Search Results
- Keyword (text search): Wordpress
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2023-5818 | The Amazonify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.8.1. This is due to missing or incorrect nonce validation on the amazonifyOptionsPage() function. This makes it possible for unauthenticated attackers to update the plugin's settings, including the Amazon Tracking ID, via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. Published: November 07, 2023; 3:15:09 PM -0500 | V4.0:(not available) V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2023-41798 | Improper Neutralization of Formula Elements in a CSV File vulnerability in wpWax Directorist – WordPress Business Directory Plugin with Classified Ads Listing. This issue affects Directorist – WordPress Business Directory Plugin with Classified Ads Listings: from n/a through 7.7.1. Published: November 07, 2023; 1:15:08 PM -0500 | V4.0:(not available) V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2022-47181 | Cross-Site Request Forgery (CSRF) vulnerability in wpexpertsio Email Templates Customizer and Designer for WordPress and WooCommerce email-templates allows Cross Site Request Forgery. This issue affects Email Templates Customizer and Designer for WordPress and WooCommerce: from n/a through 1.4.2. Published: November 07, 2023; 1:15:08 PM -0500 | V4.0:(not available) V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2022-45810 | Improper Neutralization of Formula Elements in a CSV File vulnerability in Icegram Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce. This issue affects Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce: from n/a through 5.5.2. Published: November 07, 2023; 12:15:08 PM -0500 | V4.0:(not available) V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2022-45370 | Improper Neutralization of Formula Elements in a CSV File vulnerability in WebToffee WordPress Comments Import & Export. This issue affects WordPress Comments Import & Export: from n/a through 2.3.1. Published: November 07, 2023; 12:15:08 PM -0500 | V4.0:(not available) V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-5709 | The WD WidgetTwitter plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 1.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Published: November 07, 2023; 7:15:13 AM -0500 | V4.0:(not available) V3.1: 6.5 MEDIUM V2.0:(not available) |
CVE-2023-5703 | The Gift Up Gift Cards for WordPress and WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'giftup' shortcode in all versions up to, and including, 2.20.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: November 07, 2023; 7:15:13 AM -0500 | V4.0:(not available) V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-5669 | The Featured Image Caption plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode and post meta in all versions up to, and including, 0.8.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: November 07, 2023; 7:15:13 AM -0500 | V4.0:(not available) V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-5661 | The Social Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'socialfeed' shortcode in all versions up to, and including, 1.5.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with author-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: November 07, 2023; 7:15:13 AM -0500 | V4.0:(not available) V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-5660 | The SendPress Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.22.3.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: November 07, 2023; 7:15:13 AM -0500 | V4.0:(not available) V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-5659 | The Interact: Embed A Quiz On Your Site plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'interact-quiz' shortcode in all versions up to, and including, 3.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: November 07, 2023; 7:15:13 AM -0500 | V4.0:(not available) V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-5577 | The Bitly's plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpbitly' shortcode in all versions up to, and including, 2.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: November 07, 2023; 7:15:12 AM -0500 | V4.0:(not available) V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-5567 | The QR Code Tag plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'qrcodetag' shortcode in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: November 07, 2023; 7:15:12 AM -0500 | V4.0:(not available) V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-4888 | The Simple Like Page Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'sfp-page-plugin' shortcode in versions up to, and including, 1.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: November 07, 2023; 7:15:12 AM -0500 | V4.0:(not available) V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-4842 | The Social Sharing Plugin - Social Warfare plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'social_warfare' shortcode in versions up to, and including, 4.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: November 07, 2023; 7:15:12 AM -0500 | V4.0:(not available) V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-5975 | The ImageMapper plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.6. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. Published: November 07, 2023; 6:15:12 AM -0500 | V4.0:(not available) V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2023-5743 | The Telephone Number Linker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'telnumlink' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: November 07, 2023; 6:15:11 AM -0500 | V4.0:(not available) V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-5658 | The WP MapIt plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_mapit' shortcode in all versions up to, and including, 2.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: November 07, 2023; 6:15:11 AM -0500 | V4.0:(not available) V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-5532 | The ImageMapper plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.6. This is due to missing or incorrect nonce validation on the 'imgmap_save_area_title' function. This makes it possible for unauthenticated attackers to update the post title and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. Published: November 07, 2023; 6:15:11 AM -0500 | V4.0:(not available) V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2023-5507 | The ImageMapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'imagemap' shortcode in versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: November 07, 2023; 6:15:11 AM -0500 | V4.0:(not available) V3.1: 5.4 MEDIUM V2.0:(not available) |