WordPress Quick Contact Form Plugin <= 8.0.3.1 is vulnerable to Cross Site Scripting (XSS)
Software: Quick Contact Form | Type: Plugin | Vulnerable versions: <= 8.0.3.1 | Fixed in: 8.0.4 | OWASP Top 10: A7: Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: CVE-2023-23885 | Patch priority: Low | CVSS severity: Low (6.5) | PSID: 1ea94a82999e | Credits: yuyudhn | Required...
WordPress Email Subscribers & Newsletters Plugin <= 5.5.2 is vulnerable to CSV Injection
Software: Email Subscribers & Newsletters | Type: Plugin | Vulnerable versions: <= 5.5.2 | Fixed in: 5.5.3 | OWASP Top 10: A1: Injection | Classification: CSV Injection | CVE: CVE-2022-45810 | Patch priority: Low | CVSS severity: Low (6.1) | PSID: bc18fb9ece3e | Credits: Mika | Required privilege...
WordPress Podlove Podcast Publisher Plugin <= 3.8.2 is vulnerable to Cross Site Scripting (XSS)
Software: Podlove Podcast Publisher | Type: Plugin | Vulnerable versions: <= 3.8.2 | Fixed in: 3.8.3 | OWASP Top 10: A7: Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: CVE-2023-25046 | Patch priority: Low | CVSS severity: Low (5.9) | PSID: 491cd1d794bf | Credits: yuyudhn...
WordPress Kraken.io Image Optimizer Plugin <= 2.6.8 is vulnerable to Broken Access Control
Software: Kraken.io Image Optimizer | Type: Plugin | Vulnerable versions: <= 2.6.8 | Fixed in: N/A | OWASP Top 10: A5: Broken Access Control | Classification: Broken Access Control | CVE: CVE-2023-0619 | Patch priority: High | CVSS severity: High (6.5) | PSID: b987322713b6 | Credits: Marco Wotschka -...
WordPress Posts and Users Stats Plugin <= 1.1.3 is vulnerable to CSV Injection
Software: Posts and Users Stats | Type: Plugin | Vulnerable versions: <= 1.1.3 | Fixed in: 1.1.4 | OWASP Top 10: A1: Injection | Classification: CSV Injection | CVE: CVE-2022-44738 | Patch priority: Low | CVSS severity: Low (5.8) | PSID: adb9c8d12136 | Credits: Mika | Required privilege: Subscriber Publishe...
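Both CSV Injection entries above (Email Subscribers & Newsletters and Posts and Users Stats) concern the same failure mode: user-controlled strings (a subscriber's name or e-mail, a post title) are written into a CSV export, and a spreadsheet opening that file treats any cell beginning with `=`, `+`, `-`, `@`, a tab or a carriage return as a formula. The following is an added example written for this page, not code from either plugin: a neutralising helper and an export routine built on PHP's own `fputcsv`. The function names and the sample rows are constructed for illustration.

```php
<?php
// Added example, not code from Email Subscribers & Newsletters or Posts and
// Users Stats. Function names and sample data are constructed.

// Return a cell value that a spreadsheet will display as literal text.
// Cells starting with = + - @ \t or \r are parsed as formulas (including
// DDE payloads) by Excel and LibreOffice, whatever the exporter intended.
// A leading single quote forces text interpretation of the whole cell.
function csv_safe_cell( $value ) {
    $value = (string) $value;
    if ( '' === $value ) {
        return $value;
    }
    if ( preg_match( '/^[=+\-@\t\r]/', $value ) ) {
        return "'" . $value;
    }
    return $value;
}

// Build a CSV document in memory from an array of rows. fputcsv handles the
// quoting of commas, quotes and newlines; csv_safe_cell handles the formula
// prefix, which fputcsv alone does not defend against.
function export_rows_as_csv( array $header, array $rows ) {
    $fh = fopen( 'php://temp', 'r+' );
    fputcsv( $fh, array_map( 'csv_safe_cell', $header ) );
    foreach ( $rows as $row ) {
        fputcsv( $fh, array_map( 'csv_safe_cell', $row ) );
    }
    rewind( $fh );
    $csv = stream_get_contents( $fh );
    fclose( $fh );
    return $csv;
}

// Constructed sample: the second row carries the classic DDE test string in
// the "name" field, exactly the kind of value a Subscriber could submit.
$rows = array(
    array( 'alice', 'alice@example.com', 'Alice Example' ),
    array( 'mallory', 'mallory@example.com', "=cmd|' /C calc'!A0" ),
);
echo export_rows_as_csv( array( 'user', 'email', 'name' ), $rows );
// The malicious cell is written as "'=cmd|' /C calc'!A0" and opens as text.
```

Usage note: the single-quote prefix is visible in the exported cell, so some exporters prefer a leading tab or space; either works as long as the first character is no longer one of the formula triggers. Apply the helper to every user-controlled column, not only the obvious free-text ones, since e-mail and URL fields are just as exploitable.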
WordPress Jobs for WordPress Plugin <= 2.5.11.2 is vulnerable to Cross Site Scripting (XSS)
Software: Jobs for WordPress | Type: Plugin | Vulnerable versions: <= 2.5.11.2 | Fixed in: 2.6.0 | OWASP Top 10: A7: Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: CVE-2022-44743 | Patch priority: Low | CVSS severity: Low (6.5) | PSID: 9031f3e3273b | Credits: thiennv | Required...
Magazine Edge <= 1.13 - Subscriber+ Arbitrary Plugin Activation
The theme does not perform authorisation or CSRF checks when activating plugins via an AJAX action, allowing any authenticated user, such as a subscriber, to activate arbitrary plugins. Run the below command in the developer console of the web browser while being on the blog as a subscriber user...
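The Magazine Edge entry describes the two checks a WordPress `admin-ajax.php` handler must make before doing anything privileged: a nonce check against cross-site request forgery, and a capability check so that a logged-in Subscriber is not treated like an administrator. The following is an added example written for this page, not the theme's code and not the fix its author shipped; the action name, nonce name and handler function are hypothetical. It shows the hardened shape of such a handler using only WordPress core functions.

```php
<?php
// Added example, not Magazine Edge's code. The action and nonce names
// ("example_activate_plugin") and the handler are hypothetical.

// Registering only wp_ajax_* (and not wp_ajax_nopriv_*) keeps anonymous
// visitors out, but "logged in" still includes Subscribers, so the checks
// inside the handler are what actually decide who may activate plugins.
add_action( 'wp_ajax_example_activate_plugin', 'example_activate_plugin_handler' );

function example_activate_plugin_handler() {
    // 1. CSRF: the request must carry a nonce bound to this action and the
    //    current user. check_ajax_referer() stops execution (HTTP 403 / -1)
    //    when the nonce is missing or invalid, so a forged cross-site
    //    request never reaches the code below.
    check_ajax_referer( 'example_activate_plugin', 'nonce' );

    // 2. Authorisation: require the same capability WordPress itself uses
    //    for activating plugins. Subscribers (and Contributors, Authors,
    //    Editors on a default install) do not have it.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input: accept only a plugin file that is actually installed, rather
    //    than passing an arbitrary path straight into activate_plugin().
    $requested = isset( $_POST['plugin'] )
        ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) )
        : '';
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    if ( '' === $requested || ! array_key_exists( $requested, get_plugins() ) ) {
        wp_send_json_error( array( 'message' => 'Unknown plugin.' ), 400 );
    }

    $result = activate_plugin( $requested );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'activated' => $requested ) );
}

// The admin page that issues the request has to be given the nonce; the
// AJAX call then sends action=example_activate_plugin, nonce=..., plugin=...
add_action( 'admin_enqueue_scripts', function () {
    wp_add_inline_script(
        'jquery',
        'window.exampleActivateNonce = ' . wp_json_encode( wp_create_nonce( 'example_activate_plugin' ) ) . ';'
    );
} );
```

Usage note: the order matters. The nonce check alone is not authorisation (a Subscriber can obtain a valid nonce for any action the page hands out), and the capability check alone does not stop CSRF (an administrator's browser can be made to send the request). Both are needed, and `wp_send_json_error()` ends the request, so no code after a failed check runs.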
WordPress 1003 Mortgage Application Plugin <= 1.75 is vulnerable to Arbitrary File Download
Software: 1003 Mortgage Application | Type: Plugin | Vulnerable versions: <= 1.75 | Fixed in: 1.80 | OWASP Top 10: A5: Broken Access Control | Classification: Arbitrary File Download | CVE: CVE-2022-45368 | Patch priority: High | CVSS severity: High (7.7) | PSID: 541a2fe842ed | Credits: Rodrigo Escobar...
WordPress Multi Rating Plugin <= 5.0.5 is vulnerable to Cross Site Request Forgery (CSRF)
Software: Multi Rating | Type: Plugin | Vulnerable versions: <= 5.0.5 | Fixed in: 5.0.6 | OWASP Top 10: A5: Broken Access Control | Classification: Cross Site Request Forgery (CSRF) | CVE: CVE-2022-47443 | Patch priority: Low | CVSS severity: Low (4.3) | PSID: 1dcbbd6b8544 | Credits: rezaduty | Required...
WordPress Auto Affiliate Links Plugin <= 6.3 is vulnerable to Cross Site Request Forgery (CSRF)
Software: Auto Affiliate Links | Type: Plugin | Vulnerable versions: <= 6.3 | Fixed in: 6.3.0.1 | OWASP Top 10: A8: Cross Site Request Forgery (CSRF) | Classification: Cross Site Request Forgery (CSRF) | CVE: CVE-2023-22689 | Patch priority: Low | CVSS severity: Low (5.4) | PSID: 6689a92a0421 | Credits...
DRUPAL-CONTRIB-2023-005
The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal. Previous module versions did not support entity query level access checking, which could have led to information disclosure or access bypass in various places...
GitHub revokes several certificates after unauthorized access
In a call to action, GitHub warned users of GitHub Desktop for Mac and Atom that it will revoke certificates which were exposed during unauthorized access to a set of repositories used in the planning and development of GitHub Desktop and Atom. Revoking these certificates will invalidate some...
WordPress Beautiful Cookie Consent Banner Plugin <= 2.10.0 is vulnerable to Cross Site Scripting (XSS)
Software: Beautiful Cookie Consent Banner | Type: Plugin | Vulnerable versions: <= 2.10.0 | Fixed in: 2.10.1 | OWASP Top 10: A7: Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: N/A | Patch priority: High | CVSS severity: High (7.1) | PSID: 90e192c918ce | Credits: Wordfence...
GitHub Breach: Hackers Stole Code-Signing Certificates for GitHub Desktop and Atom
GitHub on Monday disclosed that unknown threat actors managed to exfiltrate encrypted code signing certificates pertaining to some versions of the GitHub Desktop for Mac and Atom apps. As a result, the company is taking the step of revoking the exposed certificates out of an abundance of caution. The...
This Week in Spring - January 31st, 2023
Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm not going to spend too much time here in the preamble because (a) today's both my birthday and my late father's birthday and (b) I got the worst gift ever: COVID-19. Sigh. So, I'm going back to bed. Without further ado, let's...
WordPress GS Portfolio for Envato Plugin < 1.4.0 is vulnerable to Cross Site Scripting (XSS)
Software: GS Portfolio for Envato | Type: Plugin | Vulnerable versions: < 1.4.0 | Fixed in: 1.4.0 | OWASP Top 10: A7: Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: CVE-2023-0559 | Patch priority: Medium | CVSS severity: Medium (6.5) | PSID: abe3328dc56e | Credits: István Márto...
WordPress GS Filterable Portfolio Plugin < 1.6.1 is vulnerable to Cross Site Scripting (XSS)
Software: GS Filterable Portfolio | Type: Plugin | Vulnerable versions: < 1.6.1 | Fixed in: 1.6.1 | OWASP Top 10: A7: Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: CVE-2023-0540 | Patch priority: Medium | CVSS severity: Medium (6.5) | PSID: 0a94bc0a776f | Credits: István Márto...
WordPress Easy Digital Downloads Plugin < 3.1.0.5 is vulnerable to Cross Site Scripting (XSS)
Software: Easy Digital Downloads | Type: Plugin | Vulnerable versions: < 3.1.0.5 | Fixed in: 3.1.0.5 | OWASP Top 10: A7: Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: CVE-2023-0380 | Patch priority: Medium | CVSS severity: Medium (6.5) | PSID: 553ace90a817 | Credits: István...
WordPress WP Dark Mode Plugin < 4.0.0 is vulnerable to Cross Site Scripting (XSS)
Software: WP Dark Mode | Type: Plugin | Vulnerable versions: < 4.0.0 | Fixed in: 4.0.0 | OWASP Top 10: A7: Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: CVE-2022-4714 | Patch priority: Medium | CVSS severity: Medium (6.5) | PSID: 41e59045340d | Credits: István Márton | Required...