Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): Wordpress
- Search Type: Search All
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2023-1330 |
The Redirection WordPress plugin before 1.1.4 does not add nonce verification in place when adding the redirect, which could allow attackers to add redirects via a CSRF attack. Published: April 03, 2023; 11:15:19 AM -0400 |
V3.1: 6.5 MEDIUM V2.0:(not available) |
CVE-2023-1124 |
The Shopping Cart & eCommerce Store WordPress plugin before 5.4.3 does not validate HTTP requests, allowing authenticated users with admin privileges to perform LFI attacks. Published: April 03, 2023; 11:15:18 AM -0400 |
V3.1: 7.2 HIGH V2.0:(not available) |
CVE-2023-0820 |
The User Role by BestWebSoft WordPress plugin before 1.6.7 does not protect against CSRF in requests to update role capabilities, leading to arbitrary privilege escalation of any role. Published: April 03, 2023; 11:15:18 AM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-0399 |
The Image Over Image For WPBakery Page Builder WordPress plugin before 3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Published: April 03, 2023; 11:15:18 AM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-25040 |
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Vova Anokhin WordPress Shortcodes Plugin — Shortcodes Ultimate plugin <= 5.12.6 versions. Published: March 30, 2023; 8:15:07 AM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-23677 |
Reflected Cross-Site Scripting (XSS) vulnerability in GTmetrix GTmetrix for WordPress plugin <= 0.4.5 versions. Published: March 30, 2023; 7:15:07 AM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2023-23670 |
Auth. (contributor+) Cross-Site Scripting (XSS) vulnerability in Team Heateor Fancy Comments WordPress plugin <= 1.2.10 versions. Published: March 30, 2023; 7:15:06 AM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-1575 |
The Mega Main Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via some of its settings parameters in versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. Published: March 29, 2023; 11:15:07 AM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-1509 |
The GMAce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.2. This is due to missing nonce validation on the gmace_manager_server function called via the wp_ajax_gmace_manager AJAX action. This makes it possible for unauthenticated attackers to modify arbitrary files and achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Published: March 29, 2023; 7:15:07 AM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2022-46848 |
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Themeisle Visualizer: Tables and Charts Manager for WordPress plugin <= 3.9.1 versions. Published: March 28, 2023; 4:15:07 AM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-1400 |
The Modern Events Calendar Lite WordPress plugin before 6.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). Published: March 27, 2023; 12:15:09 PM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-1093 |
The OAuth Single Sign On WordPress plugin before 6.24.2 does not have CSRF checks when discarding Identify providers (IdP), which could allow attackers to make logged in admins delete all IdP via a CSRF attack Published: March 27, 2023; 12:15:09 PM -0400 |
V3.1: 6.5 MEDIUM V2.0:(not available) |
CVE-2023-1092 |
The OAuth Single Sign On Free WordPress plugin before 6.24.2, OAuth Single Sign On Standard WordPress plugin before 28.4.9, OAuth Single Sign On Premium WordPress plugin before 38.4.9 and OAuth Single Sign On Enterprise WordPress plugin before 48.4.9 do not have CSRF checks when deleting Identity Providers (IdP), which could allow attackers to make logged in admins delete arbitrary IdP via a CSRF attack Published: March 27, 2023; 12:15:09 PM -0400 |
V3.1: 6.5 MEDIUM V2.0:(not available) |
CVE-2023-1089 |
The Coupon Zen WordPress plugin before 1.0.6 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack Published: March 27, 2023; 12:15:09 PM -0400 |
V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2023-1088 |
The WP Plugin Manager WordPress plugin before 1.1.8 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack Published: March 27, 2023; 12:15:09 PM -0400 |
V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2023-1087 |
The WC Sales Notification WordPress plugin before 1.2.3 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack Published: March 27, 2023; 12:15:09 PM -0400 |
V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2023-1086 |
The Preview Link Generator WordPress plugin before 1.0.4 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack Published: March 27, 2023; 12:15:09 PM -0400 |
V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2023-1069 |
The Complianz WordPress plugin before 6.4.2, Complianz Premium WordPress plugin before 6.4.2 do not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Published: March 27, 2023; 12:15:09 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-1025 |
The Simple File List WordPress plugin before 6.0.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). Published: March 27, 2023; 12:15:09 PM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-0955 |
The WP Statistics WordPress plugin before 14.0 does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manage_options capability (admin+), however the plugin has a settings to allow low privilege users to access it as well. Published: March 27, 2023; 12:15:09 PM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |