Security Vulnerabilities - CVEs Published In January 2023
The Posts List Designer by Category WordPress plugin before 3.2 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-01-30
The Panda Pods Repeater Field WordPress plugin before 1.5.4 does not sanitize and escapes a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against a user having at least Contributor permission.
CVSS Score
5.4
EPSS Score
0.083
Published
2023-01-30
The Membership For WooCommerce WordPress plugin before 2.1.7 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as malicious PHP code, and achieve RCE.
CVSS Score
9.8
EPSS Score
0.73
Published
2023-01-30
The Widgets for Google Reviews WordPress plugin before 9.8 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-01-30
The Simple Sitemap WordPress plugin before 3.5.8 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-01-30
The SAML SSO Standard WordPress plugin version 16.0.0 before 16.0.8, SAML SSO Premium WordPress plugin version 12.0.0 before 12.1.0 and SAML SSO Premium Multisite WordPress plugin version 20.0.0 before 20.0.7 does not validate that the redirect parameter to its SSO login endpoint points to an internal site URL, making it vulnerable to an Open Redirect issue when the user is already logged in.
CVSS Score
6.1
EPSS Score
0.004
Published
2023-01-30
Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects iotdb-web-workbench component: from 0.13.0 before 0.13.3.
CVSS Score
7.5
EPSS Score
0.001
Published
2023-01-30
Divide By Zero in GitHub repository vim/vim prior to 9.0.1247.
CVSS Score
7.3
EPSS Score
0.0
Published
2023-01-30
The Robot application in Ip-label Newtest before v8.5R0 was discovered to use weak signature checks on executed binaries, allowing attackers to have write access and escalate privileges via replacing NEWTESTREMOTEMANAGER.EXE.
CVSS Score
9.8
EPSS Score
0.001
Published
2023-01-30
AMI Megarac Password reset interception via API
CVSS Score
8.3
EPSS Score
0.001
Published
2023-01-30