Search criteria
9 vulnerabilities by Webcraftic
CVE-2025-53254 (GCVE-0-2025-53254)
Vulnerability from cvelistv5 – Published: 2025-06-27 13:21 – Updated: 2025-06-27 14:45
VLAI?
Title
WordPress Cyrlitera plugin <= 1.2.0 - Cross Site Request Forgery (CSRF) Vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in webcraftic Cyrlitera allows Cross Site Request Forgery. This issue affects Cyrlitera: from n/a through 1.2.0.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| webcraftic | Cyrlitera |
Affected:
n/a , ≤ 1.2.0
(custom)
|
Credits
Trương Hữu Phúc (truonghuuphuc) (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53254",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-27T14:36:46.664276Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-27T14:45:55.443Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cyrlitera",
"product": "Cyrlitera",
"vendor": "webcraftic",
"versions": [
{
"lessThanOrEqual": "1.2.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCross-Site Request Forgery (CSRF) vulnerability in webcraftic Cyrlitera allows Cross Site Request Forgery.\u003c/p\u003e\u003cp\u003eThis issue affects Cyrlitera: from n/a through 1.2.0.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in webcraftic Cyrlitera allows Cross Site Request Forgery. This issue affects Cyrlitera: from n/a through 1.2.0."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-27T13:21:03.851Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/cyrlitera/vulnerability/wordpress-cyrlitera-plugin-1-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Cyrlitera plugin \u003c= 1.2.0 - Cross Site Request Forgery (CSRF) Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-53254",
"datePublished": "2025-06-27T13:21:03.851Z",
"dateReserved": "2025-06-27T11:58:24.740Z",
"dateUpdated": "2025-06-27T14:45:55.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3105 (GCVE-0-2024-3105)
Vulnerability from cvelistv5 – Published: 2024-06-15 08:42 – Updated: 2024-08-09 20:09
VLAI?
Title
Woody code snippets – Insert Header Footer Code, AdSense Ads <= 2.5.0 -Authenticated (Contributor+) Remote Code Execution
Summary
The Woody code snippets – Insert Header Footer Code, AdSense Ads plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.5.0 via the 'insert_php' shortcode. This is due to the plugin not restricting the usage of the functionality to high level authorized users. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server.
Severity ?
9.9 (Critical)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| webcraftic | Woody code snippets – Insert Header Footer Code, AdSense Ads |
Affected:
* , ≤ 2.5.0
(semver)
|
Credits
Craig Smith
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:32:42.588Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/134ad095-b0a0-4f0f-832d-3e558d4a250a?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/insert-php/trunk/includes/class.plugin.php#L166"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/insert-php/trunk/includes/shortcodes/shortcode-insert-php.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3102522%40insert-php\u0026new=3102522%40insert-php\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:webcraftic:woody_ad_snippets:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "woody_ad_snippets",
"vendor": "webcraftic",
"versions": [
{
"lessThanOrEqual": "2.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3105",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-09T19:57:07.267327Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T20:09:19.278Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Woody code snippets \u2013 Insert Header Footer Code, AdSense Ads",
"vendor": "webcraftic",
"versions": [
{
"lessThanOrEqual": "2.5.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Craig Smith"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Woody code snippets \u2013 Insert Header Footer Code, AdSense Ads plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.5.0 via the \u0027insert_php\u0027 shortcode. This is due to the plugin not restricting the usage of the functionality to high level authorized users. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-15T08:42:14.653Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/134ad095-b0a0-4f0f-832d-3e558d4a250a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/insert-php/trunk/includes/class.plugin.php#L166"
},
{
"url": "https://plugins.trac.wordpress.org/browser/insert-php/trunk/includes/shortcodes/shortcode-insert-php.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3102522%40insert-php\u0026new=3102522%40insert-php\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-14T20:26:37.000+00:00",
"value": "Disclosed"
}
],
"title": "Woody code snippets \u2013 Insert Header Footer Code, AdSense Ads \u003c= 2.5.0 -Authenticated (Contributor+) Remote Code Execution"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-3105",
"datePublished": "2024-06-15T08:42:14.653Z",
"dateReserved": "2024-03-29T19:14:03.962Z",
"dateUpdated": "2024-08-09T20:09:19.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-48335 (GCVE-0-2023-48335)
Vulnerability from cvelistv5 – Published: 2024-06-04 10:40 – Updated: 2024-08-02 21:23
VLAI?
Title
WordPress Hide login page plugin <= 1.1.9 - Secret Login Page Location Disclosure on Multisites vulnerability
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Webcraftic Hide login page allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Hide login page: from n/a through 1.1.9.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Webcraftic | Hide login page |
Affected:
n/a , ≤ 1.1.9
(custom)
|
Credits
Naveen Muthusamy (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-48335",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-16T19:23:12.219027Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-16T19:23:19.640Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:23:39.508Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/hide-login-page/wordpress-hide-login-page-plugin-1-1-7-secret-login-page-location-disclosure-on-multisites-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "hide-login-page",
"product": "Hide login page",
"vendor": "Webcraftic",
"versions": [
{
"lessThanOrEqual": "1.1.9",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Naveen Muthusamy (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Webcraftic Hide login page allows Accessing Functionality Not Properly Constrained by ACLs.\u003cp\u003eThis issue affects Hide login page: from n/a through 1.1.9.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Webcraftic Hide login page allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Hide login page: from n/a through 1.1.9."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T10:40:17.913Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/hide-login-page/wordpress-hide-login-page-plugin-1-1-7-secret-login-page-location-disclosure-on-multisites-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Hide login page plugin \u003c= 1.1.9 - Secret Login Page Location Disclosure on Multisites vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-48335",
"datePublished": "2024-06-04T10:40:17.913Z",
"dateReserved": "2023-11-14T21:42:37.033Z",
"dateUpdated": "2024-08-02T21:23:39.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36759 (GCVE-0-2020-36759)
Vulnerability from cvelistv5 – Published: 2023-10-20 07:29 – Updated: 2024-09-11 15:54
VLAI?
Summary
The Woody code snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.9. This is due to missing or incorrect nonce validation on the runActions() function. This makes it possible for unauthenticated attackers to activate and deactivate snippets via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity ?
4.3 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| webcraftic | Woody code snippets – Insert Header Footer Code, AdSense Ads |
Affected:
* , < 2.3.10
(semver)
|
Credits
Jerome Bruandet
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:37:07.174Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e573c0a4-d053-400b-828c-0d0eca880776?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2368332%40insert-php\u0026new=2368332%40insert-php\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-36759",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T15:24:07.043275Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T15:54:48.632Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Woody code snippets \u2013 Insert Header Footer Code, AdSense Ads",
"vendor": "webcraftic",
"versions": [
{
"lessThan": "2.3.10",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jerome Bruandet"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Woody code snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.9. This is due to missing or incorrect nonce validation on the runActions() function. This makes it possible for unauthenticated attackers to activate and deactivate snippets via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-20T07:29:36.978Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e573c0a4-d053-400b-828c-0d0eca880776?source=cve"
},
{
"url": "https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/"
},
{
"url": "https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/"
},
{
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/"
},
{
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/"
},
{
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/"
},
{
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/"
},
{
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2368332%40insert-php\u0026new=2368332%40insert-php\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2020-09-16T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2020-36759",
"datePublished": "2023-10-20T07:29:36.978Z",
"dateReserved": "2023-07-11T18:41:53.975Z",
"dateUpdated": "2024-09-11T15:54:48.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16289 (GCVE-0-2019-16289)
Vulnerability from cvelistv5 – Published: 2019-09-13 14:58 – Updated: 2024-08-05 01:10
VLAI?
Summary
The insert-php (aka Woody ad snippets) plugin before 2.2.8 for WordPress allows authenticated XSS via the winp_item parameter.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:10:41.718Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/insert-php/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://generaleg0x01.com/2019/09/13/xss-woody/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpvulndb.com/vulnerabilities/9880"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The insert-php (aka Woody ad snippets) plugin before 2.2.8 for WordPress allows authenticated XSS via the winp_item parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-14T20:06:08",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/insert-php/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://generaleg0x01.com/2019/09/13/xss-woody/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpvulndb.com/vulnerabilities/9880"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16289",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The insert-php (aka Woody ad snippets) plugin before 2.2.8 for WordPress allows authenticated XSS via the winp_item parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/insert-php/#developers",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/insert-php/#developers"
},
{
"name": "https://generaleg0x01.com/2019/09/13/xss-woody/",
"refsource": "MISC",
"url": "https://generaleg0x01.com/2019/09/13/xss-woody/"
},
{
"name": "https://wpvulndb.com/vulnerabilities/9880",
"refsource": "MISC",
"url": "https://wpvulndb.com/vulnerabilities/9880"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16289",
"datePublished": "2019-09-13T14:58:03",
"dateReserved": "2019-09-13T00:00:00",
"dateUpdated": "2024-08-05T01:10:41.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15858 (GCVE-0-2019-15858)
Vulnerability from cvelistv5 – Published: 2019-09-03 06:14 – Updated: 2024-08-05 01:03
VLAI?
Summary
admin/includes/class.import.snippet.php in the "Woody ad snippets" plugin before 2.2.5 for WordPress allows unauthenticated options import, as demonstrated by storing an XSS payload for remote code execution.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:03:32.325Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpvulndb.com/vulnerabilities/9490"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.nintechnet.com/multiple-vulnerabilities-in-wordpress-woody-ad-snippets-plugin-lead-to-remote-code-execution/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "admin/includes/class.import.snippet.php in the \"Woody ad snippets\" plugin before 2.2.5 for WordPress allows unauthenticated options import, as demonstrated by storing an XSS payload for remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-04T11:06:06",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpvulndb.com/vulnerabilities/9490"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.nintechnet.com/multiple-vulnerabilities-in-wordpress-woody-ad-snippets-plugin-lead-to-remote-code-execution/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-15858",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "admin/includes/class.import.snippet.php in the \"Woody ad snippets\" plugin before 2.2.5 for WordPress allows unauthenticated options import, as demonstrated by storing an XSS payload for remote code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpvulndb.com/vulnerabilities/9490",
"refsource": "MISC",
"url": "https://wpvulndb.com/vulnerabilities/9490"
},
{
"name": "https://blog.nintechnet.com/multiple-vulnerabilities-in-wordpress-woody-ad-snippets-plugin-lead-to-remote-code-execution/",
"refsource": "MISC",
"url": "https://blog.nintechnet.com/multiple-vulnerabilities-in-wordpress-woody-ad-snippets-plugin-lead-to-remote-code-execution/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-15858",
"datePublished": "2019-09-03T06:14:03",
"dateReserved": "2019-09-03T00:00:00",
"dateUpdated": "2024-08-05T01:03:32.325Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15818 (GCVE-0-2019-15818)
Vulnerability from cvelistv5 – Published: 2019-08-30 12:32 – Updated: 2024-08-05 00:56
VLAI?
Summary
The simple-301-redirects-addon-bulk-uploader plugin through 1.2.4 for WordPress has no requirement for authentication for action=bulk301export or action=bulk301clearlist.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:56:22.482Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpvulndb.com/vulnerabilities/9503"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.nintechnet.com/unauthenticated-option-changes-in-wordpress-simple-301-redirects-addon-bulk-uploader-plugin/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The simple-301-redirects-addon-bulk-uploader plugin through 1.2.4 for WordPress has no requirement for authentication for action=bulk301export or action=bulk301clearlist."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-31T07:06:09",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpvulndb.com/vulnerabilities/9503"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.nintechnet.com/unauthenticated-option-changes-in-wordpress-simple-301-redirects-addon-bulk-uploader-plugin/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-15818",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The simple-301-redirects-addon-bulk-uploader plugin through 1.2.4 for WordPress has no requirement for authentication for action=bulk301export or action=bulk301clearlist."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpvulndb.com/vulnerabilities/9503",
"refsource": "MISC",
"url": "https://wpvulndb.com/vulnerabilities/9503"
},
{
"name": "https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/#developers",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/#developers"
},
{
"name": "https://blog.nintechnet.com/unauthenticated-option-changes-in-wordpress-simple-301-redirects-addon-bulk-uploader-plugin/",
"refsource": "MISC",
"url": "https://blog.nintechnet.com/unauthenticated-option-changes-in-wordpress-simple-301-redirects-addon-bulk-uploader-plugin/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-15818",
"datePublished": "2019-08-30T12:32:43",
"dateReserved": "2019-08-29T00:00:00",
"dateUpdated": "2024-08-05T00:56:22.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15776 (GCVE-0-2019-15776)
Vulnerability from cvelistv5 – Published: 2019-08-29 11:45 – Updated: 2024-08-05 00:56
VLAI?
Summary
The simple-301-redirects-addon-bulk-uploader plugin before 1.2.5 for WordPress has no protection against 301 redirect rule injection via a CSV file.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:56:22.395Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpvulndb.com/vulnerabilities/9503"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://threatpost.com/wordpress-plugins-exploited-in-ongoing-attack-researchers-warn/147671/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/#developers"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The simple-301-redirects-addon-bulk-uploader plugin before 1.2.5 for WordPress has no protection against 301 redirect rule injection via a CSV file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-30T06:06:05",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpvulndb.com/vulnerabilities/9503"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://threatpost.com/wordpress-plugins-exploited-in-ongoing-attack-researchers-warn/147671/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/#developers"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-15776",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The simple-301-redirects-addon-bulk-uploader plugin before 1.2.5 for WordPress has no protection against 301 redirect rule injection via a CSV file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpvulndb.com/vulnerabilities/9503",
"refsource": "MISC",
"url": "https://wpvulndb.com/vulnerabilities/9503"
},
{
"name": "https://threatpost.com/wordpress-plugins-exploited-in-ongoing-attack-researchers-warn/147671/",
"refsource": "MISC",
"url": "https://threatpost.com/wordpress-plugins-exploited-in-ongoing-attack-researchers-warn/147671/"
},
{
"name": "https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/#developers",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/#developers"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-15776",
"datePublished": "2019-08-29T11:45:31",
"dateReserved": "2019-08-29T00:00:00",
"dateUpdated": "2024-08-05T00:56:22.395Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-14773 (GCVE-0-2019-14773)
Vulnerability from cvelistv5 – Published: 2019-08-08 19:49 – Updated: 2024-08-05 00:26
VLAI?
Summary
admin/includes/class.actions.snippet.php in the "Woody ad snippets" plugin through 2.2.5 for WordPress allows wp-admin/admin-post.php?action=close&post= deletion.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:26:38.880Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.pluginvulnerabilities.com/2019/08/01/post-deletion-vulnerability-in-woody-ad-snippets/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/insert-php/#developers"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "admin/includes/class.actions.snippet.php in the \"Woody ad snippets\" plugin through 2.2.5 for WordPress allows wp-admin/admin-post.php?action=close\u0026post= deletion."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-08T19:49:04",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.pluginvulnerabilities.com/2019/08/01/post-deletion-vulnerability-in-woody-ad-snippets/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/insert-php/#developers"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-14773",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "admin/includes/class.actions.snippet.php in the \"Woody ad snippets\" plugin through 2.2.5 for WordPress allows wp-admin/admin-post.php?action=close\u0026post= deletion."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.pluginvulnerabilities.com/2019/08/01/post-deletion-vulnerability-in-woody-ad-snippets/",
"refsource": "MISC",
"url": "https://www.pluginvulnerabilities.com/2019/08/01/post-deletion-vulnerability-in-woody-ad-snippets/"
},
{
"name": "https://wordpress.org/plugins/insert-php/#developers",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/insert-php/#developers"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-14773",
"datePublished": "2019-08-08T19:49:04",
"dateReserved": "2019-08-07T00:00:00",
"dateUpdated": "2024-08-05T00:26:38.880Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}