Total
277570 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-1924 | 1 Wpfastestcache | 1 Wp Fastest Cache | 2025-01-13 | 4.3 Medium |
| The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the wpfc_toolbar_save_settings_callback function. This makes it possible for unauthenticated attackers to change cache settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-1925 | 1 Wpfastestcache | 1 Wp Fastest Cache | 2025-01-13 | 4.3 Medium |
| The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the wpfc_clear_cache_of_allsites_callback function. This makes it possible for unauthenticated attackers to clear caches via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-1926 | 1 Wpfastestcache | 1 Wp Fastest Cache | 2025-01-13 | 4.3 Medium |
| The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the deleteCacheToolbar function. This makes it possible for unauthenticated attackers to perform cache deletion via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-1927 | 1 Wpfastestcache | 1 Wp Fastest Cache | 2025-01-13 | 4.3 Medium |
| The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the deleteCssAndJsCacheToolbar function. This makes it possible for unauthenticated attackers to perform cache deletion via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-1931 | 1 Wpfastestcache | 1 Wp Fastest Cache | 2025-01-13 | 4.3 Medium |
| The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the deleteCssAndJsCacheToolbar function in versions up to, and including, 1.1.2. This makes it possible for authenticated attackers with subscriber-level access to perform cache deletion. | ||||
| CVE-2023-1930 | 1 Wpfastestcache | 1 Wp Fastest Cache | 2025-01-13 | 4.3 Medium |
| The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the wpfc_clear_cache_of_allsites_callback function in versions up to, and including, 1.1.2. This makes it possible for authenticated attackers with subscriber-level access to delete caches. | ||||
| CVE-2023-1929 | 1 Wpfastestcache | 1 Wp Fastest Cache | 2025-01-13 | 4.3 Medium |
| The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the wpfc_purgecache_varnish_callback function in versions up to, and including, 1.1.2. This makes it possible for authenticated attackers with subscriber-level access to purge the varnish cache. | ||||
| CVE-2023-1928 | 1 Wpfastestcache | 1 Wp Fastest Cache | 2025-01-13 | 4.3 Medium |
| The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the wpfc_preload_single_callback function in versions up to, and including, 1.1.2. This makes it possible for authenticated attackers with subscriber-level access to initiate cache creation. | ||||
| CVE-2023-1874 | 1 Wpdataaccess | 1 Wp Data Access | 2025-01-13 | 7.5 High |
| The WP Data Access plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.3.7. This is due to a lack of authorization checks on the multiple_roles_update function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wpda_role[]' parameter during a profile update. This requires the 'Enable role management' setting to be enabled for the site. | ||||
| CVE-2023-2027 | 1 Zm Ajax Login \& Register Project | 1 Zm Ajax Login \& Register | 2025-01-13 | 9.8 Critical |
| The ZM Ajax Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.2. This is due to insufficient verification on the user being supplied during a Facebook login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username. | ||||
| CVE-2023-2119 | 1 I13websolution | 1 Responsive Filterable Portfolio | 2025-01-13 | 6.1 Medium |
| The Responsive Filterable Portfolio plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the search_term parameter in versions up to, and including, 1.0.19 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2023-2120 | 1 I13websolution | 1 Thumbnail Carousel Slider | 2025-01-13 | 6.1 Medium |
| The Thumbnail carousel slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the search_term parameter in versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2023-2168 | 1 Taxopress | 1 Taxopress | 2025-01-13 | 5.5 Medium |
| The TaxoPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Suggest Terms Title field in versions up to, and including, 3.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Editor+ permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2023-2169 | 1 Taxopress | 1 Taxopress | 2025-01-13 | 5.5 Medium |
| The TaxoPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Related Posts functionality in versions up to, and including, 3.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Editor+ permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2023-2170 | 1 Taxopress | 1 Taxopress | 2025-01-13 | 5.5 Medium |
| The TaxoPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Related Posts functionality in versions up to, and including, 3.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Editor+ permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2023-2297 | 1 Cozmoslabs | 1 Profile Builder | 2025-01-13 | 9.8 Critical |
| The Profile Builder – User Profile & User Registration Forms plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 3.9.0. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset function (wppb_front_end_password_recovery). The function uses the plaintext value of a password reset key instead of a hashed value which means it can easily be retrieved and subsequently used. An attacker can leverage CVE-2023-0814, or another vulnerability like SQL Injection in another plugin or theme installed on the site to successfully exploit this vulnerability. | ||||
| CVE-2022-4537 | 1 Wpplugins | 1 Hide My Wp Ghost | 2025-01-13 | 6.5 Medium |
| The Hide My WP Ghost – Security Plugin plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.0.18. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address from logging in. | ||||
| CVE-2023-29101 | 1 Muffingroup | 1 Betheme | 2025-01-13 | 7.1 High |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Muffingroup Betheme theme <= 26.7.5 versions. | ||||
| CVE-2023-2499 | 1 Metagauss | 1 Registrationmagic | 2025-01-13 | 9.8 Critical |
| The RegistrationMagic plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.2.1.0. This is due to insufficient verification on the user being supplied during a Google social login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. | ||||
| CVE-2023-2548 | 1 Metagauss | 1 Registrationmagic | 2025-01-13 | 6.6 Medium |
| The RegistrationMagic plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 5.2.0.5. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers, with administrator-level permissions and above, to change user passwords and potentially take over super-administrator accounts in multisite setup. | ||||