publishpress — Vulnerabilities & Security Advisories (19)

Browse all 19 CVE security advisories affecting publishpress. AI-powered Chinese analysis, POCs, and references for each vulnerability.

PublishPress is a WordPress plugin designed to manage editorial workflows and content publishing processes. Historically, the plugin has been susceptible to multiple security vulnerabilities, including remote code execution (RCE), cross-site scripting (XSS), and privilege escalation issues. These vulnerabilities often stem from insufficient input validation and improper access controls. While no major public security incidents have been widely documented, the 19 CVEs on record indicate a consistent pattern of security flaws that could allow attackers to compromise website integrity, steal sensitive data, or gain unauthorized administrative access. Regular updates and careful configuration are essential for maintaining security when using this plugin.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-5247 | Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.10.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'wrapper' Shortcode Attribute | Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories | CWE-79 | 5.5 | Medium | 2026-05-05 |
| CVE-2026-39482 | WordPress Post Expirator plugin <= 4.9.4 - Cross Site Scripting (XSS) vulnerability | Post Expirator | CWE-79 | 6.5 | Medium | 2026-04-08 |
| CVE-2026-32539 | WordPress PublishPress Revisions plugin <= 3.7.23 - SQL Injection vulnerability | PublishPress Revisions | CWE-89 | 9.3 | Critical | 2026-03-25 |
| CVE-2026-25309 | WordPress PublishPress Authors plugin <= 4.10.1 - Broken Access Control vulnerability | PublishPress Authors | CWE-862 | 7.5 | High | 2026-03-25 |
| CVE-2026-32394 | WordPress PublishPress Capabilities plugin <= 2.31.0 - Broken Access Control vulnerability | PublishPress Capabilities | CWE-862 | 4.3 | Medium | 2026-03-13 |
| CVE-2026-25330 | WordPress PublishPress Authors plugin <= 4.10.1 - Broken Access Control vulnerability | PublishPress Authors | CWE-862 | 4.3 | Medium | 2026-02-19 |
| CVE-2026-25322 | WordPress PublishPress Revisions plugin <= 3.7.22 - Cross Site Request Forgery (CSRF) vulnerability | PublishPress Revisions | CWE-352 | 5.4 | Medium | 2026-02-19 |
| CVE-2025-14718 | Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.9.3 - Missing Authorization to Authenticated (Contributor+) Workflow Manipulation | Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories | CWE-862 | 5.4 | Medium | 2026-01-09 |
| CVE-2025-69361 | WordPress Post Expirator plugin <= 4.9.3 - Broken Access Control vulnerability | Post Expirator | CWE-862 | 4.3 | Medium | 2026-01-06 |
| CVE-2025-13741 | Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.9.2 - Missing Authorization to Authenticated (Contributor+) Authors' Emails Exposure | Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories | CWE-862 | 4.3 | Medium | 2025-12-16 |
| CVE-2025-13149 | Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.9.1 - Authenticated (Author+) Missing Authorization to Post/Page Status Modification | Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories | CWE-862 | 4.3 | Medium | 2025-11-21 |
| CVE-2025-8588 | Gutenberg Blocks – PublishPress Blocks Controls, Visibility, Reusable Blocks <= 3.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting | PublishPress Blocks – Block Controls, Block Visibility, Block Permissions | CWE-79 | 6.4 | Medium | 2025-10-25 |
| CVE-2025-48332 | WordPress Gutenberg Blocks <= 3.3.1 - Local File Inclusion Vulnerability | Gutenberg Blocks | CWE-98 | 7.5 | High | 2025-08-14 |
| CVE-2025-49032 | WordPress Gutenberg Blocks plugin <= 3.3.1 - Cross Site Scripting (XSS) vulnerability | Gutenberg Blocks | CWE-79 | 6.5 | Medium | 2025-07-03 |
| CVE-2025-47496 | WordPress PublishPress Authors plugin <= 4.7.5 - Local File Inclusion Vulnerability | PublishPress Authors | CWE-98 | 7.5 | High | 2025-05-07 |
| CVE-2025-26886 | WordPress PublishPress Authors plugin <= 4.7.3 - SQL Injection vulnerability | PublishPress Authors | CWE-89 | 7.6 | High | 2025-03-15 |
| CVE-2024-11154 | PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes <= 3.5.15 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure | PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes | CWE-862 | 4.3 | Medium | 2024-11-20 |
| CVE-2024-9215 | Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors <= 4.7.1 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary User Email Update and Account Takeover | Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors | CWE-639 | 8.8 | High | 2024-10-17 |
| CVE-2024-9436 | PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes <= 3.5.14 - Reflected Cross-Site Scripting | PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes | CWE-79 | 6.1 | Medium | 2024-10-11 |

This page lists every published CVE security advisory associated with publishpress. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.