Search Results
- Results Type: Overview
- Keyword (text search): wordpress
- Search Type: Search All
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2023-0275 | The Easy Accept Payments for PayPal WordPress plugin before 4.9.10 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Published: February 13, 2023; 10:15:21 AM -0500 | V3.1: 5.4 MEDIUM V2.0: (not available) |
CVE-2023-0270 | The YaMaps for WordPress Plugin WordPress plugin before 0.6.26 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Published: February 13, 2023; 10:15:21 AM -0500 | V3.1: 5.4 MEDIUM V2.0: (not available) |
CVE-2023-0263 | The WP Yelp Review Slider WordPress plugin before 7.1 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber. Published: February 13, 2023; 10:15:21 AM -0500 | V3.1: 8.8 HIGH V2.0: (not available) |
CVE-2023-0262 | The WP Airbnb Review Slider WordPress plugin before 3.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber. Published: February 13, 2023; 10:15:21 AM -0500 | V3.1: 8.8 HIGH V2.0: (not available) |
CVE-2023-0261 | The WP TripAdvisor Review Slider WordPress plugin before 10.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber. Published: February 13, 2023; 10:15:21 AM -0500 | V3.1: 8.8 HIGH V2.0: (not available) |
CVE-2023-0260 | The WP Review Slider WordPress plugin before 12.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber. Published: February 13, 2023; 10:15:21 AM -0500 | V3.1: 8.8 HIGH V2.0: (not available) |
CVE-2023-0259 | The WP Google Review Slider WordPress plugin before 11.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber. Published: February 13, 2023; 10:15:21 AM -0500 | V3.1: 8.8 HIGH V2.0: (not available) |
CVE-2023-0255 | The Enable Media Replace WordPress plugin before 4.0.2 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites. Published: February 13, 2023; 10:15:21 AM -0500 | V3.1: 8.8 HIGH V2.0: (not available) |
CVE-2023-0220 | The Pinpoint Booking System WordPress plugin before 2.9.9.2.9 does not validate and escape one of its shortcode attributes before using it in a SQL statement, which could allow any authenticated user, such as a subscriber, to perform SQL Injection attacks. Published: February 13, 2023; 10:15:21 AM -0500 | V3.1: 8.8 HIGH V2.0: (not available) |
CVE-2023-0177 | The Social Like Box and Page by WpDevArt WordPress plugin before 0.8.41 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Published: February 13, 2023; 10:15:21 AM -0500 | V3.1: 5.4 MEDIUM V2.0: (not available) |
CVE-2023-0169 | The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Published: February 13, 2023; 10:15:20 AM -0500 | V3.1: 5.4 MEDIUM V2.0: (not available) |
CVE-2023-0166 | The Product Slider for WooCommerce by PickPlugins WordPress plugin before 1.13.42 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Published: February 13, 2023; 10:15:20 AM -0500 | V3.1: 5.4 MEDIUM V2.0: (not available) |
CVE-2023-0159 | The Extensive VC Addons for WPBakery page builder WordPress plugin before 1.9.1 does not validate a parameter passed to the PHP extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the host's file system. This may be escalated to RCE using PHP filter chains. Published: February 13, 2023; 10:15:20 AM -0500 | V3.1: 7.5 HIGH V2.0: (not available) |
CVE-2023-0151 | The uTubeVideo Gallery WordPress plugin before 2.0.8 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Published: February 13, 2023; 10:15:20 AM -0500 | V3.1: 5.4 MEDIUM V2.0: (not available) |
CVE-2023-0099 | The Simple URLs WordPress plugin before 115 does not sanitise and escape some parameters before outputting them back in some pages, leading to Reflected Cross-Site Scripting which could be used against high-privilege users such as admin. Published: February 13, 2023; 10:15:20 AM -0500 | V3.1: 6.1 MEDIUM V2.0: (not available) |
CVE-2023-0098 | The Simple URLs WordPress plugin before 115 does not escape some parameters before using them in various SQL statements used by AJAX actions available to any authenticated user, leading to a SQL injection exploitable by low-privilege users such as subscriber. Published: February 13, 2023; 10:15:20 AM -0500 | V3.1: 8.8 HIGH V2.0: (not available) |
CVE-2023-0080 | The Customer Reviews for WooCommerce WordPress plugin before 5.16.0 does not validate one of its shortcode attributes, which could allow users with a contributor role and above to include arbitrary files via a traversal attack. This could also allow them to read non-PHP files and retrieve their content. RCE could also be achieved if the attacker manages to upload a malicious image containing PHP code, and then include it via the affected attribute. On a default WP install, authors could easily achieve that, given that they have the upload_file capability. Published: February 13, 2023; 10:15:20 AM -0500 | V3.1: 8.8 HIGH V2.0: (not available) |
CVE-2023-0075 | The Amazon JS WordPress plugin through 0.10 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Published: February 13, 2023; 10:15:20 AM -0500 | V3.1: 5.4 MEDIUM V2.0: (not available) |
CVE-2023-0061 | The Judge.me Product Reviews for WooCommerce WordPress plugin before 1.3.21 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Published: February 13, 2023; 10:15:20 AM -0500 | V3.1: 5.4 MEDIUM V2.0: (not available) |
CVE-2023-0060 | The Responsive Gallery Grid WordPress plugin before 2.3.9 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Published: February 13, 2023; 10:15:20 AM -0500 | V3.1: 5.4 MEDIUM V2.0: (not available) |