WordPress MapSVG Lite 3.2.3 Cross Site Request Forgery
Details ================ Software: MapSVG Lite Version: 3.2.3 Homepage: https://en-gb.wordpress.org/plugins/mapsvg-lite-interactive-vector-maps/ Advisory report: https://advisories.dxw.com/advisories/csrf-mapsvg-lite/ CVE: Awaiting assignment CVSS: 5.8 Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N Descripti...
WordPress Redirection 2.7.1 Deserialization Code Execution Vulnerability
Exploit for php platform in category web applications Details ================ Software: Redirection Version: 2.7.1 Homepage: https://wordpress.org/plugins/redirection/ Advisory report: https://advisories.dxw.com/advisories/unserialization-redirection/ CVE: Awaiting assignment CVSS: 9 High;...
WordPress Plugin Metronet Tag Manager 1.2.7 - Cross-Site Request Forgery
WordPress Plugin Metronet Tag Manager 1.2.7 - Cross-Site Request Forgery Press submit on a page containing the following HTML snippet: alert1" !-- In a real attack, the form can be made to autosubmit so the victim only has to follow a link. Mitigations ================ Upgrade to version 1.2.9 or...
WordPress Metronet Tag Manager 1.2.7 Plugin - Cross-Site Request Forgery Vulnerability
Exploit for php platform in category web applications Press submit on a page containing the following HTML snippet: alert1" !-- In a real attack, the form can be made to autosubmit so the victim only has to follow a link. Mitigations ================ Upgrade to version 1.2.9 or later...
WordPress WP ULike 2.8.1 / 3.1 Cross Site Scripting
Details ================ Software: WP ULike Version: 2.8.1,3.1 Homepage: https://wordpress.org/plugins/wp-ulike/ Advisory report: https://advisories.dxw.com/advisories/stored-xss-wp-ulike/ CVE: Awaiting assignment CVSS: 6.4 Medium; AV:N/AC:L/Au:N/C:P/I:P/A:N Description ================ Stored XS...
WordPress WP ULike 2.8.1 / 3.1 Arbitrary Data Deletion
Details ================ Software: WP ULike Version: 2.8.1,3.1 Homepage: https://wordpress.org/plugins/wp-ulike/ Advisory report: https://advisories.dxw.com/advisories/wp-ulike-delete-rows/ CVE: Awaiting assignment CVSS: 5.8 Medium; AV:N/AC:M/Au:N/C:N/I:P/A:P Description ================ WP ULike...
WordPress WP User Groups plugin <=2.0.0 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found by Tom Adams (dxw) in WordPress WP User Groups plugin versions <=2.0.0. Solution: Update the WordPress WP User Groups plugin to the latest available version, at least 2.1.0...
WordPress Image Zoom 1.23 Plugin Denial Of Service Vulnerability
Exploit for php platform in category web applications Details ================ Software: WP Image Zoom Version: 1.23 Homepage: http://wordpress.org/plugins/wp-image-zoooom/ Advisory report: https://advisories.dxw.com/advisories/wp-image-zoom-dos/ CVE: Awaiting assignment CVSS: 7.5 High;...
WordPress WP Image Zoom 1.23 Denial Of Service
Details ================ Software: WP Image Zoom Version: 1.23 Homepage: http://wordpress.org/plugins/wp-image-zoooom/ Advisory report: https://advisories.dxw.com/advisories/wp-image-zoom-dos/ CVE: Awaiting assignment CVSS: 7.5 High; AV:N/AC:L/Au:S/C:N/I:P/A:C Description ================ WP Imag...
WordPress Rating-Widget: Star Review System 2.8.9 Information Disclosure
Details ================ Software: Rating-Widget: Star Review System Version: 2.8.9 Homepage: https://wordpress.org/plugins/rating-widget/ Advisory report: https://advisories.dxw.com/advisories/rating-widget-debug-mode/ CVE: Awaiting assignment CVSS: 5 Medium; AV:N/AC:L/Au:N/C:P/I:N/A:N Descripti...
Relevanssi 3.5.12 / 3.6.0 SQL Injection
Details ================ Software: Relevanssi Version: 3.5.12,3.6.0 Homepage: https://wordpress.org/plugins/relevanssi/ Advisory report: https://advisories.dxw.com/advisories/sqli-relevanssi/ CVE: Awaiting assignment CVSS: 8.5 High; AV:N/AC:L/Au:S/C:C/I:C/A:N Description ================ SQLi in...
WordPress 4.8.2 Activation Key Failed Expiry Vulnerability
WordPress version 4.8.2 fails to have an expiration mechanism tied to activation keys allowing for eternal use. Details ================ Software: WordPress Version: 4.8.2 Homepage: https://wordpress.org/ Advisory report: https://security.dxw.com/advisories/wordpress-signups-activation/ CVE:...
WordPress Content Audit plugin <=1.9.1 - Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerabilities
Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerabilities found by DXW Security in WordPress Content Audit plugin versions <=1.9.1. Solution: Update the WordPress Content Audit plugin to the latest available version, at least 1.9.2...
WordPress Content Audit 1.9.1 Cross Site Request Forgery / Cross Site Scripting
Details ================ Software: Content Audit Version: 1.9.1 Homepage: https://wordpress.org/plugins/content-audit/ Advisory report: https://security.dxw.com/advisories/csrf-xss-content-audit/ CVE: Awaiting assignment CVSS: 5.8 Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N Description ================...
WordPress Content Audit 1.9.1 Cross Site Request Forgery / Cross Site Scripting Vulnerabilities
WordPress Content Audit plugin version 1.9.1 suffers from cross site request forgery and cross site scripting vulnerabilities. Details ================ Software: Content Audit Version: 1.9.1 Homepage: https://wordpress.org/plugins/content-audit/ Advisory report:...
Salutation Responsive 3.0.15 Cross Site Scripting
Details ================ Software: Salutation Responsive WordPress + BuddyPress Theme Version: 3.0.15 Homepage: https://themeforest.net/item/salutation-responsive-wordpress-buddypress-theme/548199 Advisory report: https://security.dxw.com/advisories/stored-xss-salutation-theme/ CVE: Awaiting...
WordPress YouTube Embed Plus 11.8.1 Cross Site Request Forgery
Details ================ Software: YouTube Version: 11.8.1 Homepage: https://wordpress.org/plugins/youtube-embed-plus/ Advisory report: https://security.dxw.com/advisories/csrf-in-youtube-plugin/ CVE: Awaiting assignment CVSS: 4.3 Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N Description ================ CS...
WordPress Stop User Enumeration 1.3.8 User Enumeration
Details ================ Software: Stop User Enumeration Version: 1.3.8 Homepage: https://wordpress.org/plugins/stop-user-enumeration/ Advisory report: https://security.dxw.com/advisories/stop-user-enumeration-rest-api/ CVE: Awaiting assignment CVSS: 5 Medium; AV:N/AC:L/Au:N/C:P/I:N/A:N Descripti...
WordPress Photo Gallery 1.3.34 / 1.3.42 Path Traversal
Details ================ Software: Photo Gallery Version: 1.3.34,1.3.42 Homepage: https://wordpress.org/plugins/photo-gallery/ Advisory report: https://security.dxw.com/advisories/path-traversal-in-photo-gallery-may-allow-admins-to-read-most-files-on-the-filesystem/ CVE: Awaiting assignment CVSS:...
WordPress Firewall 2 1.3 Plugin - Cross-Site Request Forgery / Cross-Site Scripting Vulnerabilities
Exploit for php platform in category web applications alert1" !-- In a real attack, forms can be submitted automatically and spear-phishing attacks can be convincing. Mitigations ================ Disable the plugin until a new version is released that fixes this bug. Disclosure policy...