CVE-2023-2500
The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.3.19 via deserialization of untrusted input from the 'gopricing' shortcode 'data' parameter. This allows authenticated attackers, with subscriber-lev...
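Added example, not Go Pricing's code: what "deserialization of untrusted input from a shortcode parameter" looks like in a handler, why a subscriber-placed shortcode is enough to trigger it, and two ways to close it. The handler names, the base64-wrapped 'data' format and the Cache_Writer gadget class are hypothetical stand-ins; the payload and the marker file are constructed for the demonstration.

```php
<?php
// A gadget: any class already loaded by WordPress, a theme or another
// plugin whose magic method does something useful to an attacker. Here
// __destruct() writes a file, standing in for a real gadget chain.
class Cache_Writer {
    public $path = '';
    public $data = '';
    public function __destruct() {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);  // in a real chain: a webshell in the webroot
        }
    }
}

// Vulnerable (hypothetical) handler: trusts the attribute and lets PHP
// instantiate whatever class the serialized string names. Low-privilege
// users can place shortcodes in content, so this is reachable by them.
function vuln_pricing_shortcode(array $atts): string {
    $cfg = unserialize(base64_decode($atts['data'] ?? ''));
    // when $cfg goes out of scope the injected object's __destruct() runs
    return is_array($cfg) ? 'table with ' . count($cfg) . ' columns' : 'bad config';
}

// Fix 1: keep the format but forbid object instantiation. Any object in the
// payload becomes __PHP_Incomplete_Class and no magic method ever runs.
function safe_pricing_shortcode(array $atts): string {
    $cfg = unserialize(base64_decode($atts['data'] ?? ''), ['allowed_classes' => false]);
    return is_array($cfg) ? 'table with ' . count($cfg) . ' columns' : 'bad config';
}

// Fix 2 (preferred): do not use PHP serialization for untrusted input at all.
function json_pricing_shortcode(array $atts): string {
    $cfg = json_decode(base64_decode($atts['data'] ?? ''), true);
    return is_array($cfg) ? 'table with ' . count($cfg) . ' columns' : 'bad config';
}

// Constructed attacker payload, written out as a string rather than via
// serialize(new Cache_Writer) so our own object never fires the gadget.
$marker  = sys_get_temp_dir() . '/poi_marker.txt';
$payload = base64_encode(sprintf(
    'O:12:"Cache_Writer":2:{s:4:"path";s:%d:"%s";s:4:"data";s:8:"injected";}',
    strlen($marker), $marker
));

@unlink($marker);
echo vuln_pricing_shortcode(['data' => $payload]), "\n";
echo file_exists($marker) ? "vulnerable: gadget wrote $marker\n" : "no write\n";

@unlink($marker);
echo safe_pricing_shortcode(['data' => $payload]), "\n";
echo file_exists($marker) ? "gadget ran\n" : "allowed_classes=false: no object created, no write\n";

echo json_pricing_shortcode(['data' => base64_encode('[{"title":"Basic"},{"title":"Pro"}]')]), "\n";
```

Run with `php poi.php`: the vulnerable handler returns "bad config" yet the marker file appears, because the destructor fires when the injected object is released; the hardened handler leaves no file. Fix 1 is the minimal patch when stored data already uses PHP serialization; Fix 2 removes the attack surface.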
PT-2023-15322 · WordPress · Viadat Creations Store Locator For Wordpress With Google Maps – Lotsoflocales
Name of the Vulnerable Software and Affected Versions: Viadat Creations Store Locator for WordPress with Google Maps – LotsOfLocales plugin versions <= 3.98.7 Description: The issue is a Cross-Site Request Forgery (CSRF) vulnerability. This means an attacker can trick a user into performing unintend...
PT-2023-19153 · WordPress · Manoj Thulasidas Theme Tweaker
Name of the Vulnerable Software and Affected Versions: Manoj Thulasidas Theme Tweaker plugin versions <= 5.20 Description: The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This means an attacker could potentially trick a user into performing unintended actions on a web...
CVE-2023-32986
Jenkins File Parameter Plugin 285.v757c5b67ac25 and earlier does not restrict the name and resulting uploaded file name of Stashed File Parameters, allowing attackers with Item/Configure permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified...
CVE-2023-0600 WP Visitor Statistics (Real Time Traffic) < 6.9 - Unauthenticated SQLi
The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 6.9 does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks...
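Added example, not the WP Visitor Statistics code: the "user input concatenated to an SQL query" pattern the entry describes, next to the parameterised form, run against an in-memory SQLite table so it works offline. The wp_visitors table, its rows and the payload are constructed; in a WordPress plugin the equivalent fix is `$wpdb->prepare()`, shown in a comment. Assumes the pdo_sqlite extension that ships with most PHP builds.

```php
<?php
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wp_visitors (id INTEGER PRIMARY KEY, ip TEXT, page TEXT)');
$db->exec("INSERT INTO wp_visitors (ip, page) VALUES
           ('203.0.113.5', '/'), ('203.0.113.9', '/about'), ('198.51.100.2', '/contact')");

// Vulnerable: the request parameter becomes part of the SQL text, so quotes
// in it change the statement instead of the value.
function vuln_count_visits(PDO $db, string $page): int {
    $sql = "SELECT COUNT(*) FROM wp_visitors WHERE page = '" . $page . "'";
    return (int) $db->query($sql)->fetchColumn();
}

// Fixed: the value travels as a bound parameter and can never be parsed as SQL.
// WordPress equivalent:
//   $wpdb->get_var($wpdb->prepare(
//       "SELECT COUNT(*) FROM {$wpdb->prefix}visitors WHERE page = %s", $page));
function safe_count_visits(PDO $db, string $page): int {
    $stmt = $db->prepare('SELECT COUNT(*) FROM wp_visitors WHERE page = ?');
    $stmt->execute([$page]);
    return (int) $stmt->fetchColumn();
}

// Constructed payload, as an unauthenticated visitor would send it in a
// query-string parameter: closes the string and appends an always-true clause.
$injection = "/' OR '1'='1";

echo "vuln, honest input:   ", vuln_count_visits($db, '/about'), "\n";
echo "vuln, injected input: ", vuln_count_visits($db, $injection), "\n";
echo "safe, injected input: ", safe_count_visits($db, $injection), "\n";
```

With the injected input the concatenated query becomes `WHERE page = '/' OR '1'='1'` and counts every row in the table, while the prepared statement looks for a page literally named `/' OR '1'='1` and returns zero. Escaping alone (`esc_sql()`) only covers string contexts; `prepare()` with `%s`/`%d` placeholders is the form to use for every value.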
Quiz Maker < 6.4.2.7 - Reflected XSS
The plugin does not escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting, which could be used against high privilege users such as admin. PoC: Make a logged in admin open the URL below; other URLs are also affected...
Cross site scripting
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Maui Marketing Update Image Tag Alt Attribute plugin <= 2.4.5 versions...
CVE-2023-23793
Eightweb Interactive Read More Without Refresh plugin (WordPress) versions
OSM – OpenStreetMap <= 6.01 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks. PoC: [osm_map map_border='3px solid black;background:red;width:100px;height:100px;" onmouseover="alert(1)"']...
JVN#00971105: WordPress Plugin "Appointment and Event Booking Calendar for WordPress - Amelia" vulnerable to cross-site scripting
WordPress Plugin "Appointment and Event Booking Calendar for WordPress - Amelia" provided by TMS contains a cross-site scripting vulnerability (CWE-79). Impact: An arbitrary script may be executed on the web browser of a user who is logged in to the WordPress site where the product is installed. Solution...
CVE-2023-27614
CVE-2023-27614 is a confirmed XSS vulnerability in the WordPress plugin “Motor Racing League” (versions
PT-2023-21114 · Unknown · James Irving-Swift Electric Studio Client Login
Name of the Vulnerable Software and Affected Versions: James Irving-Swift Electric Studio Client Login plugin versions prior to 0.8.2 Description: The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that affects users with admin+ authentication. This type of vulnerability allo...
Stream < 3.9.3 - CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
CVE-2023-0893
The Time Sheets WordPress plugin before 1.29.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup)...
Health Check & Troubleshooting < 1.6.0 - CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Jetpack 11.4 - Cross Site Scripting (XSS)
Exploit Title: Jetpack 11.4 - Cross Site Scripting XSS Date: 2022-10-19 Author: Behrouz Mansoori Software Link: https://wordpress.org/plugins/jetpack Version: 11.4 Tested on: Mac m1 CVE: N/A 1. Description: This plugin creates a Jetpack from any post types. The slider import search feature and ta...
CVE-2023-0498 WP Education < 1.2.7 - Arbitrary Plugin Activation via CSRF
The WP Education WordPress plugin before 1.2.7 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack...
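Added example, not code from WP Education, Stream or Health Check & Troubleshooting: the "no CSRF check" handler pattern those three entries describe, beside a hardened one that checks capability, nonce and an allow-list of plugin slugs. So that it runs outside WordPress, the nonce is a small HMAC scheme modelled on WordPress's own (action, user id and a 12-hour tick, current and previous tick accepted); in a real plugin `wp_create_nonce()`, `check_admin_referer()`, `current_user_can('activate_plugins')` and `get_plugins()` replace the helpers. The action name, secret, user record and requests are constructed.

```php
<?php
const NONCE_SECRET = 'constructed-site-secret';   // WordPress: NONCE_KEY . NONCE_SALT

// A nonce binds the token to the action, the logged-in user and a time
// window. An attacker's cross-site form cannot compute one, and a leaked
// token for another action or user is useless.
function current_window(int $now): int { return intdiv($now, 12 * 3600); }

function make_nonce(string $action, int $user_id, int $window): string {
    return substr(hash_hmac('sha256', "$window|$action|$user_id", NONCE_SECRET), -12);
}

function verify_nonce(string $nonce, string $action, int $user_id, int $now): bool {
    $w = current_window($now);
    foreach ([$w, $w - 1] as $win) {             // like wp_verify_nonce(): current or previous tick
        if (hash_equals(make_nonce($action, $user_id, $win), $nonce)) { return true; }
    }
    return false;
}

// Vulnerable (hypothetical) admin-post handler: any logged-in admin who views
// an attacker's page with an auto-submitting form activates the plugin named
// in the request. Authentication is present; authorisation of the request is not.
function vuln_activate_handler(array $post): string {
    $plugin = $post['plugin'] ?? '';
    return "activated $plugin";                   // WordPress: activate_plugin($plugin)
}

// Hardened: capability first, then the nonce, then only values we know.
function safe_activate_handler(array $post, array $user, array $installed, int $now): string {
    if (!in_array('activate_plugins', $user['caps'], true)) {
        return 'denied: insufficient capability';    // current_user_can('activate_plugins')
    }
    if (!verify_nonce($post['_wpnonce'] ?? '', 'wpedu_activate_plugin', $user['id'], $now)) {
        return 'denied: bad or missing nonce';       // check_admin_referer('wpedu_activate_plugin')
    }
    $plugin = $post['plugin'] ?? '';
    if (!in_array($plugin, $installed, true)) {      // array_keys(get_plugins())
        return 'denied: unknown plugin';
    }
    return "activated $plugin";
}

// Constructed scenario: an admin, the installed plugins, a forged request
// (the attacker cannot supply a valid nonce) and a legitimate one.
$admin     = ['id' => 1, 'caps' => ['activate_plugins']];
$installed = ['akismet/akismet.php', 'hello.php'];
$now       = time();
$forged    = ['plugin' => 'evil/evil.php'];
$legit     = ['plugin'   => 'hello.php',
              '_wpnonce' => make_nonce('wpedu_activate_plugin', $admin['id'], current_window($now))];

echo vuln_activate_handler($forged), "\n";
echo safe_activate_handler($forged, $admin, $installed, $now), "\n";
echo safe_activate_handler($legit, $admin, $installed, $now), "\n";
```

The order matters: the capability check stops users who should never reach the action, the nonce check stops requests the user did not knowingly make, and the allow-list stops a valid request from naming a path outside the plugins directory. Note that a nonce is not a substitute for the capability check; WordPress nonces are per user, not per session, and a subscriber can obtain one for any action a page hands out.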
PT-2023-16189 · WordPress · Ooohboi Steroids For Elementor
Name of the Vulnerable Software and Affected Versions: OoohBoi Steroids for Elementor WordPress plugin versions prior to 2.1.5 Description: The issue concerns CSRF and broken access control vulnerabilities. These vulnerabilities allow a user with a role as low as a subscriber to delete attachment...
CVE-2023-28684
Jenkins remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks...
W4 Post List < 2.4.6 - Reflected XSS
The plugin does not escape some URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting. PoC: Make a logged in admin open https://example.com/wp-admin/edit.php?posttype=w4pl=w4pl-docs" On a page where there is a list with navigation displayed, put a nav in the template o...
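Added example, not code from the OSM, Quiz Maker, W4 Post List or Maui Marketing plugins: the two attribute-context XSS patterns those entries describe, a stored shortcode attribute (the OSM PoC shape) and a reflected request URL (the W4 Post List case), dropped into HTML attributes unescaped, beside a hardened renderer that validates the expected shape and then escapes for the attribute context. The function names, the 'map_border' attribute and both payloads are constructed; in WordPress the escaping calls are `esc_attr()` and `esc_url()`, which also strip more than the helper here does.

```php
<?php
// Vulnerable (hypothetical) output: both values go into attributes verbatim,
// so a double quote in either one ends the attribute and whatever follows
// becomes new attributes, including event handlers.
function vuln_render(array $atts, string $request_uri): string {
    $border = $atts['map_border'] ?? '1px solid #000';
    return '<div class="osm-map" style="border:' . $border . '">'
         . '<a href="' . $request_uri . '">next page</a></div>';
}

// Hardened: accept only the shape we expect (width, line style, colour),
// fall back to the default otherwise, then escape for an attribute.
function safe_border(?string $border): string {
    $re = '/^\d{1,2}px (solid|dashed|dotted|none) (#[0-9a-fA-F]{3,6}|[a-zA-Z]{1,20})$/';
    if ($border === null || !preg_match($re, $border)) {
        $border = '1px solid #000';
    }
    return htmlspecialchars($border, ENT_QUOTES | ENT_HTML5, 'UTF-8');   // WordPress: esc_attr()
}

// Hardened: allow only relative paths and http(s) URLs, reject javascript:
// and other schemes (including with leading whitespace), then escape.
function safe_url(string $url): string {
    $url    = trim($url);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === false
        || ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https'], true))) {
        return '#';
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');      // WordPress: esc_url()
}

function safe_render(array $atts, string $request_uri): string {
    return '<div class="osm-map" style="border:' . safe_border($atts['map_border'] ?? null) . '">'
         . '<a href="' . safe_url($request_uri) . '">next page</a></div>';
}

// Constructed payloads: the stored one follows the OSM PoC (closes the style
// attribute and adds an event handler); the reflected one is a request URL
// that does the same to href.
$stored_payload    = '3px solid black;background:red;width:100px;height:100px;" onmouseover="alert(1)"';
$reflected_payload = '/wp-admin/edit.php?post_type=w4pl" onmouseover="alert(1)';

echo vuln_render(['map_border' => $stored_payload], $reflected_payload), "\n";
echo safe_render(['map_border' => $stored_payload], $reflected_payload), "\n";
echo safe_render(['map_border' => '2px dashed red'], '/page/2/'), "\n";
echo safe_render([], 'javascript:alert(1)'), "\n";
```

The first line of output contains two live `onmouseover` handlers; in the second the stored payload fails validation and falls back to the default border, and the quote in the URL is emitted as `&quot;` so it stays inside `href`. Escaping alone would already stop the attribute break-out; the validation step additionally keeps a contributor from smuggling arbitrary CSS (`url()`, `expression()` in old engines) through an attribute that is only meant to carry a border.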