Security
Headlines
HeadlinesLatestCVEs

Tag

#wordpress

CVE-2023-23737: WordPress MainWP Broken Links Checker Extension Plugin <= 4.0 - Unauthenticated SQL Injection Vulnerability - Patchstack

Unauth. SQL Injection (SQLi) vulnerability in MainWP MainWP Broken Links Checker Extension plugin <= 4.0 versions.

CVE
Open in Source
#sql#vulnerability#wordpress#auth
CVE-2023-23651: WordPress MainWP Google Analytics Extension Plugin <= 4.0.4 - Auth. SQL Injection Vulnerability - Patchstack

Auth. (subscriber+) SQL Injection (SQLi) vulnerability in MainWP Google Analytics Extension plugin <= 4.0.4 versions.

Researchers Uncover Malware Posing as WordPress Caching Plugin

Cybersecurity researchers have shed light on a new sophisticated strain of malware that masquerades a WordPress plugin to stealthily create administrator accounts and remotely control a compromised site. "Complete with a professional looking opening comment implying it is a caching plugin, this rogue code contains numerous functions, adds filters to prevent itself from being included in the list

CVE-2023-45047: WordPress LeadSquared Suite plugin <= 0.7.4 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in LeadSquared, Inc LeadSquared Suite plugin <= 0.7.4 versions.

CVE-2023-5470: Etsy Shop <= 3.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode — Wordfence Intelligence

The Etsy Shop plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'etsy-shop' shortcode in versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-5531: Thumbnail Slider With Lightbox <= 1.0 - Cross-Site Request Forgery — Wordfence Intelligence

The Thumbnail Slider With Lightbox plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the delete functionality. This makes it possible for unauthenticated attackers to delete image lightboxes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Over 17,000 WordPress Sites Compromised by Balada Injector in September 2023

More than 17,000 WordPress websites have been compromised in the month of September 2023 with malware known as Balada Injector, nearly twice the number of detections in August. Of these, 9,000 of the websites are said to have been infiltrated using a recently disclosed security flaw in the tagDiv Composer plugin (CVE-2023-3169, CVSS score: 6.1) that could be exploited by unauthenticated users to

CVE-2023-44997: WordPress WP Forms Puzzle Captcha plugin <= 4.1 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Nitin Rathod WP Forms Puzzle Captcha plugin <= 4.1 versions.

Hackers on WordPress Websites Hacking Spree with Balada Malware

By Deeba Ahmed If you use WordPress, update to the latest version. This is a post from HackRead.com Read the original post: Hackers on WordPress Websites Hacking Spree with Balada Malware

CVE-2023-44996: WordPress Post View Count plugin <= 1.8.2 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Naresh Parmar Post View Count plugin <= 1.8.2 versions.