Security
Headlines
HeadlinesLatestCVEs

Tag

#wordpress

WordPress TextMe SMS 1.9.0 Cross Site Request Forgery

WordPress TextMe SMS plugin versions 1.9.0 and below suffer from a cross site request forgery vulnerability.

Packet Storm
Open in Source
#csrf#vulnerability#windows#linux#wordpress#php#auth
CVE-2023-5756: Digital Publications by Supsystic <= 1.7.6 - Cross-Site Request Forgery via AJAX action — Wordfence Intelligence

The Digital Publications by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.6. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to execute AJAX actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-6120: Welcart e-Commerce <= 2.9.6 - Authenticated (Administrator+) Directory Traversal — Wordfence Intelligence

The Welcart e-Commerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.6 via the upload_certificate_file function. This makes it possible for administrators to upload .pem or .crt files to arbitrary locations on the server.

WordPress Elementor 3.18.1 File Upload / Remote Code Execution

WordPress Elementor plugin versions 3.18.1 and below are vulnerability to remote code execution via file upload in the template import functionality.

WordPress Releases Update 6.4.2 to Address Critical Remote Attack Vulnerability

WordPress has released version 6.4.2 with a patch for a critical security flaw that could be exploited by threat actors by combining it with another bug to execute arbitrary PHP code on vulnerable sites. "A remote code execution vulnerability that is not directly exploitable in core; however, the security team feels that there is a potential for high severity when combined with some plugins,

CVE-2023-47548: WordPress Integrate Google Drive plugin <= 1.3.2 - Open Redirection vulnerability - Patchstack

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in SoftLab Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site.This issue affects Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site: from n/a through 1.3.2.

CVE-2023-45762: WordPress Responsive Column Widgets plugin <= 1.2.7 - Open Redirection vulnerability - Patchstack

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Michael Uno (miunosoft) Responsive Column Widgets.This issue affects Responsive Column Widgets: from n/a through 1.2.7.

CVE-2023-48325: WordPress Landing Page Builder plugin <= 1.5.1.5 - Open Redirection vulnerability - Patchstack

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in PluginOps Landing Page Builder – Lead Page – Optin Page – Squeeze Page – WordPress Landing Pages.This issue affects Landing Page Builder – Lead Page – Optin Page – Squeeze Page – WordPress Landing Pages: from n/a through 1.5.1.5.

CVE-2023-35039: WordPress Password Reset with Code for WordPress REST API plugin <= 0.0.15 - Privilege Escalation Due To Weak Pin Generation Vulnerability - Patchstack

Improper Restriction of Excessive Authentication Attempts vulnerability in Be Devious Web Development Password Reset with Code for WordPress REST API allows Authentication Abuse.This issue affects Password Reset with Code for WordPress REST API: from n/a through 0.0.15.

CVE-2023-35909: WordPress Ninja Forms plugin 3.6.25 - Denial of Service Attack vulnerability - Patchstack

Uncontrolled Resource Consumption vulnerability in Saturday Drive Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress leading to DoS.This issue affects Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress: from n/a through 3.6.25.