Security
Headlines
HeadlinesLatestCVEs

Tag

#wordpress

CVE-2023-22673: WordPress Website Monetization by MageNet plugin <= 1.0.29.1 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in MageNet Website Monetization by MageNet plugin <= 1.0.29.1 versions.

CVE
#csrf#vulnerability#web#wordpress#auth
CVE-2023-1780

The Companion Sitemap Generator WordPress plugin before 4.5.3 does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2023-28989: WordPress Happy Addons for Elementor plugin <= 3.8.2 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in weDevs Happy Addons for Elementor plugin <= 3.8.2 versions.

CVE-2023-28995: WordPress Configurable Tag Cloud plugin <= 5.2 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Keith Solomon Configurable Tag Cloud (CTC) plugin <= 5.2 versions.

CVE-2023-29095: WordPress RSVPMaker plugin < 10.5.5 - SQL Injection vulnerability - Patchstack

Auth. (admin+) SQL Injection (SQLi) vulnerability in David F. Carr RSVPMaker plugin < 10.5.5 versions.

CVE-2023-1597

The tagDiv Cloud Library WordPress plugin before 2.7 does not have authorisation and CSRF in an AJAX action accessible to both unauthenticated and authenticated users, allowing unauthenticated users to change arbitrary user metadata, which could lead to privilege escalation by setting themselves as an admin of the blog.

CVE-2023-3077

The MStore API WordPress plugin before 3.9.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to a Blind SQL injection exploitable by unauthenticated users. This is only exploitable if the site owner elected to pay to get access to the plugins' pro features, and uses the woocommerce-appointments plugin.

CVE-2023-3076

The MStore API WordPress plugin before 3.9.9 does not prevent visitors from creating user accounts with the role of their choice via their wholesale REST API endpoint. This is only exploitable if the site owner paid to access the plugin's pro features.

CVE-2023-1119

The WP-Optimize WordPress plugin before 3.2.13, SrbTransLatin WordPress plugin through 2.4 use a third-party library that removes the escaping on some HTML characters, leading to a Cross-Site Scripting vulnerability.

CVE-2023-2635

The Call Now Accessibility Button WordPress plugin before 1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)