Security
Headlines
HeadlinesLatestCVEs

Tag

#wordpress

CVE-2023-0369

The GoToWP WordPress plugin through 5.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE
Open in Source
#xss#wordpress
CVE-2022-3894

The WP OAuth Server (OAuth Authentication) WordPress plugin before 4.2.5 does not have CSRF check when deleting a client, and does not ensure that the object to be deleted is actually a client, which could allow attackers to make a logged in admin delete arbitrary client and post via a CSRF attack.

CVE-2022-4148

The WP OAuth Server (OAuth Authentication) WordPress plugin before 4.2.5 has a flawed CSRF and authorisation check when deleting a client, which could allow any authenticated users, such as subscriber to delete arbitrary client.

CVE-2023-0145

The Saan World Clock WordPress plugin through 1.8 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2022-47591: WordPress Map Multi Marker plugin <= 3.2.1 - Reflected Cross-Site Scripting (XSS) vulnerability - Patchstack

Reflected Cross-Site Scripting (XSS) vulnerability in Mickael Austoni Map Multi Marker plugin <= 3.2.1 versions.

Mispadu Banking Trojan Targets Latin America: 90,000+ Credentials Stolen

A banking trojan dubbed Mispadu has been linked to multiple spam campaigns targeting countries like Bolivia, Chile, Mexico, Peru, and Portugal with the goal of stealing credentials and delivering other payloads. The activity, which commenced in August 2022, is currently ongoing, Ocelot Team from Latin American cybersecurity firm Metabase Q said in a report shared with The Hacker News. Mispadu (

CVE-2023-22682: WordPress Camera slideshow plugin <= 1.4.0.1 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Reflected Cross-Site Scripting (XSS) vulnerability in Manuel Masia | Pixedelic.Com Camera slideshow plugin <= 1.4.0.1 versions.

CVE-2023-22680: WordPress No API Amazon Affiliate plugin <= 4.2.2 - Cross Site Scripting (XSS) - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Altanic No API Amazon Affiliate plugin <= 4.2.2 versions.

CVE-2023-22678: WordPress Superior FAQ plugin <= 1.0.2 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Rafael Dery Superior FAQ plugin <= 1.0.2 versions.

CVE-2022-47592: WordPress MagicForm plugin <= 0.1 - Reflected Cross Site Scripting (XSS) Vulnerability - Patchstack

Reflected Cross-Site Scripting (XSS) vulnerability in Dmytriy.Cooperman MagicForm plugin <= 0.1 versions.