Filtered by vendor Automattic
Subscriptions
Total
65 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-2386 | 1 Automattic | 1 Crowdsignal Dashboard | 2024-11-21 | 6.1 Medium |
| The Crowdsignal Dashboard WordPress plugin before 3.0.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting | ||||
| CVE-2022-2080 | 1 Automattic | 1 Sensei Lms | 2024-11-21 | 4.3 Medium |
| The Sensei LMS WordPress plugin before 4.5.2 does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversation via a IDOR attack. Note: Attackers are not able to see responses/messages between the teacher and student | ||||
| CVE-2022-2034 | 1 Automattic | 1 Sensei Lms | 2024-11-21 | 5.3 Medium |
| The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set in one of its REST endpoint, allowing unauthenticated users to access private messages sent to teachers | ||||
| CVE-2021-32789 | 1 Automattic | 1 Woocommerce Blocks | 2024-11-21 | 7.5 High |
| woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16. Via a carefully crafted URL, an exploit can be executed against the `wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]` endpoint that allows the execution of a read only sql query. There are patches for many versions of this package, starting with version 2.5.16. There are no known workarounds aside from upgrading. | ||||
| CVE-2021-24374 | 1 Automattic | 1 Jetpack | 2024-11-21 | 5.3 Medium |
| The Jetpack Carousel module of the JetPack WordPress plugin before 9.8 allows users to create a "carousel" type image gallery and allows users to comment on the images. A security vulnerability was found within the Jetpack Carousel module by nguyenhg_vcs that allowed the comments of non-published page/posts to be leaked. | ||||
| CVE-2021-24329 | 1 Automattic | 1 Wp Super Cache | 2024-11-21 | 5.4 Medium |
| The WP Super Cache WordPress plugin before 1.7.3 did not properly sanitise its wp_cache_location parameter in its settings, which could lead to a Stored Cross-Site Scripting issue. | ||||
| CVE-2021-24312 | 1 Automattic | 1 Wp Super Cache | 2024-11-21 | 7.2 High |
| The parameters $cache_path, $wp_cache_debug_ip, $wp_super_cache_front_page_text, $cache_scheduled_time, $cached_direct_pages used in the settings of WP Super Cache WordPress plugin before 1.7.3 result in RCE because they allow input of '$' and '\n'. This is due to an incomplete fix of CVE-2021-24209. | ||||
| CVE-2021-24209 | 1 Automattic | 1 Wp Super Cache | 2024-11-21 | 7.2 High |
| The WP Super Cache WordPress plugin before 1.7.2 was affected by an authenticated (admin+) RCE in the settings page due to input validation failure and weak $cache_path check in the WP Super Cache Settings -> Cache Location option. Direct access to the wp-cache-config.php file is not prohibited, so this vulnerability can be exploited for a web shell injection. | ||||
| CVE-2020-8215 | 1 Automattic | 1 Canvas | 2024-11-21 | 8.8 High |
| A buffer overflow is present in canvas version <= 1.6.9, which could lead to a Denial of Service or execution of arbitrary code when it processes a user-provided image. | ||||
| CVE-2016-10763 | 1 Automattic | 1 Camptix Event Ticketing | 2024-11-21 | N/A |
| The CampTix Event Ticketing plugin before 1.5 for WordPress allows XSS in the admin section via a ticket title or body. | ||||
| CVE-2016-10762 | 1 Automattic | 1 Camptix Event Ticketing | 2024-11-21 | N/A |
| The CampTix Event Ticketing plugin before 1.5 for WordPress allows CSV injection when the export tool is used. | ||||
| CVE-2016-10706 | 1 Automattic | 1 Jetpack | 2024-11-21 | N/A |
| The Jetpack plugin before 4.0.3 for WordPress has XSS via a crafted Vimeo link. | ||||
| CVE-2016-10705 | 1 Automattic | 1 Jetpack | 2024-11-21 | N/A |
| The Jetpack plugin before 4.0.4 for WordPress has XSS via the Likes module. | ||||
| CVE-2015-9359 | 1 Automattic | 1 Jetpack | 2024-11-21 | N/A |
| The Jetpack plugin before 3.4.3 for WordPress has XSS via add_query_arg() and remove_query_arg(). | ||||
| CVE-2015-9357 | 1 Automattic | 1 Akismet | 2024-11-21 | N/A |
| The akismet plugin before 3.1.5 for WordPress has XSS. | ||||
| CVE-2013-2011 | 1 Automattic | 1 W3 Super Cache | 2024-11-21 | 8.8 High |
| WordPress W3 Super Cache Plugin before 1.3.2 contains a PHP code-execution vulnerability which could allow remote attackers to inject arbitrary code. This issue exists because of an incomplete fix for CVE-2013-2009. | ||||
| CVE-2013-2010 | 2 Automattic, Boldgrid | 2 Wp Super Cache, W3 Total Cache | 2024-11-21 | 9.8 Critical |
| WordPress W3 Total Cache Plugin 0.9.2.8 has a Remote PHP Code Execution Vulnerability | ||||
| CVE-2013-2009 | 1 Automattic | 1 Wp Super Cache | 2024-11-21 | 8.8 High |
| WordPress WP Super Cache Plugin 1.2 has Remote PHP Code Execution | ||||
| CVE-2013-2008 | 1 Automattic | 1 Wp Super Cache | 2024-11-21 | 6.1 Medium |
| WordPress Super Cache Plugin 1.3 has XSS. | ||||
| CVE-2024-10486 | 1 Automattic | 1 Woocommerce | 2024-11-19 | 5.3 Medium |
| The Google for WooCommerce plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.8.6. This is due to publicly accessible print_php_information.php file. This makes it possible for unauthenticated attackers to retrieve information about Webserver and PHP configuration, which can be used to aid other attacks. | ||||