10up


Products by 10up Sorted by Most Security Vulnerabilities since 2018

10up Safe Svg: 4 vulnerabilities

10up Elasticpress: 3 vulnerabilities

10up Simple Local Avatars: 1 vulnerability

10up Simple Page Ordering: 1 vulnerability

By the Year

In 2026 there has been 1 vulnerability in 10up with an average score of 5.4 out of ten. Last year, in 2025, 10up had 3 security vulnerabilities published. At the current rates, it appears that the number of vulnerabilities last year and this year may equal out. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.73.




Year | Vulnerabilities | Average Score
2026 | 1 | 5.40
2025 | 3 | 4.67
2024 | 5 | 5.68
2023 | 2 | 4.30
2022 | 2 | 5.70
2021 | 0 | 0.00
2020 | 0 | 0.00
2019 | 2 | 0.00

It may take a day or so for new 10up vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent 10up Security Vulnerabilities

CVE-2026-25311, Feb 19, 2026
Auth Bypass in 10up Autoshare for Twitter <=2.3.1 (CVE-2026-25311)
Missing Authorization vulnerability in 10up Autoshare for Twitter autoshare-for-twitter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Autoshare for Twitter: from n/a through <= 2.3.1.
Products: Autoshare For Twitter

CVE-2025-67621, Dec 24, 2025
WordPress Eight Day Week Print Workflow <=1.2.5 Sensitive Data Disclosure
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in 10up Eight Day Week Print Workflow eight-day-week-print-workflow allows Retrieve Embedded Sensitive Data. This issue affects Eight Day Week Print Workflow: from n/a through <= 1.2.5.
Products: Eight Day Week Print Workflow

CVE-2025-10749, Oct 24, 2025
Unauthorized Arbitrary Media Deletion in Microsoft Azure Storage WP Plugin v4.5.1
The Microsoft Azure Storage for WordPress plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Deletion in all versions up to, and including, 4.5.1. This is due to missing capability checks on the 'azure-storage-media-replace' AJAX action. This makes it possible for authenticated attackers with subscriber-level access and above to delete arbitrary media files from the WordPress Media Library via the replace_attachment parameter, granted they can access the nonce, which is exposed to all authenticated users.
Products: Microsoft Azure Storage For Wordpress

CVE-2025-8482, Aug 12, 2025
Simple Local Avatars 2.8.4 Auth+Sub can tamper data migrate_from_wp_user_avatar
The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of data in version 2.8.4. This is due to a missing capability check on the migrate_from_wp_user_avatar() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to migrate avatar metadata for all users.

CVE-2023-32798, Dec 13, 2024
Missing Authorization in 10up Simple Page Ordering <=2.5.0
Missing Authorization vulnerability in 10up Simple Page Ordering simple-page-ordering allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Page Ordering: from n/a through <= 2.5.0.
Products: Simple Page Ordering

CVE-2024-10786, Nov 16, 2024
Simple Local Avatars Plugin: Unauthorized Cache Clear Vulnerability
The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the sla_clear_user_cache function in all versions up to, and including, 2.7.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear user caches.

CVE-2024-8378, Nov 07, 2024
Safe SVG WP Plugin <2.2.6 Bypasses Sanitisation
The Safe SVG WordPress plugin before 2.2.6 has its sanitisation code only running for paths that call wp_handle_upload, but not, for example, for code that uses wp_handle_sideload, which is often used to upload attachments via raw POST data.
Products: Safe Svg

CVE-2024-43116, Aug 26, 2024
CSRF in Simple Local Avatars <= 2.7.10
Cross-Site Request Forgery (CSRF) vulnerability in 10up Simple Local Avatars. This issue affects Simple Local Avatars: from n/a through 2.7.10.
Products: Simple Local Avatars

CVE-2024-35684, Jun 08, 2024
CSRF in 10up ElasticPress before 5.1.1
Cross-Site Request Forgery (CSRF) vulnerability in 10up ElasticPress elasticpress. This issue affects ElasticPress: from n/a through <= 5.1.1.
Products: Elasticpress

CVE-2021-4405, Jul 01, 2023
CVE-2021-4405: ElasticPress WP Plugin 3.5.3 XSRF via epio_send_autosuggest()
The ElasticPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.3. This is due to missing or incorrect nonce validation on the epio_send_autosuggest_allowed() function. This makes it possible for unauthenticated attackers to send allowed parameters for autosuggest to elasticpress[.]io via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Products: Elasticpress

CVE-2021-4342, Jun 07, 2023
Common Vulnerability in unspecified software (CVE-2021-4342)
** REJECT ** CVE split into individual CVE IDs for each software record.
Products: Elasticpress

CVE-2022-1613, Sep 26, 2022
Restricted Site Access WP plugin < 7.3.2 IP bypass via HTTP header precedence
The Restricted Site Access WordPress plugin before 7.3.2 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations in certain situations.
Products: Restricted Site Access

CVE-2022-1091, Apr 18, 2022
The sanitisation step of the Safe SVG WordPress plugin before 1.9.10
The sanitisation step of the Safe SVG WordPress plugin before 1.9.10 can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform the kinds of attacks that this plugin should prevent (mainly XSS, but depending on further use of uploaded SVG files potentially other XML attacks).
Products: Safe Svg

CVE-2019-18855, Nov 11, 2019
A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress
A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to potentially unwanted elements or attributes.
Products: Safe Svg

CVE-2019-18854, Nov 11, 2019
A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress
A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to unlimited recursion for a '<use ... xlink:href="#identifier">' substring.
Products: Safe Svg

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).