#wordpress

CVE-2022-29420: Countdown, Coming Soon, Maintenance – Countdown & Clock

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Adam Skaat's Countdown & Clock plugin <= 2.3.2 at WordPress via &ycd-circle-countdown-before-countdown and &ycd-circle-countdown-after-countdown vulnerable parameters.

2 years ago

CVE

Open in Source

#xss #vulnerability #web #wordpress #auth

CVE-2021-36912: Andrea Pernici News Sitemap for Google

Stored Cross-Site Scripting (XSS) vulnerability in Andrea Pernici News Sitemap for Google plugin <= 1.0.16 on WordPress, attackers must have contributor or higher user role.

2 years ago

CVE

Open in Source

#xss #vulnerability #google #wordpress #php

WordPress sites getting hacked ‘within seconds’ of TLS certificates being issued

Attackers pounce before site owners can activate the installation wizard

2 years ago

PortSwigger

Open in Source

#vulnerability #web #windows #ddos #wordpress #php #auth #ssl

WordPress Stafflist 3.1.2 Cross Site Scripting

WordPress Stafflist plugin version 3.1.2 suffers from a cross site scripting vulnerability.

2 years ago

Packet Storm

Open in Source

#sql #xss #csrf #vulnerability #web #ios #mac #windows #apple #ubuntu #linux #debian #cisco #java #wordpress #php #perl #auth #ruby #firefox

CVE-2021-36844: WP Subscribe

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in MyThemeShop WP Subscribe plugin <= 1.2.12 on WordPress.

2 years ago

CVE

Open in Source

#xss #vulnerability #web #google #js #git #java #wordpress #php #perl #auth

CVE-2022-29444: WordPress Breeze plugin <= 2.0.2 - Plugin Settings Change leading to Cross-Site Scripting (XSS) vulnerability - Patchstack

Plugin Settings Change leading to Cross-Site Scripting (XSS) vulnerability in Cloudways Breeze plugin <= 2.0.2 on WordPress allows users with a subscriber or higher user role to execute any of the wp_ajax_* actions in the class Breeze_Configuration which includes the ability to change any of the plugin's settings including CDN setting which could be further used for XSS attack.

2 years ago

CVE

Open in Source

#xss #vulnerability #web #wordpress #auth

CVE-2022-0952

The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as the users_can_register and default_role, allowing them to create a new admin account and take over the blog.

2 years ago

CVE

Open in Source

#csrf #wordpress #auth

CVE-2021-25002

The Tipsacarrier WordPress plugin before 1.5.0.5 does not have any authorisation check in place some functions, which could allow unauthenticated users to access Orders data which could be used to retrieve the client full address, name and phone via tracking URL

2 years ago

The Multiple Shipping Address Woocommerce WordPress plugin before 2.0 does not properly sanitise and escape numerous parameters before using them in SQL statements via some AJAX actions available to unauthenticated users, leading to unauthenticated SQL injections

2 years ago

CVE

Open in Source

#sql #wordpress #perl #auth

CVE-2022-1269

The Fast Flow WordPress plugin before 1.2.12 does not sanitise and escape the page parameter before outputting back in an attribute in an admin dashboard, leading to a Reflected Cross-Site Scripting

2 years ago

CVE

Open in Source

#xss #wordpress

Tag

#wordpress