Security
Headlines
HeadlinesLatestCVEs

Tag

#wordpress

CVE-2017-20099: Analytics Stats Counter Statistics WordPress Plugin unauthenticated PHP Object injection vulnerability

A vulnerability was found in Analytics Stats Counter Statistics Plugin 1.2.2.5 and classified as critical. This issue affects some unknown processing. The manipulation leads to code injection. The attack may be initiated remotely.

CVE
Open in Source
#vulnerability#web#wordpress#php#auth
WordPress Simple Page Transition 1.4.1 Cross Site Scripting

WordPress Simple Page Transition plugin version 1.4.1 suffers from a persistent cross site scripting vulnerability.

WordPress W-DALIL 2.0 Cross Site Scripting

WordPress W-DALIL plugin version 2.0 suffers from a persistent cross site scripting vulnerability.

WordPress Weblizar 8.9 Code Execution

WordPress Weblizar plugin version 8.9 suffers from a remote code execution vulnerability.

CVE-2013-2180: CVE-2012-5856 uk-cookie plugin XSS · Issue #184 · wpscanteam/wpscan

WordPress Plugin UK Cookie is prone to a cross-site request forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected application; other attacks are also possible. WordPress Plugin UK Cookie version 1.1 is vulnerable; other versions may also be affected.

CVE-2022-1971

The NextCellent Gallery WordPress plugin through 1.9.35 does not sanitise and escape some of its image settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2022-1964

The Easy SVG Support WordPress plugin before 3.3.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads

CVE-2022-1960

The MyCSS WordPress plugin through 1.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

CVE-2022-1953

The Product Configurator for WooCommerce WordPress plugin before 1.2.32 suffers from an arbitrary file deletion vulnerability via an AJAX action, accessible to unauthenticated users, which accepts user input that is being used in a path and passed to unlink() without validation first

CVE-2022-1916

The Active Products Tables for WooCommerce. Professional products tables for WooCommerce store WordPress plugin before 1.0.5 does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected cross-Site Scripting