Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
5 vulnerabilities by watchtowerhq
CVE-2025-13972 (GCVE-0-2025-13972)
Vulnerability from cvelistv5 – Published: 2025-12-12 03:20 – Updated: 2026-04-08 16:36
VLAI
Title
WatchTowerHQ <= 3.16.0 - Authenticated (Administrator+) Arbitrary File Read via 'wht_download_big_object_origin' Parameter
Summary
The WatchTowerHQ plugin for WordPress is vulnerable to arbitrary file read via the 'wht_download_big_object_origin' parameter in all versions up to, and including, 3.16.0. This is due to insufficient path validation in the handle_big_object_download_request function. This makes it possible for authenticated attackers, with administrator-level access and a valid access token, to read arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys.
Severity
4.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| watchtowerhq | WatchTowerHQ |
Affected:
0 , ≤ 3.16.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13972",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-15T18:08:23.670986Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T18:17:03.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WatchTowerHQ",
"vendor": "watchtowerhq",
"versions": [
{
"lessThanOrEqual": "3.16.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Camilla Flocco"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WatchTowerHQ plugin for WordPress is vulnerable to arbitrary file read via the \u0027wht_download_big_object_origin\u0027 parameter in all versions up to, and including, 3.16.0. This is due to insufficient path validation in the handle_big_object_download_request function. This makes it possible for authenticated attackers, with administrator-level access and a valid access token, to read arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:36:42.928Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/13fcbff8-8560-48ca-82df-8b620961d9c6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/watchtowerhq/tags/3.15.0/src/Download.php#L104"
},
{
"url": "https://plugins.trac.wordpress.org/browser/watchtowerhq/trunk/src/Download.php#L104"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-11T14:28:08.000Z",
"value": "Disclosed"
}
],
"title": "WatchTowerHQ \u003c= 3.16.0 - Authenticated (Administrator+) Arbitrary File Read via \u0027wht_download_big_object_origin\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13972",
"datePublished": "2025-12-12T03:20:40.150Z",
"dateReserved": "2025-12-03T15:58:53.268Z",
"dateUpdated": "2026-04-08T16:36:42.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-9933 (GCVE-0-2024-9933)
Vulnerability from cvelistv5 – Published: 2024-10-26 01:58 – Updated: 2026-04-08 16:52
VLAI
Title
WatchTowerHQ <= 3.10.1 - Authentication Bypass to Administrator due to Missing Empty Value Check
Summary
The WatchTowerHQ plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.10.1. This is due to the 'watchtower_ota_token' default value is empty, and the not empty check is missing in the 'Password_Less_Access::login' function. This makes it possible for unauthenticated attackers to log in to the WatchTowerHQ client administrator user.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| watchtowerhq | WatchTowerHQ |
Affected:
0 , ≤ 3.10.1
(semver)
|
|
| watchtowerhq | watchtower |
Affected:
0 , ≤ 3.9.6
(semver)
cpe:2.3:a:watchtowerhq:watchtower:*:*:*:*:*:wordpress:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:watchtowerhq:watchtower:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "watchtower",
"vendor": "watchtowerhq",
"versions": [
{
"lessThanOrEqual": "3.9.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9933",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-28T16:33:35.407554Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T19:39:04.770Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WatchTowerHQ",
"vendor": "watchtowerhq",
"versions": [
{
"lessThanOrEqual": "3.10.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WatchTowerHQ plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.10.1. This is due to the \u0027watchtower_ota_token\u0027 default value is empty, and the not empty check is missing in the \u0027Password_Less_Access::login\u0027 function. This makes it possible for unauthenticated attackers to log in to the WatchTowerHQ client administrator user."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:52:14.608Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/50349086-e7b0-4f73-8722-1367cc05180e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/watchtowerhq/tags/3.9.6/src/Password_Less_Access.php#L56"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3177064/watchtowerhq#file2"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-10-12T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2024-10-12T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-10-25T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WatchTowerHQ \u003c= 3.10.1 - Authentication Bypass to Administrator due to Missing Empty Value Check"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-9933",
"datePublished": "2024-10-26T01:58:35.013Z",
"dateReserved": "2024-10-14T11:53:51.301Z",
"dateUpdated": "2026-04-08T16:52:14.608Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-25701 (GCVE-0-2023-25701)
Vulnerability from cvelistv5 – Published: 2024-05-17 06:40 – Updated: 2026-04-28 16:08
VLAI
Title
WordPress WatchTowerHQ plugin <= 3.6.16 - Privilege Escalation
Summary
Improper Privilege Management vulnerability in WhatArmy WatchTowerHQ allows Privilege Escalation.This issue affects WatchTowerHQ: from n/a through 3.6.16.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/wat… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| WhatArmy | WatchTowerHQ |
Affected:
n/a , ≤ 3.6.16
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25701",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-17T17:14:11.568760Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:18:43.815Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:32:11.183Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/watchtowerhq/wordpress-watchtowerhq-plugin-3-6-16-privilege-escalation?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "watchtowerhq",
"product": "WatchTowerHQ",
"vendor": "WhatArmy",
"versions": [
{
"changes": [
{
"at": "3.6.17",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.6.16",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Dave Jong (Patchstack)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Privilege Management vulnerability in WhatArmy WatchTowerHQ allows Privilege Escalation.\u003cp\u003eThis issue affects WatchTowerHQ: from n/a through 3.6.16.\u003c/p\u003e"
}
],
"value": "Improper Privilege Management vulnerability in WhatArmy WatchTowerHQ allows Privilege Escalation.This issue affects WatchTowerHQ: from n/a through 3.6.16."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:09.866Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/watchtowerhq/wordpress-watchtowerhq-plugin-3-6-16-privilege-escalation?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 3.6.17 or a higher version."
}
],
"value": "Update to 3.6.17 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WatchTowerHQ plugin \u003c= 3.6.16 - Privilege Escalation",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-25701",
"datePublished": "2024-05-17T06:40:37.582Z",
"dateReserved": "2023-02-13T04:13:47.557Z",
"dateUpdated": "2026-04-28T16:08:09.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-44583 (GCVE-0-2022-44583)
Vulnerability from cvelistv5 – Published: 2022-11-18 22:02 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress WatchTowerHQ plugin <= 3.6.15 - Unauth. Arbitrary File Download vulnerability
Summary
Unauth. Arbitrary File Download vulnerability in WatchTowerHQ plugin <= 3.6.15 on WordPress.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Arbitrary File Download
- CWE-552 - Files or Directories Accessible to External Parties
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| WhatArmy | WatchTowerHQ (WordPress plugin) |
Affected:
<= 3.6.15 , ≤ 3.6.15
(custom)
|
Date Public
2022-11-01 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:54:03.915Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/watchtowerhq/#developers"
},
{
"tags": [
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/watchtowerhq/wordpress-watchtowerhq-plugin-3-6-15-unauth-arbitrary-file-download-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-44583",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T14:19:41.612943Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T14:19:49.365Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WatchTowerHQ (WordPress plugin)",
"vendor": "WhatArmy",
"versions": [
{
"lessThanOrEqual": "3.6.15",
"status": "affected",
"version": "\u003c= 3.6.15",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Dave Jong (Patchstack)"
}
],
"datePublic": "2022-11-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Unauth. Arbitrary File Download vulnerability in WatchTowerHQ plugin \u003c= 3.6.15 on WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Arbitrary File Download",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:51.355Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"url": "https://wordpress.org/plugins/watchtowerhq/#developers"
},
{
"url": "https://patchstack.com/database/vulnerability/watchtowerhq/wordpress-watchtowerhq-plugin-3-6-15-unauth-arbitrary-file-download-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 3.6.16 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WatchTowerHQ plugin \u003c= 3.6.15 - Unauth. Arbitrary File Download vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-44583",
"datePublished": "2022-11-18T22:02:16.165Z",
"dateReserved": "2022-11-01T00:00:00.000Z",
"dateUpdated": "2026-04-28T16:07:51.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-44584 (GCVE-0-2022-44584)
Vulnerability from cvelistv5 – Published: 2022-11-18 22:01 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress WatchTowerHQ plugin <= 3.6.15 - Unauth. Arbitrary File Deletion vulnerability
Summary
Unauth. Arbitrary File Deletion vulnerability in WatchTowerHQ plugin <= 3.6.15 on WordPress.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Arbitrary File Deletion
- CWE-noinfo Not enough information
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| WhatArmy | WatchTowerHQ (WordPress plugin) |
Affected:
<= 3.6.15 , ≤ 3.6.15
(custom)
|
Date Public
2022-11-01 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:54:03.956Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/watchtowerhq/wordpress-watchtowerhq-plugin-3-6-15-unauth-arbitrary-file-deletion-vulnerability?_s_id=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/watchtowerhq/#developers"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-44584",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:14:56.332115Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T19:51:27.485Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WatchTowerHQ (WordPress plugin)",
"vendor": "WhatArmy",
"versions": [
{
"lessThanOrEqual": "3.6.15",
"status": "affected",
"version": "\u003c= 3.6.15",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Dave Jong (Patchstack)"
}
],
"datePublic": "2022-11-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Unauth. Arbitrary File Deletion vulnerability in WatchTowerHQ plugin \u003c= 3.6.15 on WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Arbitrary File Deletion",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:51.245Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"url": "https://patchstack.com/database/vulnerability/watchtowerhq/wordpress-watchtowerhq-plugin-3-6-15-unauth-arbitrary-file-deletion-vulnerability?_s_id=cve"
},
{
"url": "https://wordpress.org/plugins/watchtowerhq/#developers"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 3.6.16 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WatchTowerHQ plugin \u003c= 3.6.15 - Unauth. Arbitrary File Deletion vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-44584",
"datePublished": "2022-11-18T22:01:01.983Z",
"dateReserved": "2022-11-01T00:00:00.000Z",
"dateUpdated": "2026-04-28T16:07:51.245Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}