Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

CVE-2023-28499: WordPress Slide Anything plugin <= 2.4.9 - iFrame Injection to Cross-Site Scripting (XSS) vulnerability - Patchstack

Auth. (author+) Stored Cross-Site Scripting (XSS) vulnerability in simonpedge Slide Anything – Responsive Content / HTML Slider and Carousel plugin <= 2.4.9 versions.

CVE
Open in Source
#xss#vulnerability#web#wordpress#auth
CVE-2022-42882: WordPress Simple CSV/XLS Exporter plugin <= 1.5.8 - Authenticated CSV Injection Vulnerability - Patchstack

Improper Neutralization of Formula Elements in a CSV File vulnerability in Shambix Simple CSV/XLS Exporter.This issue affects Simple CSV/XLS Exporter: from n/a through 1.5.8.

CVE-2022-47181: WordPress Email Templates plugin <= 1.4.2 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in wpexpertsio Email Templates Customizer and Designer for WordPress and WooCommerce email-templates allows Cross Site Request Forgery.This issue affects Email Templates Customizer and Designer for WordPress and WooCommerce: from n/a through 1.4.2.

CVE-2022-41616: WordPress Export Users Data CSV plugin <= 2.1 - Auth. CSV Injection vulnerability - Patchstack

Improper Neutralization of Formula Elements in a CSV File vulnerability in Kaushik Kalathiya Export Users Data CSV.This issue affects Export Users Data CSV: from n/a through 2.1.

CVE-2022-38702: WordPress WP CSV Exporter plugin <= 2.0 - Auth. CSV Injection Vulnerability - Patchstack

Improper Neutralization of Formula Elements in a CSV File vulnerability in Nakashima Masahiro WP CSV Exporter.This issue affects WP CSV Exporter: from n/a through 2.0.

CVE-2023-32966: WordPress Jazz Popups plugin <= 1.8.7 - Cross Site Request Forgery (CSRF) leading to XSS vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in CRUDLab Jazz Popups leads to Stored XSS.This issue affects Jazz Popups: from n/a through 1.8.7.

CVE-2023-46744: Stored XSS via insufficient SVG element filtering

Squidex is an open source headless CMS and content management hub. In affected versions a stored Cross-Site Scripting (XSS) vulnerability enables privilege escalation of authenticated users. The SVG element filtering mechanism intended to stop XSS attacks through uploaded SVG images, is insufficient resulting to stored XSS attacks. Squidex allows the CMS contributors to be granted the permission of uploading an SVG asset. When the asset is uploaded, a filtering mechanism is performed to validate that the SVG does not contain malicious code. The validation logic consists of traversing the HTML nodes in the DOM. In order for the validation to succeed, 2 conditions must be met: 1. No HTML tags included in a "blacklist" called "InvalidSvgElements" are present. This list only contains the element "script". and 2. No attributes of HTML tags begin with "on" (i.e. onerror, onclick) (line 65). If either of the 2 conditions is not satisfied, validation fails and the file/asset is not uploaded. H...

CVE-2022-46803: WordPress Simple Newsletter Plugin – Noptin plugin <= 1.9.5 - Unauth. CSV Injection vulnerability - Patchstack

Improper Neutralization of Formula Elements in a CSV File vulnerability in Noptin Newsletter Simple Newsletter Plugin – Noptin.This issue affects Simple Newsletter Plugin – Noptin: from n/a through 1.9.5.

CVE-2022-46801: WordPress Site Reviews plugin <= 6.2.0 - Unauth. CSV Injection vulnerability - Patchstack

Improper Neutralization of Formula Elements in a CSV File vulnerability in Paul Ryley Site Reviews.This issue affects Site Reviews: from n/a through 6.2.0.

CVE-2022-46802: WordPress Product Reviews Import Export for WooCommerce plugin <= 1.4.8 - Unauth. CSV Injection vulnerability - Patchstack

Improper Neutralization of Formula Elements in a CSV File vulnerability in WebToffee Product Reviews Import Export for WooCommerce.This issue affects Product Reviews Import Export for WooCommerce: from n/a through 1.4.8.