Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): Wordpress
- Search Type: Search All
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2021-4407 |
The Custom Banners plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2.2 This is due to missing or incorrect nonce validation on the saveCustomFields() function. This makes it possible for unauthenticated attackers to save custom fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Published: July 12, 2023; 12:15:10 AM -0400 |
V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2020-36750 |
The EWWW Image Optimizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.8.1. This is due to missing or incorrect nonce validation on the ewww_ngg_bulk_init() function. This makes it possible for unauthenticated attackers to perform bulk image optimization via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Published: July 12, 2023; 12:15:10 AM -0400 |
V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2023-34029 |
Cross-Site Request Forgery (CSRF) vulnerability in Prem Tiwari Disable WordPress Update Notifications and auto-update Email Notifications plugin <= 2.3.3 versions. Published: July 11, 2023; 9:15:09 AM -0400 |
V3.1: 6.5 MEDIUM V2.0:(not available) |
CVE-2023-25706 |
Cross-Site Request Forgery (CSRF) vulnerability in Pagup WordPress Robots.Txt optimization plugin <= 1.4.5 versions. Published: July 11, 2023; 9:15:09 AM -0400 |
V3.1: 6.5 MEDIUM V2.0:(not available) |
CVE-2023-34185 |
Cross-Site Request Forgery (CSRF) vulnerability in John Brien WordPress NextGen GalleryView plugin <= 0.5.5 versions. Published: July 11, 2023; 8:15:09 AM -0400 |
V3.1: 6.5 MEDIUM V2.0:(not available) |
CVE-2023-37391 |
Cross-Site Request Forgery (CSRF) vulnerability in WPMobilePack.Com WordPress Mobile Pack – Mobile Plugin for Progressive Web Apps & Hybrid Mobile Apps plugin <= 3.4.1 versions. Published: July 11, 2023; 6:15:11 AM -0400 |
V3.1: 6.5 MEDIUM V2.0:(not available) |
CVE-2022-45823 |
Cross-Site Request Forgery (CSRF) vulnerability in GalleryPlugins Video Contest WordPress plugin <= 3.2 versions. Published: July 11, 2023; 4:15:09 AM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-2079 |
The "Buy Me a Coffee – Button and Widget Plugin" plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the recieve_post, bmc_disconnect, name_post, and widget_post functions in versions up to, and including, 3.7. This makes it possible for unauthenticated attackers to update the plugins settings, via a forged request granted the attacker can trick a site's administrator into performing an action such as clicking on a link. Published: July 10, 2023; 11:15:09 PM -0400 |
V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2023-2078 |
The "Buy Me a Coffee – Button and Widget Plugin" plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the recieve_post, bmc_disconnect, name_post, and widget_post functions in versions up to, and including, 3.7. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to update the plugins settings. CVE-2023-25030 may be a duplicate of this issue. Published: July 10, 2023; 11:15:09 PM -0400 |
V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2023-3225 |
The Float menu WordPress plugin before 5.0.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) Published: July 10, 2023; 12:15:55 PM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-3219 |
The EventON WordPress plugin before 2.1.2 does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post. Published: July 10, 2023; 12:15:55 PM -0400 |
V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2023-3209 |
The MStore API WordPress plugin before 3.9.7 does not secure most of its AJAX actions by implementing privilege checks, nonce checks, or a combination of both. Published: July 10, 2023; 12:15:55 PM -0400 |
V3.1: 3.5 LOW V2.0:(not available) |
CVE-2023-3175 |
The AI ChatBot WordPress plugin before 4.6.1 does not adequately escape some settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Published: July 10, 2023; 12:15:55 PM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-3131 |
The MStore API WordPress plugin before 3.9.7 does not secure most of its AJAX actions by implementing privilege checks, nonce checks, or a combination of both. Published: July 10, 2023; 12:15:55 PM -0400 |
V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2023-3129 |
The URL Shortify WordPress plugin before 1.7.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) Published: July 10, 2023; 12:15:55 PM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-3118 |
The Export All URLs WordPress plugin before 4.6 does not sanitise and escape a parameter before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Published: July 10, 2023; 12:15:54 PM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2023-3077 |
The MStore API WordPress plugin before 3.9.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to a Blind SQL injection exploitable by unauthenticated users. This is only exploitable if the site owner elected to pay to get access to the plugins' pro features, and uses the woocommerce-appointments plugin. Published: July 10, 2023; 12:15:54 PM -0400 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-3076 |
The MStore API WordPress plugin before 3.9.9 does not prevent visitors from creating user accounts with the role of their choice via their wholesale REST API endpoint. This is only exploitable if the site owner paid to access the plugin's pro features. Published: July 10, 2023; 12:15:54 PM -0400 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-2967 |
The TinyMCE Custom Styles WordPress plugin before 1.1.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). Published: July 10, 2023; 12:15:51 PM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-2964 |
The Simple Iframe WordPress plugin before 1.2.0 does not properly validate one of its WordPress block attribute's content, which may allow users whose role is at least that of a contributor to conduct Stored Cross-Site Scripting attacks. Published: July 10, 2023; 12:15:51 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |