Search Results
- Results Type: Overview
- Keyword (text search): Wordpress
- Search Type: Search All
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2022-4670 | The PDF.js Viewer WordPress plugin before 2.1.8 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Published: February 06, 2023; 3:15:11 PM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2022-4664 | The Logo Slider WordPress plugin before 3.6.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Published: February 06, 2023; 3:15:11 PM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2022-4657 | The Restaurant Menu WordPress plugin before 2.3.6 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Published: February 06, 2023; 3:15:11 PM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2022-4626 | The PPWP WordPress plugin before 1.8.6 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Published: February 06, 2023; 3:15:11 PM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2022-4577 | The Easy Testimonials WordPress plugin before 3.9.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Published: February 06, 2023; 3:15:11 PM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2022-4489 | The HUSKY WordPress plugin before 1.3.2 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. Published: February 06, 2023; 3:15:11 PM -0500 | V3.1: 7.2 HIGH; V2.0: (not available) |
CVE-2022-4459 | The WP Show Posts WordPress plugin before 1.1.4 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Published: February 06, 2023; 3:15:11 PM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2022-4384 | The Stream WordPress plugin before 3.9.2 does not prevent users with low privileges on the site (like subscribers) from using its alert creation functionality, which may enable them to leak sensitive information. Published: February 06, 2023; 3:15:11 PM -0500 | V3.1: 6.5 MEDIUM; V2.0: (not available) |
CVE-2022-4321 | The PDF Generator for WordPress plugin before 1.1.2 includes a vendored dompdf example file which is susceptible to Reflected Cross-Site Scripting and could be used against high privilege users such as admin. Published: February 06, 2023; 3:15:11 PM -0500 | V3.1: 6.1 MEDIUM; V2.0: (not available) |
CVE-2017-20177 | A vulnerability, which was classified as problematic, has been found in WangGuard Plugin 1.8.0 on WordPress. Affected by this issue is the function wangguard_users_info of the file wangguard-user-info.php of the component WGG User List Handler. The manipulation of the argument userIP leads to cross site scripting. The attack may be launched remotely. The patch is identified as 88414951e30773c8d2ec13b99642688284bf3189. It is recommended to apply a patch to fix this issue. VDB-220214 is the identifier assigned to this vulnerability. Published: February 06, 2023; 3:15:10 PM -0500 | V3.1: 6.1 MEDIUM; V2.0: (not available) |
CVE-2022-2933 | The 0mk Shortener plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the zeromk_options_page function. This makes it possible for unauthenticated attackers to inject malicious web scripts via the 'zeromk_user' and 'zeromk_apikluc' parameters through a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. Published: February 06, 2023; 2:15:09 PM -0500 | V3.1: 8.8 HIGH; V2.0: (not available) |
CVE-2023-0253 | The Real Media Library: Media Library Folder & File Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via folder names in versions up to, and including, 4.18.28 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with author-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: February 02, 2023; 4:22:47 PM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2022-2546 | The All-in-One WP Migration WordPress plugin before 7.63 uses the wrong content type, and does not properly escape the response from the ai1wm_export AJAX action, allowing an attacker to craft a request that, when submitted by any visitor, will inject arbitrary HTML or JavaScript into the response that will be executed in the victim's session. Note: This requires knowledge of a static secret key. Published: February 02, 2023; 4:15:08 AM -0500 | V3.1: 4.7 MEDIUM; V2.0: (not available) |
CVE-2023-0619 | The Kraken.io Image Optimizer plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on its AJAX actions in versions up to, and including, 2.6.8. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to reset image optimizations. Published: February 01, 2023; 3:15:10 PM -0500 | V3.1: 6.5 MEDIUM; V2.0: (not available) |
CVE-2023-0097 | The Post Grid, Post Carousel, & List Category Posts WordPress plugin before 2.4.19 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Published: January 30, 2023; 4:15:13 PM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2023-0074 | The WP Social Widget WordPress plugin before 2.2.4 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Published: January 30, 2023; 4:15:13 PM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2023-0071 | The WP Tabs WordPress plugin before 2.1.17 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Published: January 30, 2023; 4:15:13 PM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2023-0033 | The PDF Viewer WordPress plugin before 1.0.0 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks. Published: January 30, 2023; 4:15:13 PM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2022-4872 | The Chained Products WordPress plugin before 2.12.0 does not have authorisation and CSRF checks, and does not ensure that the option to be updated belongs to the plugin, allowing unauthenticated attackers to set arbitrary options to 'no'. Published: January 30, 2023; 4:15:12 PM -0500 | V3.1: 4.3 MEDIUM; V2.0: (not available) |
CVE-2022-4837 | The CPO Companion WordPress plugin before 1.1.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Published: January 30, 2023; 4:15:12 PM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |