Security Headlines: Latest CVEs, tag #wordpress

CVE-2023-35095: WordPress Flo Forms plugin <= 1.0.40 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Flothemes Flo Forms – Easy Drag & Drop Form Builder plugin <= 1.0.40 versions.

WordPress Theme Medic 1.0.0 Weak Password Recovery Mechanism

WordPress Theme Medic theme version 1.0.0 suffers from having a weak password recovery mechanism for the forgot password flow.

WordPress Kero jQuery/HTML Dashboard PRO 2.3.86 SQL Injection

WordPress Kero jQuery/HTML Dashboard PRO theme version 2.3.86 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

CVE-2023-35097: WordPress WP Affiliate Links plugin <= 0.1.1 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Internet Marketing Dojo WP Affiliate Links plugin <= 0.1.1 versions.

CVE-2023-35098: WordPress WordPress NextGen GalleryView plugin <= 0.5.5 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in John Brien WordPress NextGen GalleryView plugin <= 0.5.5 versions.

CVE-2023-35882: WordPress Super Socializer plugin <= 7.13.52 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Team Heateor Super Socializer plugin <= 7.13.52 versions.

CVE-2023-35878: WordPress Extra User Details plugin <= 0.5 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Vadym K. Extra User Details plugin <= 0.5 versions.

CVE-2023-3325: CMS Commander <= 2.287 - Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature — Wordfence Intelligence

The CMS Commander plugin for WordPress is vulnerable to authorization bypass due to the use of an insufficiently unique cryptographic signature on the 'cmsc_add_site' function in versions up to, and including, 2.287. This makes it possible for unauthenticated attackers to change the '_cmsc_public_key' in the plugin config, providing access to the plugin's remote control functionalities, such as creating an admin access URL, which can be used for privilege escalation. This can only be exploited if the plugin has not been configured yet; however, if combined with another arbitrary plugin installation and activation vulnerability, the impact can be severe.

CVE-2023-3320: WP Sticky Social <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting — Wordfence Intelligence

The WP Sticky Social plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. This is due to missing nonce validation in the ~/admin/views/admin.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.