Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): Wordpress
- Search Type: Search All
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2023-4862 |
The File Manager Pro WordPress plugin before 1.8.1 does not adequately validate and escape some inputs, leading to XSS by high-privilege users. Published: October 16, 2023; 4:15:17 PM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-4861 |
The File Manager Pro WordPress plugin before 1.8.1 allows admin users to upload arbitrary files, even in environments where such a user should not be able to gain full control of the server, such as a multisite installation. This leads to remote code execution. Published: October 16, 2023; 4:15:17 PM -0400 |
V3.1: 7.2 HIGH V2.0:(not available) |
CVE-2023-4821 |
The Drag and Drop Multiple File Upload for WooCommerce WordPress plugin before 1.1.1 does not filter all potentially dangerous file extensions. Therefore, an attacker can upload unsafe .shtml or .svg files containing malicious scripts. Published: October 16, 2023; 4:15:16 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-4820 |
The PowerPress Podcasting plugin by Blubrry WordPress plugin before 11.0.12 does not sanitize and escape the media url field in posts, which could allow users with privileges as low as contributor to inject arbitrary web scripts that could target a site admin or superadmin. Published: October 16, 2023; 4:15:16 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-4819 |
The Shared Files WordPress plugin before 1.7.6 does not return the right Content-Type header for the specified uploaded file. Therefore, an attacker can upload an allowed file extension injected with malicious scripts. Published: October 16, 2023; 4:15:16 PM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2023-4811 |
The WordPress File Upload WordPress plugin before 4.23.3 does not sanitise and escape some of its settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks. Published: October 16, 2023; 4:15:16 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-4805 |
The Tutor LMS WordPress plugin before 2.3.0 does not sanitise and escape some of its settings, which could allow users such as subscriber to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) Published: October 16, 2023; 4:15:16 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-4800 |
The DoLogin Security WordPress plugin before 3.7.1 does not restrict the access of a widget that shows the IPs of failed logins to low privileged users. Published: October 16, 2023; 4:15:16 PM -0400 |
V3.1: 6.5 MEDIUM V2.0:(not available) |
CVE-2023-4798 |
The User Avatar WordPress plugin before 1.2.2 does not properly sanitize and escape certain of its shortcodes attributes, which could allow relatively low-privileged users like contributors to conduct Stored XSS attacks. Published: October 16, 2023; 4:15:16 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-4795 |
The Testimonial Slider Shortcode WordPress plugin before 1.1.9 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin Published: October 16, 2023; 4:15:16 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-4783 |
The Magee Shortcodes WordPress plugin through 2.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Published: October 16, 2023; 4:15:16 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-4776 |
The School Management System WordPress plugin before 2.2.5 uses the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query, leading to a SQL injection exploitable by relatively low-privilege users like Teachers. Published: October 16, 2023; 4:15:16 PM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-4725 |
The Simple Posts Ticker WordPress plugin before 1.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) Published: October 16, 2023; 4:15:16 PM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-4691 |
The WordPress Online Booking and Scheduling Plugin WordPress plugin before 22.4 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin Published: October 16, 2023; 4:15:16 PM -0400 |
V3.1: 7.2 HIGH V2.0:(not available) |
CVE-2023-4687 |
The Page Builder: Pagelayer WordPress plugin before 1.7.7 doesn't prevent unauthenticated attackers from updating a post's header or footer code on scheduled posts. Published: October 16, 2023; 4:15:16 PM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2023-4666 |
The Form Maker by 10Web WordPress plugin before 1.15.20 does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files and lead to RCE Published: October 16, 2023; 4:15:15 PM -0400 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-4646 |
The Simple Posts Ticker WordPress plugin before 1.1.6 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Published: October 16, 2023; 4:15:15 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-4643 |
The Enable Media Replace WordPress plugin before 4.1.3 unserializes user input via the Remove Background feature, which could allow Author+ users to perform PHP Object Injection when a suitable gadget is present on the blog Published: October 16, 2023; 4:15:15 PM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-4388 |
The EventON WordPress plugin before 2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) Published: October 16, 2023; 4:15:15 PM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-4290 |
The WP Matterport Shortcode WordPress plugin before 2.1.7 does not escape the PHP_SELF server variable when outputting it in attributes, leading to Reflected Cross-Site Scripting issues which could be used against high privilege users such as admin Published: October 16, 2023; 4:15:15 PM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |