Security
Headlines
HeadlinesLatestCVEs

Tag

#wordpress

CVE-2023-0399

The Image Over Image For WPBakery Page Builder WordPress plugin before 3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE
#xss#wordpress
CVE-2023-0820

The User Role by BestWebSoft WordPress plugin before 1.6.7 does not protect against CSRF in requests to update role capabilities, leading to arbitrary privilege escalation of any role.

CVE-2023-1124

The Shopping Cart & eCommerce Store WordPress plugin before 5.4.3 does not validate HTTP requests, allowing authenticated users with admin privileges to perform LFI attacks.

CVE-2023-1330

The Redirection WordPress plugin before 1.1.4 does not add nonce verification in place when adding the redirect, which could allow attackers to add redirects via a CSRF attack.

CVE-2023-1377

The Solidres WordPress plugin through 0.9.4 does not sanitise and escape numerous parameter before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin

CVE-2023-26529: WordPress DupeOff plugin <= 1.6 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in DupeOff.Com DupeOff plugin <= 1.6 versions.

Zimbra email platform vulnerability exploited to steal European govt emails

By Deeba Ahmed Researchers have noted that attackers are targeting a medium-severity Zimbra vulnerability that the company patched in version 9.0.0 Patch 24, one year ago. This is a post from HackRead.com Read the original post: Zimbra email platform vulnerability exploited to steal European govt emails

Hackers Exploiting WordPress Elementor Pro Vulnerability: Millions of Sites at Risk!

Unknown threat actors are actively exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress. The flaw, described as a case of broken access control, impacts versions 3.11.6 and earlier. It was addressed by the plugin maintainers in version 3.11.7 released on March 22. "Improved code security enforcement in WooCommerce components," the

WordPress WooCommerce 7.1.0 Remote Code Execution

WordPress WooCommerce plugin version 7.1.0 suffers from a remote code execution vulnerability.

WordPress WPForms 1.7.8 Cross Site Scripting

WordPress WPForms plugin version 1.7.8 suffers from a cross site scripting vulnerability.