Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): Wordpress
- Search Type: Search All
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2023-4239 |
The Real Estate Manager plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 6.7.1 due to insufficient restriction on the 'rem_save_profile_front' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update. Published: August 08, 2023; 11:15:45 PM -0400 |
V3.1: 6.5 MEDIUM V2.0:(not available) |
CVE-2023-24413 |
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in I Thirteen Web Solution WordPress vertical image slider plugin <= 1.2.16 versions. Published: August 08, 2023; 8:15:10 AM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2023-32503 |
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in GTmetrix GTmetrix for WordPress plugin <= 0.4.6 versions. Published: August 08, 2023; 7:15:11 AM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2023-3671 |
The MultiParcels Shipping For WooCommerce WordPress plugin before 1.15.4 does not sanitise and escape various parameters before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Published: August 07, 2023; 11:15:11 AM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2023-3650 |
The Bubble Menu WordPress plugin before 3.0.5 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup). Published: August 07, 2023; 11:15:11 AM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-3575 |
The Quiz And Survey Master WordPress plugin before 8.1.11 does not properly sanitize and escape question titles, which could allow users with the Contributor role and above to perform Stored Cross-Site Scripting attacks Published: August 07, 2023; 11:15:11 AM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-3524 |
The WPCode WordPress plugin before 2.0.13.1 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting Published: August 07, 2023; 11:15:11 AM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2023-3492 |
The WP Shopping Pages WordPress plugin through 1.14 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. Published: August 07, 2023; 11:15:11 AM -0400 |
V3.1: 6.8 MEDIUM V2.0:(not available) |
CVE-2023-3365 |
The MultiParcels Shipping For WooCommerce WordPress plugin before 1.14.14 does not have authorisation when deleting shipment, allowing any authenticated users, such as subscriber to delete arbitrary shipment Published: August 07, 2023; 11:15:11 AM -0400 |
V3.1: 8.1 HIGH V2.0:(not available) |
CVE-2023-2843 |
The MultiParcels Shipping For WooCommerce WordPress plugin before 1.14.15 does not properly sanitize and escape a parameter before using it in an SQL statement, which could allow any authenticated users, such as subscribers, to perform SQL Injection attacks. Published: August 07, 2023; 11:15:10 AM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-0604 |
The WP Food Manager WordPress plugin before 1.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) Published: August 07, 2023; 11:15:10 AM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2021-24916 |
The Qubely WordPress plugin before 1.8.6 allows unauthenticated user to send arbitrary e-mails to arbitrary addresses via the qubely_send_form_data AJAX action. Published: August 07, 2023; 11:15:10 AM -0400 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2023-4142 |
The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus1' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin settings, to execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files, please note that this means remote code execution is still possible for site administrators, use the plugin with caution. Published: August 03, 2023; 11:15:14 PM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-4141 |
The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus2' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin settings, to create a PHP file and execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files, please note that this means php file creation is still allowed for site administrators, use the plugin with caution. Published: August 03, 2023; 11:15:14 PM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-4140 |
The WP Ultimate CSV Importer plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 7.9.8 due to insufficient restriction on the 'get_header_values' function. This makes it possible for authenticated attackers, with minimal permissions such as an author, if the administrator previously grants access in the plugin settings, to modify their user role by supplying the 'wp_capabilities->cus1' parameter. Published: August 03, 2023; 11:15:14 PM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-4139 |
The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Sensitive Information Exposure via Directory Listing due to missing restriction in export folder indexing in versions up to, and including, 7.9.8. This makes it possible for unauthenticated attackers to list and view exported files. Published: August 03, 2023; 11:15:13 PM -0400 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2023-4067 |
The Bus Ticket Booking with Seat Reservation plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab_date' and 'tab_date_r' parameters in versions up to, and including, 5.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Published: August 02, 2023; 5:15:14 AM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2023-3508 |
The WooCommerce Pre-Orders WordPress plugin before 2.0.3 has a flawed CSRF check when processing its tab actions, which could allow attackers to make logged in admins email pre-orders customer, change the released date, mark all pre-orders of a specific product as complete or cancel via CSRF attacks Published: July 31, 2023; 6:15:10 AM -0400 |
V3.1: 6.5 MEDIUM V2.0:(not available) |
CVE-2023-3507 |
The WooCommerce Pre-Orders WordPress plugin before 2.0.3 has a flawed CSRF check when canceling pre-orders, which could allow attackers to make logged in admins cancel arbitrary pre-orders via a CSRF attack Published: July 31, 2023; 6:15:10 AM -0400 |
V3.1: 6.5 MEDIUM V2.0:(not available) |
CVE-2023-3345 |
The LMS by Masteriyo WordPress plugin before 1.6.8 does not properly safeguards sensitive user information, like other user's email addresses, making it possible for any students to leak them via some of the plugin's REST API endpoints. Published: July 31, 2023; 6:15:10 AM -0400 |
V3.1: 6.5 MEDIUM V2.0:(not available) |