Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
18 vulnerabilities by Webcraftic
CVE-2025-53254 (GCVE-0-2025-53254)
Vulnerability from nvd – Published: 2025-06-27 13:21 – Updated: 2026-05-13 00:00
VLAI
Title
WordPress Cyrlitera plugin <= 1.3.0 - Cross Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Themeisle Cyrlitera cyrlitera allows Cross Site Request Forgery.This issue affects Cyrlitera: from n/a through <= 1.3.0.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
Date Public
2026-04-01 16:41
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53254",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-27T14:36:46.664276Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T00:00:53.901Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cyrlitera",
"product": "Cyrlitera",
"vendor": "Themeisle",
"versions": [
{
"changes": [
{
"at": "1.3.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.3.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:41:50.489Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Themeisle Cyrlitera cyrlitera allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Cyrlitera: from n/a through \u003c= 1.3.0.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Themeisle Cyrlitera cyrlitera allows Cross Site Request Forgery.This issue affects Cyrlitera: from n/a through \u003c= 1.3.0."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:13:21.963Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/cyrlitera/vulnerability/wordpress-cyrlitera-plugin-1-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"title": "WordPress Cyrlitera plugin \u003c= 1.3.0 - Cross Site Request Forgery (CSRF) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-53254",
"datePublished": "2025-06-27T13:21:03.851Z",
"dateReserved": "2025-06-27T11:58:24.740Z",
"dateUpdated": "2026-05-13T00:00:53.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-3105 (GCVE-0-2024-3105)
Vulnerability from nvd – Published: 2024-06-15 08:42 – Updated: 2026-04-08 16:36
VLAI
Title
Woody code snippets – Insert Header Footer Code, AdSense Ads <= 2.5.0 -Authenticated (Contributor+) Remote Code Execution
Summary
The Woody code snippets – Insert Header Footer Code, AdSense Ads plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.5.0 via the 'insert_php' shortcode. This is due to the plugin not restricting the usage of the functionality to high level authorized users. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server.
Severity
9.9 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| themeisle | Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts |
Affected:
0 , ≤ 2.5.0
(semver)
|
|
| webcraftic | woody_ad_snippets |
Affected:
0 , ≤ 2.5.0
(semver)
cpe:2.3:a:webcraftic:woody_ad_snippets:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:32:42.588Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/134ad095-b0a0-4f0f-832d-3e558d4a250a?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/insert-php/trunk/includes/class.plugin.php#L166"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/insert-php/trunk/includes/shortcodes/shortcode-insert-php.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3102522%40insert-php\u0026new=3102522%40insert-php\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:webcraftic:woody_ad_snippets:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "woody_ad_snippets",
"vendor": "webcraftic",
"versions": [
{
"lessThanOrEqual": "2.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3105",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-09T19:57:07.267327Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T20:09:19.278Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Woody Code Snippets \u2013 Insert PHP, CSS, JS, and Header/Footer Scripts",
"vendor": "themeisle",
"versions": [
{
"lessThanOrEqual": "2.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Craig Smith"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Woody code snippets \u2013 Insert Header Footer Code, AdSense Ads plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.5.0 via the \u0027insert_php\u0027 shortcode. This is due to the plugin not restricting the usage of the functionality to high level authorized users. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:36:37.357Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/134ad095-b0a0-4f0f-832d-3e558d4a250a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/insert-php/trunk/includes/class.plugin.php#L166"
},
{
"url": "https://plugins.trac.wordpress.org/browser/insert-php/trunk/includes/shortcodes/shortcode-insert-php.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3102522%40insert-php\u0026new=3102522%40insert-php\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-14T20:26:37.000Z",
"value": "Disclosed"
}
],
"title": "Woody code snippets \u2013 Insert Header Footer Code, AdSense Ads \u003c= 2.5.0 -Authenticated (Contributor+) Remote Code Execution"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-3105",
"datePublished": "2024-06-15T08:42:14.653Z",
"dateReserved": "2024-03-29T19:14:03.962Z",
"dateUpdated": "2026-04-08T16:36:37.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-48335 (GCVE-0-2023-48335)
Vulnerability from nvd – Published: 2024-06-04 10:40 – Updated: 2026-04-28 16:08
VLAI
Title
WordPress Hide login page plugin <= 1.1.9 - Secret Login Page Location Disclosure on Multisites vulnerability
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Webcraftic Hide login page allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Hide login page: from n/a through 1.1.9.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/hid… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Webcraftic | Hide login page |
Affected:
n/a , ≤ 1.1.9
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-48335",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-16T19:23:12.219027Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-16T19:23:19.640Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:23:39.508Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/hide-login-page/wordpress-hide-login-page-plugin-1-1-7-secret-login-page-location-disclosure-on-multisites-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "hide-login-page",
"product": "Hide login page",
"vendor": "Webcraftic",
"versions": [
{
"lessThanOrEqual": "1.1.9",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Naveen Muthusamy (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Webcraftic Hide login page allows Accessing Functionality Not Properly Constrained by ACLs.\u003cp\u003eThis issue affects Hide login page: from n/a through 1.1.9.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Webcraftic Hide login page allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Hide login page: from n/a through 1.1.9."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:54.526Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/hide-login-page/wordpress-hide-login-page-plugin-1-1-7-secret-login-page-location-disclosure-on-multisites-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Hide login page plugin \u003c= 1.1.9 - Secret Login Page Location Disclosure on Multisites vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-48335",
"datePublished": "2024-06-04T10:40:17.913Z",
"dateReserved": "2023-11-14T21:42:37.033Z",
"dateUpdated": "2026-04-28T16:08:54.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-36759 (GCVE-0-2020-36759)
Vulnerability from nvd – Published: 2023-10-20 07:29 – Updated: 2026-04-08 17:29
VLAI
Title
Woody code snippets <= 2.3.9 - Cross-Site Request Forgery Bypass
Summary
The Woody code snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.9. This is due to missing or incorrect nonce validation on the runActions() function. This makes it possible for unauthenticated attackers to activate and deactivate snippets via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
9 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeisle | Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts |
Affected:
0 , < 2.3.10
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:37:07.174Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e573c0a4-d053-400b-828c-0d0eca880776?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2368332%40insert-php\u0026new=2368332%40insert-php\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-36759",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T15:24:07.043275Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T15:54:48.632Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Woody Code Snippets \u2013 Insert PHP, CSS, JS, and Header/Footer Scripts",
"vendor": "themeisle",
"versions": [
{
"lessThan": "2.3.10",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jerome Bruandet"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Woody code snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.9. This is due to missing or incorrect nonce validation on the runActions() function. This makes it possible for unauthenticated attackers to activate and deactivate snippets via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:29:52.309Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e573c0a4-d053-400b-828c-0d0eca880776?source=cve"
},
{
"url": "https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/"
},
{
"url": "https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/"
},
{
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/"
},
{
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/"
},
{
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/"
},
{
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/"
},
{
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2368332%40insert-php\u0026new=2368332%40insert-php\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2020-09-16T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Woody code snippets \u003c= 2.3.9 - Cross-Site Request Forgery Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2020-36759",
"datePublished": "2023-10-20T07:29:36.978Z",
"dateReserved": "2023-07-11T18:41:53.975Z",
"dateUpdated": "2026-04-08T17:29:52.309Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-16289 (GCVE-0-2019-16289)
Vulnerability from nvd – Published: 2019-09-13 14:58 – Updated: 2024-08-05 01:10
VLAI
Summary
The insert-php (aka Woody ad snippets) plugin before 2.2.8 for WordPress allows authenticated XSS via the winp_item parameter.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/insert-php/#developers | x_refsource_MISC |
| https://generaleg0x01.com/2019/09/13/xss-woody/ | x_refsource_MISC |
| https://wpvulndb.com/vulnerabilities/9880 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:10:41.718Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/insert-php/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://generaleg0x01.com/2019/09/13/xss-woody/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpvulndb.com/vulnerabilities/9880"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The insert-php (aka Woody ad snippets) plugin before 2.2.8 for WordPress allows authenticated XSS via the winp_item parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-14T20:06:08.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/insert-php/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://generaleg0x01.com/2019/09/13/xss-woody/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpvulndb.com/vulnerabilities/9880"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16289",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The insert-php (aka Woody ad snippets) plugin before 2.2.8 for WordPress allows authenticated XSS via the winp_item parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/insert-php/#developers",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/insert-php/#developers"
},
{
"name": "https://generaleg0x01.com/2019/09/13/xss-woody/",
"refsource": "MISC",
"url": "https://generaleg0x01.com/2019/09/13/xss-woody/"
},
{
"name": "https://wpvulndb.com/vulnerabilities/9880",
"refsource": "MISC",
"url": "https://wpvulndb.com/vulnerabilities/9880"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16289",
"datePublished": "2019-09-13T14:58:03.000Z",
"dateReserved": "2019-09-13T00:00:00.000Z",
"dateUpdated": "2024-08-05T01:10:41.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15858 (GCVE-0-2019-15858)
Vulnerability from nvd – Published: 2019-09-03 06:14 – Updated: 2024-08-05 01:03
VLAI
Summary
admin/includes/class.import.snippet.php in the "Woody ad snippets" plugin before 2.2.5 for WordPress allows unauthenticated options import, as demonstrated by storing an XSS payload for remote code execution.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wpvulndb.com/vulnerabilities/9490 | x_refsource_MISC |
| https://blog.nintechnet.com/multiple-vulnerabilit… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:03:32.325Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpvulndb.com/vulnerabilities/9490"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.nintechnet.com/multiple-vulnerabilities-in-wordpress-woody-ad-snippets-plugin-lead-to-remote-code-execution/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "admin/includes/class.import.snippet.php in the \"Woody ad snippets\" plugin before 2.2.5 for WordPress allows unauthenticated options import, as demonstrated by storing an XSS payload for remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-04T11:06:06.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpvulndb.com/vulnerabilities/9490"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.nintechnet.com/multiple-vulnerabilities-in-wordpress-woody-ad-snippets-plugin-lead-to-remote-code-execution/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-15858",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "admin/includes/class.import.snippet.php in the \"Woody ad snippets\" plugin before 2.2.5 for WordPress allows unauthenticated options import, as demonstrated by storing an XSS payload for remote code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpvulndb.com/vulnerabilities/9490",
"refsource": "MISC",
"url": "https://wpvulndb.com/vulnerabilities/9490"
},
{
"name": "https://blog.nintechnet.com/multiple-vulnerabilities-in-wordpress-woody-ad-snippets-plugin-lead-to-remote-code-execution/",
"refsource": "MISC",
"url": "https://blog.nintechnet.com/multiple-vulnerabilities-in-wordpress-woody-ad-snippets-plugin-lead-to-remote-code-execution/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-15858",
"datePublished": "2019-09-03T06:14:03.000Z",
"dateReserved": "2019-09-03T00:00:00.000Z",
"dateUpdated": "2024-08-05T01:03:32.325Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15818 (GCVE-0-2019-15818)
Vulnerability from nvd – Published: 2019-08-30 12:32 – Updated: 2024-08-05 00:56
VLAI
Summary
The simple-301-redirects-addon-bulk-uploader plugin through 1.2.4 for WordPress has no requirement for authentication for action=bulk301export or action=bulk301clearlist.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://wpvulndb.com/vulnerabilities/9503 | x_refsource_MISC |
| https://wordpress.org/plugins/simple-301-redirect… | x_refsource_MISC |
| https://blog.nintechnet.com/unauthenticated-optio… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:56:22.482Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpvulndb.com/vulnerabilities/9503"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.nintechnet.com/unauthenticated-option-changes-in-wordpress-simple-301-redirects-addon-bulk-uploader-plugin/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The simple-301-redirects-addon-bulk-uploader plugin through 1.2.4 for WordPress has no requirement for authentication for action=bulk301export or action=bulk301clearlist."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-31T07:06:09.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpvulndb.com/vulnerabilities/9503"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.nintechnet.com/unauthenticated-option-changes-in-wordpress-simple-301-redirects-addon-bulk-uploader-plugin/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-15818",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The simple-301-redirects-addon-bulk-uploader plugin through 1.2.4 for WordPress has no requirement for authentication for action=bulk301export or action=bulk301clearlist."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpvulndb.com/vulnerabilities/9503",
"refsource": "MISC",
"url": "https://wpvulndb.com/vulnerabilities/9503"
},
{
"name": "https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/#developers",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/#developers"
},
{
"name": "https://blog.nintechnet.com/unauthenticated-option-changes-in-wordpress-simple-301-redirects-addon-bulk-uploader-plugin/",
"refsource": "MISC",
"url": "https://blog.nintechnet.com/unauthenticated-option-changes-in-wordpress-simple-301-redirects-addon-bulk-uploader-plugin/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-15818",
"datePublished": "2019-08-30T12:32:43.000Z",
"dateReserved": "2019-08-29T00:00:00.000Z",
"dateUpdated": "2024-08-05T00:56:22.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15776 (GCVE-0-2019-15776)
Vulnerability from nvd – Published: 2019-08-29 11:45 – Updated: 2024-08-05 00:56
VLAI
Summary
The simple-301-redirects-addon-bulk-uploader plugin before 1.2.5 for WordPress has no protection against 301 redirect rule injection via a CSV file.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://wpvulndb.com/vulnerabilities/9503 | x_refsource_MISC |
| https://threatpost.com/wordpress-plugins-exploite… | x_refsource_MISC |
| https://wordpress.org/plugins/simple-301-redirect… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:56:22.395Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpvulndb.com/vulnerabilities/9503"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://threatpost.com/wordpress-plugins-exploited-in-ongoing-attack-researchers-warn/147671/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/#developers"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The simple-301-redirects-addon-bulk-uploader plugin before 1.2.5 for WordPress has no protection against 301 redirect rule injection via a CSV file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-30T06:06:05.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpvulndb.com/vulnerabilities/9503"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://threatpost.com/wordpress-plugins-exploited-in-ongoing-attack-researchers-warn/147671/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/#developers"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-15776",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The simple-301-redirects-addon-bulk-uploader plugin before 1.2.5 for WordPress has no protection against 301 redirect rule injection via a CSV file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpvulndb.com/vulnerabilities/9503",
"refsource": "MISC",
"url": "https://wpvulndb.com/vulnerabilities/9503"
},
{
"name": "https://threatpost.com/wordpress-plugins-exploited-in-ongoing-attack-researchers-warn/147671/",
"refsource": "MISC",
"url": "https://threatpost.com/wordpress-plugins-exploited-in-ongoing-attack-researchers-warn/147671/"
},
{
"name": "https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/#developers",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/#developers"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-15776",
"datePublished": "2019-08-29T11:45:31.000Z",
"dateReserved": "2019-08-29T00:00:00.000Z",
"dateUpdated": "2024-08-05T00:56:22.395Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-14773 (GCVE-0-2019-14773)
Vulnerability from nvd – Published: 2019-08-08 19:49 – Updated: 2024-08-05 00:26
VLAI
Summary
admin/includes/class.actions.snippet.php in the "Woody ad snippets" plugin through 2.2.5 for WordPress allows wp-admin/admin-post.php?action=close&post= deletion.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.pluginvulnerabilities.com/2019/08/01/… | x_refsource_MISC |
| https://wordpress.org/plugins/insert-php/#developers | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:26:38.880Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.pluginvulnerabilities.com/2019/08/01/post-deletion-vulnerability-in-woody-ad-snippets/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/insert-php/#developers"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "admin/includes/class.actions.snippet.php in the \"Woody ad snippets\" plugin through 2.2.5 for WordPress allows wp-admin/admin-post.php?action=close\u0026post= deletion."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-08T19:49:04.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.pluginvulnerabilities.com/2019/08/01/post-deletion-vulnerability-in-woody-ad-snippets/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/insert-php/#developers"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-14773",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "admin/includes/class.actions.snippet.php in the \"Woody ad snippets\" plugin through 2.2.5 for WordPress allows wp-admin/admin-post.php?action=close\u0026post= deletion."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.pluginvulnerabilities.com/2019/08/01/post-deletion-vulnerability-in-woody-ad-snippets/",
"refsource": "MISC",
"url": "https://www.pluginvulnerabilities.com/2019/08/01/post-deletion-vulnerability-in-woody-ad-snippets/"
},
{
"name": "https://wordpress.org/plugins/insert-php/#developers",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/insert-php/#developers"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-14773",
"datePublished": "2019-08-08T19:49:04.000Z",
"dateReserved": "2019-08-07T00:00:00.000Z",
"dateUpdated": "2024-08-05T00:26:38.880Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53254 (GCVE-0-2025-53254)
Vulnerability from cvelistv5 – Published: 2025-06-27 13:21 – Updated: 2026-05-13 00:00
VLAI
Title
WordPress Cyrlitera plugin <= 1.3.0 - Cross Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Themeisle Cyrlitera cyrlitera allows Cross Site Request Forgery.This issue affects Cyrlitera: from n/a through <= 1.3.0.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
Date Public
2026-04-01 16:41
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53254",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-27T14:36:46.664276Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T00:00:53.901Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cyrlitera",
"product": "Cyrlitera",
"vendor": "Themeisle",
"versions": [
{
"changes": [
{
"at": "1.3.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.3.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:41:50.489Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Themeisle Cyrlitera cyrlitera allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Cyrlitera: from n/a through \u003c= 1.3.0.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Themeisle Cyrlitera cyrlitera allows Cross Site Request Forgery.This issue affects Cyrlitera: from n/a through \u003c= 1.3.0."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:13:21.963Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/cyrlitera/vulnerability/wordpress-cyrlitera-plugin-1-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"title": "WordPress Cyrlitera plugin \u003c= 1.3.0 - Cross Site Request Forgery (CSRF) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-53254",
"datePublished": "2025-06-27T13:21:03.851Z",
"dateReserved": "2025-06-27T11:58:24.740Z",
"dateUpdated": "2026-05-13T00:00:53.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-3105 (GCVE-0-2024-3105)
Vulnerability from cvelistv5 – Published: 2024-06-15 08:42 – Updated: 2026-04-08 16:36
VLAI
Title
Woody code snippets – Insert Header Footer Code, AdSense Ads <= 2.5.0 -Authenticated (Contributor+) Remote Code Execution
Summary
The Woody code snippets – Insert Header Footer Code, AdSense Ads plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.5.0 via the 'insert_php' shortcode. This is due to the plugin not restricting the usage of the functionality to high level authorized users. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server.
Severity
9.9 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| themeisle | Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts |
Affected:
0 , ≤ 2.5.0
(semver)
|
|
| webcraftic | woody_ad_snippets |
Affected:
0 , ≤ 2.5.0
(semver)
cpe:2.3:a:webcraftic:woody_ad_snippets:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:32:42.588Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/134ad095-b0a0-4f0f-832d-3e558d4a250a?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/insert-php/trunk/includes/class.plugin.php#L166"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/insert-php/trunk/includes/shortcodes/shortcode-insert-php.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3102522%40insert-php\u0026new=3102522%40insert-php\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:webcraftic:woody_ad_snippets:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "woody_ad_snippets",
"vendor": "webcraftic",
"versions": [
{
"lessThanOrEqual": "2.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3105",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-09T19:57:07.267327Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T20:09:19.278Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Woody Code Snippets \u2013 Insert PHP, CSS, JS, and Header/Footer Scripts",
"vendor": "themeisle",
"versions": [
{
"lessThanOrEqual": "2.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Craig Smith"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Woody code snippets \u2013 Insert Header Footer Code, AdSense Ads plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.5.0 via the \u0027insert_php\u0027 shortcode. This is due to the plugin not restricting the usage of the functionality to high level authorized users. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:36:37.357Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/134ad095-b0a0-4f0f-832d-3e558d4a250a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/insert-php/trunk/includes/class.plugin.php#L166"
},
{
"url": "https://plugins.trac.wordpress.org/browser/insert-php/trunk/includes/shortcodes/shortcode-insert-php.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3102522%40insert-php\u0026new=3102522%40insert-php\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-14T20:26:37.000Z",
"value": "Disclosed"
}
],
"title": "Woody code snippets \u2013 Insert Header Footer Code, AdSense Ads \u003c= 2.5.0 -Authenticated (Contributor+) Remote Code Execution"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-3105",
"datePublished": "2024-06-15T08:42:14.653Z",
"dateReserved": "2024-03-29T19:14:03.962Z",
"dateUpdated": "2026-04-08T16:36:37.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-48335 (GCVE-0-2023-48335)
Vulnerability from cvelistv5 – Published: 2024-06-04 10:40 – Updated: 2026-04-28 16:08
VLAI
Title
WordPress Hide login page plugin <= 1.1.9 - Secret Login Page Location Disclosure on Multisites vulnerability
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Webcraftic Hide login page allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Hide login page: from n/a through 1.1.9.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/hid… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Webcraftic | Hide login page |
Affected:
n/a , ≤ 1.1.9
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-48335",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-16T19:23:12.219027Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-16T19:23:19.640Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:23:39.508Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/hide-login-page/wordpress-hide-login-page-plugin-1-1-7-secret-login-page-location-disclosure-on-multisites-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "hide-login-page",
"product": "Hide login page",
"vendor": "Webcraftic",
"versions": [
{
"lessThanOrEqual": "1.1.9",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Naveen Muthusamy (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Webcraftic Hide login page allows Accessing Functionality Not Properly Constrained by ACLs.\u003cp\u003eThis issue affects Hide login page: from n/a through 1.1.9.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Webcraftic Hide login page allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Hide login page: from n/a through 1.1.9."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:54.526Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/hide-login-page/wordpress-hide-login-page-plugin-1-1-7-secret-login-page-location-disclosure-on-multisites-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Hide login page plugin \u003c= 1.1.9 - Secret Login Page Location Disclosure on Multisites vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-48335",
"datePublished": "2024-06-04T10:40:17.913Z",
"dateReserved": "2023-11-14T21:42:37.033Z",
"dateUpdated": "2026-04-28T16:08:54.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-36759 (GCVE-0-2020-36759)
Vulnerability from cvelistv5 – Published: 2023-10-20 07:29 – Updated: 2026-04-08 17:29
VLAI
Title
Woody code snippets <= 2.3.9 - Cross-Site Request Forgery Bypass
Summary
The Woody code snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.9. This is due to missing or incorrect nonce validation on the runActions() function. This makes it possible for unauthenticated attackers to activate and deactivate snippets via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
9 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeisle | Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts |
Affected:
0 , < 2.3.10
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:37:07.174Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e573c0a4-d053-400b-828c-0d0eca880776?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2368332%40insert-php\u0026new=2368332%40insert-php\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-36759",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T15:24:07.043275Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T15:54:48.632Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Woody Code Snippets \u2013 Insert PHP, CSS, JS, and Header/Footer Scripts",
"vendor": "themeisle",
"versions": [
{
"lessThan": "2.3.10",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jerome Bruandet"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Woody code snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.9. This is due to missing or incorrect nonce validation on the runActions() function. This makes it possible for unauthenticated attackers to activate and deactivate snippets via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:29:52.309Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e573c0a4-d053-400b-828c-0d0eca880776?source=cve"
},
{
"url": "https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/"
},
{
"url": "https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/"
},
{
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/"
},
{
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/"
},
{
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/"
},
{
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/"
},
{
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2368332%40insert-php\u0026new=2368332%40insert-php\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2020-09-16T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Woody code snippets \u003c= 2.3.9 - Cross-Site Request Forgery Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2020-36759",
"datePublished": "2023-10-20T07:29:36.978Z",
"dateReserved": "2023-07-11T18:41:53.975Z",
"dateUpdated": "2026-04-08T17:29:52.309Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-16289 (GCVE-0-2019-16289)
Vulnerability from cvelistv5 – Published: 2019-09-13 14:58 – Updated: 2024-08-05 01:10
VLAI
Summary
The insert-php (aka Woody ad snippets) plugin before 2.2.8 for WordPress allows authenticated XSS via the winp_item parameter.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/insert-php/#developers | x_refsource_MISC |
| https://generaleg0x01.com/2019/09/13/xss-woody/ | x_refsource_MISC |
| https://wpvulndb.com/vulnerabilities/9880 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:10:41.718Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/insert-php/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://generaleg0x01.com/2019/09/13/xss-woody/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpvulndb.com/vulnerabilities/9880"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The insert-php (aka Woody ad snippets) plugin before 2.2.8 for WordPress allows authenticated XSS via the winp_item parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-14T20:06:08.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/insert-php/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://generaleg0x01.com/2019/09/13/xss-woody/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpvulndb.com/vulnerabilities/9880"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16289",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The insert-php (aka Woody ad snippets) plugin before 2.2.8 for WordPress allows authenticated XSS via the winp_item parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/insert-php/#developers",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/insert-php/#developers"
},
{
"name": "https://generaleg0x01.com/2019/09/13/xss-woody/",
"refsource": "MISC",
"url": "https://generaleg0x01.com/2019/09/13/xss-woody/"
},
{
"name": "https://wpvulndb.com/vulnerabilities/9880",
"refsource": "MISC",
"url": "https://wpvulndb.com/vulnerabilities/9880"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16289",
"datePublished": "2019-09-13T14:58:03.000Z",
"dateReserved": "2019-09-13T00:00:00.000Z",
"dateUpdated": "2024-08-05T01:10:41.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15858 (GCVE-0-2019-15858)
Vulnerability from cvelistv5 – Published: 2019-09-03 06:14 – Updated: 2024-08-05 01:03
VLAI
Summary
admin/includes/class.import.snippet.php in the "Woody ad snippets" plugin before 2.2.5 for WordPress allows unauthenticated options import, as demonstrated by storing an XSS payload for remote code execution.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wpvulndb.com/vulnerabilities/9490 | x_refsource_MISC |
| https://blog.nintechnet.com/multiple-vulnerabilit… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:03:32.325Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpvulndb.com/vulnerabilities/9490"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.nintechnet.com/multiple-vulnerabilities-in-wordpress-woody-ad-snippets-plugin-lead-to-remote-code-execution/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "admin/includes/class.import.snippet.php in the \"Woody ad snippets\" plugin before 2.2.5 for WordPress allows unauthenticated options import, as demonstrated by storing an XSS payload for remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-04T11:06:06.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpvulndb.com/vulnerabilities/9490"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.nintechnet.com/multiple-vulnerabilities-in-wordpress-woody-ad-snippets-plugin-lead-to-remote-code-execution/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-15858",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "admin/includes/class.import.snippet.php in the \"Woody ad snippets\" plugin before 2.2.5 for WordPress allows unauthenticated options import, as demonstrated by storing an XSS payload for remote code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpvulndb.com/vulnerabilities/9490",
"refsource": "MISC",
"url": "https://wpvulndb.com/vulnerabilities/9490"
},
{
"name": "https://blog.nintechnet.com/multiple-vulnerabilities-in-wordpress-woody-ad-snippets-plugin-lead-to-remote-code-execution/",
"refsource": "MISC",
"url": "https://blog.nintechnet.com/multiple-vulnerabilities-in-wordpress-woody-ad-snippets-plugin-lead-to-remote-code-execution/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-15858",
"datePublished": "2019-09-03T06:14:03.000Z",
"dateReserved": "2019-09-03T00:00:00.000Z",
"dateUpdated": "2024-08-05T01:03:32.325Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15818 (GCVE-0-2019-15818)
Vulnerability from cvelistv5 – Published: 2019-08-30 12:32 – Updated: 2024-08-05 00:56
VLAI
Summary
The simple-301-redirects-addon-bulk-uploader plugin through 1.2.4 for WordPress has no requirement for authentication for action=bulk301export or action=bulk301clearlist.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://wpvulndb.com/vulnerabilities/9503 | x_refsource_MISC |
| https://wordpress.org/plugins/simple-301-redirect… | x_refsource_MISC |
| https://blog.nintechnet.com/unauthenticated-optio… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:56:22.482Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpvulndb.com/vulnerabilities/9503"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.nintechnet.com/unauthenticated-option-changes-in-wordpress-simple-301-redirects-addon-bulk-uploader-plugin/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The simple-301-redirects-addon-bulk-uploader plugin through 1.2.4 for WordPress has no requirement for authentication for action=bulk301export or action=bulk301clearlist."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-31T07:06:09.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpvulndb.com/vulnerabilities/9503"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.nintechnet.com/unauthenticated-option-changes-in-wordpress-simple-301-redirects-addon-bulk-uploader-plugin/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-15818",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The simple-301-redirects-addon-bulk-uploader plugin through 1.2.4 for WordPress has no requirement for authentication for action=bulk301export or action=bulk301clearlist."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpvulndb.com/vulnerabilities/9503",
"refsource": "MISC",
"url": "https://wpvulndb.com/vulnerabilities/9503"
},
{
"name": "https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/#developers",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/#developers"
},
{
"name": "https://blog.nintechnet.com/unauthenticated-option-changes-in-wordpress-simple-301-redirects-addon-bulk-uploader-plugin/",
"refsource": "MISC",
"url": "https://blog.nintechnet.com/unauthenticated-option-changes-in-wordpress-simple-301-redirects-addon-bulk-uploader-plugin/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-15818",
"datePublished": "2019-08-30T12:32:43.000Z",
"dateReserved": "2019-08-29T00:00:00.000Z",
"dateUpdated": "2024-08-05T00:56:22.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15776 (GCVE-0-2019-15776)
Vulnerability from cvelistv5 – Published: 2019-08-29 11:45 – Updated: 2024-08-05 00:56
VLAI
Summary
The simple-301-redirects-addon-bulk-uploader plugin before 1.2.5 for WordPress has no protection against 301 redirect rule injection via a CSV file.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://wpvulndb.com/vulnerabilities/9503 | x_refsource_MISC |
| https://threatpost.com/wordpress-plugins-exploite… | x_refsource_MISC |
| https://wordpress.org/plugins/simple-301-redirect… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:56:22.395Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpvulndb.com/vulnerabilities/9503"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://threatpost.com/wordpress-plugins-exploited-in-ongoing-attack-researchers-warn/147671/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/#developers"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The simple-301-redirects-addon-bulk-uploader plugin before 1.2.5 for WordPress has no protection against 301 redirect rule injection via a CSV file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-30T06:06:05.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpvulndb.com/vulnerabilities/9503"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://threatpost.com/wordpress-plugins-exploited-in-ongoing-attack-researchers-warn/147671/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/#developers"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-15776",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The simple-301-redirects-addon-bulk-uploader plugin before 1.2.5 for WordPress has no protection against 301 redirect rule injection via a CSV file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpvulndb.com/vulnerabilities/9503",
"refsource": "MISC",
"url": "https://wpvulndb.com/vulnerabilities/9503"
},
{
"name": "https://threatpost.com/wordpress-plugins-exploited-in-ongoing-attack-researchers-warn/147671/",
"refsource": "MISC",
"url": "https://threatpost.com/wordpress-plugins-exploited-in-ongoing-attack-researchers-warn/147671/"
},
{
"name": "https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/#developers",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/simple-301-redirects-addon-bulk-uploader/#developers"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-15776",
"datePublished": "2019-08-29T11:45:31.000Z",
"dateReserved": "2019-08-29T00:00:00.000Z",
"dateUpdated": "2024-08-05T00:56:22.395Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-14773 (GCVE-0-2019-14773)
Vulnerability from cvelistv5 – Published: 2019-08-08 19:49 – Updated: 2024-08-05 00:26
VLAI
Summary
admin/includes/class.actions.snippet.php in the "Woody ad snippets" plugin through 2.2.5 for WordPress allows wp-admin/admin-post.php?action=close&post= deletion.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.pluginvulnerabilities.com/2019/08/01/… | x_refsource_MISC |
| https://wordpress.org/plugins/insert-php/#developers | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:26:38.880Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.pluginvulnerabilities.com/2019/08/01/post-deletion-vulnerability-in-woody-ad-snippets/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/insert-php/#developers"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "admin/includes/class.actions.snippet.php in the \"Woody ad snippets\" plugin through 2.2.5 for WordPress allows wp-admin/admin-post.php?action=close\u0026post= deletion."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-08T19:49:04.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.pluginvulnerabilities.com/2019/08/01/post-deletion-vulnerability-in-woody-ad-snippets/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/insert-php/#developers"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-14773",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "admin/includes/class.actions.snippet.php in the \"Woody ad snippets\" plugin through 2.2.5 for WordPress allows wp-admin/admin-post.php?action=close\u0026post= deletion."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.pluginvulnerabilities.com/2019/08/01/post-deletion-vulnerability-in-woody-ad-snippets/",
"refsource": "MISC",
"url": "https://www.pluginvulnerabilities.com/2019/08/01/post-deletion-vulnerability-in-woody-ad-snippets/"
},
{
"name": "https://wordpress.org/plugins/insert-php/#developers",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/insert-php/#developers"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-14773",
"datePublished": "2019-08-08T19:49:04.000Z",
"dateReserved": "2019-08-07T00:00:00.000Z",
"dateUpdated": "2024-08-05T00:26:38.880Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}