Vulnerabilities

DATE CVE VULNERABILITY TITLE RISK
2024-01-29 CVE-2023-6389 Open Redirect vulnerability in Abhinavsingh Wordpress Toolbar 2.2.6
  The WordPress Toolbar WordPress plugin through 2.2.6 redirects to any URL supplied in the "wptbto" parameter, without checking that the target belongs to the site.
  Attack vector: network; attack complexity: low; vendor: abhinavsingh; CWE-601; risk score: 6.1
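The open-redirect pattern behind CVE-2023-6389, shown as an added illustration that is not the WordPress Toolbar plugin's own code: the parameter name wptbto is taken from the advisory, the wptb_redirect_* function names and the partner host are hypothetical, and wp_redirect(), wp_safe_redirect(), wp_validate_redirect() and the allowed_redirect_hosts filter are standard WordPress API.

```php
<?php
// Added example, not the plugin's code. "wptbto" is the parameter named in the
// advisory; wptb_redirect_* are hypothetical function names.

// VULNERABLE PATTERN: whatever arrives in ?wptbto= goes straight to wp_redirect().
// A link such as https://victim.example/?wptbto=https://phish.example/ therefore
// bounces the visitor to an attacker-chosen host under the victim site's name.
function wptb_redirect_vulnerable() {
    if ( ! empty( $_GET['wptbto'] ) ) {
        wp_redirect( wp_unslash( $_GET['wptbto'] ) );   // no host or scheme validation
        exit;
    }
}

// HARDENED PATTERN: wp_validate_redirect() keeps only http/https targets whose host
// is the site's own (or one added through the allowed_redirect_hosts filter) and
// returns the fallback for everything else, including scheme-relative "//host" and
// javascript:/data: targets. wp_safe_redirect() applies the same validation with
// admin_url() as its fallback; validating first lets us choose our own fallback.
function wptb_redirect_hardened() {
    if ( empty( $_GET['wptbto'] ) ) {
        return;
    }
    $requested = wp_unslash( $_GET['wptbto'] );
    $target    = wp_validate_redirect( $requested, home_url( '/' ) );
    wp_safe_redirect( $target );
    exit;
}
add_action( 'template_redirect', 'wptb_redirect_hardened' );

// If the toolbar genuinely has to send users to an external partner, allowlist that
// host explicitly rather than falling back to the unvalidated wp_redirect().
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    $hosts[] = 'partner.example';   // hypothetical partner host
    return $hosts;
} );
```

A quick audit check for this class is to grep a plugin for wp_redirect( and header( 'Location: and confirm that every argument is either a constant, the result of wp_validate_redirect(), or built from admin_url()/home_url(); anything fed from $_GET, $_POST or $_SERVER['HTTP_REFERER'] is a candidate finding.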
2024-01-29 CVE-2023-6390 Cross-Site Request Forgery (CSRF) vulnerability in Jonathonkemp Wordpress Users 1.4.0
  The WordPress Users WordPress plugin through 1.4 has no CSRF check when updating its settings, so an attacker can make a logged-in admin change them via a CSRF attack.
  Attack vector: network; attack complexity: low; vendor: jonathonkemp; CWE-352; risk score: 8.8
2024-01-29 CVE-2023-6391 Cross-Site Request Forgery (CSRF) vulnerability in Jeremiahorem Custom User CSS 0.2
  The Custom User CSS WordPress plugin through 0.2 has no CSRF check when updating its settings, so an attacker can make a logged-in admin change them via a CSRF attack.
  Attack vector: network; attack complexity: low; vendor: jeremiahorem; CWE-352; risk score: 8.8
2024-01-29 CVE-2023-6503 Cross-Site Request Forgery (CSRF) vulnerability in Paulgriffinpetty WP Plugin Lister 2.1.0
  The WP Plugin Lister WordPress plugin through 2.1.0 has no CSRF check in some places and is also missing sanitisation and escaping, so an attacker can make a logged-in admin store XSS payloads via a CSRF attack.
  Attack vector: network; attack complexity: low; vendor: paulgriffinpetty; CWE-352; risk score: 5.4
2024-01-29 CVE-2023-6530 Cross-site Scripting vulnerability in Theme-Junkie TJ Shortcodes
  The TJ Shortcodes WordPress plugin through 0.1.3 does not validate and escape some of its shortcode attributes before outputting them back in the page or post where the shortcode is embedded, which allows users with the Contributor role and above to perform stored cross-site scripting attacks.
  Attack vector: network; attack complexity: low; vendor: theme-junkie; CWE-79; risk score: 5.4
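The shortcode-attribute sink behind CVE-2023-6530, as an added example that is not the TJ Shortcodes plugin's code: the [tj_button] shortcode, its attributes and the tj_button_* function names are hypothetical; shortcode_atts(), esc_url(), esc_attr(), esc_html() and add_shortcode() are WordPress API.

```php
<?php
// Added example, not the plugin's code. [tj_button] and its attributes are hypothetical.

// VULNERABLE PATTERN: attribute values are concatenated into HTML unescaped.
// A Contributor can save a post containing
//   [tj_button url='" onmouseover="alert(document.domain)' text="Click"]
// KSES strips dangerous HTML from a Contributor's post, but shortcode markup is
// plain text to it, so the payload survives and is rendered as HTML for every
// visitor and for the editor/admin who previews the post:
//   <a href="" onmouseover="alert(document.domain)" class="btn">Click</a>
function tj_button_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '#', 'text' => 'Click', 'class' => 'btn' ),
        $atts,
        'tj_button'
    );
    return '<a href="' . $atts['url'] . '" class="' . $atts['class'] . '">' . $atts['text'] . '</a>';
}

// HARDENED PATTERN: each attribute is escaped for the exact context it lands in.
//   esc_url()  for the href (also drops javascript:/data: schemes)
//   esc_attr() for attribute values (encodes the quote that breaks out above)
//   esc_html() for element text
// shortcode_atts() additionally discards attributes not in the defaults array,
// so an attacker cannot smuggle in an unexpected one.
function tj_button_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '#', 'text' => 'Click', 'class' => 'btn' ),
        $atts,
        'tj_button'
    );
    return sprintf(
        '<a href="%s" class="%s">%s</a>',
        esc_url( $atts['url'] ),
        esc_attr( $atts['class'] ),
        esc_html( $atts['text'] )
    );
}
add_shortcode( 'tj_button', 'tj_button_hardened' );
```

The hardened version renders the same payload as href="" class="btn" with the rest of the injected string sitting harmlessly inside the quoted attribute value, which is the behaviour to verify when testing a fix: save the payload as a Contributor, then view the post as an administrator and inspect the rendered source.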
2024-01-29 CVE-2023-6633 Cross-Site Request Forgery (CSRF) vulnerability in Sidenotesproject Side Notes 2.0.0
  The Site Notes WordPress plugin through 2.0.0 has no CSRF checks in some of its functionality, so an attacker can make logged-in users perform unwanted actions, such as deleting administration notes, via CSRF attacks.
  Attack vector: network; attack complexity: low; vendor: sidenotesproject; CWE-352; risk score: 4.3
2024-01-29 CVE-2023-6946 Cross-Site Request Forgery (CSRF) vulnerability in Unalignedcode Autotitle 1.0.3
  The Autotitle for WordPress plugin through 1.0.3 has no CSRF check when updating its settings, so an attacker can make a logged-in admin change them via a CSRF attack.
  Attack vector: network; attack complexity: low; vendor: unalignedcode; CWE-352; risk score: 8.8
2024-01-29 CVE-2023-7074 Cross-Site Request Forgery (CSRF) vulnerability in Giovambattistafazioli WP Social Bookmark Menu 1.2
  The WP SOCIAL BOOKMARK MENU WordPress plugin through 1.2 has no CSRF check when updating its settings, so an attacker can make a logged-in admin change them via a CSRF attack.
  Attack vector: network; attack complexity: low; vendor: giovambattistafazioli; CWE-352; risk score: 8.8
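The missing-CSRF-check pattern shared by CVE-2023-6390, CVE-2023-6391, CVE-2023-6503, CVE-2023-6633, CVE-2023-6946 and CVE-2023-7074, as an added example that is not code from any of those plugins: the option name myplugin_settings, the admin-post action myplugin_save, the nonce action/field names and the myplugin_* function names are hypothetical; wp_nonce_field(), check_admin_referer(), current_user_can(), update_option(), sanitize_text_field() and esc_url_raw() are WordPress API.

```php
<?php
// Added example, not any listed plugin's code. myplugin_* names are hypothetical.

// VULNERABLE PATTERN: the handler trusts any POST that reaches it. A page on
// attacker.example can auto-submit a form to admin-post.php?action=myplugin_save
// while an admin is logged in; the browser attaches the admin's cookies and the
// settings change without the admin doing anything. Because nothing is sanitised,
// a value like <script src=//attacker.example/x.js></script> that is later echoed
// unescaped becomes stored XSS as well (the CVE-2023-6503 combination).
function myplugin_save_vulnerable() {
    update_option( 'myplugin_settings', array(
        'title' => $_POST['title'],
        'url'   => $_POST['url'],
    ) );
    wp_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}

// HARDENED PATTERN
function myplugin_save_hardened() {
    // 1. Authorisation: only users allowed to manage options may save them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the request must carry a nonce tied to this action and this user.
    //    A cross-site form cannot obtain one; check_admin_referer() dies if it is
    //    missing or invalid.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    // 3. Sanitise on input (and escape again on output, see the form below).
    $settings = array(
        'title' => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'url'   => esc_url_raw( wp_unslash( $_POST['url'] ?? '' ) ),
    );
    update_option( 'myplugin_settings', $settings );

    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin&updated=1' ) );
    exit;
}
add_action( 'admin_post_myplugin_save', 'myplugin_save_hardened' );

// The settings form must emit the matching nonce field; without it the hardened
// handler rejects even the legitimate save, which is how you notice a missed form.
function myplugin_settings_form() {
    $s = get_option( 'myplugin_settings', array( 'title' => '', 'url' => '' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <input type="text" name="title" value="<?php echo esc_attr( $s['title'] ); ?>">
        <input type="url"  name="url"   value="<?php echo esc_attr( $s['url'] ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

The same three checks apply to non-settings actions such as the note deletion in CVE-2023-6633: build the link with wp_nonce_url() and verify it with check_admin_referer() in the handler, or use check_ajax_referer() for admin-ajax.php endpoints. A nonce alone is not an authorisation check, and a capability check alone does not stop CSRF; a handler needs both.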
2024-01-29 CVE-2023-7089 Cross-site Scripting vulnerability in Benjaminzekavica Easy SVG Support 1.0
  The Easy SVG Allow WordPress plugin through 1.0 does not sanitise uploaded SVG files, so users with a role as low as Author can upload a malicious SVG containing XSS payloads.
  Attack vector: network; attack complexity: low; vendor: benjaminzekavica; CWE-79; risk score: 5.4
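The unsanitised-SVG-upload class behind CVE-2023-7089, as an added example that is not the Easy SVG plugin's code: it shows the MIME allowlisting a plugin of this kind performs alongside a reject-only gate that a hardened plugin would add. The svg_reject_reason() function and its banned-element list are hypothetical choices of this example; upload_mimes and wp_handle_upload_prefilter are standard WordPress filters, and DOMDocument is PHP's bundled XML parser.

```php
<?php
// Added example, not the plugin's code. svg_reject_reason() is a hypothetical helper.

// Step 1 (what such a plugin exists to do): let image/svg+xml through the MIME allowlist.
// On its own this is the vulnerability: an Author can upload <svg onload="..."> and
// any visitor who opens the media URL directly runs it in the site's origin.
add_filter( 'upload_mimes', function ( $mimes ) {
    $mimes['svg'] = 'image/svg+xml';
    return $mimes;
} );

// Step 2 (hardening): gate every SVG before WordPress moves it into the library.
// Returning $file with an 'error' key aborts the upload with that message.
add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
    $ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( 'svg' !== $ext && 'image/svg+xml' !== $file['type'] ) {
        return $file;
    }
    // Only roles that may already publish raw HTML get to upload a document type the
    // browser will execute; Authors and Contributors do not hold unfiltered_html.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $file['error'] = 'SVG uploads require the unfiltered_html capability.';
        return $file;
    }
    $reason = svg_reject_reason( (string) file_get_contents( $file['tmp_name'] ) );
    if ( null !== $reason ) {
        $file['error'] = 'SVG rejected: ' . $reason;
    }
    return $file;
} );

// Returns null for an inert-looking SVG, otherwise the reason to reject it.
// Deliberately conservative and reject-only; a real sanitiser rewrites the file
// instead (the Safe SVG plugin, for example, wraps the enshrined/svg-sanitize library).
function svg_reject_reason( $xml ) {
    $dom  = new DOMDocument();
    $prev = libxml_use_internal_errors( true );
    $ok   = $dom->loadXML( $xml, LIBXML_NONET );   // never fetch external resources
    libxml_use_internal_errors( $prev );
    if ( ! $ok ) {
        return 'not well-formed XML';
    }
    if ( null !== $dom->doctype ) {
        return 'DOCTYPE not allowed';             // also shuts the door on entity (XXE) tricks
    }
    // <set>/<animate> are banned because they can rewrite an href to javascript: at runtime.
    $banned = array( 'script', 'foreignobject', 'iframe', 'object', 'embed', 'set', 'animate' );
    foreach ( $dom->getElementsByTagName( '*' ) as $el ) {
        $tag = strtolower( $el->localName );
        if ( in_array( $tag, $banned, true ) ) {
            return "element <$tag>";
        }
        foreach ( $el->attributes as $attr ) {
            $name = strtolower( $attr->localName );      // xlink:href and href both give "href"
            // Strip control characters and whitespace so "java\nscript:" does not slip past.
            $value = strtolower( preg_replace( '/[\x00-\x20]/', '', $attr->value ) );
            if ( 0 === strpos( $name, 'on' ) ) {
                return "event handler attribute $name";
            }
            if ( in_array( $name, array( 'href', 'src' ), true )
                 && preg_match( '/^(javascript|vbscript|data):/', $value ) ) {
                return "unsafe URL in $name";
            }
        }
    }
    return null;
}
```

Two caveats a reviewer would raise: the gate blocks data: URLs entirely, which also rejects SVGs that legitimately embed a base64 raster image, and it does not inspect CSS inside style elements or attributes. The risk being mitigated is a visitor opening the uploaded file's URL directly, where the browser treats the SVG as a full document; the same file referenced from an img element does not run script.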
2024-01-29 CVE-2023-7199 Authorization Bypass Through User-Controlled Key vulnerability in Relevanssi
  The Relevanssi WordPress plugin before 4.22.0 and Relevanssi Premium before 2.25.0 allow any unauthenticated user to read draft and private posts via a crafted request.
  Attack vector: network; attack complexity: low; vendor: relevanssi; CWE-639; risk score: 5.3
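The access-control failure class behind CVE-2023-7199, as an added example that is not Relevanssi's code and does not reproduce the crafted request from the advisory: a search endpoint that lets the caller steer which post statuses are queried, beside one that decides the status list server-side and re-checks each result. The REST route myplugin/v1/search and the search_* function names are hypothetical; WP_Query, register_rest_route(), is_post_publicly_viewable() (WordPress 5.7 and later) and the read_post meta capability are WordPress API.

```php
<?php
// Added example, not Relevanssi's code. Route and function names are hypothetical.

// VULNERABLE PATTERN: the caller picks post_status. An unauthenticated request with
// post_status=draft (or private, pending, future) returns titles and links for
// content that has never been published.
function search_vulnerable( WP_REST_Request $req ) {
    $q = new WP_Query( array(
        's'              => $req->get_param( 's' ),
        'post_status'    => $req->get_param( 'post_status' ) ?: 'publish',   // attacker-controlled
        'posts_per_page' => 20,
    ) );
    return array_map( 'search_result_row', $q->posts );
}

// HARDENED PATTERN: the status list is fixed by the server, never read from the
// request, and every row is checked against the capability system before it
// leaves the endpoint.
function search_hardened( WP_REST_Request $req ) {
    $q = new WP_Query( array(
        's'              => sanitize_text_field( (string) $req->get_param( 's' ) ),
        'post_status'    => 'publish',          // anonymous callers see published posts only
        'posts_per_page' => 20,
    ) );
    $rows = array();
    foreach ( $q->posts as $post ) {
        // Defence in depth: even if a filter widens the status list later, a row is
        // returned only if it is publicly viewable or the current user may read it.
        // read_post maps to read_private_posts for private posts and to edit_post for
        // drafts, so an anonymous caller fails both checks for unpublished content.
        if ( is_post_publicly_viewable( $post ) || current_user_can( 'read_post', $post->ID ) ) {
            $rows[] = search_result_row( $post );
        }
    }
    return $rows;
}

function search_result_row( WP_Post $post ) {
    return array(
        'id'    => $post->ID,
        'title' => get_the_title( $post ),
        'link'  => get_permalink( $post ),
    );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/search', array(
        'methods'             => 'GET',
        'callback'            => 'search_hardened',
        'permission_callback' => '__return_true',   // public endpoint by design; rows are filtered above
        'args'                => array(
            's' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

When reviewing a search or listing feature for this class, look for any place where post_status, post__in, author or a similar selector is copied from the request into WP_Query or raw SQL, and for result loops that emit excerpts or titles without a per-post read_post check; the second check matters because a status list widened by a filter or a premium add-on silently reintroduces the leak.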