Filtered by vendor Wbolt
Subscribe
Total
5 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-6319 | 1 Wbolt | 1 Imgspider | 2024-11-21 | N/A | 8.8 HIGH |
The IMGspider plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload' function in all versions up to, and including, 2.3.10. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
CVE-2024-6318 | 1 Wbolt | 1 Imgspider | 2024-11-21 | N/A | 8.8 HIGH |
The IMGspider plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_img_file' function in all versions up to, and including, 2.3.10. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
CVE-2023-26531 | 1 Wbolt | 1 All-in-one Search Automatic Push Management | 2024-11-21 | N/A | 5.4 MEDIUM |
Cross-Site Request Forgery (CSRF) vulnerability in 闪电博 多合一搜索自动推送管理插件-支持Baidu/Google/Bing/IndexNow/Yandex/头条 allows Cross Site Request Forgery.This issue affects 多合一搜索自动推送管理插件-支持Baidu/Google/Bing/IndexNow/Yandex/头条: from n/a through 4.2.7. | |||||
CVE-2021-24976 | 1 Wbolt | 1 Smart Seo Tool | 2024-11-21 | 2.6 LOW | 6.1 MEDIUM |
The Smart SEO Tool WordPress plugin before 3.0.6 does not sanitise and escape the search parameter before outputting it back in an attribute when the TDK optimisation setting is enabled, leading to a Reflected Cross-Site Scripting | |||||
CVE-2021-24618 | 1 Wbolt | 1 Donate With Qrcode | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
The Donate With QRCode WordPress plugin before 1.4.5 does not sanitise or escape its QRCode Image setting, which result into a Stored Cross-Site Scripting (XSS). Furthermore, the plugin also does not have any CSRF and capability checks in place when saving such setting, allowing any authenticated user (as low as subscriber), or unauthenticated user via a CSRF vector to update them and perform such attack. |