WordPress Plugin Vulnerability Report – MW WP Form – Unauthenticated Arbitrary File Upload – CVE-2023-6316

Plugin Name: MW WP Form
Key Information:
Software Type: Plugin
Software Slug: mw-wp-form
Software Status: Active
Software Author: inc2734
Software Downloads: 1,305,500
Active Installs: 200,000
Last Updated: December 4, 2023
Patched Versions: 5.0.2
Affected Versions: <= 5.0.1
Vulnerability Details:
Name: MW WP Form <= 5.0.1 – Unauthenticated Arbitrary File Upload
Title: Unauthenticated Arbitrary File Upload
Type: Unrestricted Upload of File with Dangerous Type
CVE: CVE-2023-6316
CVSS Score: 9.8 (Critical)…

WordPress Plugin Vulnerability Report – Abandoned Cart Lite for WooCommerce – Cross-Site Request Forgery

Plugin Name: Abandoned Cart Lite for WooCommerce
Key Information:
Software Type: Plugin
Software Slug: woocommerce-abandoned-cart
Software Status: Active
Software Author: tychesoftwares
Software Downloads: 1,004,642
Active Installs: 30,000
Last Updated: December 1, 2023
Patched Versions: 5.16.2
Affected Versions: <= 5.16.1
Vulnerability Details:
Name: Abandoned Cart Lite for WooCommerce <= 5.16.1 – Cross-Site Request Forgery
Title: Cross-Site Request Forgery
Type: Cross-Site Request Forgery (CSRF)
CVSS Score: 5.3 (Medium)
Publicly Published: December…

WordPress Plugin Vulnerability Report – Razorpay for WooCommerce – Missing Authorization and Cross-Site Request Forgery

Plugin Name: Razorpay for WooCommerce
Key Information:
Software Type: Plugin
Software Slug: woo-razorpay
Software Status: Active
Software Author: NA
Software Downloads: 1,366,539
Active Installs: 60,000
Last Updated: November 28, 2023
Patched Versions: 4.5.7
Affected Versions: <= 4.5.6
Vulnerability 1 Details:
Name: Razorpay for WooCommerce <= 4.5.6 – Missing Authorization
Title: Missing Authorization
Type: Missing Authorization
CVSS Score: 4.3 (Medium)
Publicly Published: November 28, 2023
Description: The Razorpay for WooCommerce plugin…

WordPress Plugin Vulnerability Report – Mollie Payments for WooCommerce – Authenticated (Shop Manager+) Arbitrary File Upload – CVE-2023-6090

Plugin Name: Mollie Payments for WooCommerce
Key Information:
Software Type: Plugin
Software Slug: mollie-payments-for-woocommerce
Software Status: Active
Software Author: mollieintegration
Software Downloads: 2,934,315
Active Installs: 100,000
Last Updated: November 27, 2023
Patched Versions: 7.3.12
Affected Versions: <= 7.3.11
Vulnerability Details:
Name: Mollie Payments for WooCommerce <= 7.3.11 – Authenticated (Shop Manager+) Arbitrary File Upload
Title: Authenticated (Shop Manager+) Arbitrary File Upload
Type: Unrestricted Upload of File with…

WordPress Plugin Vulnerability Report – Shortcodes Ultimate – Authenticated (Contributor+) Stored Cross-Site Scripting & Insecure Direct Object Reference to Information Disclosure – CVE-2023-6225 & CVE-2023-6226

Plugin Name: Shortcodes Ultimate
Key Information:
Software Type: Plugin
Software Slug: shortcodes-ultimate
Software Status: Active
Software Author: gn_themes
Software Downloads: 17,874,399
Active Installs: 600,000
Last Updated: November 27, 2023
Patched Versions: 7.0.0
Affected Versions: <= 5.13.3
Vulnerability 1 Details:
Name: WP Shortcodes Plugin — Shortcodes Ultimate <= 5.13.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
Title: Authenticated (Contributor+) Stored Cross-Site Scripting
Type: Improper Neutralization of Input During Web…

WordPress Plugin Vulnerability Report – BackWPup – Authenticated (Administrator+) Directory Traversal – CVE-2023-5504

Plugin Name: BackWPup
Key Information:
Software Type: Plugin
Software Slug: backwpup
Software Status: Active
Software Author: wp_media
Software Downloads: 13,284,859
Active Installs: 600,000
Last Updated: November 22, 2023
Patched Versions: 4.0.2
Affected Versions: <= 4.0.1
Vulnerability Details:
Name: BackWPup <= 4.0.1 – Authenticated (Administrator+) Directory Traversal
Title: Authenticated (Administrator+) Directory Traversal
Type: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CVE: CVE-2023-5504
CVSS Score: 8.7 (High)…

WordPress Plugin Vulnerability Report – Widgets for Google Reviews – Authenticated (Editor+) Arbitrary File Upload – CVE-2023-48275

Plugin Name: Widgets for Google Reviews
Key Information:
Software Type: Plugin
Software Slug: wp-reviews-plugin-for-google
Software Status: Active
Software Author: trustindex
Software Downloads: 4,619,317
Active Installs: 300,000
Last Updated: November 22, 2023
Patched Versions: 11.1
Affected Versions: <= 11.0.2
Vulnerability Details:
Name: Widgets for Google Reviews <= 11.0.2 – Authenticated (Editor+) Arbitrary File Upload
Title: Authenticated…

WordPress Plugin Vulnerability Report – wpDiscuz – Authenticated (Administrator+) Stored Cross-Site Scripting

Plugin Name: wpDiscuz
Key Information:
Software Type: Plugin
Software Slug: wpdiscuz
Software Status: Active
Software Author: advancedcoding
Software Downloads: 3,042,036
Active Installs: 80,000
Last Updated: November 17, 2023
Patched Versions: 7.6.13
Affected Versions: <= 7.6.12
Vulnerability Details:
Name: wpDiscuz <= 7.6.12 – Authenticated (Administrator+) Stored Cross-Site Scripting
Title: Authenticated (Administrator+) Stored Cross-Site Scripting
Type: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CVSS Score: 4.4 (Medium)…

WordPress Plugin Vulnerability Report – Paid Memberships Pro – Authenticated (Subscriber+) Arbitrary File Upload – CVE-2023-6187

Plugin Name: Paid Memberships Pro
Key Information:
Software Type: Plugin
Software Slug: paid-memberships-pro
Software Status: Active
Software Author: strangerstudios
Software Downloads: 5,334,391
Active Installs: 90,000
Last Updated: November 16, 2023
Patched Versions: 2.12.4
Affected Versions: <= 2.12.3
Vulnerability Details:
Name: Paid Memberships Pro <= 2.12.3 – Authenticated (Subscriber+) Arbitrary File Upload
Title: Authenticated (Subscriber+) Arbitrary File Upload
Type: Unrestricted Upload of File with Dangerous Type
CVE: CVE-2023-6187
CVSS…

WordPress Plugin Vulnerability Report – Slider – Missing Authorization via AJAX action

Plugin Name: Slider – Ultimate Responsive Image Slider
Key Information:
Software Type: Plugin
Software Slug: ultimate-responsive-image-slider
Software Status: Active
Software Author: farazfrank
Software Downloads: 1,338,384
Active Installs: 40,000
Last Updated: November 16, 2023
Patched Versions: 3.5.12
Affected Versions: <= 3.5.11
Vulnerability Details:
Name: Ultimate Responsive Image Slider <= 3.5.11 – Missing Authorization via AJAX action
Title: Missing Authorization via AJAX action
Type: Missing Authorization
CVSS Score: 4.3 (Medium)…
