Vulnerabilites related to Themeum - Qubely
Vulnerability from fkie_nvd
Published
2025-03-11 07:15
Modified
2025-05-26 02:31
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
The Qubely – Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.13 via the 'qubely_get_content'. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, password-protected, draft, and trashed post data.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:themeum:qubely:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "61C17398-A525-472A-B8EF-C4B1094F276D",
"versionEndExcluding": "1.8.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Qubely \u2013 Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.13 via the \u0027qubely_get_content\u0027. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, password-protected, draft, and trashed post data."
},
{
"lang": "es",
"value": "El complemento Qubely \u2013 Advanced Gutenberg Blocks para WordPress es vulnerable a la exposici\u00f3n de informaci\u00f3n confidencial en todas las versiones hasta la 1.8.13 incluida a trav\u00e9s de \u0027qubely_get_content\u0027. Esto permite que atacantes autenticados, con acceso de nivel de colaborador o superior, extraigan datos confidenciales de publicaciones privadas, pendientes, programadas, protegidas con contrase\u00f1a, borradores y eliminadas."
}
],
"id": "CVE-2024-13228",
"lastModified": "2025-05-26T02:31:47.207",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-03-11T07:15:32.670",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/qubely/trunk/core/QUBELY.php#L1172"
},
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/3253223/"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/72c66e71-dddb-4142-ae13-da3caffd8714?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-359"
}
],
"source": "security@wordfence.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-01-24 08:15
Modified
2024-11-21 05:54
Severity ?
Summary
The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF check on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts
References
| ▼ | URL | Tags | |
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/e88b7a70-ee71-439f-b3c6-0300adb980b0 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/e88b7a70-ee71-439f-b3c6-0300adb980b0 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:themeum:qubely:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "C0F9349A-058D-4DBF-A5FA-0CE3B85BC9E5",
"versionEndExcluding": "1.7.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF check on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts"
},
{
"lang": "es",
"value": "El plugin Qubely de WordPress versiones anteriores a 1.7.8, no presenta autorizaci\u00f3n y comprobaci\u00f3n CSRF en la acci\u00f3n AJAX qubely_delete_saved_block, y no asegura que el bloque que va a ser eliminado pertenezca al plugin, como resultado, cualquier usuario autenticado, como el suscriptor, puede eliminar entradas arbitrarias"
}
],
"id": "CVE-2021-25013",
"lastModified": "2024-11-21T05:54:11.230",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-01-24T08:15:09.240",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/e88b7a70-ee71-439f-b3c6-0300adb980b0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/e88b7a70-ee71-439f-b3c6-0300adb980b0"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "contact@wpscan.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-08-07 15:15
Modified
2024-11-21 05:54
Severity ?
Summary
The Qubely WordPress plugin before 1.8.6 allows unauthenticated user to send arbitrary e-mails to arbitrary addresses via the qubely_send_form_data AJAX action.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/93b893be-59ad-4500-8edb-9fa7a45304d5 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/93b893be-59ad-4500-8edb-9fa7a45304d5 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:themeum:qubely:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "191D064A-A2B1-4102-853A-8590D497494A",
"versionEndExcluding": "1.8.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Qubely WordPress plugin before 1.8.6 allows unauthenticated user to send arbitrary e-mails to arbitrary addresses via the qubely_send_form_data AJAX action."
},
{
"lang": "es",
"value": "El complemento Qubely WordPress anterior a 1.8.6 permite a usuarios no autenticados enviar correos electr\u00f3nicos arbitrarios a direcciones arbitrarias mediante la acci\u00f3n qubely_send_form_data AJAX."
}
],
"id": "CVE-2021-24916",
"lastModified": "2024-11-21T05:54:00.430",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-08-07T15:15:10.447",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/93b893be-59ad-4500-8edb-9fa7a45304d5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/93b893be-59ad-4500-8edb-9fa7a45304d5"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-02-16 23:15
Modified
2025-05-23 17:46
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Qubely – Advanced Gutenberg Blocks allows Stored XSS. This issue affects Qubely – Advanced Gutenberg Blocks: from n/a through 1.8.12.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:themeum:qubely:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "8C054573-F8DC-43A4-AFC8-BB556B46990B",
"versionEndExcluding": "1.8.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Themeum Qubely \u2013 Advanced Gutenberg Blocks allows Stored XSS. This issue affects Qubely \u2013 Advanced Gutenberg Blocks: from n/a through 1.8.12."
},
{
"lang": "es",
"value": "Vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web (\u0027Cross-site Scripting\u0027) en Themeum Qubely \u2013 Advanced Gutenberg Blocks permite XSS almacenado. Este problema afecta a Qubely \u2013 Advanced Gutenberg Blocks: desde n/a hasta 1.8.12."
}
],
"id": "CVE-2025-26767",
"lastModified": "2025-05-23T17:46:53.990",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 3.7,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-02-16T23:15:11.350",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/wordpress/plugin/qubely/vulnerability/wordpress-qubely-advanced-gutenberg-blocks-plugin-1-8-12-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "audit@patchstack.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-01-16 16:15
Modified
2025-06-02 15:15
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
The Qubely WordPress plugin before 1.8.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/b1aa6f32-c1d5-4fc6-9a4e-d4c5fae78389/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/b1aa6f32-c1d5-4fc6-9a4e-d4c5fae78389/ | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:themeum:qubely:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4506F22E-0603-4CCD-9D55-0DACA4E11A50",
"versionEndExcluding": "1.8.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Qubely WordPress plugin before 1.8.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks."
},
{
"lang": "es",
"value": "El complemento Qubely WordPress anterior a 1.8.5 no valida ni escapa algunas de sus opciones de bloqueo antes de devolverlas a una p\u00e1gina/publicaci\u00f3n donde est\u00e1 incrustado el bloque, lo que podr\u00eda permitir a los usuarios con el rol de colaborador y superior realizar ataques de cross site scripting almacenado."
}
],
"id": "CVE-2023-0376",
"lastModified": "2025-06-02T15:15:21.640",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-01-16T16:15:10.487",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/b1aa6f32-c1d5-4fc6-9a4e-d4c5fae78389/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/b1aa6f32-c1d5-4fc6-9a4e-d4c5fae78389/"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-02-14 07:15
Modified
2025-02-25 19:42
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
The Qubely – Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ and 'UniqueID' parameter in all versions up to, and including, 1.8.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:themeum:qubely:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "8C054573-F8DC-43A4-AFC8-BB556B46990B",
"versionEndExcluding": "1.8.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Qubely \u2013 Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018align\u2019 and \u0027UniqueID\u0027 parameter in all versions up to, and including, 1.8.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
},
{
"lang": "es",
"value": "El complemento Qubely \u2013 Advanced Gutenberg Blocks para WordPress es vulnerable a Cross Site Scripting almacenado a trav\u00e9s de los par\u00e1metros \u0027align\u0027 y \u0027UniqueID\u0027 en todas las versiones hasta la 1.8.12 incluida, debido a una depuraci\u00f3n de entrada al escape de salida insuficiente. Esto permite que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten secuencias de comandos web arbitrarias en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."
}
],
"id": "CVE-2024-9601",
"lastModified": "2025-02-25T19:42:12.050",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-02-14T07:15:32.570",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/qubely/trunk/core/blocks/postgrid.php#L1419"
},
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/3235188/"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/58387a60-ef68-4911-9349-97b0f7e7726f?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@wordfence.com",
"type": "Primary"
}
]
}
CVE-2024-13228 (GCVE-0-2024-13228)
Vulnerability from cvelistv5
Published
2025-03-11 07:05
Modified
2025-03-11 15:54
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Summary
The Qubely – Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.13 via the 'qubely_get_content'. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, password-protected, draft, and trashed post data.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| themeum | Qubely – Advanced Gutenberg Blocks |
Version: * ≤ 1.8.13 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13228",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-11T15:47:34.425283Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T15:54:12.600Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Qubely \u2013 Advanced Gutenberg Blocks",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "1.8.13",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nirmal"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Qubely \u2013 Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.13 via the \u0027qubely_get_content\u0027. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, password-protected, draft, and trashed post data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-359",
"description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T07:05:16.631Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/72c66e71-dddb-4142-ae13-da3caffd8714?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/qubely/trunk/core/QUBELY.php#L1172"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3253223/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-10T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Qubely \u2013 Advanced Gutenberg Blocks \u003c= 1.8.13 - Authenticated (Contributor+) Sensitive Information Exposure via qubely_get_content"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13228",
"datePublished": "2025-03-11T07:05:16.631Z",
"dateReserved": "2025-01-08T20:52:26.234Z",
"dateUpdated": "2025-03-11T15:54:12.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26767 (GCVE-0-2025-26767)
Vulnerability from cvelistv5
Published
2025-02-16 22:17
Modified
2025-02-18 19:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Qubely – Advanced Gutenberg Blocks allows Stored XSS. This issue affects Qubely – Advanced Gutenberg Blocks: from n/a through 1.8.12.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Themeum | Qubely – Advanced Gutenberg Blocks |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26767",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T17:24:39.593901Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T19:33:50.267Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "qubely",
"product": "Qubely \u2013 Advanced Gutenberg Blocks",
"vendor": "Themeum",
"versions": [
{
"changes": [
{
"at": "1.8.13",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.8.12",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "zaim (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Themeum Qubely \u2013 Advanced Gutenberg Blocks allows Stored XSS.\u003c/p\u003e\u003cp\u003eThis issue affects Qubely \u2013 Advanced Gutenberg Blocks: from n/a through 1.8.12.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Themeum Qubely \u2013 Advanced Gutenberg Blocks allows Stored XSS. This issue affects Qubely \u2013 Advanced Gutenberg Blocks: from n/a through 1.8.12."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-16T22:17:18.804Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/qubely/vulnerability/wordpress-qubely-advanced-gutenberg-blocks-plugin-1-8-12-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress Qubely \u2013 Advanced Gutenberg Blocks wordpress plugin to the latest available version (at least 1.8.13)."
}
],
"value": "Update the WordPress Qubely \u2013 Advanced Gutenberg Blocks wordpress plugin to the latest available version (at least 1.8.13)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Qubely \u2013 Advanced Gutenberg Blocks plugin \u003c= 1.8.12 - Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-26767",
"datePublished": "2025-02-16T22:17:18.804Z",
"dateReserved": "2025-02-14T06:53:32.111Z",
"dateUpdated": "2025-02-18T19:33:50.267Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-58249 (GCVE-0-2025-58249)
Vulnerability from cvelistv5
Published
2025-09-22 18:23
Modified
2025-09-23 16:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
Summary
Insertion of Sensitive Information Into Sent Data vulnerability in Themeum Qubely allows Retrieve Embedded Sensitive Data. This issue affects Qubely: from n/a through 1.8.14.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58249",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-23T15:58:13.377589Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-23T16:12:58.757Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "qubely",
"product": "Qubely",
"vendor": "Themeum",
"versions": [
{
"lessThanOrEqual": "1.8.14",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Abu Hurayra (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eInsertion of Sensitive Information Into Sent Data vulnerability in Themeum Qubely allows Retrieve Embedded Sensitive Data.\u003c/p\u003e\u003cp\u003eThis issue affects Qubely: from n/a through 1.8.14.\u003c/p\u003e"
}
],
"value": "Insertion of Sensitive Information Into Sent Data vulnerability in Themeum Qubely allows Retrieve Embedded Sensitive Data. This issue affects Qubely: from n/a through 1.8.14."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201 Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-22T18:23:30.092Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/qubely/vulnerability/wordpress-qubely-plugin-1-8-14-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Qubely Plugin \u003c= 1.8.14 - Sensitive Data Exposure Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-58249",
"datePublished": "2025-09-22T18:23:30.092Z",
"dateReserved": "2025-08-27T16:19:44.959Z",
"dateUpdated": "2025-09-23T16:12:58.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-9601 (GCVE-0-2024-9601)
Vulnerability from cvelistv5
Published
2025-02-14 06:40
Modified
2025-02-14 14:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The Qubely – Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ and 'UniqueID' parameter in all versions up to, and including, 1.8.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| themeum | Qubely – Advanced Gutenberg Blocks |
Version: * ≤ 1.8.12 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9601",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-14T14:39:25.308332Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T14:39:42.735Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Qubely \u2013 Advanced Gutenberg Blocks",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "1.8.12",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nirmal"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Qubely \u2013 Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018align\u2019 and \u0027UniqueID\u0027 parameter in all versions up to, and including, 1.8.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T06:40:11.635Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/58387a60-ef68-4911-9349-97b0f7e7726f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/qubely/trunk/core/blocks/postgrid.php#L1419"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3235188/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-13T18:36:16.000+00:00",
"value": "Disclosed"
}
],
"title": "Qubely \u2013 Advanced Gutenberg Blocks \u003c= 1.8.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027align\u0027 and \u0027UniqueID\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-9601",
"datePublished": "2025-02-14T06:40:11.635Z",
"dateReserved": "2024-10-07T19:27:28.196Z",
"dateUpdated": "2025-02-14T14:39:42.735Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0376 (GCVE-0-2023-0376)
Vulnerability from cvelistv5
Published
2024-01-16 15:55
Modified
2025-06-02 15:09
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The Qubely WordPress plugin before 1.8.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/b1aa6f32-c1d5-4fc6-9a4e-d4c5fae78389/ | exploit, vdb-entry, technical-description |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:10:55.688Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/b1aa6f32-c1d5-4fc6-9a4e-d4c5fae78389/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-0376",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T17:24:47.089344Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T15:09:50.638Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "Qubely",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.8.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lana Codes"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Qubely WordPress plugin before 1.8.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-16T15:55:51.086Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/b1aa6f32-c1d5-4fc6-9a4e-d4c5fae78389/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Qubely \u003c 1.8.5 - Contributor+ Stored XSS",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2023-0376",
"datePublished": "2024-01-16T15:55:51.086Z",
"dateReserved": "2023-01-18T07:22:43.292Z",
"dateUpdated": "2025-06-02T15:09:50.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-25013 (GCVE-0-2021-25013)
Vulnerability from cvelistv5
Published
2022-01-24 08:01
Modified
2024-08-03 19:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF check on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/e88b7a70-ee71-439f-b3c6-0300adb980b0 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Qubely – Advanced Gutenberg Blocks |
Version: 1.7.8 < 1.7.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:49:14.630Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/e88b7a70-ee71-439f-b3c6-0300adb980b0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Qubely \u2013 Advanced Gutenberg Blocks",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.7.8",
"status": "affected",
"version": "1.7.8",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Krzysztof Zaj\u0105c"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF check on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-24T08:01:08",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/e88b7a70-ee71-439f-b3c6-0300adb980b0"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Qubely \u003c 1.7.8 - Subscriber+ Arbitrary Post Deletion",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-25013",
"STATE": "PUBLIC",
"TITLE": "Qubely \u003c 1.7.8 - Subscriber+ Arbitrary Post Deletion"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Qubely \u2013 Advanced Gutenberg Blocks",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.7.8",
"version_value": "1.7.8"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Krzysztof Zaj\u0105c"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF check on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862 Missing Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/e88b7a70-ee71-439f-b3c6-0300adb980b0",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/e88b7a70-ee71-439f-b3c6-0300adb980b0"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-25013",
"datePublished": "2022-01-24T08:01:08",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:49:14.630Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-58663 (GCVE-0-2025-58663)
Vulnerability from cvelistv5
Published
2025-09-22 18:22
Modified
2025-09-23 16:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing Authorization vulnerability in Themeum Qubely allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Qubely: from n/a through 1.8.14.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58663",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-23T16:02:18.940007Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-23T16:16:13.572Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "qubely",
"product": "Qubely",
"vendor": "Themeum",
"versions": [
{
"lessThanOrEqual": "1.8.14",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Denver Jackson (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in Themeum Qubely allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Qubely: from n/a through 1.8.14.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Themeum Qubely allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Qubely: from n/a through 1.8.14."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-22T18:22:59.929Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/qubely/vulnerability/wordpress-qubely-plugin-1-8-14-broken-access-control-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Qubely Plugin \u003c= 1.8.14 - Broken Access Control Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-58663",
"datePublished": "2025-09-22T18:22:59.929Z",
"dateReserved": "2025-09-03T09:03:35.442Z",
"dateUpdated": "2025-09-23T16:16:13.572Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24916 (GCVE-0-2021-24916)
Vulnerability from cvelistv5
Published
2023-08-07 14:31
Modified
2024-10-15 18:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The Qubely WordPress plugin before 1.8.6 allows unauthenticated user to send arbitrary e-mails to arbitrary addresses via the qubely_send_form_data AJAX action.
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/93b893be-59ad-4500-8edb-9fa7a45304d5 | exploit, vdb-entry, technical-description |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:49:13.911Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/93b893be-59ad-4500-8edb-9fa7a45304d5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-24916",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T18:10:15.292532Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T18:12:07.814Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "Qubely",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.8.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Krzysztof Zaj\u0105c"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Qubely WordPress plugin before 1.8.6 allows unauthenticated user to send arbitrary e-mails to arbitrary addresses via the qubely_send_form_data AJAX action."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-07T14:31:23.983Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/93b893be-59ad-4500-8edb-9fa7a45304d5"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Qubely \u003c 1.8.6 - Unauthenticated Arbitrary E-mail Sending",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24916",
"datePublished": "2023-08-07T14:31:23.983Z",
"dateReserved": "2021-01-14T15:03:46.811Z",
"dateUpdated": "2024-10-15T18:12:07.814Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}