29 matches found
WordPress Newscrunch theme <= 1.8.4 - Authenticated (Subscriber+) Arbitrary File Upload vulnerability
Authenticated Subscriber+ Arbitrary File Upload vulnerability discovered by Chloe Chamberland in WordPress Theme Newscrunch versions = 1.8.4...
WordPress WordPress Announcement & Notification Banner Plugin – Bulletin Plugin <= 3.6.0 is vulnerable to Broken Access Control
Software WordPress Announcement & Notification Banner Plugin – Bulletin Type Plugin Vulnerable versions = 3.6.0 Fixed in 3.7.0 OWASP Top 10 A5: Broken Access Control Classification Broken Access Control CVE CVE-2023-2066 Patch priority Medium CVSS severity Medium 4.3 Developer Claim ownership PSI...
WordPress WP Data Access Plugin <= 5.3.7 is vulnerable to Broken Access Control
Software WP Data Access Type Plugin Vulnerable versions = 5.3.7 Fixed in 5.3.8 OWASP Top 10 A5: Broken Access Control Classification Broken Access Control CVE CVE-2023-1874 Patch priority High CVSS severity High 7.5 Developer Claim ownership PSID d34193572ac0 Credits Chloe Chamberland Required...
WordPress WCFM Marketplace Plugin <= 3.4.12 is vulnerable to Cross Site Request Forgery (CSRF)
Software WCFM Marketplace Type Plugin Vulnerable versions = 3.4.12 Fixed in 3.5.0 OWASP Top 10 A5: Broken Access Control Classification Cross Site Request Forgery CSRF CVE CVE-2022-4936 Patch priority Low CVSS severity Low 5.4 Developer Claim ownership PSID 13c6dc4f50f8 Credits Chloe Chamberland...
WordPress Download Manager 3.2.50 Arbitrary File Deletion
Description: Authenticated Contributor+ Arbitrary File Deletion Affected Plugin: Download Manager Plugin Slug: download-manager Plugin Developer: W3 Eden, Inc. Affected Versions: = 3.2.50 CVE ID: CVE-2022-2431 CVSS Score: 8.8 High CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H...
High Severity Vulnerability Patched in Download Manager Plugin
On July 8, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Download Manager,” a WordPress plugin that is installed on over 100,000 sites. This flaw makes it possible for an authenticated attacker to delete arbitrary...
WordPress SiteGround Security plugin <= 1.2.5 - Authorization Weakness to Authentication Bypass via 2-Factor Authentication Back-up Codes vulnerability
Authorization Weakness to Authentication Bypass via 2-Factor Authentication Back-up Codes vulnerability discovered by Chloe Chamberland Wordfence in WordPress SiteGround Security plugin versions = 1.2.5. Solution Update the WordPress SiteGround Security plugin to the latest available version at...
WordPress Email Template Designer – WP HTML Mail 3.0.9 Cross Site Scripting Vulnerability
WordPress Email Template Designer – WP HTML Mail plugin versions 3.0.9 and below suffer from a cross site scripting vulnerability. Exploit makes it possible for unauthenticated attackers to achieve complete site takeover. On December 23, 2021 the Wordfence Threat Intelligence team initiated the...
WordPress WP HTML Mail plugin <= 3.0.9 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting XSS vulnerability discovered by Chloe Chamberland Wordfence in WordPress WP HTML Mail plugin versions = 3.0.9. Solution Update the WordPress WP HTML Mail plugin to the latest available version at least 3.1...
WordPress Login/Signup Popup plugin <= 2.2 - Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary Options Update
Cross-Site Request Forgery CSRF vulnerability leading to Arbitrary Options Update discovered by Chloe Chamberland Wordfence in WordPress Login/Signup Popup plugin versions = 2.2. Solution Update the WordPress Login/Signup Popup plugin to the latest available version at least 2.3...
WordPress Side Cart Woocommerce (Ajax) plugin <= 2.0 - Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary Options Update
Cross-Site Request Forgery CSRF vulnerability leading to Arbitrary Options Update discovered by Chloe Chamberland in WordPress Side Cart Woocommerce Ajax plugin versions = 2.0. Solution Update the WordPress Side Cart Woocommerce Ajax plugin to the latest available version at least 2.1...
WordPress Variation Swatches for WooCommerce plugin <= 2.1.1 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting XSS vulnerability discovered by Chloe Chamberland WordFence in WordPress Variation Swatches for WooCommerce plugin versions = 2.1.1. Solution Update the WordPress Variation Swatches for WooCommerce plugin to the latest available version at least 2.1.2...
WordPress Access Demo Importer plugin <= 1.0.6 - Authenticated Arbitrary File Upload vulnerability
Authenticated Arbitrary File Upload vulnerability discovered by Chloe Chamberland WordFence in WordPress Access Demo Importer plugin versions = 1.0.6. Solution Update the WordPress Access Demo Importer plugin to the latest available version at least 1.0.7...
WordPress Booster for WooCommerce plugin <= 5.4.3 - Authentication Bypass vulnerability
Authentication Bypass vulnerability discovered by Chloe Chamberland WordFence in WordPress Booster for WooCommerce plugin versions = 5.4.3. Solution Update the WordPress Booster for WooCommerce plugin to the latest available version at least 5.4.4...
WordPress NinjaFirewall plugin <= 4.3.3 - Authenticated PHAR Deserialization vulnerability
Authenticated PHAR Deserialization vulnerability discovered by Chloe Chamberland in WordPress NinjaFirewall plugin versions = 4.3.3. Solution Update the WordPress NinjaFirewall plugin to the latest available version at least 4.3.4...
WordPress External Media plugin <= 1.0.33 - Authenticated Arbitrary File Upload vulnerability leading to Remote Code Execution (RCE)
Authenticated Arbitrary File Upload vulnerability leading to Remote Code Execution RCE discovered by Chloe Chamberland WordFence in WordPress External Media plugin versions = 1.0.33. Solution Update the WordPress External Media plugin to the latest available version at least 1.0.34...
WordPress Ninja Forms Contact Form plugin <= 3.4.33 - Administrator Open Redirect vulnerability
Administrator Open Redirect vulnerability found by Chloe Chamberland in WordPress Ninja Forms Contact Form plugin versions = 3.4.33. Solution Update the WordPress Ninja Forms Contact Form plugin to the latest available version at least 3.4.34...
WordPress Ninja Forms Contact Form plugin <= 3.4.33 - Authenticated OAuth Connection Key Disclosure vulnerability
Authenticated OAuth Connection Key Disclosure vulnerability found by Chloe Chamberland in WordPress Ninja Forms Contact Form plugin versions = 3.4.33. Solution Update the WordPress Ninja Forms Contact Form plugin to the latest available version at least 3.4.34...
WordPress Ultimate Member plugin <= 2.1.11 - Unauthenticated/Authenticated Privilege Escalation
Unauthenticated Privilege Escalation via User Meta vulnerability found by Chloe Chamberland in WordPress Ultimate Member plugin versions = 2.1.11. Solution Update the WordPress Ultimate Member plugin to the latest available version at least 2.1.12...
WordPress Child Theme Creator by Orbisius plugin <= 1.5.1 - Cross-Site Request Forgery (CSRF) to Arbitrary File Modification/Creation vulnerability
Cross-Site Request Forgery CSRF to Arbitrary File Modification/Creation vulnerability found by Chloe Chamberland in WordPress Child Theme Creator by Orbisius plugin versions = 1.5.1. Solution Update the WordPress Child Theme Creator by Orbisius plugin to the latest available version at least 1.5....