Vulnerabilities > Automattic
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-04-12 | CVE-2023-28121 | Improper Authentication vulnerability in Automattic Woocommerce Payments. An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. | 9.8 |
2023-01-09 | CVE-2022-4497 | Cross-site Scripting vulnerability in Automattic Jetpack CRM. The Jetpack CRM WordPress plugin before 5.5 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. | 5.4 |
2022-12-12 | CVE-2022-3919 | Cross-site Scripting vulnerability in Automattic Jetpack CRM. The Jetpack CRM WordPress plugin before 5.4.3 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 4.8 |
2022-11-17 | CVE-2022-45069 | Improper Privilege Management vulnerability in Automattic Crowdsignal Dashboard Auth. | 8.8 |
2022-06-23 | CVE-2017-20086 | Code Injection vulnerability in Automattic Vaultpress 1.8.4. A vulnerability, which was classified as critical, was found in VaultPress Plugin 1.8.4. | 6.0 |
2021-07-26 | CVE-2021-32789 | SQL Injection vulnerability in Automattic Woocommerce Blocks. woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. | 5.0 |
2021-06-21 | CVE-2021-24374 | Authorization Bypass Through User-Controlled Key vulnerability in Automattic Jetpack. The Jetpack Carousel module of the Jetpack WordPress plugin before 9.8 allows users to create a "carousel" type image gallery and allows users to comment on the images. | 5.3 |
2021-06-01 | CVE-2021-24312 | OS Command Injection vulnerability in Automattic WP Super Cache. The parameters $cache_path, $wp_cache_debug_ip, $wp_super_cache_front_page_text, $cache_scheduled_time, $cached_direct_pages used in the settings of WP Super Cache WordPress plugin before 1.7.3 result in RCE because they allow input of '$' and '\n'. | 6.5 |
2021-06-01 | CVE-2021-24329 | Cross-site Scripting vulnerability in Automattic WP Super Cache. The WP Super Cache WordPress plugin before 1.7.3 did not properly sanitise its wp_cache_location parameter in its settings, which could lead to a Stored Cross-Site Scripting issue. | 3.5 |
2021-04-05 | CVE-2021-24209 | Improper Input Validation vulnerability in Automattic WP Super Cache. The WP Super Cache WordPress plugin before 1.7.2 was affected by an authenticated (admin+) RCE in the settings page due to input validation failure and weak $cache_path check in the WP Super Cache Settings -> Cache Location option. | 9.0 |