6261 matches found
WordPress Plugin Post Grid Combo Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language that supports personal blogs on PHP and MySQL servers. WordPress plugin is an application...
Blossom Spa < 1.3.5 - Sensitive Information Exposure
Description: The Blossom Spa theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.4 via generated source. This makes it possible for unauthenticated attackers to extract sensitive data including contents of password-protected or scheduled...
PT-2024-15200 · WordPress · The Post Grid Combo – 36+ Gutenberg Blocks
Name of the Vulnerable Software and Affected Versions: The Post Grid Combo – 36+ Gutenberg Blocks plugin for WordPress versions up to, and including, 2.2.68
Description: The issue allows unauthenticated attackers to extract sensitive data, including full draft posts and password-protected posts, ...
WordPress Ultimate Posts Widget Plugin < 2.3.1 is vulnerable to Cross Site Scripting (XSS)
Software: Ultimate Posts Widget; Type: Plugin; Vulnerable versions: 2.3.1; Fixed in: 2.3.1; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-0561; Patch priority: Low; CVSS severity: Low (5.9); Developer: Claim ownership; PSID: 4601be1431bf; Credits: Dmitrii ignatyev...
CVE-2024-0561
The Ultimate Posts Widget WordPress plugin before 2.3.1 does not validate and escape some of its Widget options before outputting them back in attributes, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is...
CVE-2024-0561
The CVE-2024-0561 entry concerns the Ultimate Posts Widget WordPress plugin prior to 2.3.1, where the plugin does not validate and escape several Widget options before outputting them in attributes. This underpins a Stored XSS risk reported to affect admin-level users (and higher) in multisite co...
CVE-2024-0561 Ultimate Posts Widget < 2.3.1 - Admin+ Stored XSS
The Ultimate Posts Widget WordPress plugin before 2.3.1 does not validate and escape some of its Widget options before outputting them back in attributes, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is...
PT-2024-15659 · WordPress · The Ultimate Posts Widget
Name of the Vulnerable Software and Affected Versions: The Ultimate Posts Widget WordPress plugin versions prior to 2.3.1
Description: The issue concerns the Ultimate Posts Widget WordPress plugin, where it fails to validate and escape some of its widget options before outputting them back in...
WordPress Plugin Ultimate Posts Widget Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A security vulnerability exists in WordPres...
CVE-2024-1125 EventPrime – Events Calendar, Bookings and Tickets <= 3.4.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion
The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the calendareventsdelete function in all versions up to, and including, 3.4.3. This makes it possible for authenticated attackers, with...
CVE-2024-1123 EventPrime – Events Calendar, Bookings and Tickets <= 3.4.2 - Missing Authorization to Arbitrary Post Overwrite
The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the savefrontendeventsubmission function in all versions up to, and including, 3.4.2. This makes it possible for authenticated...
CVE-2024-26131
creationtimestamp| type| source
---|---|---
2024-03-08 18:27:04+00:00| seen| https://t.me/ctinow/203496
2024-05-02 14:59:01+00:00| seen| https://t.me/CNArsenal/2414
2024-05-02 16:09:53+00:00| published-proof-of-concept| https://t.me/darkcommunityofficial/596
2024-05-02 20:34:02+00:00|...
EventPrime – Events Calendar, Bookings and Tickets < 3.4.3 - Missing Authorization to Arbitrary Post Overwrite
Description: The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the savefrontendeventsubmission function in all versions up to, and including, 3.4.2. This makes it possible for...
BIT-WORDPRESS-2020-11028 Unauthenticated disclosure of certain private posts in WordPress
In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release 5.3.3, 5.2.6, 5.1.5, 5.0.9,...
BIT-WORDPRESS-MULTISITE-2020-11028 Unauthenticated disclosure of certain private posts in WordPress
In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release 5.3.3, 5.2.6, 5.1.5, 5.0.9,...
BIT-WORDPRESS-MULTISITE-2021-29450 WordPress Authenticated disclosure of password-protected posts and pages
WordPress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges. This has been patched in WordPress 5.7.1, along with the older affected versions via minor releases...
BIT-MATTERMOST-2023-7113
Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client...
BIT-GHOST-2023-26510
Ghost 5.35.0 allows authorization bypass: contributors can view draft posts of other users, which is arguably inconsistent with a security policy in which a contributor's draft can only be read by editors until published by an editor. NOTE: the vendor's position is that this behavior has no...
Design/Logic Flaw
The Page Builder Sandwich – Front End WordPress Page Builder Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'gambitbuildersavecontent' function in all versions up to, and including, 5.1.0. This makes it possible for...