CVE-2023-3182
The Membership WordPress plugin before 3.2.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Source: CVE-2023-3182
CVE-2023-31852
Cudy LT400 1.13.4 is vulnerable to Cross Site Scripting (XSS) in cgi-bin/luci/admin/network/wireless/config via the iface parameter.
Source: CVE-2023-31852
CVE-2023-35880
Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Brands plugin <=Â 1.6.49 versions.
Source: CVE-2023-35880
CVE-2023-2959
Authentication Bypass by Primary Weakness vulnerability in Oliva Expertise Oliva Expertise EKS allows Collect Data as Provided by Users.This issue affects Oliva Expertise EKS: before 1.2.
Source: CVE-2023-2959
CVE-2023-2963
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Oliva Expertise Oliva Expertise EKS allows SQL Injection.This issue affects Oliva Expertise EKS: before 1.2.
Source: CVE-2023-2963
CVE-2023-2960
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Oliva Expertise Oliva Expertise EKS allows Cross-Site Scripting (XSS).This issue affects Oliva Expertise EKS: before 1.2.
Source: CVE-2023-2960
CVE-2023-35038
Cross-Site Request Forgery (CSRF) vulnerability in wpexperts.Io WP PDF Generator plugin <=Â 1.2.2 versions.
Source: CVE-2023-35038
CVE-2023-0439
The NEX-Forms WordPress plugin before 8.4.4 does not escape its form name, which could lead to Stored Cross-Site Scripting issues. By default only SuperAdmins (in multisite) / admins (in single site) can create forms, however there is a settings allowing them to give lower roles access to such feature.
Source: CVE-2023-0439
CVE-2023-1893
The Login Configurator WordPress plugin through 2.1 does not properly escape a URL parameter before outputting it to the page, leading to a reflected cross-site scripting vulnerability targeting site administrators.
Source: CVE-2023-1893
CVE-2022-4023
The 3DPrint WordPress plugin before 3.5.6.9 does not protect against CSRF attacks in the modified version of Tiny File Manager included with the plugin, allowing an attacker to craft a malicious request that will create an archive of any files or directories on the target server by tricking a logged in admin into submitting a form. Furthermore the created archive has a predictable location and name, allowing the attacker to download the file if they know the time at which the form was submitted, making it possible to leak sensitive files like the WordPress configuration containing database credentials and secrets.
Source: CVE-2022-4023