Filtered by vendor Cm-wp
Subscribe
Total
9 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-13337 | 1 Cm-wp | 1 Clearfy | 2025-07-08 | N/A | 4.3 MEDIUM |
| The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.2. This is due to missing or incorrect nonce validation on the 'setup-wbcr_clearfy' page. This makes it possible for unauthenticated attackers to update the plugins settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-13338 | 1 Cm-wp | 1 Clearfy | 2025-07-08 | N/A | 5.3 MEDIUM |
| The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.1. This is due to missing or incorrect nonce validation on the wclearfy_cache_delete functionality . This makes it possible for unauthenticated attackers to clear the cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-10149 | 1 Cm-wp | 1 Social Slider Widget | 2025-06-09 | N/A | 4.8 MEDIUM |
| The Social Slider Feed WordPress plugin before 2.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-35751 | 1 Cm-wp | 1 Woody Code Snippets | 2024-11-21 | N/A | 5.9 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Creative Motion, Will Bontrager Software, LLC Woody ad snippets allows Stored XSS.This issue affects Woody ad snippets: from n/a through 2.4.10. | |||||
| CVE-2023-0477 | 1 Cm-wp | 1 Auto Featured Image | 2024-11-21 | N/A | 8.8 HIGH |
| The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.16 includes an AJAX endpoint that allows any user with at least Author privileges to upload arbitrary files, such as PHP files. This is caused by incorrect file extension validation. | |||||
| CVE-2022-2877 | 1 Cm-wp | 1 Titan Anti-spam \& Security | 2024-11-21 | N/A | 5.3 MEDIUM |
| The Titan Anti-spam & Security WordPress plugin before 7.3.1 does not properly checks HTTP headers in order to validate the origin IP address, allowing threat actors to bypass it's block feature by spoofing the headers. | |||||
| CVE-2021-24932 | 1 Cm-wp | 1 Auto Featured Image | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.3 does not sanitise and escape the post_id parameter before outputting back in an admin page within a JS block, leading to a Reflected Cross-Site Scripting issue. | |||||
| CVE-2021-24196 | 1 Cm-wp | 1 Social Slider Widget | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Social Slider Widget WordPress plugin before 1.8.5 allowed Authenticated Reflected XSS in the plugin settings page as the ‘token_error’ parameter can be controlled by users and it is directly echoed without being sanitized | |||||
| CVE-2020-36759 | 1 Cm-wp | 1 Woody Code Snippets | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Woody code snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.9. This is due to missing or incorrect nonce validation on the runActions() function. This makes it possible for unauthenticated attackers to activate and deactivate snippets via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||