Web Security

WordPress Plugin Vulnerability Report – Elementor Addon Elements – Cross-Site Request Forgery – CVE-2023-4690

By Your WP Guy / Nov 15, 2023

Plugin Name: Elementor Addon Elements

Key Information:
Software Type: Plugin
Software Slug: addon-elements-for-elementor-page-builder
Software Status: Active
Software Author: webtechstreet
Software Downloads: 2,143,312
Active Installs: 100,000
Last Updated: November 15, 2023
Patched Versions: 1.12.8
Affected Versions: <= 1.12.7

Vulnerability Details:
Name: Elementor Addon Elements <= 1.12.7 – Cross-Site Request Forgery
Title: Cross-Site Request Forgery
Type: Cross-Site Request Forgery (CSRF)
CVE: CVE-2023-4690
CVSS Score: 5.4 (Medium)
Publicly Published: November 15, 2023
Researcher: Marco…


WordPress Plugin Vulnerability Report – Quiz And Survey Master – Multiple Cross-Site Request Forgery

By Your WP Guy / Nov 8, 2023

Plugin Name: Quiz And Survey Master

Key Information:
Software Type: Plugin
Software Slug: quiz-master-next
Software Status: Active
Software Author: expresstech
Software Downloads: 2,153,834
Active Installs: 40,000
Last Updated: November 8, 2023
Patched Versions: 8.1.19
Affected Versions: <= 8.1.18

Vulnerability Details:
Name: Quiz And Survey Master <= 8.1.18 – Multiple Cross-Site Request Forgery
Title: Multiple Cross-Site Request Forgery
Type: Cross-Site Request Forgery (CSRF)
CVSS Score: 5.4 (Medium)
Publicly Published: November…


WordPress Plugin Vulnerability Report – LearnPress – Reflected Cross-Site Scripting via add_internal_scripts_to_head

By Your WP Guy / Nov 7, 2023

Plugin Name: LearnPress

Key Information:
Software Type: Plugin
Software Slug: learnpress
Software Status: Active
Software Author: thimpress
Software Downloads: 3,770,912
Active Installs: 90,000
Last Updated: November 7, 2023
Patched Versions: 4.2.5.4
Affected Versions: < 4.2.5.4

Vulnerability Details:
Name: LearnPress <= 4.2.5.3 – Reflected Cross-Site Scripting via add_internal_scripts_to_head
Title: Reflected Cross-Site Scripting via add_internal_scripts_to_head
Type: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CVSS Score: 6.1 (Medium)…


WordPress Plugin Vulnerability Report – UpdraftPlus – Cross-Site Request Forgery to Google Drive Storage Update – CVE-2023-5982

By Your WP Guy / Nov 7, 2023

Plugin Name: UpdraftPlus

Key Information:
Software Type: Plugin
Software Slug: updraftplus
Software Status: Active
Software Author: davidanderson
Software Downloads: 107,410,188
Active Installs: 3,000,000
Last Updated: November 7, 2023
Patched Versions: 1.23.11
Affected Versions: <= 1.23.10

Vulnerability Details:
Name: UpdraftPlus <= 1.23.10 – Cross-Site Request Forgery to Google Drive Storage Update
Title: Cross-Site Request Forgery to Google Drive Storage Update
Type: Cross-Site Request Forgery (CSRF)
CVE: CVE-2023-5982
CVSS Score: 5.4…


WordPress Plugin Vulnerability Report – GiveWP – Cross-Site Request Forgery – CVE-2023-4247, CVE-2023-4248

By Your WP Guy / Oct 31, 2023

Plugin Name: GiveWP

Key Information:
Software Type: Plugin
Software Slug: give
Software Status: Active
Software Author: webdevmattcrom
Software Downloads: 6,043,447
Active Installs: 100,000
Last Updated: October 31, 2023
Patched Versions: 2.33.4
Affected Versions: <= 2.33.3

Vulnerability 1 Details:
Name: GiveWP <= 2.33.3 – Cross-Site Request Forgery to plugin deactivation
Title: Cross-Site Request Forgery to plugin deactivation
Type: Cross-Site Request Forgery (CSRF)
CVE: CVE-2023-4247
CVSS Score: 5.4 (Medium)
Publicly Published: October…


WordPress Plugin Vulnerability Report – News & Blog Designer Pack – Unauthenticated Remote Code Execution via Local File Inclusion – CVE-2023-5815

By Your WP Guy / Oct 26, 2023

Plugin Name: News & Blog Designer Pack

Key Information:
Software Type: Plugin
Software Slug: blog-designer-pack
Software Status: Active
Software Author: infornweb
Software Downloads: 408,098
Active Installs: 30,000
Last Updated: October 26, 2023
Patched Versions: 3.4.2
Affected Versions: <=3.4.1

Vulnerability Details:
Name: News & Blog Designer Pack – WordPress Blog Plugin <= 3.4.1 – Unauthenticated Remote Code Execution via Local File Inclusion
Title: Unauthenticated Remote Code Execution…


WordPress Plugin Vulnerability Report – LiteSpeed Cache – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode – CVE-2023-4372

By Your WP Guy / Oct 23, 2023

Plugin Name: LiteSpeed Cache

Key Information:
Software Type: Plugin
Software Slug: litespeed-Cache
Software Status: Active
Software Author: litespeedtech
Software Downloads: 52m564,430
Active Installs: 4,000,000
Last Updated: October 23, 2023
Patched Versions: 5.7
Affected Versions: <=5.6

Vulnerability Details:
Name: LiteSpeed Cache <= 5.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Type: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CVE: CVE-2023-4372
CVSS Score: 6.4 (Medium)
Publicly…


How Does Cross Site Scripting (XSS) Differ From Other Web Vulnerabilities?

By Your WP Guy / Oct 17, 2023

Whether you run an e-commerce store, a SaaS platform, or simply use your site to acquire leads, you depend on your website to connect with customers and drive revenue. But without proper security, your website is vulnerable to attacks like Cross Site Scripting that can wreak havoc on your business. Cross Site Scripting, commonly know…


WordPress Plugin Vulnerability Report – Social Media Share Buttons & Social Sharing Icons – Cross-Site Request Forgery – CVE-2023-5602 – Information Exposure – CVE-2023-5070

By Your WP Guy / Oct 16, 2023

Plugin Name: Social Media Share Buttons & Social Sharing Icons

Key Information:
Software Type: Plugin
Software Slug: ultimate-social-media-icons
Software Status: Active
Software Author: socialdude
Software Downloads: 10,654,500
Active Installs: 100,000
Last Updated: October 16, 2023
Patched Versions: 2.8.6
Affected Versions: <=2.8.5

Vulnerability 1 Details:
Name: Social Media Share Buttons & Social Sharing Icons <= 2.8.5 – Cross-Site Request Forgery
Type: Cross-Site…


WordPress Plugin Vulnerability Report – Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce – Authenticated Directory Traversal – CVE-2023-5414

By Your WP Guy / Oct 11, 2023

Plugin Name: Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce

Key Information:
Software Type: Plugin
Software Slug: email-subscribers
Software Status: Active
Software Author: icegram
Software Downloads: 9,788,187
Active Installs: 100,000
Last Updated: October 11, 2023
Patched Versions: 5.6.24
Affected Versions: <= 5.6.23

Vulnerability Details:
Name: Icegram Express <= 5.6.23 – Authenticated (Administrator+) Directory Traversal to Arbitrary File Read
Type: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE: CVE-2023-5414
CVSS…
