Security
Headlines
HeadlinesLatestCVEs

Tag

#wordpress

CVE-2023-34377: WordPress My Content Management plugin <= 1.7.6 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Joseph C Dolson My Content Management plugin <= 1.7.6 versions.

CVE
Open in Source
#xss#vulnerability#web#wordpress#auth
CVE-2023-36689: WordPress WPFactory Helper plugin <= 1.5.2 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPFactory WPFactory Helper plugin <= 1.5.2 versions.

CVE-2023-30491: WordPress CodeBard's Patron Button and Widgets for Patreon plugin <= 2.1.8 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CodeBard CodeBard's Patron Button and Widgets for Patreon plugin <= 2.1.8 versions.

CVE-2023-34010: WordPress Media Library Assistant plugin <= 3.0.7 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in submodule of David Lingren Media Library Assistant plugin  <= 3.0.7 versions.

WordPress Adivaha Travel 2.3 Cross Site Scripting

WordPress Adivaha Travel plugin version 2.3 suffers from a cross site scripting vulnerability.

WordPress EventON Calendar 4.4 Insecure Direct Object Reference

WordPress EventON Calendar plugin version 4.4 suffers from an insecure direct object reference vulnerability.

WordPress Ninja Forms 3.6.25 Cross Site Scripting

WordPress Ninja Forms plugin version 3.6.25 suffers from a cross site scripting vulnerability.

CVE-2023-4142: WP Ultimate CSV Importer <= 7.9.8 - Authenticated (Author+) Remote Code Execution — Wordfence Intelligence

The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus1' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin settings, to execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files, please note that this means remote code execution is still possible for site administrators, use the plugin with caution.

CVE-2023-4141: Changeset 2944635 for wp-ultimate-csv-importer/trunk/wp-ultimate-csv-importer.php – WordPress Plugin Repository

The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus2' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin settings, to create a PHP file and execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files, please note that this means php file creation is still allowed for site administrators, use the plugin with caution.