
OSV · added 2023/10/31 9:15 a.m.

CVE-2023-5429

The Information Reel plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

CVSS 6.5 · AI score 5.8 · EPSS 0.0015 · Exploits 1 · References 3

OSV · added 2023/10/31 9:15 a.m.

CVE-2023-5435

The Up down image slideshow gallery plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 12.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possibl...

CVSS 6.5 · AI score 5.8 · EPSS 0.003 · Exploits 1 · References 3

Positive Technologies · added 2023/10/31 12:00 a.m.

PT-2023-32097 · WordPress · Image Vertical Reel Scroll Slideshow Plugin

Name of the Vulnerable Software and Affected Versions: Image vertical reel scroll slideshow plugin for WordPress versions up to, and including, 9.0. Description: The issue arises from insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query ...

CVSS 8.8 · AI score 6.9 · EPSS 0.00204 · Exploits 1 · References 6

Positive Technologies · added 2023/10/31 12:00 a.m.

PT-2023-32105 · WordPress · Vertical Marquee Plugin

Name of the Vulnerable Software and Affected Versions: Vertical marquee plugin for WordPress versions up to, and including, 7.1. Description: The issue arises from insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the plugin's...

CVSS 8.8 · AI score 6.9 · EPSS 0.00255 · Exploits 1 · References 6

OSV · added 2023/10/30 2:15 p.m.

CVE-2023-5315

The Google Maps made Simple plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 0.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

CVSS 8.8 · AI score 5.8 · Exploits 0 · References 2

OSV · added 2023/10/30 2:15 p.m.

CVE-2023-5252

The FareHarbor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.6.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level...

CVSS 5.4 · AI score 7 · Exploits 0 · References 2

OSV · added 2023/10/25 6:17 p.m.

CVE-2023-5745

The Reusable Text Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'text-blocks' shortcode in versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

CVSS 5.4 · AI score 6 · Exploits 0 · References 2

OSV · added 2023/10/25 6:17 p.m.

CVE-2023-5126

The Delete Me plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'plugindeleteme' shortcode in versions up to, and including, 3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

CVSS 5.4 · AI score 7 · EPSS 0.00183 · Exploits 0 · References 2

Positive Technologies · added 2023/10/24 12:00 a.m.

PT-2023-32294 · WordPress · Live Chat With Facebook Messenger

Name of the Vulnerable Software and Affected Versions: Live Chat with Facebook Messenger plugin for WordPress versions up to, and including, 1.0. Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'messenger' shortcode due to insufficient input sanitization and outpu...

CVSS 6.4 · AI score 5.6 · EPSS 0.00193 · Exploits 0 · References 8

OSV · added 2023/10/20 8:15 a.m.

CVE-2023-4796

The Booster for WooCommerce for WordPress is vulnerable to Information Disclosure via the 'wcjwpoption' shortcode in versions up to, and including, 7.1.0 due to insufficient controls on the information retrievable via the shortcode. This makes it possible for authenticated attackers, with...

CVSS 4.3 · AI score 7.3 · EPSS 0.00233 · Exploits 1 · References 3

OSV · added 2023/10/20 7:15 a.m.

CVE-2023-5308

The Podcast Subscribe Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'podcastsubscribe' shortcode in versions up to, and including, 1.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS 5.4 · AI score 6 · EPSS 0.00176 · Exploits 0 · References 3

Positive Technologies · added 2023/10/18 12:00 a.m.

PT-2023-32055 · WordPress · Avirtum Ipanorama 360 Wordpress Virtual Tour Builder

Name of the Vulnerable Software and Affected Versions: iPanorama 360 – WordPress Virtual Tour Builder plugin versions up to, and including, 1.8.0. Description: The issue is related to SQL Injection via the plugin's shortcode due to insufficient escaping on the user supplied parameter and lack of...

CVSS 8.8 · AI score 7 · EPSS 0.00153 · Exploits 0 · References 8

Wordfence Blog · added 2023/10/12 9:58 p.m.

WordPress 6.3.2 Security Release – What You Need to Know

WordPress Core 6.3.2 was released today, on October 12, 2023. It includes a number of security fixes and additional hardening against commonly exploited vulnerabilities. While all of the vulnerabilities are of Medium severity, several of them are impactful enough to potentially allow site takeove...

AI score 8.1 · Exploits 0

OSV · added 2023/10/12 7:15 a.m.

CVE-2023-5470

The Etsy Shop plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'etsy-shop' shortcode in versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

CVSS 5.4 · AI score 6 · Exploits 0 · References 4

OSV · added 2023/09/27 3:19 p.m.

CVE-2023-5135

The Simple Cloudflare Turnstile plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'gravity-simple-turnstile' shortcode in versions up to, and including, 1.23.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS 5.4 · AI score 6 · EPSS 0.00178 · Exploits 1 · References 5

OSV · added 2023/09/15 3:15 a.m.

CVE-2023-4963

The WS Facebook Like Box Widget for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'ws-facebook-likebox' shortcode in versions up to, and including, 5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

CVSS 5.4 · AI score 7 · EPSS 0.00127 · Exploits 0 · References 2

WPVulnDB · added 2023/08/07 12:00 a.m.

Simple Blog Card < 1.32 - Subscriber+ Arbitrary Post Access

Description: The plugin does not ensure that posts to be displayed via a shortcode are public, allowing any authenticated users, such as subscriber, to retrieve arbitrary post title and their content such as draft, private and password protected ones. PoC: Run the below command in the developer...

CVSS 4.3 · AI score 4.8 · EPSS 0.00182 · Exploits 2 · Affected software 1

Vulnrichment · added 2023/06/24 2:00 a.m.

CVE-2023-3387 Lana Text to Image <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Lana Text to Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'lanatexttoimage' and 'lanatexttoimg' shortcode in versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible f...

CVSS 6.4 · AI score 6.8 · EPSS 0.00116 · Exploits 0 · References 3

CNNVD · added 2023/06/21 12:00 a.m.

WordPress plugin Simple Vimeo Shortcode Cross-Site Scripting Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting...

CVSS 6.5 · AI score 6.5 · EPSS 0.00098 · Exploits 0 · References 2

ATTACKERKB · added 2023/06/09 6:15 a.m.

CVE-2023-0708

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'mffirstname' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to inje...

CVSS 5.4 · AI score 6 · EPSS 0.00171 · Exploits 0 · References 4