
Tag

#wordpress

What GoDaddy's Years-Long Breach Means for Millions of Clients

The same "sophisticated" threat actor has pummeled the domain host on an ongoing basis since 2020, making off with customer logins, source code, and more. Here's what to do.

DARKReading
CVE-2023-1155: Cost Calculator <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting — Wordfence Intelligence Community Edition

The Cost Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the nd_cc_meta_box_cc_price_icon parameter in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-0085: Metform Elementor Contact Form Builder <= 3.2.1 - reCaptcha Protection Bypass — Wordfence Intelligence Community Edition

The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to reCaptcha Bypass in versions up to, and including, 3.2.1. This is due to insufficient server-side checking of the captcha value submitted during a form submission. This makes it possible for unauthenticated attackers to bypass Captcha restrictions and for attackers to utilize bots to submit forms.

CVE-2022-46798: WordPress WooLentor plugin <= 2.5.1 - CSRF Leading to Plugin Settings Change Vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in HasThemes ShopLentor plugin <= 2.5.1 leading to plugin settings change.

CVE-2022-46806: WordPress Cart All In One For WooCommerce plugin <= 1.1.10 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in VillaTheme Cart All In One For WooCommerce plugin <= 1.1.10 leading to cart modification.

CVE-2022-47148: WordPress PDF Invoices & Packing Slips for WooCommerce plugin <= 3.2.5 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in WP Overnight PDF Invoices & Packing Slips for WooCommerce plugin <= 3.2.5 leading to popup dismiss.

CVE-2022-46805: WordPress Conditional Payments for WooCommerce plugin <= 2.3.1 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Lauri Karisola / WP Trio Conditional Shipping for WooCommerce plugin <= 2.3.1 leading to activation/deactivation of plugin rulesets.

CVE-2022-46797: WordPress Actionable Google Analytics and Google Shopping plugin for WooCommerce plugin <= 5.2.3 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Conversios All-in-one Google Analytics, Pixels and Product Feed Manager for WooCommerce plugin <= 5.2.3 leads to plugin settings change.

CVE-2022-45804: WordPress Photo Gallery, Images, Slider in Rbs Image Gallery plugin <= 3.2.9 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in RoboSoft Photo Gallery, Images, Slider in Rbs Image Gallery plugin <= 3.2.9 leading to galleries hierarchy change, including plugin deactivation and activation.

CVE-2022-45068: WordPress Mercado Pago payments for WooCommerce plugin <= 6.3.1 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Mercado Pago Mercado Pago payments for WooCommerce plugin <= 6.3.1.