Plugin Vulnerability Hub
Plugin | 11 known issues | Latest disclosed: Mar 20, 2024

Advanced Access Manager – Access Governance for WordPress Vulnerabilities

Review known vulnerability records for the WordPress plugin Advanced Access Manager – Access Governance for WordPress (`advanced-access-manager`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2024-29127, CVE-2024-29124 and CVE-2023-51675, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 11
High or Critical: 4
Patch Coverage: 100%
Last Updated: Oct 16, 2024

Priority CVE Quick Links

Fast paths into Advanced Access Manager – Access Governance for WordPress CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs: 10

CVE-2019-25213 | Severity: Critical | Patched in: 5.9.9
CVE-2019-25213 Advanced Access Manager – Access Governance for WordPress Vulnerability

Advanced Access Manager <= 5.9.8.1 - Unauthenticated Arbitrary File Read

CVE-2020-35935 | Severity: High | Patched in: 6.6.2
CVE-2020-35935 Advanced Access Manager – Access Governance for WordPress Authorization Bypass

Advanced Access Manager <= 6.6.1 - Authenticated Authorization Bypass and Privilege Escalation

CVE-2014-6059 | Severity: High | Patched in: 2.8.3
CVE-2014-6059 Advanced Access Manager – Access Governance for WordPress Vulnerability

Advanced Access Manager <= 2.8.2 - Arbitrary File Overwrite

CVE-2023-51674 | Severity: Medium | Patched in: 6.9.19
CVE-2023-51674 Advanced Access Manager – Access Governance for WordPress Stored Cross-Site Scripting

Advanced Access Manager <= 6.9.18 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

CVE-2023-50881 | Severity: Medium | Patched in: 6.9.16
CVE-2023-50881 Advanced Access Manager – Access Governance for WordPress Stored Cross-Site Scripting

Advanced Access Manager <= 6.9.15 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2024-29127 | Severity: Medium | Patched in: 6.9.21
CVE-2024-29127 Advanced Access Manager – Access Governance for WordPress Cross-Site Scripting

Advanced Access Manager <= 6.9.20 - Reflected Cross-Site Scripting

CVE-2024-29124 | Severity: Medium | Patched in: 6.9.21
CVE-2024-29124 Advanced Access Manager – Access Governance for WordPress Stored Cross-Site Scripting

Advanced Access Manager <= 6.9.20 - Authenticated (Administrator+) Stored Cross-Site Scripting

CVE-2021-24830 | Severity: Medium | Patched in: 6.8.0
CVE-2021-24830 Advanced Access Manager – Access Governance for WordPress Stored Cross-Site Scripting

Advanced Access Manager <= 6.7.9 - Admin+ Stored Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Advanced Access Manager – Access Governance for WordPress so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 11 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 1 critical and 3 high severity findings.
Recent CVEs: CVE-2024-29127, CVE-2024-29124 and CVE-2023-51675
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Advanced Access Manager – Access Governance for WordPress

Sorted by latest disclosure date so newly published issues surface first.

Plugin | Severity: Medium | Patched: Yes | CVE-2024-29127
CVE-2024-29127: Advanced Access Manager <= 6.9.20 - Reflected Cross-Site Scripting

The Advanced Access Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 6.9.20 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scrip...

Published: Mar 20, 2024
Patched Release: 6.9.21
Affected Versions: Versions up to 6.9.20
Next Step: Update to 6.9.21 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2024-29124
CVE-2024-29124: Advanced Access Manager <= 6.9.20 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 6.9.20 due to insufficient input sanitization and output escaping...

Published: Mar 16, 2024
Patched Release: 6.9.21
Affected Versions: Versions up to 6.9.20
Next Step: Update to 6.9.21 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2023-51675
CVE-2023-51675: Advanced Access Manager <= 6.9.18 - Authenticated (Author+) Open Redirect

The Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 6.9.18. This is due to insufficient validation on the redirect url supplied via params->redirect p...

Published: Dec 27, 2023
Patched Release: 6.9.19
Affected Versions: Versions up to 6.9.18
Next Step: Update to 6.9.19 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2023-51674
CVE-2023-51674: Advanced Access Manager <= 6.9.18 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Advanced Access Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 6.9.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

Published: Dec 27, 2023
Patched Release: 6.9.19
Affected Versions: Versions up to 6.9.18
Next Step: Update to 6.9.19 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2023-50881
CVE-2023-50881: Advanced Access Manager <= 6.9.15 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Advanced Access Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in all versions up to, and including, 6.9.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

Published: Dec 26, 2023
Patched Release: 6.9.16
Affected Versions: Versions up to 6.9.15
Next Step: Update to 6.9.16 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2021-24830
CVE-2021-24830: Advanced Access Manager <= 6.7.9 - Admin+ Stored Cross-Site Scripting

The Advanced Access Manager WordPress plugin before 6.8.0 does not escape some of its settings when outputting them, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Published: Oct 19, 2021
Patched Release: 6.8.0
Affected Versions: Versions before 6.8.0
Next Step: Update to 6.8.0 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2020-35934
CVE-2020-35934: Advanced Access Manager <= 6.6.1 - Authenticated Information Disclosure

The Advanced Access Manager plugin before 6.6.2 for WordPress displays the unfiltered user object (including all metadata) upon login via the REST API (aam/v1/authenticate or aam/v2/authenticate). This is a security problem if this object stores information that the user is not s...

Published: Aug 20, 2020
Patched Release: 6.6.2
Affected Versions: Versions up to 6.6.1
Next Step: Update to 6.6.2 or newer if supported.

Plugin | Severity: High | Patched: Yes | CVE-2020-35935
CVE-2020-35935: Advanced Access Manager <= 6.6.1 - Authenticated Authorization Bypass and Privilege Escalation

The Advanced Access Manager plugin before 6.6.2 for WordPress allows privilege escalation on profile updates via the aam_user_roles POST parameter if Multiple Role support is enabled. (The mechanism for deciding whether a user was entitled to add a role did not work in various cu...

Published: Aug 14, 2020
Patched Release: 6.6.2
Affected Versions: Versions up to 6.6.1
Next Step: Update to 6.6.2 or newer if supported.

Plugin | Severity: Critical | Patched: Yes | CVE-2019-25213
CVE-2019-25213: Advanced Access Manager <= 5.9.8.1 - Unauthenticated Arbitrary File Read

The Advanced Access Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read in versions up to, and including, 5.9.8.1 due to insufficient validation on the aam-media parameter. This allows unauthenticated attackers to read any file on the server, includi...

Published: Sep 09, 2019
Patched Release: 5.9.9
Affected Versions: Versions before 5.9.9
Next Step: Update to 5.9.9 or newer if supported.

Plugin | Severity: High | Patched: Yes
Advanced Access Manager <= 3.2.1 - Unrestricted AJAX Actions allowing Privilege Escalation

The Advanced Access Manager plugin for WordPress does not use capability checks on any of its registered AJAX actions. This allows authenticated attackers with any privilege level, including subscribers, to perform actions including elevating their privileges to those of an admin...

Published: Jun 21, 2016
Patched Release: 3.2.2
Affected Versions: Versions before 3.2.2
Next Step: Update to 3.2.2 or newer if supported.

Plugin | Severity: High | Patched: Yes | CVE-2014-6059
CVE-2014-6059: Advanced Access Manager <= 2.8.2 - Arbitrary File Overwrite

WordPress Advanced Access Manager Plugin before 2.8.2 has an Arbitrary File Overwrite Vulnerability

Published: Aug 20, 2014
Patched Release: 2.8.3
Affected Versions: Versions before 2.8.3
Next Step: Update to 2.8.3 or newer if supported.