Security
Headlines
HeadlinesLatestCVEs

Tag

#wordpress

CVE-2023-35878: WordPress Extra User Details plugin <= 0.5 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Vadym K. Extra User Details plugin <= 0.5 versions.

CVE
Open in Source
#xss#vulnerability#web#wordpress#auth
CVE-2023-3325: CMS Commander <= 2.287 - Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature — Wordfence Intelligence

The CMS Commander plugin for WordPress is vulnerable to authorization bypass due to the use of an insufficiently unique cryptographic signature on the 'cmsc_add_site' function in versions up to, and including, 2.287. This makes it possible for unauthenticated attackers to the plugin to change the '_cmsc_public_key' in the plugin config, providing access to the plugin's remote control functionalities, such as creating an admin access URL, which can be used for privilege escalation. This can only be exploited if the plugin has not been configured yet, however, if combined with another arbitrary plugin installation and activation vulnerability, the impact can be severe.

CVE-2023-3320: WP Sticky Social <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting — Wordfence Intelligence

The WP Sticky Social plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. This is due to missing nonce validation in the ~/admin/views/admin.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

WordPress Abandoned Cart Lite For WooCommerce 5.14.2 Authentication Bypass

WordPress Abandoned Cart Lite for WooCommerce plugin versions 5.14.2 and below suffer from an authentication bypass vulnerability.

CVE-2023-35776: WordPress Sermon'e – Sermons Online plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Beplus Sermon'e – Sermons Online plugin <= 1.0.0 versions.

CVE-2023-35772: WordPress Google Map Shortcode plugin <= 3.1.2 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Alain Gonzalez Google Map Shortcode plugin <= 3.1.2 versions.

CVE-2023-35775: WordPress WP Backup Manager plugin <= 1.13.1 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WP Backup Solutions WP Backup Manager plugin <= 1.13.1 versions.

CVE-2023-35779: WordPress Seed Fonts plugin 2.3.1 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Seed Webs Seed Fonts plugin <= 2.3.1 versions.

CVE-2023-34373: WordPress Zephyr Project Manager plugin <= 3.3.93 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Dylan James Zephyr Project Manager plugin <= 3.3.93 versions.