security

WordPress Plugin Vulnerability Report – EmbedPress – Missing Authorization

By Your WP Guy / Dec 8, 2023

Plugin Name: EmbedPress Key Information: Software Type: Plugin Software Slug: embedpress Software Status: Active Software Author: wpdevteam Software Downloads: 2,004,277 Active Installs: 80,000 Last Updated: December 8, 2023 Patched Versions: NA Affected Versions: <= 3.9.4 Vulnerability Details: Name: EmbedPress <= 3.9.4 – Missing Authorization Title: Missing Authorization Type: Missing Authorization CVSS Score: 5.3 (Medium) Publicly Published: December 8, 2023 Description: The EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia…

Read More

WordPress Plugin Vulnerability Report – Manage Notification E-mails – Missing Authorization – CVE-2023-6496

By Your WP Guy / Dec 8, 2023

Plugin Name: Manage Notification E-mails Key Information: Software Type: Plugin Software Slug: manage-notification-emails Software Status: Active Software Author: virgial Software Downloads: 612,816 Active Installs: 100,000 Last Updated: December 8, 2023 Patched Versions: 1.8.6 Affected Versions: <= 1.8.5 Vulnerability Details: Name: Manage Notification E-mails <= 1.8.5 – Missing Authorization Title: Missing Authorization Type: Improper Authorization CVE: CVE-2023-6496 CVSS Score: 5.3 (Medium) Publicly Published: December 8, 2023 Researcher: Rafshanzani Suhada Description: The Manage Notification…

Read More

WordPress Plugin Vulnerability Report – Elementor Website Builder – Authenticated(Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import

By Your WP Guy / Dec 6, 2023

Plugin Name: Elementor Website Builder Key Information: Software Type: Plugin Software Slug: elementor Software Status: Active Software Author: elemntor Software Downloads: 357,725,852 Active Installs: 5,000,000 Last Updated: December 6, 2023 Patched Versions: No patched version Affected Versions: <= 3.18.0 Vulnerability Details: Name: Elementor <= 3.18.0 Authenticated(Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import Title: Authenticated(Contributor+) Arbitrary File Upload to Remote Code Execution via…

Read More

WordPress Plugin Vulnerability Report – Calculated Fields Form – Authenticated (Admin+) Stored Cross-Site Scripting – CVE-2023-6446

By Your WP Guy / Dec 5, 2023

Plugin Name: Calculated Fields Form Key Information: Software Type: Plugin Software Slug: calculated-fields-form Software Status: Active Software Author: codepeople Software Downloads: 6,352,767 Active Installs: 60,000 Last Updated: December 5, 2023 Patched Versions: 1.2.41 Affected Versions: <= 1.2.40 Vulnerability Details: Name: Calculated Fields Form <= 1.2.40 – Authenticated (Admin+) Stored Cross-Site Scripting Title: Authenticated (Admin+) Stored Cross-Site Scripting Type: Improper Neutralization of Alternate XSS Syntax CVE: CVE-2023-6446 CVSS Score: 4.4…

Read More

WordPress Plugin Vulnerability Report – SpeedyCache – Missing Authorization via speedycache_create_test_cache

By Your WP Guy / Dec 1, 2023

Plugin Name: SpeedyCache Key Information: Software Type: Plugin Software Slug: speedycache Software Status: Active Software Author: softaculous Software Downloads: 746,740 Active Installs: 100,000 Last Updated: December 1, 2023 Patched Versions: 1.1.3 Affected Versions: <= 1.1.2 Vulnerability Details: Name: SpeedyCache <= 1.1.2 – Missing Authorization via speedycache_create_test_cache Title: Missing Authorization via speedycache_create_test_cache Type: Missing Authorization CVSS Score: 4.3 (Medium) Publicly Published: December 1, 2023 Description: The SpeedyCache – Cache, Optimization, Performance…

Read More

WordPress Plugin Vulnerability Report – Backup Migration – Unauthenticated Arbitrary File Download to Sensitive Information Exposure – CVE-2023-6266

By Your WP Guy / Nov 30, 2023

Plugin Name: Backup Migration Key Information: Software Type: Plugin Software Slug: backup-backup Software Status: Active Software Author: migrate Software Downloads: 1,025,584 Active Installs: 90,000 Last Updated: November 30, 2023 Patched Versions: 1.3.7 Affected Versions: <= 1.3.6 Vulnerability Details: Name: Backup Migration <= 1.3.6 – Unauthenticated Arbitrary File Download to Sensitive Information Exposure Title: Unauthenticated Arbitrary File Download to Sensitive Information Exposure Type: Information Exposure CVE: CVE-2023-6266 CVSS Score: 7.5…

Read More

WordPress Plugin Vulnerability Report – AMP for WP – Accelerated Mobile Pages – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode – CVE-2023-48321

By Your WP Guy / Nov 28, 2023

Plugin Name: AMP for WP – Accelerated Mobile Pages Key Information: Software Type: Plugin Software Slug: accelerated-mobile-pages Software Status: Active Software Author: mohammed_kaludi Software Downloads: 17,408,260 Active Installs: 100,000 Last Updated: November 28, 2023 Patched Versions: 1.0.89 Affected Versions: <= 1.0.88.1 Vulnerability Details: Name: Accelerated Mobile Pages <= 1.0.88.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode Title: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode Type: Improper…

Read More

WordPress Plugin Vulnerability Report – Email Address Encoder – Authenticated (Contributor+) Stored Cross-Site Scripting

By Your WP Guy / Nov 28, 2023

Plugin Name: Email Address Encoder Key Information: Software Type: Plugin Software Slug: email-address-encoder Software Status: Active Software Author: tillkruess Software Downloads: 1,241,298 Active Installs: 100,000 Last Updated: November 28, 2023 Patched Versions: 1.0.23 Affected Versions: <=1.0.22 Vulnerability Details: Name: Email Address Encoder 1.0.22 – Authenticated (Contributor+) Stored Cross-Site Scripting Title: Authenticated (Contributor+) Stored Cross-Site Scripting Type: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) CVSS…

Read More

WordPress Plugin Vulnerability Report – SiteOrigin Widgets Bundle – Authenticated (Admin+) Local File Inclusion – CVE-2023-6295

By Your WP Guy / Nov 27, 2023

Plugin Name: SiteOrigin Widgets Bundle Key Information: Software Type: Plugin Software Slug: so-widgets-bundle Software Status: Active Software Author: gpriday Software Downloads: 36,509,376 Active Installs: 600,000 Last Updated: November 27, 2023 Patched Versions: 1.51.0 Affected Versions: <= 1.50.1 Vulnerability Details: Name: SiteOrigin Widgets Bundle < 1.51.0 – Authenticated (Admin+) Local File Inclusion Title: Authenticated (Admin+) Local File Inclusion Type: Improper Control of Filename for Include/Require Statement in PHP…

Read More

WordPress Plugin Vulnerability Report – HUSKY – Missing Authorization via woof_meta_get_keys() – CVE-2023-40334

By Your WP Guy / Nov 23, 2023

Plugin Name: HUSKY Key Information: Software Type: Plugin Software Slug: woocommerce-products-filter Software Status: Active Software Author: realmag777 Software Downloads: 1,602,499 Active Installs: 100,000 Last Updated: November 23, 2023 Patched Versions: 1.3.4.3 Affected Versions: <= 1.3.4.2 Vulnerability Details: Name: HUSKY – Products Filter for WooCommerce (formerly WOOF) <= 1.3.4.2 – Missing Authorization via woof_meta_get_keys() Title: Missing Authorization via woof_meta_get_keys() Type: Missing Authorization CVE: CVE-2023-40334 CVSS Score: 4.3 (Medium) Publicly Published: November…

Read More