Common Vulnerabilities

In the Lana Codes Common Vulnerability Database (LANACOMMONVDB), we collect the vulnerabilities we discover in other systems and provide standard descriptions.

CVE ID:

CVE-2023-0589

WordPress Plugin

wp-image-carousel <= 1.0.2

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2023-01-19

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.

CVE ID:

CVE-2020-36656

WordPress Plugin

ultimate-addons-for-gutenberg <= 1.14.11

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2023-01-18

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.

CVE ID:

CVE-2023-0220

WordPress Plugin

booking-system <= 2.9.9.2.8

Vulnerability Type:

SQL Injection

Date:

2023-01-11

The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

CVE ID:

CVE-2023-23726

WordPress Plugin

tickera-event-ticketing-system <= 3.5.1.0

Vulnerability Type:

Cross-Site Request Forgery (CSRF), Missing Authorization

Date:

2023-01-11

The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) checks when updating a post status, which could allow any authenticated user, such as a subscriber, to update arbitrary post status.

CVE ID:

CVE-2023-23714

WordPress Plugin

uncanny-learndash-toolkit <= 3.6.4.1

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2023-01-11

The plugin does not have a Cross-Site Request Forgery (CSRF) check when installing plugins, which could allow attackers to make logged-in admins install and activate arbitrary plugins from the wordpress.org repository via a Cross-Site Request Forgery (CSRF) attack.

CVE ID:

CVE-2023-0535

WordPress Plugin

donations-block <= 2.0.0

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2023-01-10

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.

CVE ID:

CVE-2023-0559

WordPress Plugin

gs-envato-portfolio <= 1.3.8

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2023-01-10

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.

CVE ID:

CVE-2023-0541

WordPress Plugin

gs-books-showcase <= 1.3.0

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2023-01-10

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.

CVE ID:

CVE-2023-0540

WordPress Plugin

gs-portfolio <= 1.6.0

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2023-01-10

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.

CVE ID:

CVE-2023-0539

WordPress Plugin

gs-instagram-portfolio <= 1.4.4

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2023-01-10

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.

CVE ID:

CVE-2023-0492

WordPress Plugin

gs-woocommerce-products-slider <= 1.5.8

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2023-01-10

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.

CVE ID:

CVE-2023-0491

WordPress Plugin

schedulicity-online-appointment-booking <= 2.21

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2023-01-10

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.

CVE ID:

CVE-2023-0538

WordPress Plugin

campaign-url-builder <= 1.8.1

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2023-01-10

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.

CVE ID:

CVE-2023-0542

WordPress Plugin

custom-post-type-list-shortcode <= 1.4.4

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2023-01-10

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.

CVE ID:

CVE-2023-0490

WordPress Plugin

fx-toc <= 1.1.0

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2023-01-10

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.

CVE ID:

CVE-2023-0495

WordPress Plugin

ht-slider-for-elementor <= 1.3.9

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2023-01-10

The plugin does not have a Cross-Site Request Forgery (CSRF) check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a Cross-Site Request Forgery (CSRF) attack.

CVE ID:

CVE-2023-0484

WordPress Plugin

ht-contactform <= 1.1.5

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2023-01-10

The plugin does not have a Cross-Site Request Forgery (CSRF) check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a Cross-Site Request Forgery (CSRF) attack.

CVE ID:

CVE-2023-0501

WordPress Plugin

wp-insurance <= 2.1.3

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2023-01-10

The plugin does not have a Cross-Site Request Forgery (CSRF) check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a Cross-Site Request Forgery (CSRF) attack.

CVE ID:

CVE-2023-0496

WordPress Plugin

ht-event <= 1.4.5

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2023-01-10

The plugin does not have a Cross-Site Request Forgery (CSRF) check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a Cross-Site Request Forgery (CSRF) attack.

CVE ID:

CVE-2023-0497

WordPress Plugin

ht-portfolio <= 1.1.5

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2023-01-10

The plugin does not have a Cross-Site Request Forgery (CSRF) check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a Cross-Site Request Forgery (CSRF) attack.

CVE ID:

CVE-2023-0498

WordPress Plugin

wp-education <= 1.2.6

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2023-01-10

The plugin does not have a Cross-Site Request Forgery (CSRF) check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a Cross-Site Request Forgery (CSRF) attack.

CVE ID:

CVE-2023-0499

WordPress Plugin

quickswish <= 1.0.9

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2023-01-10

The plugin does not have a Cross-Site Request Forgery (CSRF) check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a Cross-Site Request Forgery (CSRF) attack.

CVE ID:

CVE-2023-0500

WordPress Plugin

wp-film-studio <= 1.3.4

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2023-01-10

The plugin does not have a Cross-Site Request Forgery (CSRF) check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a Cross-Site Request Forgery (CSRF) attack.

CVE ID:

CVE-2023-0502

WordPress Plugin

wp-news-magazine <= 1.1.9

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2023-01-10

The plugin does not have a Cross-Site Request Forgery (CSRF) check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a Cross-Site Request Forgery (CSRF) attack.

CVE ID:

CVE-2023-0503

WordPress Plugin

99fy-core <= 1.2.7

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2023-01-10

The plugin does not have a Cross-Site Request Forgery (CSRF) check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a Cross-Site Request Forgery (CSRF) attack.