211 matches found
Ultimate FAQ Plugin for WordPress < 1.8.25 Multiple Vulnerabilities
The WordPress Ultimate FAQ Plugin installed on the remote host is affected by multiple vulnerabilities:
 - An Arbitrary Options Import.
 - An HTML Injection.
Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number...
CVE-2022-4475 Collapse-O-Matic < 1.8.3 - Contributor+ Stored XSS
The Collapse-O-Matic WordPress plugin before 1.8.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high...
CVE-2022-4010 Image Hover Effects < 5.5 - Admin+ Stored XSS
The Image Hover Effects WordPress plugin before 5.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
PT-2022-23934 · WordPress · Blossom Recipe Maker
Name of the Vulnerable Software and Affected Versions: Blossom Recipe Maker plugin versions 1.0.7 and earlier.
Description: The issue concerns multiple authenticated Stored Cross-Site Scripting (XSS) vulnerabilities. These vulnerabilities can be exploited by contributors or users with higher...
Design/Logic Flaw
Unauthenticated Plugin Settings Change & Data Deletion vulnerabilities in WP Shop plugin <= 3.9.6 at WordPress...
CVE-2022-29432 WordPress wpDataTables plugin <= 2.1.27 - Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities
Multiple Authenticated (administrator or higher user role) Persistent Cross-Site Scripting (XSS) vulnerabilities in TMS-Plugins wpDataTables plugin <= 2.1.27 on WordPress via the data-link-text, data-link-url, data, data-shortcode and data-star-num vulnerable parameters...
WordPress Bugs Exploded in 2021, Most Exploitable
Last year brought forth much more than a Ben Affleck-Jennifer Lopez reunion – analysts found the number of exploitable WordPress plugin vulnerabilities exploded. Researchers from RiskBased Security reported they found the number of WordPress Plugin vulnerabilities rose by triple digits in 2021...
1.6 Million WordPress Sites Under Cyberattack From Over 16,000 IP Addresses
As many as 1.6 million WordPress sites have been targeted by an active large-scale attack campaign originating from 16,000 IP addresses by exploiting weaknesses in four plugins and 15 Epsilon Framework themes. WordPress security company Wordfence, which disclosed details of the attacks, said...
CVE-2021-44223
WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin...
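CVE-2021-44223 turns on a single plugin header, so the following added example (not WordPress core code and not taken from the CVE record) shows how an offline triage script can read each installed plugin's header the way core does and decide whether wordpress.org is still allowed to supply an update for that slug. The matching rule is the documented 5.8 behaviour: with no Update URI, or with one naming the plugin's own wordpress.org entry, the slug alone ties the plugin to wordpress.org; any other value opts it out, but only once core is 5.8 or later. The sample plugin sources, their slugs, the `acme`/`example` names and the slug-shape regex are constructed assumptions, not real plugins.

```python
"""Offline triage of WordPress plugin headers against the CVE-2021-44223 risk:
which installed plugins would accept an update published on wordpress.org purely
because their directory slug matches?  Added example, not WordPress core code.
The matching rule follows the documented WordPress 5.8 'Update URI' behaviour;
the slug-shape regex is an assumption standing in for the directory's naming rules."""
import re

# Subset of the header fields WordPress reads from a plugin's main file.
HEADER_FIELDS = {"Plugin Name": "name", "Version": "version", "Update URI": "update_uri"}

# The two forms an Update URI may take to refer to the plugin's own wordpress.org entry.
WPORG_FORMS = ("https://wordpress.org/plugins/{slug}/", "w.org/plugin/{slug}")

# Assumption: wordpress.org slugs are lowercase letters, digits and hyphens.
SLUG_RE = re.compile(r"[a-z0-9-]+")


def parse_plugin_header(php_source: str) -> dict:
    """Mimic get_file_data(): examine the first 8 KiB only, match each field as
    'Field: value' at the start of a comment line, and drop a trailing '*/'."""
    head = php_source[:8192].replace("\r", "\n")
    data = {}
    for field, key in HEADER_FIELDS.items():
        m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", head, re.M | re.I)
        value = re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)) if m else ""
        data[key] = value.strip()
    return data


def wp_supports_update_uri(wp_version: str) -> bool:
    """The Update URI header is only honoured by WordPress 5.8 and later."""
    parts = tuple(int(p) for p in re.findall(r"\d+", wp_version)[:3])
    return parts >= (5, 8)


def wporg_update_applies(slug: str, update_uri: str) -> bool:
    """Would wordpress.org be allowed to serve an update for this plugin?"""
    if not update_uri:
        return True  # no header: matched by slug alone, the pre-5.8 behaviour
    return update_uri in {form.format(slug=slug) for form in WPORG_FORMS}


def assess(slug: str, php_source: str, wp_version: str) -> str:
    """Classify one plugin directory.  'slug-collision' means an update for this
    slug published on wordpress.org would be installed here, whether or not the
    plugin actually comes from there; 'header-unsupported' means the plugin opted
    out but the core version is too old to notice."""
    if not SLUG_RE.fullmatch(slug):
        return "slug-not-registrable"
    uri = parse_plugin_header(php_source)["update_uri"]
    if not uri:
        return "slug-collision"
    if wporg_update_applies(slug, uri):
        return "wporg-pinned"
    return "opted-out" if wp_supports_update_uri(wp_version) else "header-unsupported"


# Constructed sample plugin files (fictitious plugins, not real ones).
SAMPLES = {
    "acme-intranet-tools": """<?php
/*
Plugin Name: ACME Intranet Tools
Version: 2.3.0
*/""",
    "acme-billing": """<?php
/**
 * Plugin Name: ACME Billing
 * Version: 1.0.4
 * Update URI: https://updates.acme.example/wp/acme-billing
 */""",
    "example-gallery": """<?php
/*
Plugin Name: Example Gallery
Version: 3.1.0
Update URI: w.org/plugin/example-gallery
*/""",
}


def triage(samples: dict, wp_version: str) -> dict:
    """Map each plugin slug to its classification under the given core version."""
    return {slug: assess(slug, src, wp_version) for slug, src in samples.items()}


if __name__ == "__main__":
    for wp in ("5.7.2", "5.8"):
        print(wp, triage(SAMPLES, wp))
```

Anything reported as `slug-collision` that is not actually hosted on wordpress.org is the CVE scenario: a first-party or locally written plugin that should get an `Update URI` pointing at its own update server (or any non-wordpress.org value), and the site needs core 5.8 or later for that header to take effect.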
WordPress Share, Print and PDF Products for WooCommerce plugin <= 2.7.1 - Multiple vulnerabilities
Multiple vulnerabilities (Authenticated Arbitrary WordPress Options Change, Read and Deletion / Authenticated User Enumeration / Authenticated Plugin Settings Change, Import and Export) were discovered by Jerome Bruandet (NinTechNet) in WordPress Share, Print and PDF Products for WooCommerce plugin...
WordPress Add Product Tabs for WooCommerce plugin <= 1.4.1 - Multiple vulnerabilities
Multiple vulnerabilities (Authenticated Arbitrary WordPress Options Change, Read and Deletion / Authenticated User Enumeration / Authenticated Plugin Settings Change, Import and Export) were discovered by Jerome Bruandet (NinTechNet) in WordPress Add Product Tabs for WooCommerce plugin versions <=...
CVE-2021-36871 WordPress WP Google Maps Pro premium plugin <= 8.1.11 - Multiple Authenticated Persistent XSS vulnerabilities
Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities in WordPress WP Google Maps Pro premium plugin versions <= 8.1.11 via the attributes, Name attributes, icons, names, description, link, title...
Multiple cross-site scripting vulnerabilities in multiple EC-CUBE plugins provided by EC-CUBE
Overview: Multiple EC-CUBE plugins provided by EC-CUBE CO.,LTD. contain multiple cross-site scripting vulnerabilities listed below.
 - Cross-site scripting vulnerability (CWE-79) - CVE-2021-20742
 - Cross-site scripting vulnerability (CWE-79) - CVE-2021-20743
 - Cross-site scripting vulnerability (CWE-79) -...
WordPress HT Mega plugin <= 1.5.5 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by Wordfence in WordPress HT Mega plugin versions <= 1.5.5. Solution: Update the WordPress HT Mega plugin to the latest available version, at least 1.5.7...
Jenkins trust management vulnerability
Jenkins is an open source automation server that provides hundreds of plugins to support building, deploying and automating any project. Jenkins Core/Plugins contains a trust management vulnerability that an attacker can use to exploit multiple...
Flaws in Two Popular WordPress Plugins Affect Over 7 Million Websites
Researchers have disclosed vulnerabilities in multiple WordPress plugins that, if successfully exploited, could allow an attacker to run arbitrary code and take over a website in certain scenarios. The flaws were uncovered in Elementor, a website builder plugin used on more than seven million...
WordPress Under Construction, Coming Soon, And Maintenance Mode 1.1.1 SSRF / XSS
There are SSRF and reflected XSS (RXSS) vulnerabilities in the WordPress plugin Under Construction, Coming Soon & Maintenance Mode version 1.1.1. Both vulnerabilities are fixed in version 1.1.2: https://wordpress.org/plugins/under-construction-maintenance-mode/developers 1 SSRF Here is the relevant code from fil...
Discount Rules for WooCommerce Plugin for WordPress < 2.1.0 Multiple Vulnerabilities
The WordPress Discount Rules for WooCommerce Plugin installed on the remote host is affected by SQL injection and unauthenticated stored Cross-Site Scripting (XSS) vulnerabilities. Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported...
Advertising Plugin for WordPress Threatens Full Site Takeovers
The Adning Advertising plugin for WordPress, a premium plugin with over 8,000 customers, contains a critical remote code-execution vulnerability with the potential to be exploited by unauthenticated attackers. The plugin’s author, Tunafish, has rolled out a patched version, 1.5.6, which site...
Cross-site scripting
Multiple cross-site scripting (XSS) vulnerabilities in test-plugin.php in the Swipe Checkout for WP e-Commerce plugin 3.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) apikey, (2) paymentpageurl, (3) merchantid, (4) apiurl, or (5) currency parameter...