WordPress MapSVG Lite 3.2.3 Cross Site Request Forgery
Details ================ Software: MapSVG Lite Version: 3.2.3 Homepage: https://en-gb.wordpress.org/plugins/mapsvg-lite-interactive-vector-maps/ Advisory report: https://advisories.dxw.com/advisories/csrf-mapsvg-lite/ CVE: Awaiting assignment CVSS: 5.8 Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N Descripti...
WordPress Redirection 2.7.1 Deserialization Code Execution Vulnerability
Exploit for php platform in category web applications Details ================ Software: Redirection Version: 2.7.1 Homepage: https://wordpress.org/plugins/redirection/ Advisory report: https://advisories.dxw.com/advisories/unserialization-redirection/ CVE: Awaiting assignment CVSS: 9 High;...
WordPress Plugin Metronet Tag Manager 1.2.7 - Cross-Site Request Forgery
WordPress Plugin Metronet Tag Manager 1.2.7 - Cross-Site Request Forgery Press submit on a page containing the following HTML snippet: alert1" !-- In a real attack, the form can be made to autosubmit so the victim only has to follow a link. Mitigations ================ Upgrade to version 1.2.9 or...
WordPress Metronet Tag Manager 1.2.7 Plugin - Cross-Site Request Forgery Vulnerability
Exploit for php platform in category web applications Press submit on a page containing the following HTML snippet: alert1" !-- In a real attack, the form can be made to autosubmit so the victim only has to follow a link. Mitigations ================ Upgrade to version 1.2.9 or later...
WordPress WP ULike 2.8.1 / 3.1 Cross Site Scripting
Details ================ Software: WP ULike Version: 2.8.1,3.1 Homepage: https://wordpress.org/plugins/wp-ulike/ Advisory report: https://advisories.dxw.com/advisories/stored-xss-wp-ulike/ CVE: Awaiting assignment CVSS: 6.4 Medium; AV:N/AC:L/Au:N/C:P/I:P/A:N Description ================ Stored XS...
WordPress WP ULike 2.8.1 / 3.1 Arbitrary Data Deletion
Details ================ Software: WP ULike Version: 2.8.1,3.1 Homepage: https://wordpress.org/plugins/wp-ulike/ Advisory report: https://advisories.dxw.com/advisories/wp-ulike-delete-rows/ CVE: Awaiting assignment CVSS: 5.8 Medium; AV:N/AC:M/Au:N/C:N/I:P/A:P Description ================ WP ULike...
WordPress WP User Groups plugin <=2.0.0 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found by Tom Adams (dxw) in WordPress WP User Groups plugin versions <=2.0.0. Solution: Update the WordPress WP User Groups plugin to the latest available version, at least 2.1.0...
WordPress WP Image Zoom 1.23 Denial Of Service
Details ================ Software: WP Image Zoom Version: 1.23 Homepage: http://wordpress.org/plugins/wp-image-zoooom/ Advisory report: https://advisories.dxw.com/advisories/wp-image-zoom-dos/ CVE: Awaiting assignment CVSS: 7.5 High; AV:N/AC:L/Au:S/C:N/I:P/A:C Description ================ WP Imag...
WordPress Image Zoom 1.23 Plugin Denial Of Service Vulnerability
Exploit for php platform in category web applications Details ================ Software: WP Image Zoom Version: 1.23 Homepage: http://wordpress.org/plugins/wp-image-zoooom/ Advisory report: https://advisories.dxw.com/advisories/wp-image-zoom-dos/ CVE: Awaiting assignment CVSS: 7.5 High;...
Relevanssi 3.5.12 / 3.6.0 SQL Injection
Details ================ Software: Relevanssi Version: 3.5.12,3.6.0 Homepage: https://wordpress.org/plugins/relevanssi/ Advisory report: https://advisories.dxw.com/advisories/sqli-relevanssi/ CVE: Awaiting assignment CVSS: 8.5 High; AV:N/AC:L/Au:S/C:C/I:C/A:N Description ================ SQLi in...
WordPress Rating-Widget: Star Review System 2.8.9 Information Disclosure
Details ================ Software: Rating-Widget: Star Review System Version: 2.8.9 Homepage: https://wordpress.org/plugins/rating-widget/ Advisory report: https://advisories.dxw.com/advisories/rating-widget-debug-mode/ CVE: Awaiting assignment CVSS: 5 Medium; AV:N/AC:L/Au:N/C:P/I:N/A:N Descripti...
WordPress 4.8.2 Activation Key Failed Expiry Vulnerability
WordPress version 4.8.2 fails to have an expiration mechanism tied to activation keys allowing for eternal use. Details ================ Software: WordPress Version: 4.8.2 Homepage: https://wordpress.org/ Advisory report: https://security.dxw.com/advisories/wordpress-signups-activation/ CVE:...
WordPress Content Audit plugin <=1.9.1 - Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerabilities
Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerabilities found by DXW Security in WordPress Content Audit plugin versions <=1.9.1. Solution: Update the WordPress Content Audit plugin to the latest available version, at least 1.9.2...
WordPress Content Audit 1.9.1 Cross Site Request Forgery / Cross Site Scripting Vulnerabilities
WordPress Content Audit plugin version 1.9.1 suffers from cross site request forgery and cross site scripting vulnerabilities. Details ================ Software: Content Audit Version: 1.9.1 Homepage: https://wordpress.org/plugins/content-audit/ Advisory report:...
WordPress Content Audit 1.9.1 Cross Site Request Forgery / Cross Site Scripting
Details ================ Software: Content Audit Version: 1.9.1 Homepage: https://wordpress.org/plugins/content-audit/ Advisory report: https://security.dxw.com/advisories/csrf-xss-content-audit/ CVE: Awaiting assignment CVSS: 5.8 Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N Description ================...
Salutation Responsive 3.0.15 Cross Site Scripting
Details ================ Software: Salutation Responsive WordPress + BuddyPress Theme Version: 3.0.15 Homepage: https://themeforest.net/item/salutation-responsive-wordpress-buddypress-theme/548199 Advisory report: https://security.dxw.com/advisories/stored-xss-salutation-theme/ CVE: Awaiting...
WordPress Stop User Enumeration 1.3.8 User Enumeration
Details ================ Software: Stop User Enumeration Version: 1.3.8 Homepage: https://wordpress.org/plugins/stop-user-enumeration/ Advisory report: https://security.dxw.com/advisories/stop-user-enumeration-rest-api/ CVE: Awaiting assignment CVSS: 5 Medium; AV:N/AC:L/Au:N/C:P/I:N/A:N Descripti...
WordPress YouTube Embed Plus 11.8.1 Cross Site Request Forgery
Details ================ Software: YouTube Version: 11.8.1 Homepage: https://wordpress.org/plugins/youtube-embed-plus/ Advisory report: https://security.dxw.com/advisories/csrf-in-youtube-plugin/ CVE: Awaiting assignment CVSS: 4.3 Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N Description ================ CS...
WordPress Photo Gallery 1.3.34 / 1.3.42 Path Traversal
Details ================ Software: Photo Gallery Version: 1.3.34,1.3.42 Homepage: https://wordpress.org/plugins/photo-gallery/ Advisory report: https://security.dxw.com/advisories/path-traversal-in-photo-gallery-may-allow-admins-to-read-most-files-on-the-filesystem/ CVE: Awaiting assignment CVSS:...
WordPress Firewall 2 1.3 Plugin - Cross-Site Request Forgery / Cross-Site Scripting Vulnerabilities
Exploit for php platform in category web applications alert1" !-- In a real attack, forms can be submitted automatically and spear-phishing attacks can be convincing. Mitigations ================ Disable the plugin until a new version is released that fixes this bug. Disclosure policy...