Auth. SQL Injection (SQLi) vulnerability in WP-TopBar <= 5.36 versions.

**Solution**

Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

thiennv discovered and reported this SQL Injection vulnerability in WordPress WP TopBar Plugin. This could allow a malicious actor to directly interact with your database, including but not limited to stealing information and creating new administrator accounts. This vulnerability has not been known to be fixed yet.

**3 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-23824: WordPress WP-TopBar plugin <= 5.36 - SQL Injection - Patchstack

Auth. Stored Cross-Site Scripting (XSS) in Oi Yandex.Maps for WordPress <= 3.2.7 versions.

**Solution**

Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

Lana Codes discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Oi Yandex.Maps for WordPress Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-22721: WordPress Oi Yandex.Maps for WordPress plugin <= 3.2.7 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. Stored Cross-Site Scripting (XSS) vulnerability in Youtube shortcode <= 1.8.5 versions.

**Solution**

Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

Lana Codes discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Youtube shortcode Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-23687: WordPress Youtube shortcode plugin <= 1.8.5 - Cross Site Scripting (XSS) vulnerability - Patchstack

The My YouTube Channel plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the clear_all_cache function in versions up to, and including, 3.0.12.1. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to clear the plugin's cache.

CVE-2023-0447: Changeset 2844200 for youtube-channel – WordPress Plugin Repository

The ?????? ?????? ?????? WordPress plugin before 2.9.3 does not sanitise and escape some parameters, allowing unauthenticated attackers to send a request with XSS payloads, which will be triggered when a high privilege users such as admin visits a page from the plugin.

CVE-2022-4307

The Store Locator WordPress plugin before 1.4.9 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

CVE-2022-4832

The WP Google My Business Auto Publish WordPress plugin before 3.4 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack.

CVE-2022-4790

The WPZOOM Portfolio WordPress plugin before 1.2.2 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack.

CVE-2022-4789

The GeoDirectory WordPress plugin before 2.2.22 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

CVE-2022-4775

The OneClick Chat to Order WordPress plugin before 1.0.4.2 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

Tag

#wordpress