Filtered by vendor Automattic
Subscriptions
Total
59 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2016-10763 | 1 Automattic | 1 Camptix Event Ticketing | 2024-08-06 | N/A |
| The CampTix Event Ticketing plugin before 1.5 for WordPress allows XSS in the admin section via a ticket title or body. | ||||
| CVE-2017-20086 | 1 Automattic | 1 Vaultpress | 2024-08-05 | 6.3 Medium |
| A vulnerability, which was classified as critical, was found in VaultPress Plugin 1.8.4. This affects an unknown part. The manipulation leads to code injection. It is possible to initiate the attack remotely. | ||||
| CVE-2017-18356 | 1 Automattic | 1 Woocommerce | 2024-08-05 | N/A |
| In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attack is possible after gaining access to the target site with a user account that has at least Shop manager privileges. The attacker then constructs a specifically crafted string that will turn into a PHP object injection involving the includes/shortcodes/class-wc-shortcode-products.php WC_Shortcode_Products::get_products() use of cached queries within shortcodes. | ||||
| CVE-2017-17058 | 1 Automattic | 1 Woocommerce | 2024-08-05 | 7.5 High |
| The WooCommerce plugin through 3.x for WordPress has a Directory Traversal Vulnerability via a /wp-content/plugins/woocommerce/templates/emails/plain/ URI, which accesses a parent directory. NOTE: a software maintainer indicates that Directory Traversal is not possible because all of the template files have "if (!defined('ABSPATH')) {exit;}" code | ||||
| CVE-2020-8215 | 1 Automattic | 1 Canvas | 2024-08-04 | 8.8 High |
| A buffer overflow is present in canvas version <= 1.6.9, which could lead to a Denial of Service or execution of arbitrary code when it processes a user-provided image. | ||||
| CVE-2021-32789 | 1 Automattic | 1 Woocommerce Blocks | 2024-08-03 | 7.5 High |
| woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16. Via a carefully crafted URL, an exploit can be executed against the `wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]` endpoint that allows the execution of a read only sql query. There are patches for many versions of this package, starting with version 2.5.16. There are no known workarounds aside from upgrading. | ||||
| CVE-2021-24374 | 1 Automattic | 1 Jetpack | 2024-08-03 | 5.3 Medium |
| The Jetpack Carousel module of the JetPack WordPress plugin before 9.8 allows users to create a "carousel" type image gallery and allows users to comment on the images. A security vulnerability was found within the Jetpack Carousel module by nguyenhg_vcs that allowed the comments of non-published page/posts to be leaked. | ||||
| CVE-2021-24329 | 1 Automattic | 1 Wp Super Cache | 2024-08-03 | 5.4 Medium |
| The WP Super Cache WordPress plugin before 1.7.3 did not properly sanitise its wp_cache_location parameter in its settings, which could lead to a Stored Cross-Site Scripting issue. | ||||
| CVE-2021-24312 | 1 Automattic | 1 Wp Super Cache | 2024-08-03 | 7.2 High |
| The parameters $cache_path, $wp_cache_debug_ip, $wp_super_cache_front_page_text, $cache_scheduled_time, $cached_direct_pages used in the settings of WP Super Cache WordPress plugin before 1.7.3 result in RCE because they allow input of '$' and '\n'. This is due to an incomplete fix of CVE-2021-24209. | ||||
| CVE-2021-24209 | 1 Automattic | 1 Wp Super Cache | 2024-08-03 | 7.2 High |
| The WP Super Cache WordPress plugin before 1.7.2 was affected by an authenticated (admin+) RCE in the settings page due to input validation failure and weak $cache_path check in the WP Super Cache Settings -> Cache Location option. Direct access to the wp-cache-config.php file is not prohibited, so this vulnerability can be exploited for a web shell injection. | ||||
| CVE-2022-4497 | 1 Automattic | 1 Jetpack Crm | 2024-08-03 | 5.4 Medium |
| The Jetpack CRM WordPress plugin before 5.5 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins | ||||
| CVE-2022-3919 | 1 Automattic | 1 Jetpack Crm | 2024-08-03 | 4.8 Medium |
| The Jetpack CRM WordPress plugin before 5.4.3 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||||
| CVE-2022-2386 | 1 Automattic | 1 Crowdsignal Dashboard | 2024-08-03 | 6.1 Medium |
| The Crowdsignal Dashboard WordPress plugin before 3.0.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting | ||||
| CVE-2022-2080 | 1 Automattic | 1 Sensei Lms | 2024-08-03 | 4.3 Medium |
| The Sensei LMS WordPress plugin before 4.5.2 does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversation via a IDOR attack. Note: Attackers are not able to see responses/messages between the teacher and student | ||||
| CVE-2022-2034 | 1 Automattic | 1 Sensei Lms | 2024-08-03 | 5.3 Medium |
| The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set in one of its REST endpoint, allowing unauthenticated users to access private messages sent to teachers | ||||
| CVE-2023-52211 | 1 Automattic | 1 Wp Job Manager | 2024-08-02 | 5.3 Medium |
| Missing Authorization vulnerability in Automattic WP Job Manager.This issue affects WP Job Manager: from n/a through 2.0.0. | ||||
| CVE-2023-51488 | 1 Automattic | 1 Crowdsignal Dashboard | 2024-08-02 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic, Inc. Crowdsignal Dashboard – Polls, Surveys & more allows Reflected XSS.This issue affects Crowdsignal Dashboard – Polls, Surveys & more: from n/a through 3.0.11. | ||||
| CVE-2023-50875 | 1 Automattic | 1 Sensei Lms | 2024-08-02 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic Sensei LMS – Online Courses, Quizzes, & Learning allows Stored XSS.This issue affects Sensei LMS – Online Courses, Quizzes, & Learning: from n/a through 4.17.0. | ||||
| CVE-2023-50879 | 1 Automattic | 1 Wordpress.com Editing Toolkit | 2024-08-02 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WordPress.Com Editing Toolkit allows Stored XSS.This issue affects WordPress.Com Editing Toolkit: from n/a through 3.78784. | ||||
| CVE-2023-49828 | 1 Automattic | 1 Woopayments | 2024-08-02 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo allows Stored XSS.This issue affects WooPayments – Fully Integrated Solution Built and Supported by Woo: from n/a through 6.4.2. | ||||