Auth. Reflected Cross-Site Scripting (XSS) vulnerability in 5 Anker Connect plugin <= 1.2.6 on WordPress.

 Verified

 Fixed

**4.8**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 1.2.6

PSID 

7cf4a77afef5

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Requires high role user authentication like admin.

Publicly disclosed

2022-10-12

**Details**

Reflected Cross-Site Scripting (XSS) vulnerability discovered by ptsfence (Patchstack Alliance) in WordPress 5 Anker Connect plugin (versions <= 1.2.6).

**Solution**

Update the WordPress 5 Anker Connect plugin to the latest available version (at least 1.2.7).

**References**

CVE-2022-30545: WordPress 5 Anker Connect plugin <= 1.2.6 - Reflected Cross-Site Scripting (XSS) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in CodeAndMore WP Page Widget plugin <= 3.9 on WordPress leading to plugin settings change.

 Verified

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 3.9

PSID 

14a0f5ad99e0

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-09-26

**Details**

Cross-Site Request Forgery (CSRF) vulnerability was discovered by Muhammad Daffa (Patchstack Alliance) in the WordPress WP Page Widget plugin (versions <= 3.9).

**Solution**

Update the WordPress WP Page Widget plugin to the latest available version (at least 4.0).

**References**

CVE-2022-32587: WordPress WP Page Widget plugin <= 3.9 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Nonce token leakage and missing authorization in SearchWP premium plugin <= 4.2.5 on WordPress leading to plugin settings change.

CVE-2022-40223: Changelog (v4) - SearchWP

Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to plugin settings import.

CVE-2022-43491: Advanced Dynamic Pricing for WooCommerce

Cross-Site Request Forgery (CSRF) vulnerability in Advanced Coupons for WooCommerce Coupons plugin <= 4.5 on WordPress leading to notice dismissal.

 Verified

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 4.5

PSID 

3b127f9dd3e7

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-10-30

**Details**

Cross-Site Request Forgery (CSRF) vulnerability leading to Notice Dismissal discovered by Muhammad Daffa (Patchstack Alliance) in WordPress Advanced Coupons for WooCommerce Coupons plugin (versions <= 4.5).

**Solution**

Update the WordPress Advanced Coupons for WooCommerce Coupons plugin to the latest available version (at least 4.5.0.1).

**References**

CVE-2022-43481: WordPress Advanced Coupons for WooCommerce Coupons plugin <= 4.5 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Server Side Request Forgery (SSRF) vulnerability in All in One SEO Pro plugin <= 4.2.5.1 on WordPress.

CVE-2022-42494: AIOSEO Changelog - AIOSEO

Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Mantenimiento web plugin <= 0.13 on WordPress.

 Verified

 Fixed

**4.8**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 0.13

PSID 

371465969b50

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Requires high role user authentication like admin.

Publicly disclosed

2022-10-20

**Details**

Auth. Cross-Site Scripting (XSS) vulnerability discovered by Mika (Patchstack Alliance) in the WordPress Mantenimiento web plugin (versions <= 0.13).

**Solution**

Update the WordPress Mantenimiento web plugin to the latest available version (at least 0.14).

**References**

CVE-2022-41980: WordPress Mantenimiento web plugin <= 0.13 - Auth. Cross-Site Scripting (XSS) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) in Vladimir Anokhin's Shortcodes Ultimate plugin <= 5.12.0 on WordPress.

 Verified

 Fixed

**6.1**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 5.12.0

PSID 

42eec00642ac

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-10-13

**Details**

Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) vulnerability discovered by Dave Jong (Patchstack) in WordPress Shortcodes Ultimate plugin (versions <= 5.12.0).

**Solution**

Update the WordPress Shortcodes Ultimate plugin to the latest available version (at least 5.12.1).

**References**

CVE-2022-41136: WordPress Shortcodes Ultimate plugin <= 5.12.0 - CSRF vulnerability leading to Stored XSS - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS) in David Anderson Testimonial Slider plugin <= 1.3.1 on WordPress.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of November 7, 2022 and is not available for download. This closure is temporary, pending a full review.

worked first time, no issues, thank you 🙂

Its Awesome plugin. I highly recommend this.

Es facil de usar, cómodo y cumple su cometido con creces. Gracias por hacerlo

I have used this plugin for close to a year. It is the only one that I have used flawlessly with all my websites. I would recommend it to anyone who wants a simple plugin that creates wonderful testimonial sliders

They should tell you the free version is not responsive before you spend an hour setting it up.

Read all 68 reviews

“Testimonial Slider” is open source software. The following people have contributed to this plugin.

Contributors

CVE-2022-44741: Testimonial Slider

Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as private/public.

Tag

#wordpress