Security Headlines: Latest CVEs tagged #wordpress

CVE-2023-3411: Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite <= 1.0.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting — Wordfence Intelligence

The Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.0, because the ajax_store_save() function does not validate a nonce. An unauthenticated attacker who can get a site administrator to perform an action such as clicking a link can forge a request that rides the administrator's session, modifies plugin settings and injects malicious web scripts that are later rendered on the site (stored XSS).
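The pattern behind this entry, shown as an added illustration rather than the plugin's own code: an admin-ajax save handler with no nonce check, next to a hardened version. It assumes it is loaded inside WordPress; the function, hook and option names (imp_demo_*) are hypothetical, while check_ajax_referer(), current_user_can(), wp_localize_script() and the sanitising helpers are real WordPress APIs.

```php
<?php
/*
 * Illustrative only (not the Image Map Pro code). The vulnerable handler
 * trusts any POST that reaches admin-ajax.php; the hardened one requires a
 * nonce, a capability and sanitised input. Assumes it runs inside WordPress.
 */

// VULNERABLE: a page on another site can make an admin's browser POST here
// (the admin's cookies are sent automatically) and the attacker's markup is
// stored and rendered later. The attacker needs no account on the site.
function imp_demo_ajax_store_save_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    update_option( 'imp_demo_settings', $settings ); // no nonce, no capability, no sanitising
    wp_send_json_success();
}

// HARDENED
function imp_demo_ajax_store_save() {
    // 1. Nonce: ties the request to a token only a page rendered for this user carries.
    //    check_ajax_referer() sends a 403 and stops when the token is missing or wrong.
    check_ajax_referer( 'imp_demo_save', 'nonce' );
    // 2. Capability: a valid nonce from a subscriber must still not change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // 3. Input: keep only expected fields, sanitised for their use.
    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) ) ? wp_unslash( $_POST['settings'] ) : array();
    $settings = array(
        'title' => sanitize_text_field( $raw['title'] ?? '' ),
        'html'  => wp_kses_post( $raw['html'] ?? '' ), // post-safe tags only, no <script>/on* handlers
    );
    update_option( 'imp_demo_settings', $settings );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_imp_demo_store_save', 'imp_demo_ajax_store_save' );
// Deliberately no wp_ajax_nopriv_ hook: logged-out visitors have no reason to reach this.

// Hand the nonce to the admin-side script that issues the request.
function imp_demo_enqueue( $hook ) {
    if ( 'toplevel_page_imp-demo' !== $hook ) { // hypothetical settings page slug
        return;
    }
    wp_enqueue_script( 'imp-demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'imp-demo-admin', 'impDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'imp_demo_save' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'imp_demo_enqueue' );
```

When auditing a plugin for this class of bug, grep for wp_ajax_ hooks and confirm that every handler calls check_ajax_referer() (or wp_verify_nonce()) and a current_user_can() check before it writes anything; a nonce alone is not authorisation, and a capability check alone does not stop CSRF.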

CVE-2023-3132: Changeset 2923512 for mainwp-child – WordPress Plugin Repository

The MainWP Child plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.4.1.1 due to insufficient controls on the storage of backup files. If a backup is taken and the deletion of the backup files fails, an unauthenticated attacker can retrieve the leftover files and extract sensitive data, including the entire installation's database.
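A hardening pattern for the failure mode this entry describes (a dump that stays on disk after the transfer fails), added here as an illustration and not taken from MainWP: an unguessable path, a directory the web server refuses to serve, and deletion that runs even when shipping the file throws. It assumes WordPress; the bk_demo_* names and the $dump/$ship callables are hypothetical.

```php
<?php
/*
 * Illustrative only (not MainWP code). Assumes it runs inside WordPress.
 * Three layers: the file name cannot be guessed, the directory is denied to
 * web clients, and the file is removed in a finally block plus a scheduled
 * sweep, so a failed transfer does not leave the database dump reachable.
 */
function bk_demo_backup_dir() {
    // Per-site, non-guessable directory name derived from the site's salts.
    $dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'bk-demo-' . wp_hash( 'bk-demo-dir' );
    if ( ! is_dir( $dir ) ) {
        wp_mkdir_p( $dir );
        // Apache: deny direct requests (2.4 and 2.2 syntax). nginx ignores
        // .htaccess, so there a matching "location { deny all; }" is needed,
        // and storing outside the web root is better still.
        file_put_contents( $dir . '/.htaccess', "Require all denied\nDeny from all\n" );
        file_put_contents( $dir . '/index.php', "<?php // silence is golden\n" );
    }
    return $dir;
}

function bk_demo_run_backup( callable $dump, callable $ship ) {
    $path = bk_demo_backup_dir() . '/db-' . wp_generate_password( 32, false ) . '.sql';
    try {
        $dump( $path ); // writes the database dump to $path
        $ship( $path ); // sends it to the controller; may throw on network failure
    } finally {
        // Runs whether $ship succeeded or threw: the dump never lingers.
        if ( file_exists( $path ) ) {
            unlink( $path );
        }
    }
}

// Belt and braces: sweep anything an earlier crash (fatal error, OOM) left behind.
function bk_demo_sweep() {
    foreach ( glob( bk_demo_backup_dir() . '/db-*.sql' ) as $file ) {
        if ( filemtime( $file ) < time() - HOUR_IN_SECONDS ) {
            unlink( $file );
        }
    }
}
add_action( 'bk_demo_sweep', 'bk_demo_sweep' );
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'bk_demo_sweep' ) ) {
        wp_schedule_event( time(), 'hourly', 'bk_demo_sweep' );
    }
} );
```

The practitioner's check is the same regardless of plugin: after running a backup, request the backup directory and a known file name over HTTP and expect 403 or 404, and list the directory on disk once the job reports completion to confirm nothing was left behind.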

CVE-2023-3371: Helper.php in embedpress/tags/3.7.3/EmbedPress/Includes/Classes – WordPress Plugin Repository

The EmbedPress plugin for WordPress is vulnerable to Sensitive Information Exposure due to a hardcoded encryption key in the 'lock_content_form_handler' and 'display_password_form' functions in versions up to, and including, 3.7.3. Because the key ships in the plugin source, anyone who can read it can decrypt the protected content; this makes it possible for unauthenticated attackers to decrypt and view password-protected content.
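Why a hardcoded key fails and what replaces it, as an added example that is not EmbedPress code: the weak form uses one literal shared by every installation, so decrypting any site's ciphertext only requires a copy of the plugin; the hardened form derives a per-site key from the installation's own secrets via wp_salt(), which reads the AUTH_KEY/AUTH_SALT values from wp-config.php and never appears in the plugin source. The demo_* names are hypothetical; wp_salt(), hash_hkdf() and the openssl_* calls are real.

```php
<?php
/*
 * Illustrative only. Assumes it runs inside WordPress (for wp_salt()).
 * WEAK: every copy of the plugin carries the same key, so the "protection"
 * is only as secret as the plugin zip.
 */
const DEMO_HARDCODED_KEY = 'this-literal-ships-in-every-copy-of-the-plugin';

function demo_encrypt_weak( $plaintext ) {
    $iv = random_bytes( 16 );
    $ct = openssl_encrypt( $plaintext, 'aes-256-cbc', hash( 'sha256', DEMO_HARDCODED_KEY, true ), OPENSSL_RAW_DATA, $iv );
    return base64_encode( $iv . $ct ); // anyone with DEMO_HARDCODED_KEY reads this
}

/*
 * HARDENED: key material is unique to this installation. HKDF with a
 * purpose string keeps this key separate from anything else derived from
 * the same salt. AES-GCM adds integrity, so a tampered blob fails to decrypt.
 */
function demo_site_key() {
    return hash_hkdf( 'sha256', wp_salt( 'auth' ), 32, 'demo-plugin-content-lock' );
}

function demo_encrypt( $plaintext ) {
    $iv  = random_bytes( 12 );
    $tag = '';
    $ct  = openssl_encrypt( $plaintext, 'aes-256-gcm', demo_site_key(), OPENSSL_RAW_DATA, $iv, $tag );
    return base64_encode( $iv . $tag . $ct );
}

function demo_decrypt( $blob ) {
    $raw = base64_decode( $blob, true );
    if ( false === $raw || strlen( $raw ) < 28 ) { // 12-byte IV + 16-byte tag minimum
        return false;
    }
    $iv  = substr( $raw, 0, 12 );
    $tag = substr( $raw, 12, 16 );
    $ct  = substr( $raw, 28 );
    return openssl_decrypt( $ct, 'aes-256-gcm', demo_site_key(), OPENSSL_RAW_DATA, $iv, $tag ); // false on bad tag
}

// Only decrypt server-side, and only after the visitor's password has been
// checked against a stored hash; the ciphertext itself should never be
// delivered to an unauthenticated browser.
function demo_render_locked( $blob, $submitted_password, $stored_hash ) {
    if ( ! password_verify( $submitted_password, $stored_hash ) ) {
        return '';
    }
    $content = demo_decrypt( $blob );
    return false === $content ? '' : $content;
}
```

A per-site key only helps if the decryption happens on the server after the password check; if the ciphertext and key both reach the browser, the protection is cosmetic whatever the key. The simpler design for password-gated content is to not return the content at all until the password is verified, with no encryption step.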

CVE-2023-29438: WordPress SimpleModal Contact Form (SMCF) plugin <= 1.2.9 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Eric Martin SimpleModal Contact Form (SMCF) plugin <= 1.2.9 versions.

CVE-2023-29437: WordPress Connections Business Directory plugin <= 10.4.36 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Steven A. Zahm Connections Business Directory plugin <= 10.4.36 versions.

CVE-2023-29435: WordPress Cryptocurrency All-in-One plugin <= 3.0.19 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Zwaply Cryptocurrency All-in-One plugin <= 3.0.19 versions.

CVE-2023-29436: WordPress IFrame Shortcode plugin <= 1.0.5 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Flyn San IFrame Shortcode plugin <= 1.0.5 versions.

CVE-2023-29434: WordPress Optin Forms plugin <= 1.3.1 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in FancyThemes Optin Forms – Simple List Building Plugin for WordPress plugin <= 1.3.1 versions.

CVE-2023-29430: WordPress TheRoof theme <= 1.0.3 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CTHthemes TheRoof theme <= 1.0.3 versions.

CVE-2023-29427: WordPress Amelia plugin <= 1.0.75 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in TMS Booking for Appointments and Events Calendar – Amelia plugin <= 1.0.75 versions.
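The two shapes behind the Patchstack entries above (stored XSS reachable by contributor-level or admin-level users through content they save, and reflected XSS reachable by anyone through a request parameter) share one fix: escape for the exact output context. The block below is an added illustration, not code from any of the listed plugins or themes; it assumes WordPress, and the demo_frame shortcode, demo_q parameter and function names are hypothetical. Note why "contributor+" matters: contributors cannot publish raw HTML (no unfiltered_html capability), but they can put any value in a shortcode attribute, which the shortcode then renders when an editor or admin previews or publishes the post.

```php
<?php
/*
 * Illustrative only. Assumes it runs inside WordPress.
 * STORED, vulnerable: a contributor saves
 *   [demo_frame src='x" onload="alert(document.cookie)']
 * and the attribute lands in the page unescaped for whoever views it.
 */
function demo_frame_shortcode_vulnerable( $atts ) {
    $a = shortcode_atts( array( 'src' => '', 'title' => '' ), $atts, 'demo_frame' );
    return '<iframe src="' . $a['src'] . '" title="' . $a['title'] . '"></iframe>';
}

// STORED, hardened: URL context -> esc_url() (rejects javascript: and returns ''),
// attribute context -> esc_attr().
function demo_frame_shortcode( $atts ) {
    $a   = shortcode_atts( array( 'src' => '', 'title' => '' ), $atts, 'demo_frame' );
    $src = esc_url( $a['src'], array( 'http', 'https' ) );
    if ( '' === $src ) {
        return ''; // disallowed scheme or empty: render nothing rather than something half-safe
    }
    return '<iframe src="' . $src . '" title="' . esc_attr( $a['title'] ) . '"></iframe>';
}
add_shortcode( 'demo_frame', 'demo_frame_shortcode' );

/*
 * REFLECTED, vulnerable: a link such as
 *   /?demo_q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
 * executes in the browser of anyone who clicks it; no login needed.
 */
function demo_search_box_vulnerable() {
    $q = isset( $_GET['demo_q'] ) ? wp_unslash( $_GET['demo_q'] ) : '';
    return '<input name="demo_q" value="' . $q . '"><p>Results for ' . $q . '</p>';
}

// REFLECTED, hardened: sanitise on the way in, escape per context on the way out
// (the same value needs esc_attr() inside the attribute and esc_html() in text).
function demo_search_box() {
    $q = isset( $_GET['demo_q'] ) ? sanitize_text_field( wp_unslash( $_GET['demo_q'] ) ) : '';
    return '<input name="demo_q" value="' . esc_attr( $q ) . '"><p>Results for ' . esc_html( $q ) . '</p>';
}
```

When reviewing a plugin, follow every $_GET/$_POST/$_REQUEST read and every shortcode attribute to the point where it is concatenated into HTML and check that an esc_* function matching that position (attribute, text, URL, JavaScript string) sits between the two; sanitize_text_field() on input is useful but does not replace output escaping.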