U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Wordpress
  • Search Type: Search All
There are 8,315 matching records.
Displaying matches 1,621 through 1,640.
Vuln ID Summary CVSS Severity
CVE-2023-4239

The Real Estate Manager plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 6.7.1 due to insufficient restriction on the 'rem_save_profile_front' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update.

Published: August 08, 2023; 11:15:45 PM -0400
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2023-24413

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in I Thirteen Web Solution WordPress vertical image slider plugin <= 1.2.16 versions.

Published: August 08, 2023; 8:15:10 AM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-32503

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in GTmetrix GTmetrix for WordPress plugin <= 0.4.6 versions.

Published: August 08, 2023; 7:15:11 AM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-3671

The MultiParcels Shipping For WooCommerce WordPress plugin before 1.15.4 does not sanitise and escape various parameters before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Published: August 07, 2023; 11:15:11 AM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-3650

The Bubble Menu WordPress plugin before 3.0.5 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).

Published: August 07, 2023; 11:15:11 AM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2023-3575

The Quiz And Survey Master WordPress plugin before 8.1.11 does not properly sanitize and escape question titles, which could allow users with the Contributor role and above to perform Stored Cross-Site Scripting attacks

Published: August 07, 2023; 11:15:11 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-3524

The WPCode WordPress plugin before 2.0.13.1 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting

Published: August 07, 2023; 11:15:11 AM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-3492

The WP Shopping Pages WordPress plugin through 1.14 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

Published: August 07, 2023; 11:15:11 AM -0400
V3.1: 6.8 MEDIUM
V2.0:(not available)
CVE-2023-3365

The MultiParcels Shipping For WooCommerce WordPress plugin before 1.14.14 does not have authorisation when deleting shipment, allowing any authenticated users, such as subscriber to delete arbitrary shipment

Published: August 07, 2023; 11:15:11 AM -0400
V3.1: 8.1 HIGH
V2.0:(not available)
CVE-2023-2843

The MultiParcels Shipping For WooCommerce WordPress plugin before 1.14.15 does not properly sanitize and escape a parameter before using it in an SQL statement, which could allow any authenticated users, such as subscribers, to perform SQL Injection attacks.

Published: August 07, 2023; 11:15:10 AM -0400
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2023-0604

The WP Food Manager WordPress plugin before 1.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Published: August 07, 2023; 11:15:10 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2021-24916

The Qubely WordPress plugin before 1.8.6 allows unauthenticated user to send arbitrary e-mails to arbitrary addresses via the qubely_send_form_data AJAX action.

Published: August 07, 2023; 11:15:10 AM -0400
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2023-4142

The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus1' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin settings, to execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files, please note that this means remote code execution is still possible for site administrators, use the plugin with caution.

Published: August 03, 2023; 11:15:14 PM -0400
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2023-4141

The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus2' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin settings, to create a PHP file and execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files, please note that this means php file creation is still allowed for site administrators, use the plugin with caution.

Published: August 03, 2023; 11:15:14 PM -0400
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2023-4140

The WP Ultimate CSV Importer plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 7.9.8 due to insufficient restriction on the 'get_header_values' function. This makes it possible for authenticated attackers, with minimal permissions such as an author, if the administrator previously grants access in the plugin settings, to modify their user role by supplying the 'wp_capabilities->cus1' parameter.

Published: August 03, 2023; 11:15:14 PM -0400
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2023-4139

The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Sensitive Information Exposure via Directory Listing due to missing restriction in export folder indexing in versions up to, and including, 7.9.8. This makes it possible for unauthenticated attackers to list and view exported files.

Published: August 03, 2023; 11:15:13 PM -0400
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2023-4067

The Bus Ticket Booking with Seat Reservation plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab_date' and 'tab_date_r' parameters in versions up to, and including, 5.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Published: August 02, 2023; 5:15:14 AM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-3508

The WooCommerce Pre-Orders WordPress plugin before 2.0.3 has a flawed CSRF check when processing its tab actions, which could allow attackers to make logged in admins email pre-orders customer, change the released date, mark all pre-orders of a specific product as complete or cancel via CSRF attacks

Published: July 31, 2023; 6:15:10 AM -0400
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2023-3507

The WooCommerce Pre-Orders WordPress plugin before 2.0.3 has a flawed CSRF check when canceling pre-orders, which could allow attackers to make logged in admins cancel arbitrary pre-orders via a CSRF attack

Published: July 31, 2023; 6:15:10 AM -0400
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2023-3345

The LMS by Masteriyo WordPress plugin before 1.6.8 does not properly safeguards sensitive user information, like other user's email addresses, making it possible for any students to leak them via some of the plugin's REST API endpoints.

Published: July 31, 2023; 6:15:10 AM -0400
V3.1: 6.5 MEDIUM
V2.0:(not available)