Security
Headlines
HeadlinesLatestCVEs

Tag

#wordpress

CVE-2023-1509: gmace.php in gmace/trunk – WordPress Plugin Repository

The GMAce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.2. This is due to missing nonce validation on the gmace_manager_server function called via the wp_ajax_gmace_manager AJAX action. This makes it possible for unauthenticated attackers to modify arbitrary files and achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE
Open in Source
#mac#js#wordpress#php#rce#auth
Stealthy DBatLoader Malware Loader Spreading Remcos RAT and Formbook in Europe

A new phishing campaign has set its sights on European entities to distribute Remcos RAT and Formbook via a malware loader dubbed DBatLoader. "The malware payload is distributed through WordPress websites that have authorized SSL certificates, which is a common tactic used by threat actors to evade detection engines," Zscaler researchers Meghraj Nandanwar and Satyam Singh said in a report

CVE-2022-47170: WordPress Unlimited Elements for Elementor plugin <= 1.5.48 - Cross Site Scripting (XSS) - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin <= 1.5.48 versions.

CVE-2023-25704: WordPress Interactive SVG Image Map Builder plugin <= 1.0 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mehjabin Orthi Interactive SVG Image Map Builder plugin <= 1.0 versions.

CVE-2022-46863: WordPress Quick Event Manager plugin <= 9.6.4 - Cross Site Scripting (XSS) - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Fullworks Quick Event Manager plugin <= 9.6.4 versions.

CVE-2022-45825: WordPress WPComplete plugin <= 2.9.4 - Reflected Cross Site Scripting (XSS) - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in iThemes WPComplete plugin <= 2.9.2 versions.

CVE-2022-46848: WordPress Visualizer: Tables and Charts Manager for WordPress plugin <= 3.9.2 - Auth. Cross-Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Themeisle Visualizer: Tables and Charts Manager for WordPress plugin <= 3.9.1 versions.

CVE-2022-45831: WordPress Image Hover Effects – Caption Hover with Carousel plugin <= 2.8 - Cross Site Scripting (XSS) - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in biplob018 Image Hover Effects for Elementor with Lightbox and Flipbox plugin <= 2.8 versions.

CVE-2022-46855: WordPress Responsive Pricing Table plugin <= 5.1.6 - Auth. Cross-Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in WP Darko Responsive Pricing Table plugin <= 5.1.6 versions.

CVE-2023-0336

The OoohBoi Steroids for Elementor WordPress plugin before 2.1.5 has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber to delete attachment.