Security
Headlines
HeadlinesLatestCVEs

Tag

#wordpress

CVE-2023-49179: WordPress Event post plugin <= 5.8.6 - Cross Site Scripting (XSS) vulnerability - Patchstack

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in N.O.U.S. Open Useful and Simple Event post allows Stored XSS.This issue affects Event post: from n/a through 5.8.6.

CVE
Open in Source
#xss#vulnerability#web#wordpress
CVE-2023-49176: WordPress WP Pocket URLs plugin <= 1.0.2 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeRevolution WP Pocket URLs allows Reflected XSS.This issue affects WP Pocket URLs: from n/a through 1.0.2.

CVE-2023-49184: WordPress Parallax Slider Block plugin <= 1.2.4 - Cross Site Scripting (XSS) vulnerability - Patchstack

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Parallax Slider Block allows Stored XSS.This issue affects Parallax Slider Block: from n/a through 1.2.4.

CVE-2023-48765: WordPress Email Address Encoder plugin <= 1.0.22 - Cross Site Scripting (XSS) vulnerability - Patchstack

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Till Krüss Email Address Encoder allows Stored XSS.This issue affects Email Address Encoder: from n/a through 1.0.22.

CVE-2023-49160: WordPress Formzu WP plugin <= 1.6.6 - Cross Site Scripting (XSS) vulnerability - Patchstack

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in formzu Inc. Formzu WP allows Stored XSS.This issue affects Formzu WP: from n/a through 1.6.6.

CVE-2023-49165: WordPress Client Dash plugin <= 2.2.1 - Cross Site Scripting (XSS) vulnerability - Patchstack

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Real Big Plugins Client Dash allows Stored XSS.This issue affects Client Dash: from n/a through 2.2.1.

CVE-2023-6553: Backup Migration <= 1.3.7 - Unauthenticated Remote Code Execution — Wordfence Intelligence

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated attackers to easily execute code on the server.

CVE-2023-6826: E2Pdf <= 1.20.25 - Authenticated (Administrator+) Arbitrary File Upload — Wordfence Intelligence

The E2Pdf plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'import_action' function in versions up to, and including, 1.20.25. This makes it possible for authenticated attackers with a role that the administrator previously granted access to the plugin, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVE-2023-6827: Essential Real Estate <= 4.3.5 - Authenticated (Subscriber+) Arbitrary File Upload — Wordfence Intelligence

The Essential Real Estate plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'ajaxUploadFonts' function in versions up to, and including, 4.3.5. This makes it possible for authenticated attackers with subscriber-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVE-2023-49152: WordPress Credit Tracker plugin <= 1.1.17 - Cross Site Scripting (XSS) vulnerability - Patchstack

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Labs64 Credit Tracker allows Stored XSS.This issue affects Credit Tracker: from n/a through 1.1.17.