Vulnerabilities > Automattic
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-12-12 | CVE-2022-3919 | Unspecified vulnerability in Automattic Jetpack CRM: The Jetpack CRM WordPress plugin before 5.4.3 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 4.8 |
2022-11-17 | CVE-2022-45069 | Unspecified vulnerability in Automattic Crowdsignal Dashboard: Auth. | 8.8 |
2022-08-29 | CVE-2022-2034 | Authorization Bypass Through User-Controlled Key vulnerability in Automattic Sensei LMS: The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set in one of its REST endpoints, allowing unauthenticated users to access private messages sent to teachers. | 5.3 |
2022-08-29 | CVE-2022-2080 | Authorization Bypass Through User-Controlled Key vulnerability in Automattic Sensei LMS: The Sensei LMS WordPress plugin before 4.5.2 does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversations via an IDOR attack. | 4.3 |
2022-08-08 | CVE-2022-2386 | Cross-site Scripting vulnerability in Automattic Crowdsignal Dashboard: The Crowdsignal Dashboard WordPress plugin before 3.0.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue. | 6.1 |
2022-06-23 | CVE-2017-20086 | Code Injection vulnerability in Automattic Vaultpress 1.8.4: A vulnerability, which was classified as critical, was found in VaultPress Plugin 1.8.4. | 7.5 |
2021-07-26 | CVE-2021-32789 | SQL Injection vulnerability in Automattic Woocommerce Blocks: woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. | 7.5 |
2021-06-21 | CVE-2021-24374 | Authorization Bypass Through User-Controlled Key vulnerability in Automattic Jetpack: The Jetpack Carousel module of the Jetpack WordPress plugin before 9.8 allows users to create a "carousel" type image gallery and allows users to comment on the images. | 5.3 |
2021-06-01 | CVE-2021-24312 | OS Command Injection vulnerability in Automattic WP Super Cache: The parameters $cache_path, $wp_cache_debug_ip, $wp_super_cache_front_page_text, $cache_scheduled_time, $cached_direct_pages used in the settings of WP Super Cache WordPress plugin before 1.7.3 result in RCE because they allow input of '$' and '\n'. | 7.2 |
2021-06-01 | CVE-2021-24329 | Cross-site Scripting vulnerability in Automattic WP Super Cache: The WP Super Cache WordPress plugin before 1.7.3 did not properly sanitise its wp_cache_location parameter in its settings, which could lead to a Stored Cross-Site Scripting issue. | 5.4 |