Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): Wordpress
- Search Type: Search All
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2023-5051 |
The CallRail Phone Call Tracking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'callrail_form' shortcode in versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping on the 'form_id' user supplied attribute. This makes it possible for authenticated attackers with contributor level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: October 27, 2023; 12:15:10 AM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-5802 |
Cross-Site Request Forgery (CSRF) vulnerability in Mihai Iova WordPress Knowledge base & Documentation Plugin – WP Knowledgebase plugin <= 1.3.4 versions. Published: October 26, 2023; 8:15:08 AM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-46074 |
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Borbis Media FreshMail For WordPress plugin <= 2.3.2 versions. Published: October 26, 2023; 8:15:08 AM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2023-5798 |
The Assistant WordPress plugin before 1.4.4 does not validate a parameter before making a request to it via wp_remote_get(), which could allow users with a role as low as Editor to perform SSRF attacks Published: October 26, 2023; 6:15:34 AM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-5745 |
The Reusable Text Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'text-blocks' shortcode in versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with author-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: October 25, 2023; 2:17:44 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-5744 |
The Very Simple Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vsgmap' shortcode in all versions up to, and including, 2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: October 25, 2023; 2:17:44 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-5740 |
The Live Chat with Facebook Messenger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'messenger' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: October 25, 2023; 2:17:44 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-5311 |
The WP EXtra plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the register() function in versions up to, and including, 6.2. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to modify the contents of the .htaccess files located in a site's root directory or /wp-content and /wp-includes folders and achieve remote code execution. Published: October 25, 2023; 2:17:43 PM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-5127 |
The WP Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping on 'icon' user supplied attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: October 25, 2023; 2:17:42 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-5126 |
The Delete Me plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'plugin_delete_me' shortcode in versions up to, and including, 3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The shortcode is not displayed to administrators, so it cannot be used against administrator users. Published: October 25, 2023; 2:17:42 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-5110 |
The BSK PDF Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'bsk-pdfm-category-dropdown' shortcode in versions up to, and including, 3.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: October 25, 2023; 2:17:42 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-5085 |
The Advanced Menu Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'advMenu' shortcode in versions up to, and including, 0.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: October 25, 2023; 2:17:42 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-46152 |
Cross-Site Request Forgery (CSRF) vulnerability in realmag777 WOLF – WordPress Posts Bulk Editor and Manager Professional plugin <= 1.0.7.1 versions. Published: October 25, 2023; 2:17:36 PM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-46068 |
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in XQueue GmbH Maileon for WordPress plugin <= 2.16.0 versions. Published: October 25, 2023; 2:17:35 PM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-45829 |
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in HappyBox Newsletter & Bulk Email Sender – Email Newsletter Plugin for WordPress plugin <= 2.0.1 versions. Published: October 25, 2023; 2:17:34 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-45640 |
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in TechnoWich WP ULike – Most Advanced WordPress Marketing Toolkit plugin <= 4.6.8 versions. Published: October 25, 2023; 2:17:33 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-5205 |
The Add Custom Body Class plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add_custom_body_class' value in versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: October 21, 2023; 4:15:09 AM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-4939 |
The SALESmanago plugin for WordPress is vulnerable to Log Injection in versions up to, and including, 3.2.4. This is due to the use of a weak authentication token for the /wp-json/salesmanago/v1/callbackApiV3 API endpoint which is simply a SHA1 hash of the site URL and client ID found in the page source of the website. This makes it possible for unauthenticated attackers to inject arbitrary content into the log files, and when combined with another vulnerability this could have significant consequences. Published: October 21, 2023; 4:15:08 AM -0400 |
V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2023-4635 |
The EventON plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Published: October 21, 2023; 4:15:08 AM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2023-5132 |
The Soisy Pagamento Rateale plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the parseRemoteRequest function in versions up to, and including, 6.0.1. This makes it possible for unauthenticated attackers with knowledge of an existing WooCommerce Order ID to expose sensitive WooCommerce order information (e.g., Name, Address, Email Address, and other order metadata). Published: October 20, 2023; 10:15:07 PM -0400 |
V3.1: 7.5 HIGH V2.0:(not available) |