Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): Wordpress
- Search Type: Search All
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2023-2899 |
The Google Map Shortcode WordPress plugin through 3.1.2 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin Published: June 19, 2023; 7:15:10 AM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-2812 |
The Ultimate Dashboard WordPress plugin before 3.7.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) Published: June 19, 2023; 7:15:10 AM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-2811 |
The AI ChatBot WordPress plugin before 4.5.6 does not sanitise and escape numerous of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks to all admin when setting chatbot and all client when using chatbot Published: June 19, 2023; 7:15:10 AM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-2805 |
The SupportCandy WordPress plugin before 3.1.7 does not properly sanitise and escape the agents[] parameter in the set_add_agent_leaves AJAX function before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. Published: June 19, 2023; 7:15:10 AM -0400 |
V3.1: 7.2 HIGH V2.0:(not available) |
CVE-2023-2779 |
The Social Share, Social Login and Social Comments WordPress plugin before 7.13.52 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Published: June 19, 2023; 7:15:10 AM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2023-2751 |
The Upload Resume WordPress plugin through 1.2.0 does not validate the captcha parameter when uploading a resume via the resume_upload_form shortcode, allowing unauthenticated visitors to upload arbitrary media files to the site. Published: June 19, 2023; 7:15:10 AM -0400 |
V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2023-2742 |
The AI ChatBot WordPress plugin before 4.5.5 does not sanitize and escape its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Published: June 19, 2023; 7:15:10 AM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-2719 |
The SupportCandy WordPress plugin before 3.1.7 does not properly sanitise and escape the `id` parameter for an Agent in the REST API before using it in an SQL statement, leading to an SQL Injection exploitable by users with a role as low as Subscriber. Published: June 19, 2023; 7:15:10 AM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-2684 |
The File Renaming on Upload WordPress plugin before 2.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) Published: June 19, 2023; 7:15:10 AM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-2654 |
The Conditional Menus WordPress plugin before 1.2.1 does not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Published: June 19, 2023; 7:15:10 AM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2023-2600 |
The Custom Base Terms WordPress plugin before 1.0.3 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) Published: June 19, 2023; 7:15:10 AM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-2527 |
The Integration for Contact Form 7 and Zoho CRM, Bigin WordPress plugin before 1.2.4 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin Published: June 19, 2023; 7:15:10 AM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-2492 |
The QueryWall: Plug'n Play Firewall WordPress plugin through 1.1.1 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. Published: June 19, 2023; 7:15:10 AM -0400 |
V3.1: 7.2 HIGH V2.0:(not available) |
CVE-2023-2401 |
The QuBot WordPress plugin before 1.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). Published: June 19, 2023; 7:15:10 AM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-2399 |
The QuBot WordPress plugin before 1.1.6 doesn't filter user input on chat, leading to bad code inserted on it be reflected on the user dashboard. Published: June 19, 2023; 7:15:10 AM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2023-2359 |
The Slider Revolution WordPress plugin through 6.6.12 does not check for valid image files upon import, leading to an arbitrary file upload which may be escalated to Remote Code Execution in some server configurations. Published: June 19, 2023; 7:15:10 AM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-2221 |
The WP Custom Cursors WordPress plugin before 3.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin. Published: June 19, 2023; 7:15:09 AM -0400 |
V3.1: 7.2 HIGH V2.0:(not available) |
CVE-2023-0489 |
The SlideOnline WordPress plugin through 1.2.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Published: June 19, 2023; 7:15:09 AM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-0368 |
The Responsive Tabs For WPBakery Page Builder (formerly Visual Composer) WordPress plugin through 1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Published: June 19, 2023; 7:15:09 AM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-3295 |
The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) for WordPress is vulnerable to arbitrary file uploads due to missing file type validation of files in the file manager functionality in versions up to, and including, 1.5.66 . This makes it possible for authenticated attackers, with contributor-level permissions and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The issue was partially patched in version 1.5.66 and fully patched in 1.5.67 Published: June 16, 2023; 10:15:08 PM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |