Security
Headlines
HeadlinesLatestCVEs

Tag

#wordpress

CVE-2020-35773: wp_create_nonce() | Function | WordPress Developer Resources

The site-offline plugin before 1.4.4 for WordPress lacks certain wp_create_nonce and wp_verify_nonce calls, aka CSRF.

CVE
#csrf#git#wordpress#php
CVE-2020-35135: Changeset 2434070 – WordPress Plugin Repository

The ultimate-category-excluder plugin before 1.2 for WordPress allows ultimate-category-excluder.php CSRF.

CVE-2020-29136: 90 Change Log

In cPanel before 90.0.17, 2FA can be bypassed via a brute-force approach (SEC-575).

CVE-2020-28033: WordPress 5.5.2 Security and Maintenance Release

WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.

CVE-2020-28032

WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.

CVE-2020-28039

is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected.

CVE-2020-25213: Changeset 2373068 – WordPress Plugin Repository

The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.

CVE-2020-20627: Multiple vulnerabilities fixed in WordPress GiveWP plugin.

The includes/gateways/stripe/includes/admin/admin-actions.php in GiveWP plugin through 2.5.9 for WordPress allows unauthenticated settings change.

CVE-2020-15020: Elementor Website Builder – More than Just a Page Builder

An issue was discovered in the Elementor plugin through 2.9.13 for WordPress. An authenticated attacker can achieve stored XSS via the Name Your Template field.