27 matches found
WordPress plugin WP Attachments Cross-Site Request Forgery Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site request forger...
PT-2023-15993 · WordPress · Download Attachments
Name of the Vulnerable Software and Affected Versions: Download Attachments WordPress plugin versions prior to 1.3 Description: The issue concerns the Download Attachments WordPress plugin, which does not validate and escape some of its shortcode attributes before outputting them back in a page o...
PT-2023-14189 · WordPress · Wp Attachments
Name of the Vulnerable Software and Affected Versions: WP Attachments WordPress plugin versions prior to 5.0.6 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example in...
CVE-2022-3469
The WP Attachments WordPress plugin before 5.0.5 does not sanitize and escapes some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup...
CVE-2015-4694
CVE-2015-4694 affects the WordPress Zip Attachments plugin (versions before 1.5.1). A directory traversal flaw in download.php (za_file parameter) allows an attacker to read arbitrary files. Public references describe this as an arbitrary file retrieval/vulnerability in the plugin. Remediation: u...
WordPress Zip Attachments Plugin Arbitrary File Download Vulnerability
WordPress is a blogging platform developed using the PHP language, which supports personal blog sites on servers with PHP and MySQL. An arbitrary file download vulnerability exists in the WordPress Zip Attachments plugin, which allows remote attackers to exploit the vulnerability by submitting a...
UploadAttachmentsAction XSRF
The UploadAttachmentsAction action is declared to use a validatingStack interceptor chain, but does not use the RequiresSecurityToken element, leaving it open to an XSRF attack. If this were exploited, an attacker could force a user’s browser to upload files into a space they have write permissio...