WordPress Plugin Vulnerability Report – BackWPup – Authenticated (Administrator+) Directory Traversal – CVE-2023-5504

Plugin Name: BackWPup Key Information: Software Type: Plugin Software Slug: backwpup Software Status: Active Software Author: wp_media Software Downloads: 13,284,859 Active Installs: 600,000 Last Updated: November 22, 2023 Patched Versions: 4.0.2 Affected Versions: <= 4.0.1 Vulnerability Details: Name: BackWPup <= 4.0.1 – Authenticated (Administrator+) Directory Traversal Title: Authenticated (Administrator+) Directory Traversal Type: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) CVE: CVE-2023-5504 CVSS Score: 8.7 (High)…

Read More

WordPress Plugin Vulnerability Report – Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce – Authenticated Directory Traversal – CVE-2023-5414

Plugin Name: Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce Key Information: Software Type: Plugin Software Slug: email-subscribers Software Status: Active Software Author: icegram Software Downloads: 9,788,187 Active Installs: 100,000 Last Updated: October 11, 2023 Patched Versions: 5.6.24 Affected Versions: <= 5.6.23 Vulnerability Details: Name: Icegram Express <= 5.6.23 – Authenticated (Administrator+) Directory Traversal to Arbitrary File Read Type: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVE: CVE-2023-5414 CVSS…

Read More

WordPress Plugin Vulnerability Report – Leaflet Map – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode – CVE-2023-5050

Plugin Name: Leaflet Map Key Information: Software Type: Plugin Software Slug: leaflet-map Software Status: Active Software Author: bozdoz Software Downloads: 339,670 Active Installs: 30,000 Last Updated: September 20, 2023 Patched Versions: <=3.3.0 Affected Versions: 3.3.1 Vulnerability Details: Name: Leaflet Map <= 3.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Type: Improper Neutralization of Input…

Read More

WordPress Plugin Vulnerability Report – Table of Contents Plus – Authenticated (Administrator+) Stored Cross-Site Scripting

Plugin Name: Table of Contents Plus Key Information: Software Type: Plugin Software Slug: table-of-contents-plus Software Status: Active Software Author: conjur3r Software Downloads: 2,261,612 Active Installs: 300,000 Last Updated: September 19, 2023 Patched Versions: 2309 Affected Versions: <2309 Vulnerability Details: Name: Table of Contents Plus <= 2302 – Authenticated (Administrator+) Stored Cross-Site Scripting Type: Improper Neutralization…

Read More

WordPress Plugin Vulnerability Report – Essential Addons for Elementor – Authenticated (Contributor+) Privilege Escalation

Plugin Name: Essential Addons for Elementor Key Information: Software Type: Plugin Software Slug: essential-addons-for-elementor-lite Software Status: Active Software Author: wpdevteam Software Downloads: 55,164,924 Active Installs: 1,000,000 Last Updated: September 14, 2023 Patched Versions: 5.8.9 Affected Versions: <=5.8.8 Vulnerability Details: Name: Essential Addons for Elementor <= 5.8.8 – Authenticated (Contributor+) Privilege Escalation Type: Missing Authorization CVSS…

Read More

WordPress Plugin Vulnerabilities Report – Booster for WooCommerce – Authenticated Stored Cross-Site Scripting & Information Disclosure – CVE-2023-4945, CVE-2023-4796

Plugin Name: Booster for WooCommerce Key Information: Software Type: Plugin Software Slug: woocommerce-jetpack Software Status: Active Software Author: pluggabl Software Downloads: 3,353,295 Active Installs: 60,000 Last Updated: September 13, 2023 Patched Versions: 7.1.1 Affected Versions: <=7.1.0 Vulnerability Details: 1. Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Type: Improper Neutralization of Input During Web Page Generation…

Read More

WordPress Plugin Vulnerability Report – Migration, Backup, Staging – WPvivid – Missing Authorization & Stored Cross-Site Scripting

Plugin Name: Migration, Backup, Staging – WPvivid Key Information: Software Type: Plugin Software Slug: wpvivid-backuprestore Software Status: Active Software Author: wpvividplugins Software Downloads: 5,141,419 Active Installs: 300,000 Last Updated: September 12, 2023 Patched Versions: 0.9.91 Affected Versions: <=0.9.90 First Vulnerability: Vulnerability Details: Name: WPvivid Backup Plugin <= 0.9.90 – Missing Authorization via ‘start_staging’ and ‘get_staging_progress’…

Read More

WordPress Plugin Vulnerability Report: Slimstat Analytics – Authenticated (Contributor+) Blind SQL Injection via Shortcode – CVE-2023-4598

Key Information: Software Type: Plugin Software Slug: wp-slimstat Software Status: Active Software Author: mostafas1990 Software Downloads: 5,922,898 Active Installs: 100,000 Last Updated: September 11, 2023 Patched Versions: 5.0.10 Affected Versions: <=5.0.9 Vulnerability Details: Name: Slimstat Analytics <= 5.0.9 – Authenticated (Contributor+) Blind SQL Injection via Shortcode Type: Improper Neutralization of Special Elements used in an…

Read More

WordPress Plugin Vulnerability Report: User Feedback – Unauthenticated Stored Cross-Site Scripting – CVE-2023-39308

Plugin Name: User Feedback Key Information: Software Type: Plugin Software Slug: userfeedback-lite Software Status: Active Software Author: smub Software Downloads: 348,588 Active Installs: 100,000 Last Updated: September 7, 2023 Patched Versions: 1.0.8 Affected Versions: <=1.0.7 Vulnerability Details: Name: User Feedback <= 1.0.7 – Unauthenticated Stored Cross-Site Scripting Type: Improper Neutralization of Input During Web Page…

Read More