» 2023 » 3월

CVE-2023-1087

Posted on 2023년 3월 28일2023년 3월 28일 by admin

CVE-2023-1087

The WC Sales Notification WordPress plugin before 1.2.3 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

Source: CVE-2023-1087

CVE-2023-1400

Posted on 2023년 3월 28일2023년 3월 28일 by admin

CVE-2023-1400

The Modern Events Calendar Lite WordPress plugin through 5.16.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Source: CVE-2023-1400

CVE-2023-1086

Posted on 2023년 3월 28일2023년 3월 28일 by admin

CVE-2023-1086

The Preview Link Generator WordPress plugin before 1.0.4 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

Source: CVE-2023-1086

CVE-2023-1069

Posted on 2023년 3월 28일2023년 3월 28일 by admin

CVE-2023-1069

The Complianz WordPress plugin before 6.4.2, Complianz Premium WordPress plugin before 6.4.2 do not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Source: CVE-2023-1069

CVE-2023-0501

Posted on 2023년 3월 28일2023년 3월 28일 by admin

CVE-2023-0501

The WP Insurance WordPress plugin before 2.1.4 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

Source: CVE-2023-0501

CVE-2023-0502

Posted on 2023년 3월 28일2023년 3월 28일 by admin

CVE-2023-0502

The WP News WordPress plugin through 1.1.9 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

Source: CVE-2023-0502

CVE-2023-0503

Posted on 2023년 3월 28일2023년 3월 28일 by admin

CVE-2023-0503

The Free WooCommerce Theme 99fy Extension WordPress plugin before 1.2.8 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

Source: CVE-2023-0503

CVE-2023-0441

Posted on 2023년 3월 28일2023년 3월 28일 by admin

CVE-2023-0441

The Gallery Blocks with Lightbox WordPress plugin before 3.0.8 has an AJAX endpoint that can be accessed by any authenticated users, such as subscriber. The callback function allows numerous actions, the most serious one being reading and updating the WordPress options which could be used to enable registration with a default administrator user role.

Source: CVE-2023-0441

CVE-2023-0335

Posted on 2023년 3월 28일2023년 3월 28일 by admin

CVE-2023-0335

The WP Shamsi WordPress plugin through 4.3.3 has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber delete attachment.

Source: CVE-2023-0335

CVE-2023-0491

Posted on 2023년 3월 28일2023년 3월 28일 by admin

CVE-2023-0491

The Schedulicity WordPress plugin through 2.21 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Source: CVE-2023-0491