Security Vulnerabilities - CVEs Published In October 2023
The Photos and Files Contest Gallery WordPress plugin before 21.2.8.1 does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks via certain headers.
CVSS Score: 6.1 | EPSS Score: 0.01 | Published: 2023-10-31
The Royal Elementor Addons and Templates WordPress plugin before 1.3.79 does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP files, and achieve RCE.
CVSS Score: 9.8 | EPSS Score: 0.93 | Published: 2023-10-31
The CITS Support svg, webp Media and TTF,OTF File Upload WordPress plugin before 3.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2023-10-31
The EventPrime WordPress plugin before 3.2.0 does not have CSRF checks when creating bookings, which could allow attackers to make logged-in users create unwanted bookings via CSRF attacks.
CVSS Score: 4.3 | EPSS Score: 0.001 | Published: 2023-10-31
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in GamiPress gamipress allows SQL Injection. This issue affects GamiPress: from n/a through 2.5.7.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2023-10-31
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David F. Carr RSVPMaker allows SQL Injection. This issue affects RSVPMaker: from n/a through 9.9.3.
CVSS Score: 6.7 | EPSS Score: 0.003 | Published: 2023-10-31
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David F. Carr RSVPMaker rsvpmaker allows SQL Injection. This issue affects RSVPMaker: from n/a through 9.9.3.
CVSS Score: 7.2 | EPSS Score: 0.004 | Published: 2023-10-31
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LearnDash LearnDash LMS allows SQL Injection. This issue affects LearnDash LMS: from n/a through 4.5.3.
CVSS Score: 8.8 | EPSS Score: 0.004 | Published: 2023-10-31
TOTOLINK A3300R 17.0.0cu.557_B20221024 contains a command injection via the file_name parameter in the UploadFirmwareFile function.
CVSS Score: 9.8 | EPSS Score: 0.03 | Published: 2023-10-31
TOTOLINK LR1200GB V9.1.0u.6619_B20230130 was discovered to contain a stack overflow via the password parameter in the function loginAuth.
CVSS Score: 9.8 | EPSS Score: 0.111 | Published: 2023-10-31
Shodan ® - All rights reserved