CVEs.
Assigned vulnerabilities with official CVE identifiers, advisory references and direct links to the public record.
Key findings
All CVE records
The plugin only verifies that a user is logged in when handling a select2 query request and does not perform the required capability check. Subscriber-level attackers can supply an internal post type and retrieve otherwise restricted titles, including coupon codes.
On POSIX systems, pathe unconditionally converts backslashes to forward slashes before resolving a path. Inputs such as ..\..\..\etc\passwd can bypass validation that only blocks ../, then escape the intended base directory through join(), resolve() or normalize(), enabling arbitrary file read or write when the resolved path is used.
The package allocates memory from an untrusted ZIP uncompressed-size header without an upper bound. A crafted file of roughly 120 bytes can request nearly 4 GB before CRC validation, immediately crashing applications that read or extract it.
The package creates symlinks from archive entries without validating their targets. An attacker can place links to sensitive files outside the extraction directory and expose any data the application later reads or serves.
A flawed String.indexOf() containment check accepts sibling directories that share the extraction path prefix. Combined with symlink creation, a crafted archive can write files outside the intended output directory and bypass the fix for CVE-2020-12265.
The package passes an archive-controlled hardlink target directly to fs.link(). A crafted archive can expose a file on the same filesystem through the extraction directory, and changes made through that hardlink can corrupt the original file.
The plugin's move_image_on_server function concatenates an unsanitized layer ID into a filesystem path passed to PHP's copy(), allowing authenticated Author-level attackers to use traversal sequences to write attacker-controlled files to arbitrary locations on the server.
The plugin fails to properly neutralize input during page generation, allowing attackers to inject JavaScript through a cross-site scripting vulnerability in affected WordPress installations.
The plugin fails to properly validate object ownership on file access, allowing unauthenticated attackers to bypass authorization and access files uploaded by other users during checkout.
The plugin does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection attacks.
A logical flaw in the booking authorization check skips token validation when the booking status is 'waiting', allowing unauthenticated attackers to approve arbitrary bookings via the admin-ajax endpoint.