Searching...
Please wait while we search the database
| CVE ID | Severity | Description | Published | Actions |
|---|---|---|---|---|
|
CVE-2023-0262
|
N/A |
The WP Airbnb Review Slider WordPress plugin before 3.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.
|
13 Feb 2023
|
|
|
CVE-2022-4682
|
N/A |
The Lightbox Gallery WordPress plugin before 0.9.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
|
13 Feb 2023
|
|
|
CVE-2022-3891
|
N/A |
The WP FullCalendar WordPress plugin before 1.5 does not ensure that the post retrieved via an AJAX action is public and can be accessed by the user making the request, allowing unauthenticated attackers to get the content of arbitrary posts, including draft/private as well as password-protected ones.
|
13 Feb 2023
|
|
|
CVE-2022-4745
|
N/A |
The WP Customer Area WordPress plugin before 8.1.4 does not have CSRF checks when performing some actions such as chmod, mkdir and copy, which could allow attackers to make a logged-in admin perform them and create arbitrary folders, copy file for example.
|
13 Feb 2023
|
|
|
CVE-2023-0075
|
N/A |
The Amazon JS WordPress plugin through 0.10 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
13 Feb 2023
|
|
|
CVE-2023-0405
|
N/A |
The GPT AI Power: Content Writer & ChatGPT & Image Generator & WooCommerce Product Writer & AI Training WordPress plugin before 1.4.38 does not perform any kind of nonce or privilege checks before letting logged-in users modify arbitrary posts.
|
13 Feb 2023
|
|
|
CVE-2023-0151
|
N/A |
The uTubeVideo Gallery WordPress plugin before 2.0.8 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
13 Feb 2023
|
|
|
CVE-2023-0080
|
N/A |
The Customer Reviews for WooCommerce WordPress plugin before 5.16.0 does not validate one of its shortcode attribute, which could allow users with a contributor role and above to include arbitrary files via a traversal attack. This could also allow them to read non PHP files and retrieve their content. RCE could also be achieved if the attacker manage to upload a malicious image containing PHP code, and then include it via the affected attribute, on a default WP install, authors could easily achieve that given that they have the upload_file capability.
|
13 Feb 2023
|
|
|
CVE-2023-0255
|
N/A |
The Enable Media Replace WordPress plugin before 4.0.2 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites.
|
13 Feb 2023
|
|
|
CVE-2023-0166
|
N/A |
The Product Slider for WooCommerce by PickPlugins WordPress plugin before 1.13.42 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
13 Feb 2023
|
|
|
CVE-2023-0259
|
N/A |
The WP Google Review Slider WordPress plugin before 11.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.
|
13 Feb 2023
|
|
|
CVE-2022-4656
|
N/A |
The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 6.5 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack.
|
13 Feb 2023
|
|
|
CVE-2023-0275
|
N/A |
The Easy Accept Payments for PayPal WordPress plugin before 4.9.10 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
13 Feb 2023
|
|
|
CVE-2023-0263
|
N/A |
The WP Yelp Review Slider WordPress plugin before 7.1 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.
|
13 Feb 2023
|
|
|
CVE-2022-4512
|
N/A |
The Better Font Awesome WordPress plugin before 2.0.4 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
13 Feb 2023
|
|
|
CVE-2023-0098
|
N/A |
The Simple URLs WordPress plugin before 115 does not escape some parameters before using them in various SQL statements used by AJAX actions available by any authenticated users, leading to a SQL injection exploitable by low privilege users such as subscriber.
|
13 Feb 2023
|
|
|
CVE-2023-0061
|
N/A |
The Judge.me Product Reviews for WooCommerce WordPress plugin before 1.3.21 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
13 Feb 2023
|
|
|
CVE-2023-0333
|
N/A |
The TemplatesNext ToolKit WordPress plugin before 3.2.9 does not validate some of its shortcode attributes before using them to generate an HTML tag, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
|
13 Feb 2023
|
|
|
CVE-2022-4546
|
N/A |
The Mapwiz WordPress plugin through 1.0.1 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.
|
13 Feb 2023
|
|
|
CVE-2023-0260
|
N/A |
The WP Review Slider WordPress plugin before 12.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.
|
13 Feb 2023
|
|
|
CVE-2023-0169
|
N/A |
The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
|
13 Feb 2023
|
|
|
CVE-2022-4458
|
N/A |
The amr shortcode any widget WordPress plugin through 4.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
|
13 Feb 2023
|
|
|
CVE-2023-0261
|
N/A |
The WP TripAdvisor Review Slider WordPress plugin before 10.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.
|
13 Feb 2023
|
|
|
CVE-2023-0373
|
N/A |
The Lightweight Accordion WordPress plugin before 1.5.15 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
|
13 Feb 2023
|
|
|
CVE-2022-4551
|
N/A |
The Rich Table of Contents WordPress plugin before 1.3.9 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
|
13 Feb 2023
|
CVE-2023-0262
N/A
13 Feb 2023
The WP Airbnb Review Slider WordPress plugin before 3.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.
CVE-2022-4682
N/A
13 Feb 2023
The Lightbox Gallery WordPress plugin before 0.9.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
CVE-2022-3891
N/A
13 Feb 2023
The WP FullCalendar WordPress plugin before 1.5 does not ensure that the post retrieved via an AJAX action is public and can be accessed by the user making the request, allowing unauthenticated attackers to get the content of arbitrary posts, including draft/private as well as password-protected ones.
CVE-2022-4745
N/A
13 Feb 2023
The WP Customer Area WordPress plugin before 8.1.4 does not have CSRF checks when performing some actions such as chmod, mkdir and copy, which could allow attackers to make a logged-in admin perform them and create arbitrary folders, copy file for example.
CVE-2023-0075
N/A
13 Feb 2023
The Amazon JS WordPress plugin through 0.10 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2023-0405
N/A
13 Feb 2023
The GPT AI Power: Content Writer & ChatGPT & Image Generator & WooCommerce Product Writer & AI Training WordPress plugin before 1.4.38 does not perform any kind of nonce or privilege checks before letting logged-in users modify arbitrary posts.
CVE-2023-0151
N/A
13 Feb 2023
The uTubeVideo Gallery WordPress plugin before 2.0.8 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2023-0080
N/A
13 Feb 2023
The Customer Reviews for WooCommerce WordPress plugin before 5.16.0 does not validate one of its shortcode attribute, which could allow users with a contributor role and above to include arbitrary files via a traversal attack. This could also allow them to read non PHP files and retrieve their content. RCE could also be achieved if the attacker manage to upload a malicious image containing PHP code, and then include it via the affected attribute, on a default WP install, authors could easily achieve that given that they have the upload_file capability.
CVE-2023-0255
N/A
13 Feb 2023
The Enable Media Replace WordPress plugin before 4.0.2 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites.
CVE-2023-0166
N/A
13 Feb 2023
The Product Slider for WooCommerce by PickPlugins WordPress plugin before 1.13.42 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2023-0259
N/A
13 Feb 2023
The WP Google Review Slider WordPress plugin before 11.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.
CVE-2022-4656
N/A
13 Feb 2023
The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 6.5 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack.
CVE-2023-0275
N/A
13 Feb 2023
The Easy Accept Payments for PayPal WordPress plugin before 4.9.10 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2023-0263
N/A
13 Feb 2023
The WP Yelp Review Slider WordPress plugin before 7.1 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.
CVE-2022-4512
N/A
13 Feb 2023
The Better Font Awesome WordPress plugin before 2.0.4 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2023-0098
N/A
13 Feb 2023
The Simple URLs WordPress plugin before 115 does not escape some parameters before using them in various SQL statements used by AJAX actions available by any authenticated users, leading to a SQL injection exploitable by low privilege users such as subscriber.
CVE-2023-0061
N/A
13 Feb 2023
The Judge.me Product Reviews for WooCommerce WordPress plugin before 1.3.21 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2023-0333
N/A
13 Feb 2023
The TemplatesNext ToolKit WordPress plugin before 3.2.9 does not validate some of its shortcode attributes before using them to generate an HTML tag, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
CVE-2022-4546
N/A
13 Feb 2023
The Mapwiz WordPress plugin through 1.0.1 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.
CVE-2023-0260
N/A
13 Feb 2023
The WP Review Slider WordPress plugin before 12.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.
CVE-2023-0169
N/A
13 Feb 2023
The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2022-4458
N/A
13 Feb 2023
The amr shortcode any widget WordPress plugin through 4.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
CVE-2023-0261
N/A
13 Feb 2023
The WP TripAdvisor Review Slider WordPress plugin before 10.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.
CVE-2023-0373
N/A
13 Feb 2023
The Lightweight Accordion WordPress plugin before 1.5.15 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
CVE-2022-4551
N/A
13 Feb 2023
The Rich Table of Contents WordPress plugin before 1.3.9 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
Page 550 of 626
Page 550 of 626