The tagDiv Cloud Library WordPress plugin before 2.7 does not have authorisation and CSRF in an AJAX action accessible to both unauthenticated and authenticated users, allowing unauthenticated users to change arbitrary user metadata, which could lead to privilege escalation by setting themselves as an admin of the blog.

CVE-2023-1597

Cross-Site Request Forgery (CSRF) vulnerability in Deepak Anand WP Dummy Content Generator plugin <= 2.3.0 versions.

**Solution**

 Fixed

Update the WordPress WP Dummy Content Generator plugin to the latest available version (at least 3.0.0).

Found this useful? Thank Elliot for reporting this vulnerability. Buy a coffee ☕

Elliot discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress WP Dummy Content Generator Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 3.0.0.

**Other vulnerabilities in this plugin**

 0 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-37392: WordPress WP Dummy Content Generator  plugin <= 2.3.0 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

The Export All URLs WordPress plugin before 4.6 does not sanitise and escape a parameter before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

CVE-2023-3118

Cross-Site Request Forgery (CSRF) vulnerability in Albert Peschar WebwinkelKeur plugin <= 3.24 versions.

**Solution**

 Fixed

Update the WordPress WebwinkelKeur plugin to the latest available version (at least 3.25).

qilin\_99 discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress WebwinkelKeur Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 3.25.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-36691: WordPress WebwinkelKeu plugin <= 3.24 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

The Float menu WordPress plugin before 5.0.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2023-3225

The EventON WordPress plugin before 2.1.2 does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post.

CVE-2023-3219

The AI ChatBot WordPress plugin before 4.6.1 does not adequately escape some settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVE-2023-3175

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the classes/usergroups management section.

CVE-2023-37067: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the session category management section.

CVE-2023-37065: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the extra fields management section.

Tag

#wordpress