Security Vulnerabilities - CVEs Published In July 2023
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gravity Master Custom Field For WP Job Manager plugin <= 1.1 versions.
CVSS Score
5.9
EPSS Score
0.001
Published
2023-07-27
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPKube Authors List plugin <= 2.0.2 versions.
CVSS Score
7.1
EPSS Score
0.001
Published
2023-07-27
Auth. Stored Cross-Site Scripting (XSS) vulnerability in maennchen1.De wpShopGermany IT-RECHT KANZLEI plugin <= 1.7 versions.
CVSS Score
5.9
EPSS Score
0.001
Published
2023-07-27
Cross-Site Request Forgery (CSRF) vulnerability in Wpstream WpStream – Live Streaming, Video on Demand, Pay Per View plugin <= 4.5.4 versions.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-07-27
A vulnerability, which was classified as problematic, was found in GZ Scripts Availability Booking Calendar PHP 1.0. This affects an unknown part of the file /index.php?controller=GzUser&action=edit&id=1 of the component Image Handler. The manipulation of the argument img leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-235569 was assigned to this vulnerability.
CVSS Score
3.5
EPSS Score
0.001
Published
2023-07-27
A vulnerability, which was classified as problematic, has been found in GZ Scripts Availability Booking Calendar PHP 1.0. Affected by this issue is some unknown functionality of the file index.php of the component HTTP POST Request Handler. The manipulation of the argument promo_code leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-235568.
CVSS Score
3.5
EPSS Score
0.001
Published
2023-07-27
The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient restriction on the 'apg_profile_update' function in versions up to, and including, 1.9. This makes it possible for authenticated attackers, with subscriber-level permissions or above, to update the user metas arbitrarily. The meta value can only be a string.
CVSS Score
4.3
EPSS Score
0.001
Published
2023-07-27
The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access of data, modification of data and loss of data due to a missing capability check on the 'events_receiver' function in versions up to, and including, 0.0.9.18. This makes it possible for unauthenticated attackers to add, modify or delete post and taxonomy, install, activate or deactivate plugin, change customizer settings, add or modify or delete user including administrator user.
CVSS Score
9.8
EPSS Score
0.007
Published
2023-07-27
Dell Power Manager, Versions 3.3 to 3.14 contains an Improper Access Control vulnerability. A low-privileged malicious user may potentially exploit this vulnerability to perform arbitrary code execution with limited access.
CVSS Score
6.1
EPSS Score
0.001
Published
2023-07-27
The issue was addressed with additional permissions checks. This issue is fixed in macOS Ventura 13.5. An app may be able to access user-sensitive data.
CVSS Score
5.5
EPSS Score
0.0
Published
2023-07-27