Security
Headlines
HeadlinesLatestCVEs

Tag

#wordpress

CVE-2023-47670: WordPress Korea SNS plugin <= 1.6.3 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Jongmyoung Kim Korea SNS.This issue affects Korea SNS: from n/a through 1.6.3.

CVE
Open in Source
#csrf#vulnerability#wordpress#auth
CVE-2023-6187: Paid Memberships Pro <= 2.12.3 - Authenticated (Subscriber+) Arbitrary File Upload — Wordfence Intelligence

The Paid Memberships Pro plugin for WordPress is vulnerable to arbitrary file uploads to insufficient file type validation in the 'pmpro_paypalexpress_session_vars_for_user_fields' function in versions up to, and including, 2.12.3. This makes it possible for authenticated attackers with subscriber privileges or above, to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if 2Checkout (deprecated since version 2.6) or PayPal Express is set as the payment method and a custom user field is added that is only visible at profile, and not visible at checkout according to its settings.

CVE-2023-4214: AppPresser <= 4.2.5 - Insecure Password Reset Mechanism — Wordfence Intelligence

The AppPresser plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 4.2.5. This is due to the plugin generating too weak a reset code, and the code used to reset the password has no attempt or time limit.

Beware: Malicious Google Ads Trick WinSCP Users into Installing Malware

Threat actors are leveraging manipulated search results and bogus Google ads that trick users who are looking to download legitimate software such as WinSCP into installing malware instead. Cybersecurity company Securonix is tracking the ongoing activity under the name SEO#LURKER. “The malicious advertisement directs the user to a compromised WordPress website gameeweb[.]com, which redirects the

CVE-2023-47757: WordPress AWeber plugin <= 7.3.9 - Broken Access Control vulnerability - Patchstack

Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability in AWeber AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth allows Accessing Functionality Not Properly Constrained by ACLs, Cross-Site Request Forgery.This issue affects AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth: from n/a through 7.3.9.

CVE-2023-47687: WordPress Woo Custom and Sequential Order Number plugin <= 2.6.0 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in VJInfotech Woo Custom and Sequential Order Number plugin <= 2.6.0 versions.

CVE-2023-47686: WordPress Arigato Autoresponder and Newsletter plugin <= 2.7.2.2 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Kiboko Labs Arigato Autoresponder and Newsletter plugin <= 2.7.2.2 versions.

CVE-2023-32957: WordPress Team Members Showcase plugin <= 1.3.4 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Dazzlersoft Team Members Showcase plugin <= 1.3.4 versions.

CVE-2023-32796: WordPress WooCommerce Product Enquiry plugin <= 2.3.4 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Stored Cross-Site Scripting (XSS) vulnerability in MingoCommerce WooCommerce Product Enquiry plugin <= 2.3.4 versions.