Reviews Security Vulnerabilities
Unauthenticated Sensitive Information Disclosure vulnerability in Customer Reviews for WooCommerce plugin <= 5.3.5 at...
7.5CVSS
7.3AI Score
0.002EPSS
The Yotpo Reviews for WooCommerce WordPress plugin through 2.0.4 lacks nonce check when updating its settings, which could allow attacker to make a logged in admin change them via a CSRF...
6.5CVSS
6.3AI Score
0.001EPSS
Cross-Site Request Forgery (CSRF) vulnerability in Rich Reviews by Starfish plugin <= 1.9.14 at WordPress allows an attacker to delete...
5.4CVSS
4.6AI Score
0.001EPSS
The plugin Wbcom Designs – BuddyPress Group Reviews for WordPress is vulnerable to unauthorized settings changes and review modification due to missing capability checks and improper nonce checks in several functions related to said actions in versions up to, and including, 2.8.3. This makes it...
6.5CVSS
5.1AI Score
0.001EPSS
The Google Places Reviews WordPress plugin before 2.0.0 does not properly escape its Google API key setting, which is reflected on the site's administration panel. A malicious administrator could abuse this bug, in a multisite WordPress configuration, to trick super-administrators into viewing the....
4.8CVSS
4.9AI Score
0.001EPSS
Numerous Plugins and Themes from the AccessPress Themes (aka Access Keys) vendor are backdoored due to their website being compromised. Only plugins and themes downloaded via the vendor website are affected, and those hosted on wordpress.org are not. However, all of them were updated or removed to....
9.8CVSS
9.4AI Score
0.004EPSS
Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability discovered in Ultimate Reviews WordPress plugin (versions <=...
4.8CVSS
4.8AI Score
0.001EPSS
The Site Reviews WordPress plugin before 5.17.3 does not sanitise and escape the site-reviews parameter of the glsr_action AJAX action (available to unauthenticated and any authenticated users), allowing them to perform Cross-Site Scripting attacks against logged in admins viewing the Tool...
6.1CVSS
6AI Score
0.001EPSS
The Rich Reviews by Starfish WordPress plugin before 1.9.6 does not properly validate the orderby GET parameter of the pending reviews page before using it in a SQL statement, leading to an authenticated SQL injection...
7.2CVSS
7.1AI Score
0.001EPSS
The Reviews Plus WordPress plugin before 1.2.14 does not validate the submitted rating, allowing submission of long integer, causing a Denial of Service in the review section when an authenticated user submit such rating and the reviews are set to be displayed on the...
6.5CVSS
6.3AI Score
0.001EPSS
The Site Reviews WordPress plugin before 5.13.1 does not sanitise some of its Review Details when adding a review as an admin, which could allow them to perform Cross-Site Scripting attacks when the unfiltered_html is...
5.4CVSS
5.2AI Score
0.001EPSS
The hndtst_action_instance_callback AJAX call of the Handsome Testimonials & Reviews WordPress plugin before 2.1.1, available to any authenticated users, does not sanitise, validate or escape the hndtst_previewShortcodeInstanceId POST parameter before using it in a SQL statement, leading to an SQL....
8.8CVSS
8.9AI Score
0.001EPSS
The WP Customer Reviews WordPress plugin before 3.5.6 did not sanitise some of its settings, allowing high privilege users such as administrators to set XSS payloads in them which will then be triggered in pages where reviews are...
4.8CVSS
4.8AI Score
0.001EPSS
Unvalidated input and lack of output encoding in the WP Customer Reviews WordPress plugin, versions before 3.4.3, lead to multiple Stored Cross-Site Scripting vulnerabilities allowing remote attackers to inject arbitrary JavaScript code or...
6.1CVSS
6.1AI Score
0.002EPSS
plugin-fw/lib/yit-plugin-panel-wc.php in the YIT Plugin Framework through 3.3.8 for WordPress allows authenticated options...
4.3CVSS
4.4AI Score
0.001EPSS
The Easy Digital Downloads (EDD) Reviews extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is...
6.1CVSS
6AI Score
0.001EPSS
The Reviews Module before 2019-06-14 for OpenSource Table allows SQL injection in...
9.8CVSS
9.8AI Score
0.001EPSS
8.8CVSS
8.7AI Score
0.001EPSS
6.1CVSS
6AI Score
0.001EPSS
PHP Scripts Mall Consumer Reviews Script 4.0.3 has HTML injection via the search...
5.4CVSS
5.8AI Score
0.001EPSS
PHP Scripts Mall Consumer Reviews Script 4.0.3 has directory traversal via a direct request for a listing of an uploads directory such as the wp-content/uploads/2018/12...
6.5CVSS
6.5AI Score
0.001EPSS
Cross-site scripting vulnerability in Site Reviews versions prior to 2.15.3 allows remote attackers to inject arbitrary web script or HTML via unspecified...
6.1CVSS
6AI Score
0.002EPSS
9.8CVSS
9.9AI Score
0.002EPSS
Cross-site scripting (XSS) vulnerability in the Terillion Reviews plugin before 1.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ProfileId...
5.9AI Score
0.083EPSS
Prozilla Reviews 1.0 allows remote attackers to delete arbitrary users via a modified UserID parameter in a direct request to...
6.8AI Score
0.052EPSS
SQL injection vulnerability in index.php in the Lykos Reviews (lykos_reviews) 1.00 module for Xoops allows remote attackers to execute arbitrary SQL commands via the uid parameter in a u...
8.3AI Score
0.197EPSS