Common Vulnerabilities

In the Lana Codes Common Vulnerability Database (LANACOMMONVDB), we collect the vulnerabilities we discover in other systems and provide standard descriptions.

CVE ID:

CVE-2023-0504

WordPress Plugin

wp-politic <= 2.3.7

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2023-01-10

The plugin does not have a Cross-Site Request Forgery (CSRF) check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a Cross-Site Request Forgery (CSRF) attack.

CVE ID:

CVE-2023-0505

WordPress Plugin

ever-compare <= 1.2.3

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2023-01-10

The plugin does not have a Cross-Site Request Forgery (CSRF) check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a Cross-Site Request Forgery (CSRF) attack.

CVE ID:

CVE-2023-0336

WordPress Plugin

ooohboi-steroids-for-elementor <= 2.1.4

Vulnerability Type:

Cross-Site Request Forgery (CSRF),
Missing Authorization

Date:

2023-01-10

The plugin has Cross-Site Request Forgery (CSRF) and broken access control vulnerabilities, which allow users with a role as low as subscriber to delete attachments.

CVE ID:

CVE-2023-0335

WordPress Plugin

wp-shamsi <= 4.3.3

Vulnerability Type:

Cross-Site Request Forgery (CSRF),
Missing Authorization

Date:

2023-01-10

The plugin has Cross-Site Request Forgery (CSRF) and broken access control vulnerabilities, which allow users with a role as low as subscriber to delete attachments.

CVE ID:

CVE-2023-0536

WordPress Plugin

wp-d3 <= 2.4.1

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2023-01-10

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.

CVE ID:

CVE-2023-0537

WordPress Plugin

product-slider-for-woocommerce-lite <= 1.1.7

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2023-01-10

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.

CVE ID:

CVE-2023-0489

WordPress Plugin

slideonline <= 1.2.1

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2023-01-10

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.

CVE ID:

CVE-2023-0365

WordPress Plugin

react-webcam <= 1.2.0

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2023-01-09

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.

CVE ID:

CVE-2023-0364

WordPress Plugin

real-kit <= 5.1.0

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2023-01-09

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.

CVE ID:

CVE-2023-0363

WordPress Plugin

scheduled-announcements-widget <= 0.2

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2023-01-09

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.

CVE ID:

CVE-2023-0419

WordPress Plugin

shortcode-for-font-awesome <= 1.3.1

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2023-01-09

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.

CVE ID:

CVE-2023-0362

WordPress Plugin

themify-portfolio-post <= 1.2.1

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2023-01-09

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.

CVE ID:

CVE-2023-0405

WordPress Plugin

gpt3-ai-content-generator <= 1.4.37

Vulnerability Type:

Cross-Site Request Forgery (CSRF),
Missing Authorization

Date:

2023-01-09

The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) checks when updating post content, which could allow any authenticated user, such as a subscriber, to update arbitrary post content.

CVE ID:

CVE-2023-0259

WordPress Plugin

wp-google-places-review-slider <= 11.7

Vulnerability Type:

SQL Injection

Date:

2023-01-09

The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

CVE ID:

CVE-2023-0260

WordPress Plugin

wp-facebook-reviews <= 12.1

Vulnerability Type:

SQL Injection

Date:

2023-01-09

The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

CVE ID:

CVE-2023-0261

WordPress Plugin

wp-tripadvisor-review-slider <= 10.7

Vulnerability Type:

SQL Injection

Date:

2023-01-09

The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

CVE ID:

CVE-2023-0262

WordPress Plugin

wp-airbnb-review-slider <= 3.2

Vulnerability Type:

SQL Injection

Date:

2023-01-09

The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

CVE ID:

CVE-2023-0263

WordPress Plugin

wp-yelp-review-slider <= 7.0

Vulnerability Type:

SQL Injection

Date:

2023-01-09

The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

CVE ID:

CVE-2023-24377

WordPress Plugin

ecwid-shopping-cart <= 6.11.3

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2023-01-09

The plugin does not have a Cross-Site Request Forgery (CSRF) check when importing WooCommerce data, which could allow attackers to make logged-in admins perform such an action via a Cross-Site Request Forgery (CSRF) attack.

CVE ID:

CVE-2023-25791

WordPress Plugin

fontiran <= 2.1

Vulnerability Type:

Cross-Site Request Forgery (CSRF),
Missing Authorization

Date:

2023-01-09

The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) checks when deleting a font, which could allow any authenticated user, such as a subscriber, to delete arbitrary fonts.

CVE ID:

CVE-2023-28417

WordPress Plugin

integration-dynamics <= 1.3.12

Vulnerability Type:

Cross-Site Request Forgery (CSRF),
Missing Authorization

Date:

2023-01-09

The plugin does not have an authorisation check when updating the log level or downloading the log via an AJAX action, which could allow any authenticated user, such as a subscriber, to call it and update the log level and download the log.

CVE ID:

CVE-2023-0418

WordPress Plugin

video-central <= 1.3.0

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2023-01-09

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.

CVE ID:

CVE-2023-0372

WordPress Plugin

embedstories <= 0.7.4

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2023-01-08

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.

CVE ID:

CVE-2023-0371

WordPress Plugin

embedalbum-pro <= 1.1.27

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2023-01-08

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.

CVE ID:

CVE-2023-0370

WordPress Plugin

wpb-advanced-faq <= 1.0.6

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2023-01-08

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.