Security

WordPress Plugin Vulnerability Report – Drag and Drop Multiple File Upload– Contact Form 7 – Unauthenticated Arbitrary File Upload – CVE-2023-5822

By Your WP Guy / Nov 1, 2023

Plugin Name: Drag and Drop Multiple File Upload- Contact Form 7 Key Information: Software Type: Plugin Software Slug: drag-and-drop-multiple-file-upload-contact-form-7 Software Status: Active Software Author: glenwpcoder Software Downloads: 575,808 Active Installs: 50,000 Last Updated: November 1, 2023 Patched Versions: 1.3.7.4 Affected Versions: <= 1.3.7.3 Vulnerability Details: Name: Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.7.3 – Unauthenticated Arbitrary File Upload Title: Unauthenticated Arbitrary…

WordPress Plugin Vulnerability Report – GiveWP – Cross-Site Request Forgery – CVE-2023-4247, CVE-2023-4248

By Your WP Guy / Oct 31, 2023

Plugin Name: GiveWP Key Information: Software Type: Plugin Software Slug: give Software Status: Active Software Author: webdevmattcrom Software Downloads: 6,043,447 Active Installs: 100,000 Last Updated: October 31, 2023 Patched Versions: 2.33.4 Affected Versions: <= 2.33.3 Vulnerability 1 Details: Name: GiveWP <= 2.33.3 – Cross-Site Request Forgery to plugin deactivation Title: Cross-Site Request Forgery to plugin deactivation Type: Cross-Site Request Forgery (CSRF) CVE: CVE-2023-4247 CVSS Score: 5.4 (Medium) Publicly Published: October…

WordPress Plugin Vulnerability Report – WP Customer Reviews – Authenticated (Subscriber+) Sensitive Information Exposure – CVE-2023-4686

By Your WP Guy / Oct 31, 2023

Plugin Name: WP Customer Reviews Key Information: Software Type: Plugin Software Slug: wp-customer-reviews Software Status: Active Software Author: bompus Software Downloads: 1,108,443 Active Installs: 30,000 Last Updated: October 31, 2023 Patched Versions: No Patched Version Affected Versions: <= 3.6.8 Vulnerability Details: Name: WP Customer Reviews <= 3.6.8 – Authenticated (Subscriber+) Sensitive Information Exposure Title: Authenticated (Subscriber+) Sensitive Information Exposure Type: Missing Authorization CVE: CVE-2023-4686 CVSS Score: 4.3 (Medium) Publicly…

WordPress Plugin Vulnerability Report – 10Web Booster – Unauthenticated Arbitrary Option Deletion

By Your WP Guy / Oct 29, 2023

Plugin Name: 10Web Booster Key Information: Software Type: Plugin Software Slug: tenweb-speed-optimizer Software Status: Active Software Author: 10web Software Downloads: 864,591 Active Installs: 80,000 Last Updated: October 29, 2023 Patched Versions: 2.24.18 Affected Versions: <= 2.24.14 Vulnerability Details: Name: 10Web Booster <= 2.24.14 – Unauthenticated Arbitrary Option Deletion Type: Authorization Bypass Through User-Controlled Key CVSS Score: 6.5 (Medium) Publicly Published: Description: The 10Web Booster – Website speed optimization,…

WordPress Plugin Vulnerability Report – News & Blog Designer Pack – Unauthenticated Remote Code Execution via Local File Inclusion – CVE-2023-5815

By Your WP Guy / Oct 26, 2023

Plugin Name: News & Blog Designer Pack Key Information: Software Type: Plugin Software Slug: blog-designer-pack Software Status: Active Software Author: infornweb Software Downloads: 408,098 Active Installs: 30,000 Last Updated: October 26, 2023 Patched Versions: 3.4.2 Affected Versions: <=3.4.1 Vulnerability Details: Name: News & Blog Designer Pack – WordPress Blog Plugin <= 3.4.1 – Unauthenticated Remote Code Execution via Local File Inclusion Title: Unauthenticated Remote Code Execution…

WordPress Plugin Vulnerability Report – VK Blocks – Authenticated (Contributor+) Stored Cross-Site Scripting via Block – CVE-2023-5706

By Your WP Guy / Oct 24, 2023

Plugin Name: VK Blocks Key Information: Software Type: Plugin Software Slug: vk-blocks Software Status: Active Software Author: vektor-inc Software Downloads: 2,017,789 Active Installs: 80,000 Last Updated: October 24, 2023 Patched Versions: 1.64.0.0 Affected Versions: <= 1.63.0.1 Vulnerability Details: Name: VK Blocks <= 1.63.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Block Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Block Type: Improper Neutralization of Input…

Deciphering Error Messages on Your WordPress Home Screen: A Beginner’s Guide

By Your WP Guy / Oct 24, 2023

“What does this random combination of numbers mean? Is my site broken?” you wonder anxiously. While confusing at first glance, WordPress error codes act as handy clues pointing you to potential issues. Once decoded, they transform from indecipherable codes into helpful guides directing you to solutions. This beginner’s guide will decode common WordPress error messages…

WordPress Plugin Vulnerability Report – LiteSpeed Cache – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode – CVE-2023-4372

By Your WP Guy / Oct 23, 2023

Plugin Name: LiteSpeed Cache Key Information: Software Type: Plugin Software Slug: litespeed-Cache Software Status: Active Software Author: litespeedtech Software Downloads: 52m564,430 Active Installs: 4,000,000 Last Updated: October 23, 2023 Patched Versions: 5.7 Affected Versions: <=5.6 Vulnerability Details: Name: LiteSpeed Cache <= 5.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Type: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) CVE: CVE-2023-4372 CVSS Score: 6.4 (Medium) Publicly…