Security
Headlines
HeadlinesLatestCVEs

Tag

#php

CVE-2023-0583: class-vk-blocks-entrypoint.php in vk-blocks/trunk/inc/vk-blocks/App/RestAPI/BlockMeta – WordPress Plugin Repository

The VK Blocks plugin for WordPress is vulnerable to improper authorization via the REST 'update_vk_blocks_options' function in versions up to, and including, 1.57.0.5. This allows authenticated attackers, with contributor-level permissions or above, to change plugin settings including default icons.

CVE
Open in Source
#js#git#wordpress#php#auth
CVE-2023-3052: azexo_html.php in page-builder-by-azexo/trunk – WordPress Plugin Repository

The Page Builder by AZEXO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.27.133. This is due to missing or incorrect nonce validation on the 'azh_add_post', 'azh_duplicate_post', 'azh_update_post' and 'azh_remove_post' functions. This makes it possible for unauthenticated attackers to create, modify, and delete a post via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-2781: class-xlwuev-woocommerce-confirmation-email-public.php in woo-confirmation-email/tags/3.5.0/public – WordPress Plugin Repository

The User Email Verification for WooCommerce plugin for WordPress is vulnerable to authentication bypass via authenticate_user_by_email in versions up to, and including, 3.5.0. This is due to a random token generation weakness in the resend_verification_email function. This allows unauthenticated attackers to impersonate users and trigger an email address verification for arbitrary accounts, including administrative accounts, and automatically be logged in as that user, including any site administrators. This requires the Allow Automatic Login After Successful Verification setting to be enabled, which it is not by default.

CVE-2023-33762: CVEs/CVE-2023-33762 at main · rauschecker/CVEs

eMedia Consulting simpleRedak up to v2.47.23.05 was discovered to contain a SQL injection vulnerability via the Activity parameter.

CVE-2023-33761: CVEs/CVE-2023-33761 at main · rauschecker/CVEs

eMedia Consulting simpleRedak up to v2.47.23.05 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /view/cb/format_642.php.

CVE-2023-33763: CVEs/CVE-2023-33763 at main · rauschecker/CVEs

eMedia Consulting simpleRedak up to v2.47.23.05 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /scheduler/index.php.

CVE-2023-3069: sec(Users) repeat password checks in backend before update · tsolucio/corebos@e3dabd7

Unverified Password Change in GitHub repository tsolucio/corebos prior to 8.

CVE-2023-3068: cve/Retro Cellphone Online Store.pdf at main · wordpress405/cve

A vulnerability classified as critical has been found in Campcodes Retro Cellphone Online Store 1.0. Affected is an unknown function of the file /admin/modal_add_product.php. The manipulation of the argument category leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-230580.

Total CMS 1.7.4 Shell Upload

Total CMS version 1.7.4 suffers from a remote shell upload vulnerability.