The MultiParcels Shipping For WooCommerce WordPress plugin before 1.15.2 does not have CRSF check when deleting a shipment, allowing attackers to make any logged in user, delete arbitrary shipment via a CSRF attack

CVE-2023-3366

The MultiParcels Shipping For WooCommerce WordPress plugin before 1.15.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

CVE-2023-3954

The Bit Assist WordPress plugin before 1.1.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2023-3667

The Change WP Admin Login WordPress plugin before 1.1.4 discloses the URL of the hidden login page when accessing a crafted URL, bypassing the protection offered.

CVE-2023-3604

The Blog2Social WordPress plugin before 7.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

CVE-2023-3936

Cross-site scripting vulnerability in Advanced Custom Fields versions 6.1.0 to 6.1.7 and Advanced Custom Fields Pro versions 6.1.0 to 6.1.7 allows a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product with the administrative privilege.

CVE-2023-40068: Advanced Custom Fields (ACF)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Daniel Powney Multi Rating plugin <= 5.0.6 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

Found this useful? Thank yuyudhn for reporting this vulnerability. Buy a coffee ☕

yuyudhn discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Multi Rating Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 5 present

 1 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-32130: WordPress Multi Rating plugin <= 5.0.6 - Cross Site Scripting (XSS) - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Spiffy Plugins Spiffy Calendar plugin <= 4.9.3 versions.

**Solution**

 Fixed

Update the WordPress Spiffy Calendar plugin to the latest available version (at least 4.9.4).

LEE SE HYOUNG (hackintoanetwork) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Spiffy Calendar Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 4.9.4.

**Other vulnerabilities in this plugin**

 0 present

 7 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-32122: WordPress Spiffy Calendar plugin <= 4.9.3 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Ignazio Scimone Albo Pretorio On line plugin <= 4.6.3 versions.

**Solution**

 Fixed

Update the WordPress Albo Pretorio Online plugin to the latest available version (at least 4.6.4).

Phd discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Albo Pretorio Online Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 4.6.4.

**Other vulnerabilities in this plugin**

 0 present

 5 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-32109: WordPress Albo Pretorio On line plugin <= 4.6.3 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

**Solution**

 Fixed

Update the WordPress Albo Pretorio Online plugin to the latest available version (at least 4.6.4).

Found this useful? Thank thiennv for reporting this vulnerability. Buy a coffee ☕

thiennv discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Albo Pretorio Online Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 4.6.4.

**Other vulnerabilities in this plugin**

 0 present

 5 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

Tag

#wordpress