#wordpress

CVE-2023-0399

The Image Over Image For WPBakery Page Builder WordPress plugin before 3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

2 years ago

The User Role by BestWebSoft WordPress plugin before 1.6.7 does not protect against CSRF in requests to update role capabilities, leading to arbitrary privilege escalation of any role.

2 years ago

CVE

Open in Source

#csrf #web #wordpress

CVE-2023-1330

The Redirection WordPress plugin before 1.1.4 does not add nonce verification in place when adding the redirect, which could allow attackers to add redirects via a CSRF attack.

2 years ago

The Solidres WordPress plugin through 0.9.4 does not sanitise and escape numerous parameter before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin

2 years ago

The Shopping Cart & eCommerce Store WordPress plugin before 5.4.3 does not validate HTTP requests, allowing authenticated users with admin privileges to perform LFI attacks.

2 years ago

CVE

Open in Source

#wordpress #auth

CVE-2023-26529: WordPress DupeOff plugin <= 1.6 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in DupeOff.Com DupeOff plugin <= 1.6 versions.

2 years ago

CVE

Open in Source

#xss #vulnerability #web #wordpress #auth

Zimbra email platform vulnerability exploited to steal European govt emails

By Deeba Ahmed Researchers have noted that attackers are targeting a medium-severity Zimbra vulnerability that the company patched in version 9.0.0 Patch 24, one year ago. This is a post from HackRead.com Read the original post: Zimbra email platform vulnerability exploited to steal European govt emails

2 years ago

HackRead

Open in Source

#xss #csrf #vulnerability #web #java #wordpress

Hackers Exploiting WordPress Elementor Pro Vulnerability: Millions of Sites at Risk!

Unknown threat actors are actively exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress. The flaw, described as a case of broken access control, impacts versions 3.11.6 and earlier. It was addressed by the plugin maintainers in version 3.11.7 released on March 22. "Improved code security enforcement in WooCommerce components," the

2 years ago

The Hacker News

Open in Source

#vulnerability #web #wordpress #php #backdoor #perl #auth #The Hacker News

WordPress WooCommerce 7.1.0 Remote Code Execution

WordPress WooCommerce plugin version 7.1.0 suffers from a remote code execution vulnerability.

2 years ago

Packet Storm

Open in Source

#vulnerability #windows #wordpress #php #rce #auth #firefox

WordPress WPForms 1.7.8 Cross Site Scripting

WordPress WPForms plugin version 1.7.8 suffers from a cross site scripting vulnerability.