Search Results
- Results Type: Overview
- Keyword (text search): Wordpress
- Search Type: Search All
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2023-23489 | The Easy Digital Downloads WordPress Plugin, versions 3.1.0.2 & 3.1.0.3, is affected by an unauthenticated SQL injection vulnerability in the 's' parameter of its 'edd_download_search' action. Published: January 20, 2023; 1:15:10 PM -0500 | V3.1: 9.8 CRITICAL; V2.0: (not available) |
CVE-2023-23488 | The Paid Memberships Pro WordPress Plugin, version < 2.9.8, is affected by an unauthenticated SQL injection vulnerability in the 'code' parameter of the '/pmpro/v1/order' REST route. Published: January 20, 2023; 1:15:10 PM -0500 | V3.1: 9.8 CRITICAL; V2.0: (not available) |
CVE-2023-0404 | The Events Made Easy plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several functions related to AJAX actions in versions up to, and including, 2.3.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke those functions intended for administrator use. While the plugin is still pending review from the WordPress repository, site owners can download a copy of the patched version directly from the developer's GitHub at https://github.com/liedekef/events-made-easy Published: January 19, 2023; 10:15:14 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2023-0403 | The Social Warfare plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.4.0. This is due to missing or incorrect nonce validation on several AJAX actions. This makes it possible for unauthenticated attackers to delete post meta information and reset network access tokens via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. Published: January 19, 2023; 10:15:14 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2023-0402 | The Social Warfare plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several AJAX actions in versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete post meta information and reset network access tokens. Published: January 19, 2023; 10:15:13 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2023-0385 | The Custom 404 Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.7.1. This is due to missing or incorrect nonce validation on the custom_404_pro_admin_init function. This makes it possible for unauthenticated attackers to delete logs via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. Published: January 18, 2023; 10:15:11 AM -0500 | V3.1: 4.3 MEDIUM; V2.0: (not available) |
CVE-2022-4658 | The RSSImport WordPress plugin through 4.6.1 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform a Stored Cross-Site Scripting attack. Published: January 16, 2023; 11:15:13 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2022-4655 | The Welcart e-Commerce WordPress plugin before 2.8.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as a contributor to perform a Stored Cross-Site Scripting attack. Published: January 16, 2023; 11:15:13 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2022-4653 | The Greenshift WordPress plugin before 4.8.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform a Stored Cross-Site Scripting attack. Published: January 16, 2023; 11:15:13 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2022-4648 | The Real Testimonials WordPress plugin before 2.6.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Published: January 16, 2023; 11:15:13 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2022-4578 | The Video Conferencing with Zoom WordPress plugin before 4.0.10 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Published: January 16, 2023; 11:15:13 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2022-4571 | The Seriously Simple Podcasting WordPress plugin before 2.19.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Published: January 16, 2023; 11:15:13 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2022-4549 | The Tickera WordPress plugin before 3.5.1.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. Published: January 16, 2023; 11:15:13 AM -0500 | V3.1: 4.3 MEDIUM; V2.0: (not available) |
CVE-2022-4547 | The Conditional Payment Methods for WooCommerce WordPress plugin through 1.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. Published: January 16, 2023; 11:15:13 AM -0500 | V3.1: 7.2 HIGH; V2.0: (not available) |
CVE-2022-4544 | The MashShare WordPress plugin before 3.8.7 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Published: January 16, 2023; 11:15:13 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2022-4508 | The ConvertKit WordPress plugin before 2.0.5 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as admins. Published: January 16, 2023; 11:15:13 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2022-4507 | The Real Cookie Banner WordPress plugin before 3.4.10 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks against logged-in admins. Published: January 16, 2023; 11:15:13 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2022-4487 | The Easy Accordion WordPress plugin before 2.2.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Published: January 16, 2023; 11:15:13 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2022-4486 | The Meteor Slides WordPress plugin before 1.5.7 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Published: January 16, 2023; 11:15:12 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
CVE-2022-4484 | The Social Share, Social Login and Social Comments Plugin WordPress plugin before 7.13.44 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Published: January 16, 2023; 11:15:12 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |