WordPress Sirv Plugin <= 7.1.2 is vulnerable to Broken Access Control
Software: Sirv
Type: Plugin
Vulnerable versions: <= 7.1.2
Fixed in: 7.1.3
OWASP Top 10: A5: Broken Access Control
Classification: Broken Access Control
CVE: CVE-2023-50898
Patch priority: Low
CVSS severity: Low (5.4)
Developer: Sirv
PSID: 96bd93b7e6bb
Credits: Abdi Pranata
Required privilege: Subscriber
Publishe...
WordPress Essential Blocks for Gutenberg Plugin <= 4.2.0 is vulnerable to Broken Access Control
Software: Essential Blocks for Gutenberg
Type: Plugin
Vulnerable versions: <= 4.2.0
Fixed in: 4.2.1
OWASP Top 10: A1: Broken Access Control
Classification: Broken Access Control
CVE: CVE-2023-51360
Patch priority: High
CVSS severity: High (6.5)
PSID: aa89b26b64fb
Credits: Rafie Muhamm...
WordPress EmbedPress Plugin <= 3.8.3 is vulnerable to Broken Access Control
Software: EmbedPress
Type: Plugin
Vulnerable versions: <= 3.8.3
Fixed in: 3.8.4
OWASP Top 10: A1: Broken Access Control
Classification: Broken Access Control
CVE: CVE-2023-51375
Patch priority: Medium
CVSS severity: Medium (4.3)
PSID: b1e657828f4d
Credits: Abdi Pranata
Required...
JVN#32646742: Multiple vulnerabilities in PowerCMS
PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below.

Stored cross-site scripting vulnerability in the management screen (CWE-79), CVE-2023-49117

Version | Vector | Score
---|---|---
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Base Score: 5.4
CVSS v2 | ...
WordPress User Feedback Plugin <= 1.0.10 is vulnerable to Broken Access Control
Software: User Feedback
Type: Plugin
Vulnerable versions: <= 1.0.10
Fixed in: 1.0.11
OWASP Top 10: A1: Broken Access Control
Classification: Broken Access Control
CVE: CVE-2023-50887
Patch priority: Low
CVSS severity: Low (5.3)
PSID: 72613a1d0e22
Credits: Revan Arifio
Required privile...
WordPress Product Filter by WBW Plugin <= 2.5.0 is vulnerable to Broken Access Control
Software: Product Filter by WBW
Type: Plugin
Vulnerable versions: <= 2.5.0
Fixed in: 2.5.1
OWASP Top 10: A1: Broken Access Control
Classification: Broken Access Control
CVE: CVE-2023-50877
Patch priority: Medium
CVSS severity: Medium (4.3)
PSID: b4377cfc0c43
Credits: Abdi Pranata...
Estatik Real Estate Plugin < 4.1.1 - Unauthenticated PHP Object Injection
Description: The plugin unserializes user input via some of its cookies, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget chain is present on the blog.
PoC: To simulate a gadget chain, put the following code in a plugin: class Evil { public function __wakeup() ...
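The pattern the advisory describes, as an added example that is not Estatik's code: a cookie value fed straight into unserialize(), a stand-in gadget class whose __wakeup() runs on reconstruction, and two hardened readers. The cookie name es_filter, the function names and the filter keys are assumptions for illustration; the "gadget" only logs, where a real chain would do something harmful.

```php
<?php
// Added example, not from the Estatik plugin. Cookie name, function names
// and filter keys are hypothetical.

// Stand-in gadget: any already-loaded class whose magic method has side
// effects becomes reachable once attacker data reaches unserialize().
class Evil {
    public $cmd = 'id';
    public function __wakeup() {
        // A real gadget might write a file or call system(); we only log.
        error_log("Evil::__wakeup fired with cmd={$this->cmd}");
    }
}

// Vulnerable pattern: the attacker-controlled cookie is unserialized as-is,
// so a payload such as O:4:"Evil":1:{s:3:"cmd";s:2:"id";} instantiates Evil
// and triggers __wakeup() before the plugin has looked at the data at all.
function vulnerable_read_filter(array $cookies) {
    if (!isset($cookies['es_filter'])) {
        return [];
    }
    return unserialize(base64_decode($cookies['es_filter']));
}

// Hardened: never unserialize user input. Carry the filter as JSON and
// reduce it to the exact keys and types the feature needs.
function hardened_read_filter(array $cookies) {
    if (!isset($cookies['es_filter'])) {
        return [];
    }
    $data = json_decode($cookies['es_filter'], true, 4);
    if (!is_array($data)) {
        return [];
    }
    $clean = [];
    if (isset($data['min_price'])) {
        $clean['min_price'] = (int) $data['min_price'];
    }
    if (isset($data['max_price'])) {
        $clean['max_price'] = (int) $data['max_price'];
    }
    return $clean;
}

// If the serialized format must be kept for legacy cookies, refuse objects:
// with allowed_classes => false every object becomes __PHP_Incomplete_Class
// and no __wakeup()/__destruct() gadget is invoked.
function legacy_read_filter(array $cookies) {
    if (!isset($cookies['es_filter'])) {
        return [];
    }
    $raw = base64_decode($cookies['es_filter'], true);
    if ($raw === false) {
        return [];
    }
    return unserialize($raw, ['allowed_classes' => false]);
}

// Constructed malicious cookie: a serialized Evil instance.
$payload = base64_encode(serialize(new Evil()));

vulnerable_read_filter(['es_filter' => $payload]);   // __wakeup() runs
hardened_read_filter(['es_filter' => $payload]);     // not JSON, so empty filter
legacy_read_filter(['es_filter' => $payload]);       // incomplete class, no gadget
```

The JSON route is preferable to allowed_classes alone: the latter still lets an attacker shape arrays of arbitrary depth and type, whereas the explicit key-by-key extraction gives the rest of the plugin values it can trust.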
Estatik Real Estate Plugin < 4.1.1 - Subscriber+ Arbitrary Option Update
Description: The plugin does not prevent users with low privileges on the site, such as subscribers, from setting any of the site's options to 1, which could be used to break sites and lead to DoS when certain options are reset. Run the below command in the developer console of the web browser while...
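The missing check, shown as an added WordPress plugin fragment that is not Estatik's code: an AJAX handler that lets any logged-in user name an option and set it to 1, next to a version that enforces a capability, a nonce and an allowlist. The action names, function names and the option allowlist (es_show_map, es_enable_search) are assumptions; the WordPress functions used (current_user_can, check_ajax_referer, update_option, wp_send_json_*) are real core APIs.

```php
<?php
// Added example, not from the Estatik plugin. Hook, function and option
// names are hypothetical; this file is meant to run inside WordPress.

// Vulnerable pattern: wp_ajax_* hooks are reachable by every logged-in
// user, including subscribers, and nothing here checks who is calling or
// which option they are touching. Setting e.g. users_can_register or a
// plugin/theme switch to 1 is enough to break or expose a site.
function es_vulnerable_toggle_option() {
    $option = sanitize_key($_POST['option'] ?? '');
    update_option($option, 1);
    wp_send_json_success();
}
add_action('wp_ajax_es_toggle_option_vuln', 'es_vulnerable_toggle_option');

// Hardened version of the same feature.
function es_hardened_toggle_option() {
    // 1. Authorisation: only users who may manage options get past here.
    //    (wp_send_json_error() ends the request, so no fall-through.)
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    // 2. CSRF: the request must carry a nonce minted for this action
    //    (wp_create_nonce('es_toggle_option') on the admin page).
    check_ajax_referer('es_toggle_option', 'nonce');

    // 3. Never let the client choose the option name; allowlist it.
    $allowed = [
        'es_show_map'      => true,
        'es_enable_search' => true,
    ];
    $option = sanitize_key($_POST['option'] ?? '');
    if (!isset($allowed[$option])) {
        wp_send_json_error('unknown option', 400);
    }

    // 4. Validate the value instead of hard-coding 1.
    $value = (isset($_POST['value']) && $_POST['value'] === '1') ? 1 : 0;
    update_option($option, $value);

    wp_send_json_success(['option' => $option, 'value' => $value]);
}
add_action('wp_ajax_es_toggle_option', 'es_hardened_toggle_option');
```

A quick audit check for this class of bug: grep a plugin for update_option() calls whose first argument comes from $_POST/$_GET/$_REQUEST, then confirm the enclosing handler has both a capability check and a nonce check before that line.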
WordPress Add Any Extension to Pages Plugin <= 1.4 is vulnerable to Cross Site Request Forgery (CSRF)
Software: Add Any Extension to Pages
Type: Plugin
Vulnerable versions: <= 1.4
Fixed in: 1.5
OWASP Top 10: A1: Broken Access Control
Classification: Cross Site Request Forgery (CSRF)
CVE: CVE-2023-50873
Patch priority: Low
CVSS severity: Low (4.3)
PSID: b3821f100fa4
Credits: Nguyen Xuan...
WordPress RegistrationMagic Plugin <= 5.2.4.5 is vulnerable to SQL Injection
Software: RegistrationMagic
Type: Plugin
Vulnerable versions: <= 5.2.4.5
Fixed in: 5.2.4.6
OWASP Top 10: A3: Injection
Classification: SQL Injection
CVE: CVE-2023-50846
Patch priority: Low
CVSS severity: Low (7.6)
PSID: 9ebe43b2d455
Credits: Muhammad Daffa
Required privilege...
WordPress Simply Schedule Appointments Plugin < 1.6.6.1 is vulnerable to SQL Injection
Software: Simply Schedule Appointments
Type: Plugin
Vulnerable versions: < 1.6.6.1
Fixed in: 1.6.6.1
OWASP Top 10: A3: Injection
Classification: SQL Injection
CVE: CVE-2023-50851
Patch priority: Low
CVSS severity: Low (7.6)
PSID: a0f5e904e5c2
Credits: Muhammad Daffa
Required privilege...
WordPress Welcart e-Commerce Plugin <= 2.9.3 is vulnerable to SQL Injection
Software: Welcart e-Commerce
Type: Plugin
Vulnerable versions: <= 2.9.3
Fixed in: 2.9.4
OWASP Top 10: A3: Injection
Classification: SQL Injection
CVE: CVE-2023-50847
Patch priority: Low
CVSS severity: Low (7.6)
PSID: 04a7c6fd4f27
Credits: Muhammad Daffa
Required privilege: Editor...
WordPress Limit Login Attempts Reloaded Plugin <= 2.25.26 is vulnerable to Cross Site Scripting (XSS)
Software: Limit Login Attempts Reloaded
Type: Plugin
Vulnerable versions: <= 2.25.26
Fixed in: 2.25.27
OWASP Top 10: A7: Cross-Site Scripting (XSS)
Classification: Cross Site Scripting (XSS)
CVE: CVE-2023-6934
Patch priority: Low
CVSS severity: Low (6.5)
PSID: 2de2d139dd65
Credits: Hung...
WordPress Photo Gallery by 10Web Plugin <= 1.8.18 is vulnerable to Cross Site Scripting (XSS)
Software: Photo Gallery by 10Web
Type: Plugin
Vulnerable versions: <= 1.8.18
Fixed in: 1.8.19
OWASP Top 10: A7: Cross-Site Scripting (XSS)
Classification: Cross Site Scripting (XSS)
CVE: CVE-2023-6924
Patch priority: Low
CVSS severity: Low (5.9)
PSID: 0bcf8b758508
Credits: István Márton...
WordPress MF Gig Calendar Plugin <= 1.2.1 is vulnerable to SQL Injection
Software: MF Gig Calendar
Type: Plugin
Vulnerable versions: <= 1.2.1
Fixed in: N/A
OWASP Top 10: A3: Injection
Classification: SQL Injection
CVE: CVE-2023-50842
Patch priority: Medium
CVSS severity: Medium (8.5)
PSID: 54f1b98a01c0
Credits: Khalid Yusuf
Required privilege: Contributor...
CVE-2023-6944
A flaw was found in the Red Hat Developer Hub (RHDH). The catalog-import function leaks GitLab access tokens on the frontend when the base64-encoded GitLab token includes a newline at the end of the string. The sanitized error can be displayed on the frontend, including the raw access token. Upon gainin...
WordPress Image horizontal reel scroll slideshow Plugin <= 13.3 is vulnerable to Cross Site Scripting (XSS)
Software: Image horizontal reel scroll slideshow
Type: Plugin
Vulnerable versions: <= 13.3
Fixed in: 13.4
OWASP Top 10: A7: Cross-Site Scripting (XSS)
Classification: Cross Site Scripting (XSS)
CVE: CVE-2023-5413
Patch priority: Low
CVSS severity: Low (6.5)
PSID: f4bff9d695d5
Credits...
WordPress WP Edit Username Plugin <= 1.0.5 is vulnerable to Cross Site Scripting (XSS)
Software: WP Edit Username
Type: Plugin
Vulnerable versions: <= 1.0.5
Fixed in: 1.0.6
OWASP Top 10: A3: Injection
Classification: Cross Site Scripting (XSS)
CVE: CVE-2023-47527
Patch priority: Low
CVSS severity: Low (5.9)
PSID: 3874545cb784
Credits: Jeongwoo-LeeRoronoa
Required privileg...
WordPress Accredible Certificates & Open Badges Plugin <= 1.4.8 is vulnerable to Cross Site Scripting (XSS)
Software: Accredible Certificates & Open Badges
Type: Plugin
Vulnerable versions: <= 1.4.8
Fixed in: 1.4.9
OWASP Top 10: A3: Injection
Classification: Cross Site Scripting (XSS)
CVE: CVE-2023-50827
Patch priority: Low
CVSS severity: Low (5.9)
PSID: dce9609936de
Credits: emad
Required...
Backstage Information Disclosure Vulnerability
Backstage is an open platform for building developer portals. A security vulnerability exists in Backstage where the GitlabDiscoveryEntityProvider leaks GitLab integration tokens into logs when tokens containing newlines are supplied...