
Explore Vulnerabilities


Explore all Exploits:

PZ Frontend Manager WordPress Plugin 1.0.5 – Cross Site Request Forgery (CSRF)

The PZ Frontend Manager WordPress Plugin version 1.0.5 and below is vulnerable to Cross Site Request Forgery (CSRF) attacks due to lack of CSRF checks in certain areas. This could allow malicious actors to manipulate logged in users into executing unintended actions.

WordPress User Registration & Membership Plugin <= 4.1.1 - Unauthenticated Privilege Escalation

The WordPress User Registration & Membership Plugin version 4.1.1 and below allows unauthenticated users to escalate privileges. An attacker can exploit this vulnerability to gain unauthorized access and perform malicious actions.

WordPress Depicter Plugin 3.6.1 – SQL Injection

The Slider & Popup Builder by Depicter plugin for WordPress up to version 3.6.1 is vulnerable to SQL Injection through the 's' parameter. Attackers can inject additional SQL queries to extract sensitive data from the database due to lack of proper input validation and escaping.

WordPress Core 6.2 – Directory Traversal

WordPress Core version 6.2 is vulnerable to a directory traversal attack. An attacker can manipulate input in a way that allows access to files outside of the intended directory, such as sensitive system files like /etc/passwd. This vulnerability is identified as CVE-2023-2745.

Kubio AI Page Builder <= 2.5.1 - Local File Inclusion (LFI)

The Kubio AI Page Builder plugin for WordPress version 2.5.1 and below is vulnerable to Local File Inclusion (LFI) in the `kubio_hybrid_theme_load_template` function. This allows unauthorized attackers to read arbitrary files through path traversal, potentially leading to Remote Code Execution (RCE) when combined with file upload capabilities.

KiviCare Clinic & Patient Management System (EHR) 3.6.4 – Unauthenticated SQL Injection

An unauthenticated SQL injection vulnerability was found in KiviCare Clinic & Patient Management System (EHR) version 3.6.4. The vulnerability exists in the tax_calculated_data AJAX action, where the visit_type[service_id] parameter is insufficiently escaped, allowing attackers to execute SQL injection attacks.

WordPress Plugin Background Image Cropper v1.2 – Remote Code Execution

The vulnerability in WordPress Plugin Background Image Cropper v1.2 allows remote attackers to execute arbitrary code on the target system. By uploading a malicious PHP file, an attacker can run commands on the server remotely. This vulnerability has a CVE ID pending assignment.

WordPress File Upload < 4.23.3 Stored XSS

A Stored Cross-Site Scripting (XSS) vulnerability exists in WordPress File Upload plugin version 4.23.3 and prior. By inserting a malicious shortcode in a post, an attacker can trigger an XSS attack when a file is uploaded, leading to potential script execution in the victim's browser. This vulnerability has been assigned CVE-2023-4811.

WordPress Plugin – Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated)

The vulnerability allows unauthenticated attackers to upload arbitrary files leading to remote code execution. An attacker can exploit this vulnerability by uploading a malicious file containing PHP code. This vulnerability has a CVE assigned: CVE-2024-XXXXX.
