Security
Headlines
HeadlinesLatestCVEs

Tag

#wordpress

CVE-2023-2627

The KiviCare WordPress plugin before 3.2.1 does not have proper CSRF and authorisation checks in various AJAX actions, allowing any authenticated users, such as subscriber to call them. Attacks include but are not limited to: Add arbitrary Clinic Admin/Doctors/etc and update plugin's settings

CVE
Open in Source
#csrf#wordpress#auth
CVE-2023-2623

The KiviCare WordPress plugin before 3.2.1 does not restrict the information returned in a response and returns all user data, allowing low privilege users such as subscriber to retrieve sensitive information such as the user email and hashed password of other users

CVE-2023-2592

The FormCraft WordPress plugin before 3.9.7 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

CVE-2023-3412: Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite <= 1.0.0 - Missing Authorization to Stored Cross-Site Scripting — Wordfence Intelligence

The Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.0. This is due to a missing capability check on the ajax_store_save() function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify plugin settings and inject malicious web scripts.

CVE-2023-3411: Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite <= 1.0.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting — Wordfence Intelligence

The Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.0. This is due to missing nonce validation on the ajax_store_save() function. This makes it possible for unauthenticated attackers to modify plugin settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-3132: Changeset 2923512 for mainwp-child – WordPress Plugin Repository

The MainWP Child plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.4.1.1 due to insufficient controls on the storage of back-up files. This makes it possible for unauthenticated attackers to extract sensitive data including the entire installations database if a backup occurs and the deletion of the back-up files fail.

CVE-2023-3371: Helper.php in embedpress/tags/3.7.3/EmbedPress/Includes/Classes – WordPress Plugin Repository

The User Registration plugin for WordPress is vulnerable to Sensitive Information Exposure due to hardcoded encryption key on the 'lock_content_form_handler' and 'display_password_form' function in versions up to, and including, 3.7.3. This makes it possible for unauthenticated attackers to decrypt and view the password protected content.

CVE-2023-29438: WordPress SimpleModal Contact Form (SMCF) plugin <= 1.2.9 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Eric Martin SimpleModal Contact Form (SMCF) plugin <= 1.2.9 versions.

CVE-2023-29437: WordPress Connections Business Directory plugin <= 10.4.36 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Steven A. Zahm Connections Business Directory plugin <= 10.4.36 versions.

CVE-2023-29435: WordPress Cryptocurrency All-in-One plugin <= 3.0.19 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Zwaply Cryptocurrency All-in-One plugin <= 3.0.19 versions.