Search Results (Refine Search)
- Keyword (text search): wordpress
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2024-22150 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PWR Plugins Portfolio & Image Gallery for WordPress | PowerFolio allows Stored XSS.This issue affects Portfolio & Image Gallery for WordPress | PowerFolio: from n/a through 3.1. Published: January 31, 2024; 2:15:09 PM -0500 |
V4.0:(not available) V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2024-23508 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins PDF Poster – PDF Embedder Plugin for WordPress allows Reflected XSS.This issue affects PDF Poster – PDF Embedder Plugin for WordPress: from n/a through 2.1.17. Published: January 31, 2024; 11:15:47 AM -0500 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2024-22304 |
Cross-Site Request Forgery (CSRF) vulnerability in Borbis Media FreshMail For WordPress.This issue affects FreshMail For WordPress: from n/a through 2.3.2. Published: January 31, 2024; 8:15:11 AM -0500 |
V4.0:(not available) V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2024-22305 |
Authorization Bypass Through User-Controlled Key vulnerability in ali Forms Contact Form builder with drag & drop for WordPress – Kali Forms.This issue affects Contact Form builder with drag & drop for WordPress – Kali Forms: from n/a through 2.3.36. Published: January 31, 2024; 7:16:05 AM -0500 |
V4.0:(not available) V3.1: 8.1 HIGH V2.0:(not available) |
CVE-2024-0836 |
The WordPress Review & Structure Data Schema Plugin – Review Schema plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the rtrs_review_edit() function in all versions up to, and including, 2.1.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify arbitrary reviews. Published: January 31, 2024; 3:15:41 AM -0500 |
V4.0:(not available) V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2024-1069 |
The Contact Form Entries plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'view_page' function in versions up to, and including, 1.3.2. This makes it possible for authenticated attackers with administrator-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Published: January 30, 2024; 10:15:08 PM -0500 |
V4.0:(not available) V3.1: 7.2 HIGH V2.0:(not available) |
CVE-2023-2439 |
The UserPro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userpro' shortcode in versions up to, and including, 5.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: January 30, 2024; 10:15:07 PM -0500 |
V4.0:(not available) V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2024-23825 |
TablePress is a table plugin for Wordpress. For importing tables, TablePress makes external HTTP requests based on a URL that is provided by the user. That user input is filtered insufficiently, which makes it is possible to send requests to unintended network locations and receive responses. On sites in a cloud environment like AWS, an attacker can potentially make GET requests to the instance's metadata REST API. If the instance's configuration is insecure, this can lead to the exposure of internal data, including credentials. This vulnerability is fixed in 2.2.5. Published: January 30, 2024; 12:15:11 PM -0500 |
V4.0:(not available) V3.1: 4.9 MEDIUM V2.0:(not available) |
CVE-2024-1061 |
The 'HTML5 Video Player' WordPress Plugin, version < 2.5.25 is affected by an unauthenticated SQL injection vulnerability in the 'id' parameter in the 'get_view' function. Published: January 30, 2024; 4:15:48 AM -0500 |
V4.0:(not available) V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-7225 |
The MapPress Maps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the width and height parameters in all versions up to, and including, 2.88.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: January 30, 2024; 3:15:40 AM -0500 |
V4.0:(not available) V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-7204 |
The WP STAGING WordPress Backup plugin before 3.2.0 allows access to cache files during the cloning process which provides Published: January 29, 2024; 10:15:09 AM -0500 |
V4.0:(not available) V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2023-7200 |
The EventON WordPress plugin before 4.4.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Published: January 29, 2024; 10:15:09 AM -0500 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2023-7199 |
The Relevanssi WordPress plugin before 4.22.0, Relevanssi Premium WordPress plugin before 2.25.0 allows any unauthenticated user to read draft and private posts via a crafted request Published: January 29, 2024; 10:15:09 AM -0500 |
V4.0:(not available) V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2023-7089 |
The Easy SVG Allow WordPress plugin through 1.0 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. Published: January 29, 2024; 10:15:09 AM -0500 |
V4.0:(not available) V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-7074 |
The WP SOCIAL BOOKMARK MENU WordPress plugin through 1.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Published: January 29, 2024; 10:15:09 AM -0500 |
V4.0:(not available) V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-6946 |
The Autotitle for WordPress plugin through 1.0.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Published: January 29, 2024; 10:15:09 AM -0500 |
V4.0:(not available) V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-6633 |
The Site Notes WordPress plugin through 2.0.0 does not have CSRF checks in some of its functionalities, which could allow attackers to make logged in users perform unwanted actions, such as deleting administration notes, via CSRF attacks Published: January 29, 2024; 10:15:09 AM -0500 |
V4.0:(not available) V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2023-6530 |
The TJ Shortcodes WordPress plugin through 0.1.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Published: January 29, 2024; 10:15:09 AM -0500 |
V4.0:(not available) V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-6503 |
The WP Plugin Lister WordPress plugin through 2.1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. Published: January 29, 2024; 10:15:09 AM -0500 |
V4.0:(not available) V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-6391 |
The Custom User CSS WordPress plugin through 0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Published: January 29, 2024; 10:15:09 AM -0500 |
V4.0:(not available) V3.1: 8.8 HIGH V2.0:(not available) |