Photo Gallery by 10Web – Mobile-Friendly Image Gallery Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Zipped SVG & Path Traversal via esc_dir Function – CVE-2024-5426, CVE-2024-5481 | WordPress Plugin Vulnerability Report

Plugin Name: Photo Gallery by 10Web – Mobile-Friendly Image Gallery Key Information: Software Type: Plugin Software Slug: photo-gallery Software Status: Active Software Author: 10Web Software Downloads: 18,052,863 Active Installs: 200,000 Last Updated: June 19, 2024 Patched Versions: 1.8.24 Affected Versions: <= 1.8.23 Vulnerability 1 Details: Name: Photo Gallery by 10Web – Mobile-Friendly Image Gallery <=…

Read More

Click to Chat Vulnerability – HoliThemes – Authenticated (Contributor+) Local File Inclusion – CVE-2024-3849 |WordPress Plugin Vulnerability Report 

Plugin Name: Click to Chat – HoliThemes Key Information: Software Type: Plugin Software Slug: click-to-chat-for-whatsapp Software Status: Active Software Author: holithemes Software Downloads: 11,311,845 Active Installs: 500,000 Last Updated: May 2, 2024 Patched Versions: 4.0 Affected Versions: <= 3.35 Vulnerability Details: Name: Click to Chat – HoliThemes <= 3.35 Title: Authenticated (Contributor+) Local File Inclusion…

Read More

List category posts Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-1051 | WordPress Plugin Vulnerability Report

Plugin Name: List category posts Key Information: Software Type: Plugin Software Slug: list-category-posts Software Status: Active Software Author: fernandobt Software Downloads: 3,812,968 Active Installs: 100,000 Last Updated: March 29, 2024 Patched Versions: 0.89.7 Affected Versions: <= 0.89.6 Vulnerability Details: Name: List category posts <= 0.89.6 – Authenticated (Contributor+) Stored Cross-Site Scripting Type: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) CVE: CVE-2024-1051 CVSS Score: 6.4 (Medium)…

Read More

Advanced Database Cleaner Vulnerability – Authenticated(Administrator+) PHP Object Injection via process_bulk_action – CVE-2024-0668 | WordPress Plugin Vulnerability Report

Plugin Name: Advanced Database Cleaner Key Information: Software Type: Plugin Software Slug: advanced-database-cleaner Software Status: Active Software Author: symptote Software Downloads: 1,283,477 Active Installs: 100,000 Last Updated: January 24, 2024 Patched Versions: 3.1.4 Affected Versions: <= 3.1.3 Vulnerability Details: Name: Advanced Database Cleaner <= 3.1.3 – Authenticated(Administrator+) PHP Object Injection via process_bulk_action Title: Authenticated(Administrator+) PHP Object Injection via process_bulk_action Type: Deserialization of Untrusted Data CVE: CVE-2024-0668 CVSS Score: 6.6…

Read More

Advanced Woo Search Vulnerability – Reflected Cross-Site Scripting – CVE-2024-0251 | WordPress Plugin Vulnerability Report

Plugin Name: Advanced Woo Search Key Information: Software Type: Plugin Software Slug: advanced-woo-search Software Status: Active Software Author: mihail-barinov Software Downloads: 3,318,679 Active Installs: 70,000 Last Updated: January 12, 2024 Patched Versions: 2.97 Affected Versions: <= 2.96 Vulnerability Details: Name: Advanced Woo Search <= 2.96 Title: Reflected Cross-Site Scripting Type: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE: CVE-2024-0251 CVSS Score:…

Read More

WordPress Plugin Vulnerability Report – Shortcodes Ultimate – Authenticated (Contributor+) Stored Cross-Site Scripting & Insecure Direct Object Reference to Information Disclosure – CVE-2023-6225 & CVE-2023-6226

Plugin Name: Shortcodes Ultimate Key Information: Software Type: Plugin Software Slug: shortcodes-ultimate Software Status: Active Software Author: gn_themes Software Downloads: 17,874,399 Active Installs: 600,000 Last Updated: November 27, 2023 Patched Versions: 7.0.0 Affected Versions: <= 5.13.3 Vulnerability 1 Details: Name: WP Shortcodes Plugin — Shortcodes Ultimate <= 5.13.3 – Authenticated (Contributor+) Stored Cross-Site Scripting Title: Authenticated (Contributor+) Stored Cross-Site Scripting Type: Improper Neutralization of Input During Web…

Read More

WordPress Plugin Vulnerability Report – Paid Memberships Pro – Authenticated (Subscriber+) Arbitrary File Upload – CVE-2023-6187

Plugin Name: Paid Memberships Pro Key Information: Software Type: Plugin Software Slug: paid-memberships-pro Software Status: Active Software Author: strangerstudios Software Downloads: 5,334,391 Active Installs: 90,000 Last Updated: November 16, 2023 Patched Versions: 2.12.4 Affected Versions: <= 2.12.3 Vulnerability Details: Name: Paid Memberships Pro <= 2.12.3 – Authenticated (Subscriber+) Arbitrary File Upload Title: Authenticated (Subscriber+) Arbitrary File Upload Type: Unrestricted Upload of File with Dangerous Type CVE: CVE-2023-6187 CVSS…

Read More

WordPress Plugin Vulnerability Report – WP Customer Reviews – Authenticated (Subscriber+) Sensitive Information Exposure – CVE-2023-4686

Plugin Name: WP Customer Reviews Key Information: Software Type: Plugin Software Slug: wp-customer-reviews Software Status: Active Software Author: bompus Software Downloads: 1,108,443 Active Installs: 30,000 Last Updated: October 31, 2023 Patched Versions: No Patched Version Affected Versions: <= 3.6.8 Vulnerability Details: Name: WP Customer Reviews <= 3.6.8 – Authenticated (Subscriber+) Sensitive Information Exposure Title: Authenticated (Subscriber+) Sensitive Information Exposure Type: Missing Authorization CVE: CVE-2023-4686 CVSS Score: 4.3 (Medium) Publicly…

Read More

WordPress Plugin Vulnerability Report – Booster for WooCommerce – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode – CVE-2023-5638

Plugin Name: Booster for WooCommerce Key Information: Software Type: Plugin Software Slug: woocommerce-jetpack Software Status: Active Software Author: pluggabl Software Downloads: 3,411,990 Active Installs: 60,000 Last Updated: October 18, 2023 Patched Versions: 7.1.3 Affected Versions: <=7.1.2 Vulnerability Details: Name: Booster for WooCommerce <= 7.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Type: Improper Neutralization…

Read More