Security
Headlines
HeadlinesLatestCVEs

Tag

#wordpress

CVE-2023-47785: WordPress LayerSlider plugin <= 7.7.9 - Multiple Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in LayerSlider plugin <= 7.7.9 versions.

CVE
Open in Source
#csrf#vulnerability#wordpress#auth
CVE-2023-47775: WordPress wpDiscuz plugin <= 7.6.11 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team Comments — wpDiscuz plugin <= 7.6.11 versions.

CVE-2023-47755: WordPress WooCommerce Product Carousel Slider plugin <= 3.3.5 - Cross Site Scripting (XSS) vulnerability - Patchstack

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AazzTech WooCommerce Product Carousel Slider plugin <= 3.3.5 versions.

CVE-2023-47765: WordPress CodeBard's Patron Button and Widgets for Patreon plugin <= 2.1.9 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in CodeBard CodeBard's Patron Button and Widgets for Patreon plugin <= 2.1.9 versions.

CVE-2023-47758: WordPress Multi Step Form plugin <= 1.7.11 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Mondula GmbH Multi Step Form plugin <= 1.7.11 versions.

CVE-2023-25987: WordPress My YouTube Channel plugin <= 3.23.3 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Aleksandar Uroševi? My YouTube Channel plugin <= 3.23.3 versions.

CVE-2023-25986: WordPress PayGreen plugin <= 4.10.2 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in WattIsIt PayGreen – Ancienne version plugin <= 4.10.2 versions.

WordPress UserPro 5.1.x Password Reset / Authentication Bypass / Escalation

WordPress UserPro plugin versions 5.1.1 and below suffer from an insecure password reset mechanism, information disclosure, and authentication bypass vulnerabilities. Versions 5.1.4 and below suffer from privilege escalation and shortcode execution vulnerabilities.

CVE-2023-5466: Wp anything slider <= 9.1 - Authenticated (Subscriber+) SQL Injection via Shortcode — Wordfence Intelligence

The Wp anything slider plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE-2023-5465: Popup with fancybox <= 3.5 - Authenticated (Subscriber+) SQL Injection via Shortcode — Wordfence Intelligence

The Popup with fancybox plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 3.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.