Last Vulnerabilities 2023-06-20-HIGH

Vuln ID: CVE-2022-47586

Published: 2023-06-19T12:15:09.340

Last modified: 2023-06-20T07:12:55.493

Description:
Unauth. SQL Injection (SQLi) vulnerability in Themefic Ultimate Addons for Contact Form 7 plugin <= 3.1.23 versions.

CVE ID: CVE-2022-47586

Source: audit@patchstack.com

CVSS score: 8.2

References:
- https://patchstack.com/database/vulnerability/ultimate-addons-for-contact-form-7/wordpress-ultimate-addons-for-contact-form-7-plugin-3-1-23-sql-injection?_s_id=cve (source: audit@patchstack.com)


Vuln ID: CVE-2022-46850

Published: 2023-06-19T13:15:09.493

Last modified: 2023-06-20T07:12:55.493

Description:
Auth. (author+) Broken Access Control vulnerability leading to Arbitrary File Deletion in Nabil Lemsieh Easy Media Replace plugin <= 0.1.3 versions.

CVE ID: CVE-2022-46850

Source: audit@patchstack.com

CVSS score: 8.7

References:
- https://patchstack.com/database/vulnerability/easy-media-replace/wordpress-easy-media-replace-plugin-0-1-3-arbitrary-file-deletion?_s_id=cve (source: audit@patchstack.com)


Vuln ID: CVE-2023-35772

Published: 2023-06-19T14:15:09.620

Last modified: 2023-06-20T07:12:55.493

Description:
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Alain Gonzalez Google Map Shortcode plugin <= 3.1.2 versions.

CVE ID: CVE-2023-35772

Source: audit@patchstack.com

CVSS score: 7.1

References:
- https://patchstack.com/database/vulnerability/google-map-shortcode/wordpress-google-map-shortcode-plugin-3-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve (source: audit@patchstack.com)


Vuln ID: CVE-2023-35775

Published: 2023-06-19T14:15:09.693

Last modified: 2023-06-20T07:12:55.493

Description:
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WP Backup Solutions WP Backup Manager plugin <= 1.13.1 versions.

CVE ID: CVE-2023-35775

Source: audit@patchstack.com

CVSS score: 7.1

References:
- https://patchstack.com/database/vulnerability/wp-backup-manager/wordpress-wp-backup-manager-plugin-1-13-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve (source: audit@patchstack.com)


Vuln ID: CVE-2023-3325

Published: 2023-06-20T05:15:09.170

Last modified: 2023-06-20T07:12:55.493

Description:
The CMS Commander plugin for WordPress is vulnerable to authorization bypass due to the use of an insufficiently unique cryptographic signature on the 'cmsc_add_site' function in versions up to, and including, 2.287. This makes it possible for unauthenticated attackers to change the '_cmsc_public_key' in the plugin config, providing access to the plugin's remote control functionalities, such as creating an admin access URL, which can be used for privilege escalation. This can only be exploited if the plugin has not been configured yet; however, if combined with another arbitrary plugin installation and activation vulnerability, the impact can be severe.

CVE ID: CVE-2023-3325

Source: security@wordfence.com

CVSS score: 8.1

References:
- https://plugins.trac.wordpress.org/browser/cms-commander-client/tags/2.287/init.php#L88 (source: security@wordfence.com)
- https://plugins.trac.wordpress.org/changeset/2927811/cms-commander-client (source: security@wordfence.com)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ca37d453-9f9a-46b2-a17f-65a16e3e2ed1?source=cve (source: security@wordfence.com)


Vuln ID: CVE-2023-35884

Published: 2023-06-20T07:15:08.993

Last modified: 2023-06-20T13:03:08.293

Description:
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in EventPrime plugin <= 3.0.5 versions.

CVE ID: CVE-2023-35884

Source: audit@patchstack.com

CVSS score: 7.1

References:
- https://patchstack.com/database/vulnerability/eventprime-event-calendar-management/wordpress-eventprime-plugin-3-0-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve (source: audit@patchstack.com)


Vuln ID: CVE-2023-26436

Published: 2023-06-20T08:15:09.607

Last modified: 2023-06-20T13:03:08.293

Description:
Attackers with access to the "documentconverterws" API were able to inject serialized Java objects that were not properly checked during deserialization. Access to this API endpoint is restricted to local networks by default. Arbitrary code could be injected that is executed when processing the request. A check has been introduced to restrict processing to legal and expected classes for this API. We now log a warning in case there are attempts to inject illegal classes. No publicly available exploits are known.

CVE ID: CVE-2023-26436

Source: security@open-xchange.com

CVSS score: 7.1

References:
- https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0002.json (source: security@open-xchange.com)
- https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf (source: security@open-xchange.com)


Vuln ID: CVE-2023-1862

Published: 2023-06-20T09:15:09.463

Last modified: 2023-06-20T13:03:08.293

Description:
Cloudflare WARP client for Windows (up to v2023.3.381.0) allowed a malicious actor to remotely access the warp-svc.exe binary due to an insufficient access control policy on an IPC Named Pipe. This would have enabled an attacker to trigger WARP connect and disconnect commands, as well as obtain network diagnostics and application configuration from the target's device. It is important to note that in order to exploit this, a set of requirements would need to be met, such as the target's device being reachable on port 445 and allowing authentication with NULL sessions, or the attacker otherwise having knowledge of the target's credentials.

CVE ID: CVE-2023-1862

Source: cna@cloudflare.com

CVSS score: 7.3

References:
- https://developers.cloudflare.com/warp-client/get-started/windows/ (source: cna@cloudflare.com)
- https://github.com/cloudflare/advisories/security/advisories/GHSA-q55r-53c8-5642 (source: cna@cloudflare.com)
- https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release (source: cna@cloudflare.com)


Vuln ID: CVE-2023-35097

Published: 2023-06-20T10:15:09.657

Last modified: 2023-06-20T13:03:08.293

Description:
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Internet Marketing Dojo WP Affiliate Links plugin <= 0.1.1 versions.

CVE ID: CVE-2023-35097

Source: audit@patchstack.com

CVSS score: 7.1

References:
- https://patchstack.com/database/vulnerability/wp-affiliate-links/wordpress-wp-affiliate-links-plugin-0-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve (source: audit@patchstack.com)


Vuln ID: CVE-2023-35098

Published: 2023-06-20T10:15:09.737

Last modified: 2023-06-20T13:03:08.293

Description:
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in John Brien WordPress NextGen GalleryView plugin <= 0.5.5 versions.

CVE ID: CVE-2023-35098

Source: audit@patchstack.com

CVSS score: 7.1

References:
- https://patchstack.com/database/vulnerability/wordpress-nextgen-galleryview/wordpress-wordpress-nextgen-galleryview-plugin-0-5-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve (source: audit@patchstack.com)


Vuln ID: CVE-2023-3337

Published: 2023-06-20T12:15:09.743

Last modified: 2023-06-20T13:03:08.293

Description:
A vulnerability was found in PuneethReddyHC Online Shopping System Advanced 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/reg.php of the component Admin Registration. The manipulation leads to improper authentication. The attack can be launched remotely. The identifier VDB-232009 was assigned to this vulnerability.

CVE ID: CVE-2023-3337

Source: cna@vuldb.com

CVSS score: 7.3

References:
- https://vuldb.com/?ctiid.232009 (source: cna@vuldb.com)
- https://vuldb.com/?id.232009 (source: cna@vuldb.com)

About the author
Julien B.

Securitricks

Up-to-Date Cybersecurity Insights & Malware Reports
