Search Results (Refine Search)
- Keyword (text search): wordpress
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2023-5357 |
The Instagram for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: October 03, 2023; 10:15:10 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-5291 |
The Blog Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'AWL-BlogFilter' shortcode in versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: October 03, 2023; 10:15:10 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-3213 |
The WP Mail SMTP Pro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the is_print_page function in versions up to, and including, 3.8.0. This makes it possible for unauthenticated attackers to disclose potentially sensitive email information. Published: October 03, 2023; 10:15:09 PM -0400 |
V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2023-37996 |
Cross-Site Request Forgery (CSRF) vulnerability in GTmetrix GTmetrix for WordPress plugin <= 0.4.7 versions. Published: October 03, 2023; 6:15:10 AM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-37992 |
Cross-Site Request Forgery (CSRF) vulnerability in PressPage Entertainment Inc. Smarty for WordPress plugin <= 3.1.35 versions. Published: October 03, 2023; 6:15:10 AM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-5334 |
The WP Responsive header image slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'sp_responsiveslider' shortcode in versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: October 02, 2023; 10:15:10 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2015-10124 |
A vulnerability was found in Most Popular Posts Widget Plugin up to 0.8 on WordPress. It has been classified as critical. Affected is the function add_views/show_views of the file functions.php. The manipulation leads to sql injection. It is possible to launch the attack remotely. Upgrading to version 0.9 is able to address this issue. The patch is identified as a99667d11ac8d320006909387b100e9a8b5c12e1. It is recommended to upgrade the affected component. VDB-241026 is the identifier assigned to this vulnerability. Published: October 02, 2023; 10:15:09 AM -0400 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-41731 |
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in I Thirteen Web Solution WordPress publish post email notification plugin <= 1.0.2.2 versions. Published: October 02, 2023; 4:15:38 AM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-5295 |
The Blog Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'vivafbcomment' shortcode in versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: September 29, 2023; 11:15:09 PM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-5201 |
The OpenHook plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.3.0 via the 'php' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to execute code on the server. This requires the [php] shortcode setting to be enabled on the vulnerable site. Published: September 29, 2023; 11:15:09 PM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-41661 |
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PressPage Entertainment Inc. Smarty for WordPress plugin <= 3.1.35 versions. Published: September 29, 2023; 10:15:10 AM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2023-5233 |
The Font Awesome Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'fawesome' shortcode in versions up to, and including, 5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: September 28, 2023; 1:15:46 AM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-5232 |
The Font Awesome More Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'icon' shortcode in versions up to, and including, 3.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: September 28, 2023; 1:15:46 AM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-5230 |
The TM WooCommerce Compare & Wishlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'tm_woo_wishlist_table' shortcode in versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: September 28, 2023; 1:15:46 AM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-5162 |
The Options for Twenty Seventeen plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'social-links' shortcode in versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: September 27, 2023; 11:19:41 AM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-5161 |
The Modal Window plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 5.3.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: September 27, 2023; 11:19:41 AM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-5135 |
The Simple Cloudflare Turnstile plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'gravity-simple-turnstile' shortcode in versions up to, and including, 1.23.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: September 27, 2023; 11:19:41 AM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2023-4506 |
The Active Directory Integration / LDAP Integration plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 4.1.10. This is due to insufficient validation when changing the LDAP server. This makes it possible for authenticated attackers, with administrative access and above, to change the LDAP server and retrieve the credentials for the original LDAP server. Published: September 27, 2023; 11:19:40 AM -0400 |
V3.1: 6.5 MEDIUM V2.0:(not available) |
CVE-2023-4505 |
The Staff / Employee Business Directory for Active Directory plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 1.2.3. This is due to insufficient validation when changing the LDAP server. This makes it possible for authenticated attackers, with administrative access and above, to change the LDAP server and retrieve the credentials for the original LDAP server. Published: September 27, 2023; 11:19:40 AM -0400 |
V3.1: 4.9 MEDIUM V2.0:(not available) |
CVE-2023-4423 |
The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.1.37.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. Published: September 27, 2023; 11:19:40 AM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |