Topic

WordPress

A collection of 43 issues

CVE-2022-38704 The SEO Redirection plugin has CSRF vulnerability, leading to deletion of 404 errors and redirection history.

This type of vulnerability occurs when a website administrator or user can request a specific action on another website, without the knowledge of the owner of the target website. For example, an attacker can send a request to delete an entry from a WordPress website, without the knowledge of the

CVE-2022-38454 CSRF vulnerability in Kraken.io Image Optimizer plugin = 2.6.5 at WordPress.

This bug can be exploited by an attacker to hijack user credentials by sending them a request to a board, post or comment on a blog or forum that the user belongs to. Since WordPress sites allow users to register new posts and comments through a login, an attacker can

CVE-2022-40194 An Unauthenticated SSI vulnerability in the WooCommerce plugin = 5.3.5.

An attacker can exploit the unauthenticated vulnerability to retrieve the customer’s email address and other personally identifiable information. Unauthenticated information disclosure vulnerabilities occur when the software does not properly sanitize user input before using it in the application or before returning it in the form of output. This makes

CVE-2022-36386 Soflyy Import any XML or CSV File to WordPress plugin 3.6.7 is vulnerable to Arbitrary Code Execution.

XML or CSV files are very common and used in many websites and online service providers. This plugin is used to import data from CSV or XML file into WordPress. This is a must-have plugin for most of the WordPress users. If you are using another WordPress plugin to import

CVE-2022-2799 The Affiliates Manager WordPress plugin before 2.9.14 has unsafe settings that allow attackers to do Cross-Site Scripting.

Plugin writers are encouraged to review the settings they have access to to make sure they are only accessible to the WordPress roles that they should have access to. This update also removes the unfiltered_html capability from the Affiliates Manager settings page, which is not recommended to leave enabled

CVE-2022-36258 An SQL injection vulnerability in CustomerDAO.java in InventoryManagementSystem 1.0 allows attackers to execute arbitrary SQL commands.

In the following example, we have attempted to inject the command "-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --

CVE-2022-36793 Vulnerabilities in WP Shop plugin = 3.9.6 at WordPress END>

A user with an account could change any data, leading to a potential data breach. Data integrity issues in WP Shop plugin = 3.9.6 at WordPress. Incorrect data being stored can lead to a data breach. CVE# Issue WP Shop plugin 3.9.6 or older. Unauthenticated Plugin Settings

CVE-2022-38268 An SQL injection vulnerability was found in the School Activity Updates with SMS Notification v1.0 component.

2018-06-26: This version was updated to version 1.2.2, fixing the SQL injection vulnerability. The researcher who discovered this vulnerability states that the module is not actively maintained, which can be exploited to create custom config parameters that execute code on the server. Furthermore, the researcher discovered that the

CVE-2022-38260 The Interview Management System v1.0 had a SQL injection vulnerability.

A remote user or attacker can inject arbitrary SQL commands to the system, and the system will execute the command. If SQL injection is not blocked, it can lead to the information leak, data manipulation, or even the system denial and crashing. Recommended precautionary measures to prevent SQL injection attacks

CVE-2022-2597 The Visual Portfolio, Photo Gallery & Post Grid plugin before 2.19.0 had some security issues, allowing users with a low role to inject arbitrary CSS.

This is possible because the plugin does not have an ACL on its endpoints. An attacker can send requests to the affected REST APIs as high as they want, as long as they are a member of the contributor role. NOTE: Earlier versions of this plugin are also affected, but