Filtered by vendor Wordpress
Subscriptions
Total
640 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-35746 | 2 Buddypress Cover Project, Wordpress | 2 Buddypress Cover, Buddypress Cover | 2024-11-21 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Asghar Hatampoor BuddyPress Cover allows Code Injection.This issue affects BuddyPress Cover: from n/a through 2.1.4.2. | ||||
| CVE-2024-33688 | 1 Wordpress | 1 Teluro Theme | 2024-11-21 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Extend Themes Teluro.This issue affects Teluro: from n/a through 1.0.31. | ||||
| CVE-2024-33682 | 1 Wordpress | 1 Gdpr Compliance | 2024-11-21 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Cookie Information A/S WP GDPR Compliance.This issue affects WP GDPR Compliance: from n/a through 2.0.23. | ||||
| CVE-2024-33585 | 1 Wordpress | 1 Payment Gateway Based Fees And Discounts For Woocommerce | 2024-11-21 | 4.3 Medium |
| Missing Authorization vulnerability in Tyche Softwares Payment Gateway Based Fees and Discounts for WooCommerce.This issue affects Payment Gateway Based Fees and Discounts for WooCommerce: from n/a through 2.12.1. | ||||
| CVE-2024-33576 | 1 Wordpress | 1 Wppizza | 2024-11-21 | 6.5 Medium |
| Missing Authorization vulnerability in Ollybach WPPizza.This issue affects WPPizza: from n/a through 3.18.10. | ||||
| CVE-2024-33566 | 1 Wordpress | 1 Orderconvo | 2024-11-21 | 10 Critical |
| Missing Authorization vulnerability in N-Media OrderConvo allows OS Command Injection.This issue affects OrderConvo: from n/a through 12.4. | ||||
| CVE-2024-32835 | 1 Wordpress | 1 Import Export Wordpress Users | 2024-11-21 | 5.4 Medium |
| Deserialization of Untrusted Data vulnerability in WebToffee Import Export WordPress Users.This issue affects Import Export WordPress Users: from n/a through 2.5.3. | ||||
| CVE-2024-32822 | 1 Wordpress | 1 Reviews Plus | 2024-11-21 | 4.3 Medium |
| Missing Authorization vulnerability in impleCode Reviews Plus.This issue affects Reviews Plus: from n/a through 1.3.4. | ||||
| CVE-2024-32801 | 1 Wordpress | 1 Widget Post Slider | 2024-11-21 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ShapedPlugin Widget Post Slider allows Stored XSS.This issue affects Widget Post Slider: from n/a through 1.3.5. | ||||
| CVE-2024-32789 | 1 Wordpress | 1 Seers Plugin | 2024-11-21 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Seers allows Cross-Site Scripting (XSS).This issue affects Seers: from n/a through 8.1.0. | ||||
| CVE-2024-32781 | 1 Wordpress | 1 Email Customizer For Woocommerce | 2024-11-21 | 7.5 High |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ThemeHigh Email Customizer for WooCommerce.This issue affects Email Customizer for WooCommerce: from n/a through 2.6.0. | ||||
| CVE-2024-32604 | 1 Wordpress | 1 Adserve | 2024-11-21 | 4.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Plechev Andrey WP-Recall.This issue affects WP-Recall: from n/a through 16.26.5. | ||||
| CVE-2024-32601 | 1 Wordpress | 1 Popup Anything | 2024-11-21 | 5.3 Medium |
| Missing Authorization vulnerability in WP OnlineSupport, Essential Plugin Popup Anything.This issue affects Popup Anything: from n/a through 2.8. | ||||
| CVE-2024-31292 | 1 Wordpress | 1 Import Xml And Rss Feeds Plugin | 2024-11-21 | 7.2 High |
| Unrestricted Upload of File with Dangerous Type vulnerability in Moove Agency Import XML and RSS Feeds.This issue affects Import XML and RSS Feeds: from n/a through 2.1.5. | ||||
| CVE-2024-31210 | 1 Wordpress | 1 Wordpress-develop | 2024-11-21 | 7.7 High |
| WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plugins -> Add New -> Upload Plugin screen in WordPress. If FTP credentials are requested for installation (in order to move the file into place outside of the `uploads` directory) then the uploaded file remains temporary available in the Media Library despite it not being allowed. If the `DISALLOW_FILE_EDIT` constant is set to `true` on the site _and_ FTP credentials are required when uploading a new theme or plugin, then this technically allows an RCE when the user would otherwise have no means of executing arbitrary PHP code. This issue _only_ affects Administrator level users on single site installations, and Super Admin level users on Multisite installations where it's otherwise expected that the user does not have permission to upload or execute arbitrary PHP code. Lower level users are not affected. Sites where the `DISALLOW_FILE_MODS` constant is set to `true` are not affected. Sites where an administrative user either does not need to enter FTP credentials or they have access to the valid FTP credentials, are not affected. The issue was fixed in WordPress 6.4.3 on January 30, 2024 and backported to versions 6.3.3, 6.2.4, 6.1.5, 6.0.7, 5.9.9, 5.8.9, 5.7.11, 5.6.13, 5.5.14, 5.4.15, 5.3.17, 5.2.20, 5.1.18, 5.0.21, 4.9.25, 2.8.24, 4.7.28, 4.6.28, 4.5.31, 4.4.32, 4.3.33, 4.2.37, and 4.1.40. A workaround is available. If the `DISALLOW_FILE_MODS` constant is defined as `true` then it will not be possible for any user to upload a plugin and therefore this issue will not be exploitable. | ||||
| CVE-2023-5561 | 1 Wordpress | 1 Wordpress | 2024-11-21 | 5.3 Medium |
| WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack | ||||
| CVE-2023-51471 | 1 Wordpress | 1 Checkout Mestres | 2024-11-21 | 8.2 High |
| Improper Authentication vulnerability in Mestres do WP Checkout Mestres WP allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Checkout Mestres WP: from n/a through 7.1.9.7. | ||||
| CVE-2023-39999 | 2 Fedoraproject, Wordpress | 2 Fedora, Wordpress | 2024-11-21 | 4.3 Medium |
| Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5 through 4.5.29, from 4.4 through 4.4.30, from 4.3 through 4.3.31, from 4.2 through 4.2.35, from 4.1 through 4.1.38. | ||||
| CVE-2023-38000 | 1 Wordpress | 2 Gutenberg, Wordpress | 2024-11-21 | 6.5 Medium |
| Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin <= 16.8.0 versions. | ||||
| CVE-2023-2745 | 1 Wordpress | 1 Wordpress | 2024-11-21 | 5.4 Medium |
| WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack. | ||||