Filtered by vendor Automattic
Subscribe
Total
28 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24374 | 1 Automattic | 1 Jetpack | 2023-02-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Jetpack Carousel module of the JetPack WordPress plugin before 9.8 allows users to create a "carousel" type image gallery and allows users to comment on the images. A security vulnerability was found within the Jetpack Carousel module by nguyenhg_vcs that allowed the comments of non-published page/posts to be leaked. | |||||
| CVE-2022-4497 | 1 Automattic | 1 Jetpack Crm | 2023-01-12 | N/A | 5.4 MEDIUM |
| The Jetpack CRM WordPress plugin before 5.5 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins | |||||
| CVE-2022-3919 | 1 Automattic | 1 Jetpack Crm | 2022-12-14 | N/A | 4.8 MEDIUM |
| The Jetpack CRM WordPress plugin before 5.4.3 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-45069 | 1 Automattic | 1 Crowdsignal Dashboard | 2022-11-18 | N/A | 8.8 HIGH |
| Auth. (contributor+) Privilege Escalation vulnerability in Crowdsignal Dashboard plugin <= 3.0.9 on WordPress. | |||||
| CVE-2022-2080 | 1 Automattic | 1 Sensei Lms | 2022-08-31 | N/A | 4.3 MEDIUM |
| The Sensei LMS WordPress plugin before 4.5.2 does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversation via a IDOR attack. Note: Attackers are not able to see responses/messages between the teacher and student | |||||
| CVE-2022-2034 | 1 Automattic | 1 Sensei Lms | 2022-08-31 | N/A | 5.3 MEDIUM |
| The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set in one of its REST endpoint, allowing unauthenticated users to access private messages sent to teachers | |||||
| CVE-2022-2386 | 1 Automattic | 1 Crowdsignal Dashboard | 2022-08-12 | N/A | 6.1 MEDIUM |
| The Crowdsignal Dashboard WordPress plugin before 3.0.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2021-24312 | 1 Automattic | 1 Wp Super Cache | 2022-07-29 | 6.5 MEDIUM | 7.2 HIGH |
| The parameters $cache_path, $wp_cache_debug_ip, $wp_super_cache_front_page_text, $cache_scheduled_time, $cached_direct_pages used in the settings of WP Super Cache WordPress plugin before 1.7.3 result in RCE because they allow input of '$' and '\n'. This is due to an incomplete fix of CVE-2021-24209. | |||||
| CVE-2017-20086 | 1 Automattic | 1 Vaultpress | 2022-06-29 | 6.0 MEDIUM | 7.5 HIGH |
| A vulnerability, which was classified as critical, was found in VaultPress Plugin 1.8.4. This affects an unknown part. The manipulation leads to code injection. It is possible to initiate the attack remotely. | |||||
| CVE-2021-32789 | 1 Automattic | 1 Woocommerce Blocks | 2021-08-05 | 5.0 MEDIUM | 7.5 HIGH |
| woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16. Via a carefully crafted URL, an exploit can be executed against the `wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]` endpoint that allows the execution of a read only sql query. There are patches for many versions of this package, starting with version 2.5.16. There are no known workarounds aside from upgrading. | |||||
| CVE-2021-24329 | 1 Automattic | 1 Wp Super Cache | 2021-06-10 | 3.5 LOW | 5.4 MEDIUM |
| The WP Super Cache WordPress plugin before 1.7.3 did not properly sanitise its wp_cache_location parameter in its settings, which could lead to a Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24209 | 1 Automattic | 1 Wp Super Cache | 2021-05-04 | 9.0 HIGH | 7.2 HIGH |
| The WP Super Cache WordPress plugin before 1.7.2 was affected by an authenticated (admin+) RCE in the settings page due to input validation failure and weak $cache_path check in the WP Super Cache Settings -> Cache Location option. Direct access to the wp-cache-config.php file is not prohibited, so this vulnerability can be exploited for a web shell injection. | |||||
| CVE-2020-8215 | 1 Automattic | 1 Canvas | 2020-07-23 | 6.8 MEDIUM | 8.8 HIGH |
| A buffer overflow is present in canvas version <= 1.6.9, which could lead to a Denial of Service or execution of arbitrary code when it processes a user-provided image. | |||||
| CVE-2013-2010 | 2 Automattic, Boldgrid | 2 Wp Super Cache, W3 Total Cache | 2020-02-14 | 7.5 HIGH | 9.8 CRITICAL |
| WordPress W3 Total Cache Plugin 0.9.2.8 has a Remote PHP Code Execution Vulnerability | |||||
| CVE-2013-2009 | 1 Automattic | 1 Wp Super Cache | 2020-02-10 | 6.8 MEDIUM | 8.8 HIGH |
| WordPress WP Super Cache Plugin 1.2 has Remote PHP Code Execution | |||||
| CVE-2013-2008 | 1 Automattic | 1 Wp Super Cache | 2020-02-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| WordPress Super Cache Plugin 1.3 has XSS. | |||||
| CVE-2013-2011 | 1 Automattic | 1 W3 Super Cache | 2020-01-02 | 6.8 MEDIUM | 8.8 HIGH |
| WordPress W3 Super Cache Plugin before 1.3.2 contains a PHP code-execution vulnerability which could allow remote attackers to inject arbitrary code. This issue exists because of an incomplete fix for CVE-2013-2009. | |||||
| CVE-2015-9359 | 1 Automattic | 1 Jetpack | 2019-08-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Jetpack plugin before 3.4.3 for WordPress has XSS via add_query_arg() and remove_query_arg(). | |||||
| CVE-2015-9357 | 1 Automattic | 1 Akismet | 2019-08-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| The akismet plugin before 3.1.5 for WordPress has XSS. | |||||
| CVE-2016-10763 | 1 Automattic | 1 Camptix Event Ticketing | 2019-07-18 | 3.5 LOW | 4.8 MEDIUM |
| The CampTix Event Ticketing plugin before 1.5 for WordPress allows XSS in the admin section via a ticket title or body. | |||||