#wordpress

The menu shortcode WordPress plugin through 1.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Auth. (author+) Cross-Site Scripting (XSS) vulnerability in Wpsoul Greenshift – animation and page builder blocks plugin <= 4.9.9 versions.

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Contempoinc Real Estate 7 WordPress theme <= 3.3.1 versions.

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Le Van Toan Woocommerce Vietnam Checkout plugin <= 2.0.4 versions.

Cross-Site Request Forgery (CSRF) vulnerability in Pankaj Jha WordPress Ping Optimizer plugin <= 2.35.1.2.3 versions.

WordPress WooCommerce Payments plugin versions 5.6.1 and below suffer from authentication bypass and privilege escalation vulnerabilities. Details surrounding these issues seem minimal at this point.

Patches have been released for a critical security flaw impacting the WooCommerce Payments plugin for WordPress, which is installed on over 500,000 websites. The flaw, if left unresolved, could enable a bad actor to gain unauthorized admin access to impacted stores, the company said in an advisory on March 23, 2023. It impacts versions 4.8.0 through 5.6.1. Put differently, the issue could permit

Reflected Cross-Site Scripting (XSS) vulnerability in Blockonomics WordPress Bitcoin Payments – Blockonomics plugin <= 3.5.7 versions.

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Klaviyo, Inc. Klaviyo plugin <= 3.0.7 versions.

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in CreativeMindsSolutions CM Answers plugin <= 3.1.9 versions.