Vulnerabilities > Updraftplus
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-02-07 | CVE-2024-1037 | Cross-site Scripting vulnerability in Updraftplus All-In-One Security The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. | 6.1 |
| 2023-11-07 | CVE-2023-5982 | Cross-Site Request Forgery (CSRF) vulnerability in Updraftplus The UpdraftPlus: WordPress Backup & Migration Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.23.10. | 5.4 |
| 2023-08-17 | CVE-2023-26530 | Cross-site Scripting vulnerability in Updraftplus Updraft Unauth. | 6.1 |
| 2023-07-10 | CVE-2023-1119 | The WP-Optimize WordPress plugin before 3.2.13, SrbTransLatin WordPress plugin before 2.4.1 use a third-party library that removes the escaping on some HTML characters, leading to a cross-site scripting vulnerability. | 6.1 |
| 2023-06-22 | CVE-2023-32960 | Cross-Site Request Forgery (CSRF) vulnerability in Updraftplus Cross-Site Request Forgery (CSRF) vulnerability in UpdraftPlus.Com, DavidAnderson UpdraftPlus WordPress Backup Plugin <= 1.23.3 versions leads to sitewide Cross-Site Scripting (XSS). | 6.1 |
| 2023-04-10 | CVE-2023-0156 | Unspecified vulnerability in Updraftplus All-In-One Security The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not limit what log files to display in it's settings pages, allowing an authorized user (admin+) to view the contents of arbitrary files and list directories anywhere on the server (to which the web server has access). | 4.9 |
| 2023-04-10 | CVE-2023-0157 | Cross-site Scripting vulnerability in Updraftplus All-In-One Security The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not escape the content of log files before outputting it to the plugin admin page, allowing an authorized user (admin+) to plant bogus log files containing malicious JavaScript code that will be executed in the context of any administrator visiting this page. | 4.8 |
| 2023-01-23 | CVE-2022-4346 | Unspecified vulnerability in Updraftplus All-In-One Security The All-In-One Security (AIOS) WordPress plugin before 5.1.3 leaked settings of the plugin publicly, including the used email address. | 5.3 |
| 2022-12-12 | CVE-2022-4097 | Authorization Bypass Through User-Controlled Key vulnerability in Updraftplus All-In-One Security The All-In-One Security (AIOS) WordPress plugin before 5.0.8 is susceptible to IP Spoofing attacks, which can lead to bypassed security features (like IP blocks, rate limiting, brute force protection, and more). | 5.3 |
| 2022-04-04 | CVE-2022-0864 | Cross-site Scripting vulnerability in Updraftplus The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.22.9 does not sanitise and escape the updraft_interval parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting (XSS) vulnerability. | 6.1 |