Search Results
- Results Type: Overview
- Keyword (text search): Wordpress
- Search Type: Search All
| Vuln ID | Summary | CVSS Severity |
|---|---|---|
| CVE-2023-5232 | The Font Awesome More Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'icon' shortcode in versions up to, and including, 3.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: September 28, 2023; 1:15:46 AM -0400 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
| CVE-2023-5230 | The TM WooCommerce Compare & Wishlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'tm_woo_wishlist_table' shortcode in versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: September 28, 2023; 1:15:46 AM -0400 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
| CVE-2023-5162 | The Options for Twenty Seventeen plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'social-links' shortcode in versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: September 27, 2023; 11:19:41 AM -0400 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
| CVE-2023-5161 | The Modal Window plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 5.3.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: September 27, 2023; 11:19:41 AM -0400 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
| CVE-2023-5135 | The Simple Cloudflare Turnstile plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'gravity-simple-turnstile' shortcode in versions up to, and including, 1.23.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: September 27, 2023; 11:19:41 AM -0400 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
| CVE-2023-4506 | The Active Directory Integration / LDAP Integration plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 4.1.10. This is due to insufficient validation when changing the LDAP server. This makes it possible for authenticated attackers, with administrative access and above, to change the LDAP server and retrieve the credentials for the original LDAP server. Published: September 27, 2023; 11:19:40 AM -0400 | V3.1: 6.5 MEDIUM; V2.0: (not available) |
| CVE-2023-4505 | The Staff / Employee Business Directory for Active Directory plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 1.2.3. This is due to insufficient validation when changing the LDAP server. This makes it possible for authenticated attackers, with administrative access and above, to change the LDAP server and retrieve the credentials for the original LDAP server. Published: September 27, 2023; 11:19:40 AM -0400 | V3.1: 4.9 MEDIUM; V2.0: (not available) |
| CVE-2023-4423 | The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.1.37.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. Published: September 27, 2023; 11:19:40 AM -0400 | V3.1: 4.8 MEDIUM; V2.0: (not available) |
| CVE-2023-41241 | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in SureCart WordPress Ecommerce For Creating Fast Online Stores plugin <= 2.5.0 versions. Published: September 27, 2023; 11:19:28 AM -0400 | V3.1: 4.8 MEDIUM; V2.0: (not available) |
| CVE-2023-4631 | The DoLogin Security WordPress plugin before 3.7 uses headers such as the X-Forwarded-For to retrieve the IP address of the request, which could lead to IP spoofing. Published: September 25, 2023; 12:15:15 PM -0400 | V3.1: 5.3 MEDIUM; V2.0: (not available) |
| CVE-2023-4549 | The DoLogin Security WordPress plugin before 3.7 does not properly sanitize IP addresses coming from the X-Forwarded-For header, which can be used by attackers to conduct Stored XSS attacks via WordPress' login form. Published: September 25, 2023; 12:15:15 PM -0400 | V3.1: 6.1 MEDIUM; V2.0: (not available) |
| CVE-2023-4521 | The Import XML and RSS Feeds WordPress plugin before 2.1.5 contains a web shell, allowing unauthenticated attackers to perform RCE. The plugin/vendor was not compromised and the files are the result of running a PoC for a previously reported issue (https://wpscan.com/vulnerability/d4220025-2272-4d5f-9703-4b2ac4a51c42) and not deleting the created files when releasing the new version. Published: September 25, 2023; 12:15:15 PM -0400 | V3.1: 9.8 CRITICAL; V2.0: (not available) |
| CVE-2023-4502 | The Translate WordPress with GTranslate WordPress plugin before 3.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). This vulnerability affects multiple parameters. Published: September 25, 2023; 12:15:15 PM -0400 | V3.1: 4.8 MEDIUM; V2.0: (not available) |
| CVE-2023-4490 | The WP Job Portal WordPress plugin before 2.0.6 does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users. Published: September 25, 2023; 12:15:15 PM -0400 | V3.1: 9.8 CRITICAL; V2.0: (not available) |
| CVE-2023-4476 | The Locatoraid Store Locator WordPress plugin before 3.9.24 does not sanitise and escape the lpr-search parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Published: September 25, 2023; 12:15:15 PM -0400 | V3.1: 6.1 MEDIUM; V2.0: (not available) |
| CVE-2023-4300 | The Import XML and RSS Feeds WordPress plugin before 2.1.4 does not filter file extensions for uploaded files, allowing an attacker to upload a malicious PHP file, leading to Remote Code Execution. Published: September 25, 2023; 12:15:15 PM -0400 | V3.1: 7.2 HIGH; V2.0: (not available) |
| CVE-2023-4281 | The Activity Log WordPress plugin before 2.8.8 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic. Published: September 25, 2023; 12:15:14 PM -0400 | V3.1: 5.3 MEDIUM; V2.0: (not available) |
| CVE-2023-4238 | The Prevent files / folders access WordPress plugin before 2.5.2 does not validate files to be uploaded, which could allow attackers to upload arbitrary files such as PHP on the server. Published: September 25, 2023; 12:15:14 PM -0400 | V3.1: 7.2 HIGH; V2.0: (not available) |
| CVE-2023-4148 | The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Published: September 25, 2023; 12:15:14 PM -0400 | V3.1: 6.1 MEDIUM; V2.0: (not available) |
| CVE-2023-3664 | The FileOrganizer WordPress plugin through 1.0.2 does not restrict functionality on multisite instances, allowing site admins to gain full control over the server. Published: September 25, 2023; 12:15:14 PM -0400 | V3.1: 7.2 HIGH; V2.0: (not available) |