Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): Wordpress
- Search Type: Search All
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2023-2171 |
The BadgeOS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 3.7.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: August 31, 2023; 2:15:08 AM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-0689 |
The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_first_name' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about arbitrary form submissions, including the submitter's first name. Published: August 31, 2023; 2:15:08 AM -0400 |
V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2023-25453 |
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Ian Sadovy WordPress Tables plugin <= 1.3.9 versions. Published: August 30, 2023; 12:15:08 PM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2023-4209 |
The POEditor WordPress plugin before 0.9.8 does not have CSRF checks in various places, which could allow attackers to make logged in admins perform unwanted actions, such as reset the plugin's settings and update its API key via CSRF attacks. Published: August 30, 2023; 11:15:10 AM -0400 |
V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2023-4150 |
The User Activity Tracking and Log WordPress plugin before 4.0.9 does not have proper CSRF checks when managing its license, which could allow attackers to make logged in admins update and deactivate the plugin's license via CSRF attacks Published: August 30, 2023; 11:15:09 AM -0400 |
V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2023-4109 |
The Ninja Forms WordPress Ninja Forms Contact Form WordPress plugin before 3.6.26 was affected by a HTML Injection security vulnerability. Published: August 30, 2023; 11:15:09 AM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-4036 |
The Simple Blog Card WordPress plugin before 1.32 does not ensure that posts to be displayed via a shortcode are public, allowing any authenticated users, such as subscriber, to retrieve arbitrary post title and their content such as draft, private and password protected ones Published: August 30, 2023; 11:15:09 AM -0400 |
V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2023-4035 |
The Simple Blog Card WordPress plugin before 1.31 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Published: August 30, 2023; 11:15:09 AM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-4023 |
The All Users Messenger WordPress plugin through 1.24 does not prevent non-administrator users from deleting messages from the all-users messenger. Published: August 30, 2023; 11:15:09 AM -0400 |
V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2023-4013 |
The GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) WordPress plugin before 4.12.5 does not have proper CSRF checks when managing its license, which could allow attackers to make logged in admins update and deactivate the plugin's license via CSRF attacks Published: August 30, 2023; 11:15:09 AM -0400 |
V3.1: 6.5 MEDIUM V2.0:(not available) |
CVE-2023-3992 |
The PostX WordPress plugin before 3.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Published: August 30, 2023; 11:15:09 AM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2023-3720 |
The Upload Media By URL WordPress plugin before 1.0.8 does not have CSRF check when uploading files, which could allow attackers to make logged in admins upload files (including HTML containing JS code for users with the unfiltered_html capability) on their behalf. Published: August 30, 2023; 11:15:09 AM -0400 |
V3.1: 6.5 MEDIUM V2.0:(not available) |
CVE-2023-3501 |
The FormCraft WordPress plugin before 1.2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). Published: August 30, 2023; 11:15:09 AM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-3356 |
The Subscribers Text Counter WordPress plugin before 1.7.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, which also lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping Published: August 30, 2023; 11:15:09 AM -0400 |
V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2023-34172 |
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Miled WordPress Social Login plugin <= 3.0.4 versions. Published: August 30, 2023; 11:15:09 AM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-34023 |
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Miled WordPress Social Login plugin <= 3.0.4 versions. Published: August 30, 2023; 11:15:08 AM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2023-1982 |
The Front Editor WordPress plugin through 4.0.4 does not sanitize and escape some of its form settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) Published: August 30, 2023; 11:15:08 AM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2022-1601 |
The User Access Manager WordPress plugin before 2.2.18 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible for attackers to access restricted content in certain situations. Published: August 30, 2023; 11:15:08 AM -0400 |
V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2023-34180 |
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in KAPlugins Google Fonts For WordPress plugin <= 3.0.0 versions. Published: August 30, 2023; 10:15:09 AM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2023-4600 |
The AffiliateWP for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'affwp_activate_addons_page_plugin' function called via an AJAX action in versions up to, and including, 2.14.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to activate arbitrary plugins. Published: August 30, 2023; 8:15:09 AM -0400 |
V3.1: 4.3 MEDIUM V2.0:(not available) |