Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): WordPress
- Search Type: Search All
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2023-5605 |
The URL Shortify WordPress plugin before 1.7.9.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) Published: November 06, 2023; 4:15:10 PM -0500 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-5601 |
The WooCommerce Ninja Forms Product Add-ons WordPress plugin before 1.7.1 does not validate the file to be uploaded, allowing any unauthenticated users to upload arbitrary files to the server, leading to RCE. Published: November 06, 2023; 4:15:10 PM -0500 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-5530 |
The Ninja Forms Contact Form WordPress plugin before 3.6.34 does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored XSS attacks. Only users with the unfiltered_html capability can perform this, and such users are already allowed to use JS in posts/comments etc however the vendor acknowledged and fixed the issue Published: November 06, 2023; 4:15:10 PM -0500 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-5454 |
The Templately WordPress plugin before 2.2.6 does not properly authorize the `saved-templates/delete` REST API call, allowing unauthenticated users to delete arbitrary posts. Published: November 06, 2023; 4:15:09 PM -0500 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2023-5355 |
The Awesome Support WordPress plugin before 6.1.5 does not sanitize file paths when deleting temporary attachment files, allowing a ticket submitter to delete arbitrary files on the server. Published: November 06, 2023; 4:15:09 PM -0500 |
V3.1: 8.1 HIGH V2.0:(not available) |
CVE-2023-5354 |
The Awesome Support WordPress plugin before 6.1.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Published: November 06, 2023; 4:15:09 PM -0500 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2023-5352 |
The Awesome Support WordPress plugin before 6.1.5 does not correctly authorize the wpas_edit_reply function, allowing users to edit posts for which they do not have permission. Published: November 06, 2023; 4:15:09 PM -0500 |
V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2023-5228 |
The User Registration WordPress plugin before 3.0.4.2 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). Published: November 06, 2023; 4:15:09 PM -0500 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-5181 |
The WP Discord Invite WordPress plugin before 2.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) Published: November 06, 2023; 4:15:09 PM -0500 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-5082 |
The History Log by click5 WordPress plugin before 1.0.13 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when using the Smash Balloon Social Photo Feed plugin alongside it. Published: November 06, 2023; 4:15:09 PM -0500 |
V3.1: 7.2 HIGH V2.0:(not available) |
CVE-2023-4930 |
The Front End PM WordPress plugin before 11.4.3 does not block listing the contents of the directories where it stores attachments to private messages, allowing unauthenticated visitors to list and download private attachments if the autoindex feature of the web server is enabled. Published: November 06, 2023; 4:15:09 PM -0500 |
V3.1: 6.5 MEDIUM V2.0:(not available) |
CVE-2023-4858 |
The Simple Table Manager WordPress plugin through 1.5.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). Published: November 06, 2023; 4:15:08 PM -0500 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-4810 |
The Responsive Pricing Table WordPress plugin before 5.1.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) Published: November 06, 2023; 4:15:08 PM -0500 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-46823 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Avirtum ImageLinks Interactive Image Builder for WordPress allows SQL Injection.This issue affects ImageLinks Interactive Image Builder for WordPress: from n/a through 1.5.4. Published: November 06, 2023; 5:15:08 AM -0500 |
V3.1: 7.2 HIGH V2.0:(not available) |
CVE-2023-45074 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Page Visit Counter Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress allows SQL Injection.This issue affects Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress: from n/a through 7.1.1. Published: November 06, 2023; 4:15:08 AM -0500 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-45069 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Video Gallery by Total-Soft Video Gallery – Best WordPress YouTube Gallery Plugin allows SQL Injection.This issue affects Video Gallery – Best WordPress YouTube Gallery Plugin: from n/a through 2.1.3. Published: November 06, 2023; 4:15:08 AM -0500 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-35911 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Creative Solutions Contact Form Generator : Creative form builder for WordPress allows SQL Injection.This issue affects Contact Form Generator : Creative form builder for WordPress: from n/a through 2.6.0. Published: November 06, 2023; 4:15:07 AM -0500 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-35910 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nucleus_genius Quasar form free – Contact Form Builder for WordPress allows SQL Injection.This issue affects Quasar form free – Contact Form Builder for WordPress: from n/a through 6.0. Published: November 03, 2023; 8:15:08 PM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-36529 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Favethemes Houzez - Real Estate WordPress Theme allows SQL Injection.This issue affects Houzez - Real Estate WordPress Theme: from n/a through 1.3.4. Published: November 03, 2023; 1:15:08 PM -0400 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-32121 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Highfivery LLC Zero Spam for WordPress allows SQL Injection.This issue affects Zero Spam for WordPress: from n/a through 5.4.4. Published: November 03, 2023; 1:15:08 PM -0400 |
V3.1: 7.2 HIGH V2.0:(not available) |