Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

CVE-2023-30473: WordPress YML for Yandex Market plugin <= 3.10.7 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Maxim Glazunov YML for Yandex Market plugin <= 3.10.7 versions.

CVE
Open in Source
#xss#vulnerability#web#wordpress#auth
CVE-2023-30786: WordPress Captcha Them All plugin <= 1.3.3 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Benjamin Guy Captcha Them All plugin <= 1.3.3 versions.

CVE-2023-30785: WordPress Video Grid plugin <= 1.21 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in I Thirteen Web Solution Video Grid plugin <= 1.21 versions.

CVE-2023-30782: WordPress Church Admin plugin <= 3.7.5 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Andy Moyle Church Admin plugin <= 3.7.5 versions.

CVE-2023-39507: "Rikunabi NEXT" App for Android fails to restrict custom URL schemes properly

Improper authorization in the custom URL scheme handler in "Rikunabi NEXT" App for Android prior to ver. 11.5.0 allows a malicious intent to lead the vulnerable App to access an arbitrary website.

CVE-2023-3958: Changeset 2953845 for wp-remote-users-sync – WordPress Plugin Repository

The WP Remote Users Sync plugin for WordPress is vulnerable to Server Side Request Forgery via the 'notify_ping_remote' AJAX function in versions up to, and including, 1.2.12. This can allow authenticated attackers with subscriber-level permissions or above to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. This was partially patched in version 1.2.12 and fully patched in version 1.2.13.

CVE-2023-4374: WP Remote Users Sync <= 1.2.11 - Missing Authorization to Authenticated (Subscriber+) Log View — Wordfence Intelligence

The WP Remote Users Sync plugin for WordPress is vulnerable to unauthorized access of data and addition of data due to a missing capability check on the 'refresh_logs_async' functions in versions up to, and including, 1.2.11. This makes it possible for authenticated attackers with subscriber privileges or above, to view logs.

Nearly 2,000 Citrix NetScaler Instances Hacked via Critical Vulnerability

Nearly 2,000 Citrix NetScaler instances have been compromised with a backdoor by weaponizing a recently disclosed critical security vulnerability as part of a large-scale attack. "An adversary appears to have exploited CVE-2023-3519 in an automated fashion, placing web shells on vulnerable NetScalers to gain persistent access," NCC Group said in an advisory released Tuesday. "The adversary can

GHSA-9c9v-w225-v5rg: Ghost vulnerable to arbitrary file read via symlinks in content import

### Impact A vulnerability in Ghost allows authenticated users to upload files which are symlinks. This can be exploited to perform an arbitrary file read of any file on the operating system. Site administrators can check for exploitation of this issue by looking for unknown symlinks within Ghost's `content/` folder ### Vulnerable versions This security vulnerability is present in Ghost ≤ v5.59.0. ### Patches v5.59.1 contains a fix for this issue. ### For more information If you have any questions or comments about this advisory: * Email us at [[email protected]](mailto:[email protected])