The Frontend File Manager Plugin WordPress plugin before 21.3 allows any authenticated users, such as subscriber, to rename a file to an arbitrary extension, like PHP, which could allow them to basically be able to upload arbitrary files on the server and achieve RCE

CVE-2022-3125

The Frontend File Manager Plugin WordPress plugin before 21.3 allows any unauthenticated user to rename uploaded files from users. Furthermore, due to the lack of validation in the destination filename, this could allow allow them to change the content of arbitrary files on the web server

CVE-2022-3124

The Zephyr Project Manager WordPress plugin before 3.2.55 does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged in admins.

CVE-2022-2839

The WP Socializer WordPress plugin before 7.3 does not sanitise and escape some of its Icons settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2022-2763

The DSGVO All in one for WP WordPress plugin before 4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2022-2628

By Owais Sultan
Patience is no longer a virtue when talking about website or app performance. Users get frustrated after waiting for…
This is a post from HackRead.com Read the original post: MySQL Performance Tuning: Top 5 Tips for Blazing Fast Queries

MySQL Performance Tuning: Top 5 Tips for Blazing Fast Queries

Insecure direct object references (IDOR) vulnerability in ExpressTech Quiz And Survey Master plugin <= 7.3.4 at WordPress allows attackers to change the content of the quiz.

CVE-2021-36865: Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Comment Guestbook plugin <= 0.8.0 at WordPress.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of September 28, 2022 and is not available for download. This closure is temporary, pending a full review.

A really clever plugin that utilizes WordPress's built-in comments per page, and gives you flexibility and control over how and where the comments can be implemented with a simple shortcode.

Very good and handy tool to have guestbook-comments well organised and separated from blog comments. It fits my site very well. It just seems as if the author has abandoned/orphaned the the tool. That would be a pity. @mibuthu: it would be nice to have some sign of life or indication whether you will maintain the guestbook (WP version upgrade or so). Thnx.

This is exactly what I need! Simple, no questionable/site conflicting designs, no function conflicts with my billion other plugins. I have 8 sites, lots of plugins - on 2 MultiSites. I don't network activate plugins as a rule. I had already created some guestbooks with other plugins to have comments on my sites restricted to one page...with varying results, ugly or odd, no threads, etc. Because this plugin integrates into WP comments, I don't have to disable comments or other plugins, or configure guestbooks and log-in methods. It is simply a part of the site function, with flexible features. I use Super Socializer for comment log-in - I don't want spam, users have no reason to register - I don't do anything with it. Comment Guestbook works without any special configuration in the site admin or settings with Super Socializer. It's fantastic! Thank you for a great plugin! Your hard work is greatly appreciated. Cheers!

Hi, i tried the anti spam catcha you suggested, it dodnt work for me, issue with that plugin. so i thought i'd ask, how else could i include a simple catcha to your plugin / comment guest book. could i use 'Really Simple CAPTCHA' and how could i apply it? thank you. joan

Exactly what i needed, simple and customizable. Great plug-in Thanks!

Good, but you have to fix some form double visibility on WP 4.0. The settings don't affect the visualization.

Read all 13 reviews

“Comment Guestbook” is open source software. The following people have contributed to this plugin.

Contributors

*    mibuthu

CVE-2021-36830: Comment Guestbook

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Social Media Follow Buttons Bar plugin <= 4.73 at WordPress.

 Verified

 Not fixed

**4.8**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 4.73

PSID 

6709934856e1

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Requires high role user authentication like admin.

Publicly disclosed

2022-09-27

**Details**

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas (Patchstack Alliance) in WordPress Social Media Follow Buttons Bar plugin (versions <= 4.73).

**Solution**

No patched version is available. No reply from the vendor.

**References**

CVE-2021-36839: WordPress Social Media Follow Buttons Bar plugin <= 4.73 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Booking Ultra Pro plugin <= 1.1.4 at WordPress.

 Verified

 Not fixed

**5.4**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 1.1.4

PSID 

6047983f49fe

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-09-28

**Details**

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Ngo Van Thien (Patchstack Alliance) in the WordPress Booking Ultra Pro plugin (versions <= 1.1.4)

**Solution**

No patched version is available.

**References**

Tag

#wordpress