Details
Software: MapSVG Lite
Version: 3.2.3
Homepage: https://en-gb.wordpress.org/plugins/mapsvg-lite-interactive-vector-maps/
Advisory report: https://advisories.dxw.com/advisories/csrf-mapsvg-lite/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)
Details
Software: Redirection
Version: 2.7.1
Homepage: https://wordpress.org/plugins/redirection/
Advisory report: https://advisories.dxw.com/advisories/unserialization-redirection/
CVE: Awaiting assignment
CVSS: 9 (High; AV:N/AC:L/Au:S/C:C/I:C/A:C)
Description
Details
Software: Tooltipy (tooltips for WP)
Version: 5.0
Homepage: https://wordpress.org/plugins/bluet-keywords-tooltip-generator/
Advisory report: https://advisories.dxw.com/advisories/csrf-in-tooltipy/
CVE: Awaiting assignment
CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N)
Details
Software: Tooltipy (tooltips for WP)
Version: 5.0
Homepage: https://wordpress.org/plugins/bluet-keywords-tooltip-generator/
Advisory report: https://advisories.dxw.com/advisories/xss-in-tooltipy/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)
Details
Software: Redirection
Version: 2.7.3
Homepage: https://wordpress.org/plugins/redirection/
Advisory report: https://advisories.dxw.com/advisories/ace-file-inclusion-redirection/
CVE: Awaiting assignment
CVSS: 9 (High; AV:N/AC:L/Au:S/C:C/I:C/A:C)
Description
Details
Software: Metronet Tag Manager
Version: 1.2.7
Homepage: https://wordpress.org/plugins/metronet-tag-manager/
Advisory report: https://advisories.dxw.com/advisories/csrf-metronet-tag-manager/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)
Details
Software: WP ULike
Version: 2.8.1,3.1
Homepage: https://wordpress.org/plugins/wp-ulike/
Advisory report: https://advisories.dxw.com/advisories/wp-ulike-delete-rows/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:P)
Description
WP
Details
Software: WP ULike
Version: 2.8.1,3.1
Homepage: https://wordpress.org/plugins/wp-ulike/
Advisory report: https://advisories.dxw.com/advisories/stored-xss-wp-ulike/
CVE: Awaiting assignment
CVSS: 6.4 (Medium; AV:N/AC:L/Au:N/C:P/I:P/A:N)
Description
Stored
Details
Software: WP User Groups
Version: 2.0.0
Homepage: https://wordpress.org/plugins/wp-user-groups/
Advisory report: https://advisories.dxw.com/advisories/csrf-wp-user-groups/
CVE: Awaiting assignment
CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N)
Description
Details
Software: WP Image Zoom
Version: 1.23
Homepage: http://wordpress.org/plugins/wp-image-zm/
Advisory report: https://advisories.dxw.com/advisories/wp-image-zoom-dos/
CVE: Awaiting assignment
CVSS: 7.5 (High; AV:N/AC:L/Au:S/C:N/I:P/A:C)
Description
WP
Details
Software: Rating-Widget: Star Review System
Version: 2.8.9
Homepage: https://wordpress.org/plugins/rating-widget/
Advisory report: https://advisories.dxw.com/advisories/rating-widget-debug-mode/
CVE: Awaiting assignment
CVSS: 5 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:N)
Details
Software: Like Button Rating ♥ LikeBtn
Version: 2.5.3
Homepage: https://wordpress.org/plugins/likebtn-like-button/
Advisory report: https://advisories.dxw.com/advisories/likebtn-set-any-option/
CVE: Awaiting assignment
CVSS: 6.4 (Medium; AV:N/AC:L/Au:N/C:P/I:P/A:N)
Details
Software: Relevanssi
Version: 3.5.12,3.6.0
Homepage: https://wordpress.org/plugins/relevanssi/
Advisory report: https://advisories.dxw.com/advisories/sqli-relevanssi/
CVE: Awaiting assignment
CVSS: 8.5 (High; AV:N/AC:L/Au:S/C:C/I:C/A:N)
Description
SQLi
Details
Software: WordPress
Version: 4.8.2
Homepage: https://wordpress.org/
Advisory report: https://security.dxw.com/advisories/wordpress-signups-activation/
CVE: CVE-2017-14990
CVSS: 0 (Low; AV:L/AC:H/Au:M/C:N/I:N/A:N)
Description
WordPress does not hash or
Details
Software: Content Audit
Version: 1.9.1
Homepage: https://wordpress.org/plugins/content-audit/
Advisory report: https://security.dxw.com/advisories/csrf-xss-content-audit/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)
Description
Details
Software: Salutation Responsive WordPress + BuddyPress Theme
Version: 3.0.15
Homepage: https://themeforest.net/item/salutation-responsive-wordpress-buddypress-theme/548199
Advisory report: https://security.dxw.com/advisories/stored-xss-salutation-theme/
CVE: Awaiting
Details
Software: WordPress Download Manager
Version: 2.9.46,2.9.51
Homepage: https://wordpress.org/plugins/download-manager/
Advisory report: https://security.dxw.com/advisories/xss-download-manager/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)
Details
Software: MSMC - Redirect After Comment
Version: 2.1.2
Homepage: https://wordpress.org/plugins/msmc-redirect-after-comment/
Advisory report: https://security.dxw.com/advisories/csrf-stored-xss-in-msmc-redirect-after-comment/
CVE: Awaiting assignment
CVSS: 5.8 (Medium;
Details
Software: Image Slider
Version: 1.1.41,1.1.89
Homepage: http://wordpress.org/plugins/image-slider-widget/
Advisory report: https://security.dxw.com/advisories/arbitrary-file-deletion-vulnerability-in-image-slider-allows-authenticated-users-to-delete-files/
CVE: Awaiting
Details
Software: copy-me
Version: 1.0.0
Homepage: http://wordpress.org/plugins/copy-me/
Advisory report: https://security.dxw.com/advisories/copy-me-vulnerable-to-csrf-allowing-unauthenticated-attacker-to-copy-posts/
CVE: Awaiting assignment
CVSS: 4.3 (Medium;
Details
Software: Quiz And Survey Master (Formerly Quiz Master Next)
Version: 4.5.4,4.7.8
Homepage: https://wordpress.org/plugins/quiz-master-next/
Advisory report:
Details
Software: MailChimp for WordPress
Version: 3.1.5,4.0.10
Homepage: http://wordpress.org/plugins/mailchimp-for-wp/
Advisory report: https://security.dxw.com/advisories/reflected-xss-in-mailchimp-for-wordpress-could-allow-an-attacker-to-do-almost-anything-an-admin-user-can/
Details
Software: Multisite Post Duplicator
Version: 0.9.5.1
Homepage: http://wordpress.org/plugins/multisite-post-duplicator/
Advisory report:
Details
Software: Relevanssi Premium
Version: v1.14.4
Homepage: https://www.relevanssi.com/
Advisory report:
Details
Software: Relevanssi Premium
Version: v1.14.4
Homepage: https://www.relevanssi.com/
Advisory report: https://security.dxw.com/advisories/unserialization-vulnerability-in-relevanssi-premium-could-allow-admins-to-execute-arbitrary-code-in-some-circumstances/
CVE: Awaiting
Details
Software: Post Indexer
Version: 3.0.6.1
Homepage: http://premium.wpmudev.org/project/post-indexer/
Advisory report: https://security.dxw.com/advisories/unserialisation-in-post-indexer-could-allow-man-in-the-middle-to-execute-arbitrary-code-in-some-circumstances/
CVE:
Details
Software: Post Indexer
Version: 3.0.6.1
Homepage: http://premium.wpmudev.org/project/post-indexer/
Advisory report: https://security.dxw.com/advisories/sql-injection-in-post-indexer-allows-super-admins-to-read-the-contents-of-the-database/
CVE: Awaiting assignment
CVSS: 4
Details
Software: Advanced Custom Fields: Table Field
Version: 1.1.12
Homepage: https://wordpress.org/plugins/advanced-custom-fields-table-field/
Advisory report:
Details
Software: JM Twitter Cards
Version: 6.0
Homepage: https://wordpress.org/plugins/jm-twitter-cards
Advisory report: https://security.dxw.com/advisories/full-path-disclosure-vulnerability-in-jm-twitter-cards-reveals-the-location-of-the-wordpress-installation-on-the-server/
Details
Software: Navis DocumentCloud
Version: 0.1
Homepage: https://wordpress.org/plugins/navis-documentcloud/
Advisory report: https://security.dxw.com/advisories/publicly-exploitable-xss-in-wordpress-plugin-navis-documentcloud/
CVE: CVE-2015-2807
CVSS: 6.4 (Medium;
Details
Software: Private Only
Version: 3.5.1
Homepage: http://wordpress.org/plugins/private-only/
Advisory report: https://security.dxw.com/advisories/csrfxss-vulnerability-in-private-only-could-allow-an-attacker-to-do-almost-anything-an-admin-user-can/
CVE: CVE-2015-5483
CVSS:
Details
Software: Google Analytics by Yoast Premium
Version: 5.4.4
Homepage: https://yoast.com/wordpress/plugins/google-analytics/
Advisory report: https://security.dxw.com/advisories/xss-in-google-analytics-by-yoast-premium-by-privileged-users/
CVE: Awaiting assignment
CVSS: 5.5
Details
Software: iframe
Version: 3.0
Homepage: http://wordpress.org/plugins/iframe/
Advisory report: https://security.dxw.com/advisories/reflected-xss-in-iframe-allows-unauthenticated-users-to-do-almost-anything-an-admin-can/
CVE: Awaiting assignment
CVSS: 5.8 (Medium;
Details
Software: iframe
Version: 3.0
Homepage: http://wordpress.org/plugins/iframe/
Advisory report: https://security.dxw.com/advisories/stored-xss-in-iframe-allows-less-privileged-users-to-do-almost-anything-an-admin-can/
CVE: Awaiting assignment
CVSS: 5.5 (Medium;
, 2015 at 2:16 PM, dxw Security secur...@dxw.com wrote:
Timeline
2015-07-21: Discovered
2015-07-22: Reported to vendor via email
2015-07-22: Requested CVE
2015-07-10: Vendor confirmed fixed in version 5.4.5
2015-07-10: Published
After the fact, of course, but I guess 2015
Details
Software: OAuth2 Complete For WordPress
Version: 3.1.3
Homepage: http://wordpress.org/plugins/oauth2-provider/
Advisory report:
Details
Software: WordPress
Version: 3.8.1,3.8.2,4.2.2
Homepage: http://wordpress.org/
Advisory report: https://security.dxw.com/advisories/comment-form-csrf-allows-admin-impersonation-via-comments-in-wordpress-4-2-2/
CVE: Awaiting assignment
CVSS: 4.3 (Medium;
Details
Software: Flickr Justified Gallery
Version: 3.3.6
Homepage: https://wordpress.org/plugins/flickr-justified-gallery/
Advisory report:
Details
Software: Subscribe to Comments
Version: 2.1.2
Homepage: http://wordpress.org/plugins/subscribe-to-comments/
Advisory report: https://security.dxw.com/advisories/admin-only-local-file-inclusion-and-arbitrary-code-execution-in-subscribe-to-comments-2-1-2/
CVE: Awaiting
Details
Software: The Events Calendar: Eventbrite Tickets
Version: 3.9.6
Homepage: https://theeventscalendar.com/product/wordpress-eventbrite-tickets/
Advisory report:
Details
Software: GD bbPress Attachments
Version: 2.1
Homepage: http://wordpress.org/plugins/gd-bbpress-attachments/
Advisory report: https://security.dxw.com/advisories/reflected-xss-in-gd-bbpress-attachments-allows-an-attacker-to-do-almost-anything-an-admin-can/
CVE: Awaiting
Details
Software: Wordpress Content Slide
Version: 1.4.2
Homepage: http://wordpress.org/plugins/content-slide/
Advisory report: https://security.dxw.com/advisories/csrf-and-stored-xss-in-wordpress-content-slide-allow-an-attacker-to-have-full-admin-privileges/
CVE: Awaiting
Details
Software: Contact Form DB
Version: 2.8.29
Homepage: https://wordpress.org/plugins/contact-form-7-to-database-extension/
Advisory report: https://security.dxw.com/advisories/csrf-in-contact-form-db-allows-attacker-to-delete-all-stored-form-submissions/
CVE: CVE-2015-1874
Details
Software: Content Audit
Version: 1.6
Homepage: http://wordpress.org/plugins/content-audit/
Advisory report: https://security.dxw.com/advisories/blind-sqli-vulnerability-in-content-audit-could-allow-a-privileged-attacker-to-exfiltrate-password-hashes/
CVE: CVE-2014-5389
Details
Software: WordPress Mobile Pack
Version: 2.0.1
Homepage: http://wordpress.org/plugins/wordpress-mobile-pack/
Advisory report: https://security.dxw.com/advisories/information-disclosure-vulnerability-in-wordpress-mobile-pack-allows-anybody-to-read-password-protected-posts/
Details
Software: Theme My Login
Version: 6.3.9
Homepage: http://wordpress.org/plugins/theme-my-login/
Advisory report: https://security.dxw.com/advisories/lfi-in-theme-my-login/
CVE: Awaiting assignment
CVSS: 6.5 (Medium; AV:N/AC:L/Au:S/C:P/I:P/A:P)
Description
Details
Software: Member Approval
Version: 131109
Homepage: http://wordpress.org/plugins/member-approval/
Advisory ID: dxw-1970-1172
CVE: CVE-2014-3850
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)
Description
CSRF in Member Approval 131109 permits unapproved
Details
Software: File Gallery
Version: 1.7.7,1.7.9
Homepage: http://wordpress.org/plugins/file-gallery/
Advisory ID: dxw-1970-638
CVE: CVE-2014-2558
CVSS: 8 (High; AV:N/AC:L/Au:S/C:C/I:P/A:P)
Description
Arbitrary code execution by admins in File Gallery 1.7.7