Multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in Promotion Slider plugin <= 3.3.4 at WordPress.

 Not fixed

**5.4**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Software

Promotion Slider

Vulnerable versions

<= 3.3.4

PSID 

8b23bfdb3722

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Requires contributor or higher role user authentication.

Publicly disclosed

2022-05-26

**Details**

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities were discovered by Ngo Van Thien (Patchstack Alliance) in the WordPress Promotion Slider plugin (versions <= 3.3.4).

**Solution**

Deactivate and delete. This plugin has been closed as of May 20, 2022 and is not available for download. This closure is temporary, pending a full review.

**References**

CVE-2022-29440 Plugin page

CVE-2022-29440: WordPress Promotion Slider plugin <= 3.3.4 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities - Patchstack

Authenticated (subscriber or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Messages For WordPress <= 2.1.10 at WordPress.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of May 20, 2022 and is not available for download. This closure is temporary, pending a full review.

Wasn't getting email notifications when a message was sent to inbox. Found in send-page.php (plugins/pm4wp/inc/send-page.php) the following code... $recipient\_email = $wpdb->get\_var( "SELECT user\_email from $wpdb->users WHERE display\_name = '$rec'" ); ...on line 120 needed to be changed with... $recipient\_email = $wpdb->get\_var( "SELECT user\_email from $wpdb->users WHERE user\_login = '$rec'" ); ...as it was trying to pull with username, not display name. Hope this helps anyone running into the same issue.

Read all 11 reviews

“Private Messages For WordPress” is open source software. The following people have contributed to this plugin.

Contributors

*    Anh Tran

CVE-2022-29442: Private Messages For WordPress

Cross-Site Request Forgery (CSRF) vulnerability in API KEY for Google Maps plugin <= 1.2.1 at WordPress leading to Google Maps API key update.

 Verified

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Monitoring Coming soon

PSID 

2d3ab1d81ae9

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-06-08

**Details**

CSRF vulnerability leading to Google Maps API key update discovered by Rasi Afeef (Patchstack Alliance) in WordPress API KEY for Google Maps plugin (versions <= 1.2.1).

**Solution**

Update the WordPress API KEY for Google Maps plugin to the latest available version (at least 1.2.2).

**References**

Changeset

CVE-2022-29453: WordPress API KEY for Google Maps plugin <= 1.2.1 - CSRF vulnerability leading to Google Maps API key update - Patchstack

Authenticated (author or higher user role) Persistent Cross-Site Scripting (XSS) vulnerability in Image Slider by NextCode plugin <= 1.1.2 at WordPress.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of May 20, 2022 and is not available for download. This closure is temporary, pending a full review.

This plugin provides 1 block.

*   Slider

Not possible to use youtube video

Its Very Easy – and super classy – got it on my first try – was able to adjust it exactly the way i wanted it . . I HIGHLY Recommend.

This is basically all i needed for my website.Thanks lot!

awesome support and functional plugin!

I use this plugin literally on all of my WP websites

This is one of the plugins I install for my client's websites as it is not complicated even for beginners.

Read all 9 reviews

“Image Slider by NextCode – Photo & Video SLider” is open source software. The following people have contributed to this plugin.

Contributors

*    NextCode

CVE-2022-29438: Image Slider by NextCode – Photo & Video SLider

Cross-Site Request Forgery (CSRF) vulnerability in Image Slider by NextCode plugin <= 1.1.2 at WordPress allows deleting slides.

 Not fixed

**5.4**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Software

Image Slider by NextCode

Vulnerable versions

<= 1.1.2

PSID 

8f6d0a17dc52

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-05-26

**Details**

Slider Deletion via Cross-Site Request Forgery (CSRF) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Image Slider by NextCode plugin (versions <= 1.1.2).

**Solution**

Deactivate and delete. This plugin has been closed as of May 20, 2022 and is not available for download. This closure is temporary, pending a full review.

**References**

CVE-2022-29439 Plugin page

CVE-2022-29439: WordPress Image Slider by NextCode plugin <= 1.1.2 - Slider Deletion via Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Image Slider by NextCode plugin <= 1.1.2 at WordPress.

 Not fixed

**5.4**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Software

Image Slider by NextCode

Vulnerable versions

<= 1.1.2

PSID 

298a34c5dadc

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-05-26

**Details**

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by BEE-K (Patchstack) in the WordPress Image Slider by NextCode plugin (versions <= 1.1.2).

**Solution**

Deactivate and delete. This plugin has been closed as of May 20, 2022 and is not available for download. This closure is temporary, pending a full review.

**References**

CVE-2022-29437 Plugin page

CVE-2022-29437: WordPress Image Slider by NextCode plugin <= 1.1.2 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities - Patchstack

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in Phil Baker's Age Gate plugin <= 2.17.0 at WordPress.

 Fixed

**6.1**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Vulnerable versions

<= 2.17.0

PSID 

a28473c55146

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Publicly disclosed

2021-10-25

**Details**

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability was discovered by Nguyen Van Khanh (Patchstack Alliance) in the WordPress Age Gate plugin (versions <= 2.17.0).

**Solution**

Update the WordPress Age Gate plugin to the latest available version (at least 2.17.1).

**References**

CVE-2021-36901 Plugin changelog

CVE-2021-36901: WordPress Age Gate plugin <= 2.17.0 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

Multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in DynamicWebLab's WordPress Team Manager plugin <= 1.6.9 at WordPress.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of June 14, 2022 and is not available for download. This closure is temporary, pending a full review.

Great plugin, and so easy to use. I have bought two but this one is much better. Buddy

Great work here, Maidul. My only criticism is that I could not change the size of the images without upsetting ALL images in the entire site!

After trying many others that almost work it is great to have this working straight away. I like the sort order option for team members. I really like the option of different social media links for each staff members, rather than some which have every one the same. I have 'fancy' bullet points in the content section now, so reading is easy 5 Stars for me.

Love the functionality of the plugin - very flexible/modular. Have been using now for 1.5 years - not a single problem, will go easily from upgrade to upgrade, nothing brakes, no settings get lost. One afterthought: it is relatively hard to optimize team-list performance. Image sizes fully depend on WP media library settings and in many cases sub-optimal image files may be delivered. Hope 4.4+ versions of Wordpress will improve that.

Read all 22 reviews

“WordPress Team Manager” is open source software. The following people have contributed to this plugin.

Contributors

*    Maidul

CVE-2022-29406: WordPress Team Manager

Multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in Nicdark d.o.o. Travel Management plugin <= 2.0 at WordPress.

*   Details
*   Reviews
*   Support
*   Development

**Description**

This plugin has been closed as of May 6, 2022 and is not available for download. This closure is temporary, pending a full review.

**Reviews**

Just started to work with it and it looks good simple. Would like to know how to hide sections like min age or duration.

Read all 1 review

**Contributors & Developers**

“Travel Management” is open source software. The following people have contributed to this plugin.

Contributors

*    nicdark

CVE-2022-27859: Travel Management

A vulnerability was found in Microsoft O365 and classified as critical. This issue affects the Conditional Access Policy which leads to improper access controls. By default the policy is not verified for every request. The attack may be initiated remotely. Exploit details have been disclosed to the public. It is recommended to change the configuration settings. NOTE: Vendor claims that pre-requisites are very high, the feature works as intended, and that configuration settings might mitigate the issue.

Tag

#wordpress