Security
Headlines
HeadlinesLatestCVEs

Tag

#wordpress

CVE-2023-0335

The WP Shamsi WordPress plugin through 4.3.3 has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber delete attachment.

CVE
Open in Source
#csrf#vulnerability#wordpress
CVE-2023-0395

The menu shortcode WordPress plugin through 1.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2020-36666

The directory-pro WordPress plugin before 1.9.5, final-user-wp-frontend-user-profiles WordPress plugin before 1.2.2, producer-retailer WordPress plugin through TODO, photographer-directory WordPress plugin before 1.0.9, real-estate-pro WordPress plugin before 1.7.1, institutions-directory WordPress plugin before 1.3.1, lawyer-directory WordPress plugin before 1.2.9, doctor-listing WordPress plugin before 1.3.6, Hotel Listing WordPress plugin before 1.3.7, fitness-trainer WordPress plugin before 1.4.1, wp-membership WordPress plugin before 1.5.7, sold by the same developer (e-plugins), do not implementing any security measures in some AJAX calls. For example in the file plugin.php, the function iv_directories_update_profile_setting() uses update_user_meta with any data provided by the ajax call, which can be used to give the logged in user admin capabilities. Since the plugins allow user registration via a custom form (even if the blog does not allow users to register) it makes any site...

CVE-2023-22707: WordPress Greenshift – animation and page builder blocks plugin <= 4.9.9 - SVG upload to Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (author+) Cross-Site Scripting (XSS) vulnerability in Wpsoul Greenshift – animation and page builder blocks plugin <= 4.9.9 versions.

CVE-2022-47146: WordPress Real Estate 7 theme <= 3.3.1 - Cross Site Scripting (XSS) - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Contempoinc Real Estate 7 WordPress theme <= 3.3.1 versions.

CVE-2022-46843: WordPress Woocommerce Vietnam Checkout plugin <= 2.0.4 - Cross Site Scripting (XSS) - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Le Van Toan Woocommerce Vietnam Checkout plugin <= 2.0.4 versions.

CVE-2022-30705: WordPress Ping Optimizer plugin <= 2.35.1.2.3 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Pankaj Jha WordPress Ping Optimizer plugin <= 2.35.1.2.3 versions.

WordPress WooCommerce Payments 5.6.1 Authentication Bypass / Privilege Escalation

WordPress WooCommerce Payments plugin versions 5.6.1 and below suffer from authentication bypass and privilege escalation vulnerabilities. Details surrounding these issues seem minimal at this point.

Critical WooCommerce Payments Plugin Flaw Patched for 500,000+ WordPress Sites

Patches have been released for a critical security flaw impacting the WooCommerce Payments plugin for WordPress, which is installed on over 500,000 websites. The flaw, if left unresolved, could enable a bad actor to gain unauthorized admin access to impacted stores, the company said in an advisory on March 23, 2023. It impacts versions 4.8.0 through 5.6.1. Put differently, the issue could permit

CVE-2023-25456: WordPress Klaviyo plugin <= 3.0.7 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Klaviyo, Inc. Klaviyo plugin <= 3.0.7 versions.