/report\u0027. This makes it possible for unauthenticated attackers to access sensitive analytics data including administrator usernames, login timestamps, visitor tracking information, and business intelligence data via the \u0027name\u0027 parameter granted they can send unauthenticated requests."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-24T07:26:47.717Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d92c80cb-080b-4774-8c66-1d5cf68e771f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wise-analytics/trunk/src/Endpoints/ReportsEndpoint.php#L43"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wise-analytics/tags/1.1.9/src/Endpoints/ReportsEndpoint.php#L43"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-23T19:19:12.000+00:00",
"value": "Disclosed"
}
],
"title": "Wise Analytics \u003c= 1.1.9 - Missing Authorization to Unauthenticated Arbitrary Analytics Database Disclosure via \u0027name\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14609",
"datePublished": "2026-01-24T07:26:47.717Z",
"dateReserved": "2025-12-12T20:14:45.895Z",
"dateUpdated": "2026-01-24T07:26:47.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-3774 (GCVE-0-2025-3774)
Vulnerability from cvelistv5 – Published: 2025-06-17 01:44 – Updated: 2025-06-17 14:17
Title
Wise Chat <= 3.3.4 - Unauthenticated Stored Cross-Site Scripting via X-Forwarded-For Header
Summary
The Wise Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the X-Forwarded-For header in all versions up to, and including, 3.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
7.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| marcinlawrowski | Wise Chat | Affected: * , ≤ 3.3.4 (semver) |
Credits
Vincent Fourcade
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3774",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-17T14:17:34.118844Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T14:17:51.792Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Wise Chat",
"vendor": "marcinlawrowski",
"versions": [
{
"lessThanOrEqual": "3.3.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Vincent Fourcade"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Wise Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the X-Forwarded-For header in all versions up to, and including, 3.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T01:44:10.303Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/34fd5045-cd38-4eab-9e97-98f1e3d7423a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wise-chat/tags/3.3.3/src/admin/WiseChatKicksTab.php#L11"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-04-15T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-06-16T13:03:18.000+00:00",
"value": "Disclosed"
}
],
"title": "Wise Chat \u003c= 3.3.4 - Unauthenticated Stored Cross-Site Scripting via X-Forwarded-For Header"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-3774",
"datePublished": "2025-06-17T01:44:10.303Z",
"dateReserved": "2025-04-17T16:19:28.304Z",
"dateUpdated": "2025-06-17T14:17:51.792Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13613 (GCVE-0-2024-13613)
Vulnerability from cvelistv5 – Published: 2025-05-17 11:17 – Updated: 2025-05-19 14:53
Title
Wise Chat <= 3.3.3 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory
Summary
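The Wise Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.3 via the 'uploads' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads directory, which can contain file attachments included in chat messages. The vulnerability was partially patched in version 3.3.3. Note that the affected-version range recorded for this entry is ≤ 3.3.2, while the title and this summary state up to and including 3.3.3; because 3.3.3 is described as only a partial patch, a site running 3.3.3 should not be assumed fixed on the strength of the version range alone and should be checked against the referenced changesets.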
Severity ?
7.5 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| marcinlawrowski | Wise Chat | Affected: * , ≤ 3.3.2 (semver) |
Credits
Tim Coen
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13613",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T14:53:13.702874Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T14:53:22.619Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Wise Chat",
"vendor": "marcinlawrowski",
"versions": [
{
"lessThanOrEqual": "3.3.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tim Coen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Wise Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.3 via the \u0027uploads\u0027 directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads directory which can contain file attachments included in chat messages. The vulnerability was partially patched in version 3.3.3."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-17T11:17:17.487Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f70dabb4-3ae6-43cf-86e2-62ac1454b697?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wise-chat/trunk/src/services/WiseChatAttachmentsService.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3268074/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3288680/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-05-16T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Wise Chat \u003c= 3.3.3 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13613",
"datePublished": "2025-05-17T11:17:17.487Z",
"dateReserved": "2025-01-22T01:01:46.932Z",
"dateUpdated": "2025-05-19T14:53:22.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}