Security
Headlines
HeadlinesLatestCVEs

Tag

#wordpress

CVE-2023-0443

The AnyWhere Elementor WordPress plugin before 1.2.8 discloses a Freemius Secret Key which could be used by an attacker to purchase the pro subscription using test credit card numbers without actually paying the amount. Such key has been revoked.

CVE
Open in Source
#wordpress
CVE-2022-4676

The OSM WordPress plugin through 6.01 does not validate and escape some of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack.

CVE-2023-2223

The Login rebuilder WordPress plugin before 2.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2023-0329

The Elementor Website Builder WordPress plugin before 3.12.2 does not properly sanitize and escape the Replace URL parameter in the Tools module before using it in a SQL statement, leading to a SQL injection exploitable by users with the Administrator role.

CVE-2014-125102: V1.0.8 - Security Exploit was fixed. Ability to show posts thumbnails. · wp-plugins/relevant@860d189

A vulnerability classified as problematic was found in Bestwebsoft Relevant Plugin up to 1.0.7 on WordPress. Affected by this vulnerability is an unknown functionality of the component Thumbnail Handler. The manipulation leads to information disclosure. The attack can be launched remotely. Upgrading to version 1.0.8 is able to address this issue. The name of the patch is 860d1891025548cf0f5f97364c1f51a888f523c3. It is recommended to upgrade the affected component. The identifier VDB-230113 was assigned to this vulnerability.

CVE-2023-23699: WordPress Progress Bar plugin <= 2.2.1 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Chris Reynolds Progress Bar plugin <= 2.2.1 versions.

CVE-2023-27613: WordPress Forms Ada plugin <= 1.0 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in MonitorClick Forms Ada – Form Builder plugin <= 1.0 versions.

CVE-2022-45372: WordPress Product Gallery Slider for WooCommerce plugin <= 2.2.8 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Codeixer Product Gallery Slider for WooCommerce plugin <= 2.2.8 versions.

CVE-2022-33974: WordPress Custom Twitter Feeds plugin <= 1.8.4 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Smash Balloon Custom Twitter Feeds (Tweets Widget) plugin <= 1.8.4 versions.

A week in security (May 22-28)

Categories: News Tags: Cisco Tags: Zyxel Tags: ChatGPT Tags: Malvertising Tags: Apple Tags: Google Tags: insider threat Tags: Pentagon explosion Tags: CISA Tags: ransomware guide Tags: Rheinmetall Tags: BlackBasta Tags: WordPress A list of topics we covered in the week of May 22- 28 of 2023 (Read more...) The post A week in security (May 22-28) appeared first on Malwarebytes Labs.