Filtered by vendor Automattic
Subscribe
Total
49 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-28121 | 1 Automattic | 2 Woocommerce Payments, Woopayments | 2024-02-04 | N/A | 9.8 CRITICAL |
| An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated. | |||||
| CVE-2023-2996 | 1 Automattic | 1 Jetpack | 2024-02-04 | N/A | 8.8 HIGH |
| The Jetpack WordPress plugin before 12.1.1 does not validate uploaded files, allowing users with author roles or above to manipulate existing files on the site, deleting arbitrary files, and in rare cases achieve Remote Code Execution via phar deserialization. | |||||
| CVE-2023-27429 | 1 Automattic | 1 Jetpack Crm | 2024-02-04 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Automattic - Jetpack CRM team Jetpack CRM plugin <= 5.4.4 versions. | |||||
| CVE-2022-45069 | 1 Automattic | 1 Crowdsignal Dashboard | 2024-02-04 | N/A | 8.8 HIGH |
| Auth. (contributor+) Privilege Escalation vulnerability in Crowdsignal Dashboard plugin <= 3.0.9 on WordPress. | |||||
| CVE-2022-3919 | 1 Automattic | 1 Jetpack Crm | 2024-02-04 | N/A | 4.8 MEDIUM |
| The Jetpack CRM WordPress plugin before 5.4.3 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-2386 | 1 Automattic | 1 Crowdsignal Dashboard | 2024-02-04 | N/A | 6.1 MEDIUM |
| The Crowdsignal Dashboard WordPress plugin before 3.0.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-2080 | 1 Automattic | 1 Sensei Lms | 2024-02-04 | N/A | 4.3 MEDIUM |
| The Sensei LMS WordPress plugin before 4.5.2 does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversation via a IDOR attack. Note: Attackers are not able to see responses/messages between the teacher and student | |||||
| CVE-2022-2034 | 1 Automattic | 1 Sensei Lms | 2024-02-04 | N/A | 5.3 MEDIUM |
| The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set in one of its REST endpoint, allowing unauthenticated users to access private messages sent to teachers | |||||
| CVE-2017-20086 | 1 Automattic | 1 Vaultpress | 2024-02-04 | 6.0 MEDIUM | 7.5 HIGH |
| A vulnerability, which was classified as critical, was found in VaultPress Plugin 1.8.4. This affects an unknown part. The manipulation leads to code injection. It is possible to initiate the attack remotely. | |||||
| CVE-2021-24209 | 1 Automattic | 1 Wp Super Cache | 2024-02-04 | 9.0 HIGH | 7.2 HIGH |
| The WP Super Cache WordPress plugin before 1.7.2 was affected by an authenticated (admin+) RCE in the settings page due to input validation failure and weak $cache_path check in the WP Super Cache Settings -> Cache Location option. Direct access to the wp-cache-config.php file is not prohibited, so this vulnerability can be exploited for a web shell injection. | |||||
| CVE-2021-24329 | 1 Automattic | 1 Wp Super Cache | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
| The WP Super Cache WordPress plugin before 1.7.3 did not properly sanitise its wp_cache_location parameter in its settings, which could lead to a Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24374 | 1 Automattic | 1 Jetpack | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Jetpack Carousel module of the JetPack WordPress plugin before 9.8 allows users to create a "carousel" type image gallery and allows users to comment on the images. A security vulnerability was found within the Jetpack Carousel module by nguyenhg_vcs that allowed the comments of non-published page/posts to be leaked. | |||||
| CVE-2021-32789 | 1 Automattic | 1 Woocommerce Blocks | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16. Via a carefully crafted URL, an exploit can be executed against the `wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]` endpoint that allows the execution of a read only sql query. There are patches for many versions of this package, starting with version 2.5.16. There are no known workarounds aside from upgrading. | |||||
| CVE-2021-24312 | 1 Automattic | 1 Wp Super Cache | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH |
| The parameters $cache_path, $wp_cache_debug_ip, $wp_super_cache_front_page_text, $cache_scheduled_time, $cached_direct_pages used in the settings of WP Super Cache WordPress plugin before 1.7.3 result in RCE because they allow input of '$' and '\n'. This is due to an incomplete fix of CVE-2021-24209. | |||||
| CVE-2020-8215 | 1 Automattic | 1 Canvas | 2024-02-04 | 6.8 MEDIUM | 8.8 HIGH |
| A buffer overflow is present in canvas version <= 1.6.9, which could lead to a Denial of Service or execution of arbitrary code when it processes a user-provided image. | |||||
| CVE-2013-2009 | 1 Automattic | 1 Wp Super Cache | 2024-02-04 | 6.8 MEDIUM | 8.8 HIGH |
| WordPress WP Super Cache Plugin 1.2 has Remote PHP Code Execution | |||||
| CVE-2013-2011 | 1 Automattic | 1 W3 Super Cache | 2024-02-04 | 6.8 MEDIUM | 8.8 HIGH |
| WordPress W3 Super Cache Plugin before 1.3.2 contains a PHP code-execution vulnerability which could allow remote attackers to inject arbitrary code. This issue exists because of an incomplete fix for CVE-2013-2009. | |||||
| CVE-2013-2010 | 2 Automattic, Boldgrid | 2 Wp Super Cache, W3 Total Cache | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| WordPress W3 Total Cache Plugin 0.9.2.8 has a Remote PHP Code Execution Vulnerability | |||||
| CVE-2013-2008 | 1 Automattic | 1 Wp Super Cache | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| WordPress Super Cache Plugin 1.3 has XSS. | |||||
| CVE-2016-10763 | 1 Automattic | 1 Camptix Event Ticketing | 2024-02-04 | 3.5 LOW | 4.8 MEDIUM |
| The CampTix Event Ticketing plugin before 1.5 for WordPress allows XSS in the admin section via a ticket title or body. | |||||