WordPress

WordPress Plugin Vulnerability Report – LiteSpeed Cache – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode – CVE-2023-4372

By Your WP Guy / Oct 23, 2023

Plugin Name: LiteSpeed Cache Key Information: Software Type: Plugin Software Slug: litespeed-Cache Software Status: Active Software Author: litespeedtech Software Downloads: 52m564,430 Active Installs: 4,000,000 Last Updated: October 23, 2023 Patched Versions: 5.7 Affected Versions: <=5.6 Vulnerability Details: Name: LiteSpeed Cache <= 5.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Type: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) CVE: CVE-2023-4372 CVSS Score: 6.4 (Medium) Publicly…

WordPress Plugin Vulnerability Report – Simple Calendar – Cross-Site Request Forgery

By Your WP Guy / Oct 20, 2023

Plugin Name: Simple Calendar – Google Calendar Plugin Key Information: Software Type: Plugin Software Slug: google-calendar-events Software Status: Active Software Author: simplecalendar Software Downloads: 2,568,146 Active Installs: 60,000 Last Updated: October 20, 2023 Patched Versions: 3.2.5 Affected Versions: <3.2.5 Vulnerability Details: Name: Simple Calendar <= 3.2.4 – Cross-Site Request Forgery via duplicate_feed Title: Cross-Site Request…

WordPress Plugin Vulnerability Report – Booster for WooCommerce – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode – CVE-2023-5638

By Your WP Guy / Oct 18, 2023

Plugin Name: Booster for WooCommerce Key Information: Software Type: Plugin Software Slug: woocommerce-jetpack Software Status: Active Software Author: pluggabl Software Downloads: 3,411,990 Active Installs: 60,000 Last Updated: October 18, 2023 Patched Versions: 7.1.3 Affected Versions: <=7.1.2 Vulnerability Details: Name: Booster for WooCommerce <= 7.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Type: Improper Neutralization…

WordPress Plugin Vulnerability Report – WooCommerce Stripe Payment Gateway – Cross-Site Request Forgery

By Your WP Guy / Oct 17, 2023

Plugin Name: WooCommerce Stripe Payment Gateway Key Information: Software Type: Plugin Software Slug: woocommerce-gateway-stripe Software Status: Active Software Author: automattic Software Downloads: 28,425,774 Active Installs: 800,000 Last Updated: October 17, 2023 Patched Versions: 7.6.1 Affected Versions: <=7.6.0 Vulnerability Details: Name: Stripe Gateway <= 7.6.0 – Cross-Site Request Forgery Type: Cross-Site Request Forgery (CSRF) CVSS Score:…

WordPress Plugin Vulnerability Report – Social Media Share Buttons & Social Sharing Icons – Cross-Site Request Forgery – CVE-2023-5602 – Information Exposure – CVE-2023-5070

By Your WP Guy / Oct 16, 2023

Plugin Name: Social Media Share Buttons & Social Sharing Icons Key Information: Software Type: Plugin Software Slug: ultimate-social-media-icons Software Status: Active Software Author: socialdude Software Downloads: 10,654,500 Active Installs: 100,000 Last Updated: October 16, 2023 Patched Versions: 2.8.6 Affected Versions: <=2.8.5 Vulnerability 1 Details: Name: Social Media Share Buttons & Social Sharing Icons <= 2.8.5 – Cross-Site Request Forgery Type: Cross-Site…

WordPress Plugin Vulnerability Report – Embed Calendly – Authenticated Stored Cross-Site Scripting – CVE-2023-4995

By Your WP Guy / Oct 13, 2023

Plugin Name: Embed Calendly Key Information: Software Type: Plugin Software Slug: embed-calendly-scheduling Software Status: Active Software Author: turn2honey Software Downloads: 165,873 Active Installs: 20,000 Last Updated: October 13th, 2023 Patched Versions: 3.7 Affected Versions: <= 3.6 Vulnerability Details: Name: Embed Calendly <= 3.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVE: CVE-2023-4995…

WordPress Plugin Vulnerability Report – Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce – Authenticated Directory Traversal – CVE-2023-5414

By Your WP Guy / Oct 11, 2023

Plugin Name: Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce Key Information: Software Type: Plugin Software Slug: email-subscribers Software Status: Active Software Author: icegram Software Downloads: 9,788,187 Active Installs: 100,000 Last Updated: October 11, 2023 Patched Versions: 5.6.24 Affected Versions: <= 5.6.23 Vulnerability Details: Name: Icegram Express <= 5.6.23 – Authenticated (Administrator+) Directory Traversal to Arbitrary File Read Type: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVE: CVE-2023-5414 CVSS…

WordPress Plugin Vulnerability Report – WordPress Popular Posts – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

By Your WP Guy / Oct 6, 2023

Plugin Name: WordPress Popular Posts Key Information: Software Type: Plugin Software Slug: wordpress-popular-posts Software Status: Active Software Author: hcabrera Software Downloads: 7,045,880 Active Installs: 200,000 Last Updated: October 6, 2023 Patched Versions: <=6.3.2 Affected Versions: 6.3.3 Vulnerability Details: Name: WordPress Popular Posts <= 6.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Type: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)…

WordPress Plugin Vulnerability Report – Hotjar – Authenticated (Administrator+) Stored Cross-Site Scripting – CVE-2023-1259

By Your WP Guy / Oct 5, 2023

Plugin Name: Hotjar Key Information: Software Type: Plugin Software Slug: hotjar Software Status: Removed Software Author: hotjar Software Downloads: 868,850 Active Installs: 100,000 Last Updated: October 5, 2023 Patched Versions: Not yet patched Affected Versions: <=1.0.15 Vulnerability Details: Name: Hotjar <= 1.0.15 – Authenticated (Administrator+) Stored Cross-Site Scripting Type: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) CVE: CVE-2023-1259 CVSS Score: 4.4 (Medium)…