Security
Headlines
HeadlinesLatestCVEs

Tag

#wordpress

WordPress Plugin Jetpack Patches Major Vulnerability Affecting 27 Million Sites

The maintainers of the Jetpack WordPress plugin have released a security update to remediate a critical vulnerability that could allow logged-in users to access forms submitted by others on a site. Jetpack, owned by WordPress maker Automattic, is an all-in-one plugin that offers a comprehensive suite of tools to improve site safety, performance, and traffic growth. It's used on 27 million

The Hacker News
Open in Source
#vulnerability#web#wordpress#The Hacker News
WordPress File Manager Advanced Shortcode 2.3.2 Code Injectin / Shell Upload

WordPress File Manager Advanced Shortcode plugin version 2.3.2 suffers from a code injection vulnerability that allows for remote shell upload.

GHSA-v66g-p9x6-v98p: PhpSpreadsheet has an Unauthenticated Cross-Site-Scripting (XSS) in sample file

### Summary One of the sample scripts in PhpSpreadsheet is susceptible to a cross-site scripting (XSS) vulnerability due to improper handling of input where a number is expected leading to formula injection. ### Details The following [code](https://github.com/PHPOffice/PhpSpreadsheet/blob/d50b8b5de7e30439fb57eae7df9ea90e79fa0f2d/samples/Basic/45_Quadratic_equation_solver.php#L56) in `45_Quadratic_equation_solver.php` concatenates the user supplied parameters directly into spreadsheet formulas. This allows an attacker to take control over the formula and output unsanitized data into the page, resulting in JavaScript execution. ``` $discriminantFormula = '=POWER(' . $_POST['B'] . ',2) - (4 * ' . $_POST['A'] . ' * ' . $_POST['C'] . ')'; $discriminant = Calculation::getInstance()->calculateFormula($discriminantFormula); $r1Formula = '=IMDIV(IMSUM(-' . $_POST['B'] . ',IMSQRT(' . $discriminant . ')),2 * ' . $_POST['A'] . ')'; $r2Formula = '=IF(' . $discriminant . '=0,"Only one root",IMDIV...

Single HTTP Request Can Exploit 6M WordPress Sites

The popular LiteSpeed Cache plug-in is vulnerable to unauthenticated privilege escalation via a dangerous XSS flaw.

WordPress LiteSpeed Cache Plugin Security Flaw Exposes Sites to XSS Attacks

A new high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable malicious actors to execute arbitrary JavaScript code under certain conditions. The flaw, tracked as CVE-2024-47374 (CVSS score: 7.2), has been described as a stored cross-site scripting (XSS) vulnerability impacting all versions of the plugin up to and including 6.5.0.2. It was

WordPress Bricks Builder Theme 1.9.6 Code Injection

WordPress Bricks Builder Theme version 1.9.6 suffers from a PHP code injection vulnerability.

WordPress Hash Form 1.1.0 Code Injection

WordPress Hash Form plugin version 1.1.0 suffers from a PHP code injection vulnerability.

WordPress GiveWP Donation Fundraising Platform 3.14.1 Code Injection

WordPress GiveWP Donation Fundraising Platform version 3.14.1 suffers from a PHP code injection vulnerability.

Facial DNA provider leaks biometric data via WordPress folder

ChiceDNA exposed 8,000 sensitive records, including biometric images, personal details, and facial DNA data in an unsecured WordPress…

WordPress LMS 4.2.7 SQL Injection

WordPress LMS plugin versions 4.2.7 and below suffer from a remote SQL injection vulnerability.