6.1
CVE-2023-7228 - illi Link Party! <= 1.0 - Unauthenticated Stored XSS
The illi Link Party! WordPress plugin through 1.0 does not sanitise and escape some parameters, which could allow unauthenticated vistors to perform Cross-Site Scripting attacks.
7.1
CVE-2023-7197 - Marketing Twitter Bot <= 1.11 - Settings Update to Stored XSS via CSRF
The Marketing Twitter Bot WordPress plugin through 1.11 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
4.3
CVE-2023-7196 - Ultimate Noindex Nofollow Tool <= 1.1.2 - Settings Update via CSRF
The Ultimate Noindex Nofollow Tool WordPress plugin through 1.1.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
4.3
CVE-2023-7195 - WP-Reply Notify <= 1.1 - Settings Update via CSRF
The WP-Reply Notify WordPress plugin through 1.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
7.1
CVE-2023-7174 - aBitGone CommentSafe <= 1.0.0 - Settings Update to Stored XSS via CSRF
The aBitGone CommentSafe WordPress plugin through 1.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
4.8
CVE-2023-7168 - Better Follow Button for Jetpack <= 8.0 - Admin+ Stored XSS
The Better Follow Button for Jetpack WordPress plugin through 8.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite sโฆ
5.4
CVE-2023-7088 - Add SVG Support for Media Uploader | inventivo <= 1.0.5 - Author+ Stored XSS via SVG
The Add SVG Support for Media Uploader | inventivo WordPress plugin through 1.0.5 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.
5.4
CVE-2023-7086 - SVG Uploads Support <= 2.1.1 - Author+ Stored XSS via SVG
The SVG Uploads Support WordPress plugin through 2.1.1 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.
6.1
CVE-2023-6786 - Payment Gateway for Telcell <= 2.0.1 - Unauthenticated Open Redirect
The Payment Gateway for Telcell WordPress plugin through 2.0.1 does not validate the api_url parameter before redirecting the user to its value, leading to an Open Redirect issue
4.8
CVE-2023-6783 - WolfNet IDX for WordPress <= 1.19.1 - Admin+ Stored XSS
The WolfNet IDX for WordPress plugin through 1.19.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)