Security
Headlines
HeadlinesLatestCVEs

Tag

#wordpress

CVE-2023-5239

The Security & Malware scan by CleanTalk WordPress plugin before 2.121 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to bypass bruteforce protection.

CVE
Open in Source
#wordpress
CVE-2023-5209

The WordPress Online Booking and Scheduling Plugin WordPress plugin before 22.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2023-4922

The WPB Show Core WordPress plugin through 2.2 is vulnerable to a local file inclusion via the `path` parameter.

CVE-2023-47529: WordPress Cloud Templates & Patterns collection plugin <= 1.2.2 - Sensitive Data Exposure via Log File vulnerability - Patchstack

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ThemeIsle Cloud Templates & Patterns collection.This issue affects Cloud Templates & Patterns collection: from n/a through 1.2.2.

CVE-2023-47244: WordPress Email Marketing for WooCommerce by Omnisend plugin <= 1.13.8 - Sensitive Data Exposure vulnerability - Patchstack

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Omnisend Email Marketing for WooCommerce by Omnisend.This issue affects Email Marketing for WooCommerce by Omnisend: from n/a through 1.13.8.

Mirai-based Botnet Exploiting Zero-Day Bugs in Routers and NVRs for Massive DDoS Attacks

An active malware campaign is leveraging two zero-day vulnerabilities with remote code execution (RCE) functionality to rope routers and video recorders into a Mirai-based distributed denial-of-service (DDoS) botnet. “The payload targets routers and network video recorder (NVR) devices with default admin credentials and installs Mirai variants when successful,” Akamai said in an advisory

CVE-2023-47790: WordPress Pz-LinkCard plugin <= 2.4.8 - Cross Site Request Forgery (CSRF) to XSS vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) vulnerability in Poporon Pz-LinkCard plugin <= 2.4.8 versions.

CVE-2023-47668: WordPress Restrict Content plugin <= 3.2.7 - Sensitive Data Exposure via Log File vulnerability - Patchstack

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in StellarWP Membership Plugin – Restrict Content plugin <= 3.2.7 versions.

CVE-2023-47834: WordPress Quiz And Survey Master plugin <= 8.1.13 - Cross Site Scripting (XSS) vulnerability - Patchstack

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ExpressTech Quiz And Survey Master plugin <= 8.1.13 versions.

CVE-2023-47835: WordPress ARI Stream Quiz plugin <= 1.2.32 - Cross Site Scripting (XSS) vulnerability - Patchstack

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ARI Soft ARI Stream Quiz – WordPress Quizzes Builder plugin <= 1.2.32 versions.