Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): Wordpress
- Search Type: Search All
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2023-28666 |
The InPost Gallery WordPress plugin, in versions < 2.2.2, is affected by a reflected cross-site scripting vulnerability in the 'imgurl' parameter to the add_inpost_gallery_slide_item action, which can only be triggered by an authenticated user. Published: March 22, 2023; 5:15:19 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-28665 |
The Woo Bulk Price Update WordPress plugin, in versions < 2.2.2, is affected by a reflected cross-site scripting vulnerability in the 'page' parameter to the techno_get_products action, which can only be triggered by an authenticated user. Published: March 22, 2023; 5:15:19 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-28664 |
The Meta Data and Taxonomies Filter WordPress plugin, in versions < 1.3.1, is affected by a reflected cross-site scripting vulnerability in the 'tax_name' parameter of the mdf_get_tax_options_in_widget action, which can only be triggered by an authenticated user. Published: March 22, 2023; 5:15:19 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-28663 |
The Formidable PRO2PDF WordPress Plugin, version < 3.11, is affected by an authenticated SQL injection vulnerability in the ‘fieldmap’ parameter in the fpropdf_export_file action. Published: March 22, 2023; 5:15:18 PM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-28662 |
The Gift Cards (Gift Vouchers and Packages) WordPress Plugin, version <= 4.3.1, is affected by an unauthenticated SQL injection vulnerability in the template parameter in the wpgv_doajax_voucher_pdf_save_func action. Published: March 22, 2023; 5:15:18 PM -0400 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-28661 |
The WP Popup Banners WordPress Plugin, version <= 1.2.5, is affected by an authenticated SQL injection vulnerability in the 'value' parameter in the get_popup_data action. Published: March 22, 2023; 5:15:18 PM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-28660 |
The Events Made Easy WordPress Plugin, version <= 2.3.14 is affected by an authenticated SQL injection vulnerability in the 'search_name' parameter in the eme_recurrences_list action. Published: March 22, 2023; 5:15:18 PM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-28659 |
The Waiting: One-click Countdowns WordPress Plugin, version <= 0.6.2, is affected by an authenticated SQL injection vulnerability in the pbc_down[meta][id] parameter of the pbc_save_downs action. Published: March 22, 2023; 5:15:18 PM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2012-10009 |
A vulnerability was found in 404like Plugin up to 1.0.2 on WordPress. It has been classified as critical. Affected is the function checkPage of the file 404Like.php. The manipulation of the argument searchWord leads to sql injection. It is possible to launch the attack remotely. Upgrading to version 1.0.2 is able to address this issue. The name of the patch is 2c4b589d27554910ab1fd104ddbec9331b540f7f. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-223404. Published: March 20, 2023; 8:15:10 PM -0400 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-0940 |
The ProfileGrid WordPress plugin before 5.3.1 provides an AJAX endpoint for resetting a user password but does not implement proper authorization. This allows a user with low privileges, such as subscriber, to change the password of any account, including Administrator ones. Published: March 20, 2023; 12:15:12 PM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-0937 |
The VK All in One Expansion Unit WordPress plugin before 9.87.1.0 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers Published: March 20, 2023; 12:15:12 PM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2023-0911 |
The WordPress Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 5.12.8 does not validate the user meta to be retrieved via the user shortcode, allowing any authenticated users such as subscriber to retrieve arbitrary user meta (except the user_pass), such as the user email and activation key by default. Published: March 20, 2023; 12:15:12 PM -0400 |
V3.1: 6.5 MEDIUM V2.0:(not available) |
CVE-2023-0890 |
The WordPress Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 5.12.8 does not ensure that posts to be displayed via some shortcodes are already public and can be accessed by the user making the request, allowing any authenticated users such as subscriber to view draft, private or even password protected posts. It is also possible to leak the password of protected posts Published: March 20, 2023; 12:15:12 PM -0400 |
V3.1: 6.5 MEDIUM V2.0:(not available) |
CVE-2023-0876 |
The WP Meta SEO WordPress plugin before 4.5.3 does not authorize several ajax actions, allowing low-privilege users to make updates to certain data and leading to an arbitrary redirect vulnerability. Published: March 20, 2023; 12:15:12 PM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2023-0875 |
The WP Meta SEO WordPress plugin before 4.5.3 does not properly sanitize and escape inputs into SQL queries, leading to a blind SQL Injection vulnerability that can be exploited by subscriber+ users. Published: March 20, 2023; 12:15:12 PM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-0865 |
The WooCommerce Multiple Customer Addresses & Shipping WordPress plugin before 21.7 does not ensure that the address to add/update/retrieve/delete and duplicate belong to the user making the request, or is from a high privilege users, allowing any authenticated users, such as subscriber to add/update/duplicate/delete as well as retrieve addresses of other users. Published: March 20, 2023; 12:15:12 PM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-0631 |
The Paid Memberships Pro WordPress plugin before 2.9.12 does not prevent subscribers from rendering shortcodes that concatenate attributes directly into an SQL query. Published: March 20, 2023; 12:15:12 PM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-0630 |
The Slimstat Analytics WordPress plugin before 4.9.3.3 does not prevent subscribers from rendering shortcodes that concatenates attributes directly into an SQL query. Published: March 20, 2023; 12:15:12 PM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-0370 |
The WPB Advanced FAQ WordPress plugin through 1.0.6 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Published: March 20, 2023; 12:15:12 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-0369 |
The GoToWP WordPress plugin through 5.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Published: March 20, 2023; 12:15:12 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |