Filtered by vendor Accesspressthemes
Subscribe
Total
18 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-25378 | 1 Accesspressthemes | 1 Wp Floating Menu | 2024-02-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Wordpress Plugin Store / AccessPress Themes WP Floating Menu V1.3.0 is affected by: Cross Site Scripting (XSS) via the id GET parameter. | |||||
| CVE-2023-26518 | 1 Accesspressthemes | 1 Wp Tfeed | 2023-12-10 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in AccessPress Themes WP TFeed plugin <= 1.6.9 versions. | |||||
| CVE-2023-26532 | 1 Accesspressthemes | 1 Social Auto Poster | 2023-12-10 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in AccessPress Themes Social Auto Poster plugin <= 2.1.4 versions. | |||||
| CVE-2022-4946 | 1 Accesspressthemes | 1 Frontend Post Wordpress Plugin | 2023-12-10 | N/A | 5.4 MEDIUM |
| The Frontend Post WordPress Plugin WordPress plugin through 2.8.4 does not validate an attribute of one of its shortcode, which could allow users with a role as low as contributor to add a malicious shortcode to a page/post, which will redirect users to an arbitrary domain. | |||||
| CVE-2023-28661 | 1 Accesspressthemes | 1 Wp Popup Banners | 2023-12-10 | N/A | 8.8 HIGH |
| The WP Popup Banners WordPress Plugin, version <= 1.2.5, is affected by an authenticated SQL injection vulnerability in the 'value' parameter in the get_popup_data action. | |||||
| CVE-2023-0175 | 1 Accesspressthemes | 1 Smart Logo Showcase Lite | 2023-12-10 | N/A | 5.4 MEDIUM |
| The Responsive Clients Logo Gallery Plugin for WordPress plugin through 1.1.9 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2021-24867 | 1 Accesspressthemes | 93 Accessbuddy, Accesspress Anonymous Post, Accesspress Basic and 90 more | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Numerous Plugins and Themes from the AccessPress Themes (aka Access Keys) vendor are backdoored due to their website being compromised. Only plugins and themes downloaded via the vendor website are affected, and those hosted on wordpress.org are not. However, all of them were updated or removed to avoid any confusion | |||||
| CVE-2022-23911 | 1 Accesspressthemes | 1 Ap Custom Testimonial | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
| The Testimonial WordPress Plugin WordPress plugin before 1.4.7 does not validate and escape the id parameter before using it in a SQL statement when retrieving a testimonial to edit, leading to a SQL Injection | |||||
| CVE-2022-23912 | 1 Accesspressthemes | 1 Ap Custom Testimonial | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Testimonial WordPress Plugin WordPress plugin before 1.4.7 does not sanitise and escape the id parameter before outputting it back in an attribute, leading to a Reflected cross-Site Scripting | |||||
| CVE-2021-25107 | 1 Accesspressthemes | 1 Form Store To Db | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Form Store to DB WordPress plugin before 1.1.1 does not sanitise and escape parameter keys before outputting it back in the created entry, allowing unauthenticated attacker to perform Cross-Site Scripting attacks against admin | |||||
| CVE-2022-0628 | 1 Accesspressthemes | 1 Ap Mega Menu | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Mega Menu WordPress plugin before 3.0.8 does not sanitize and escape the _wpnonce parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. | |||||
| CVE-2022-23976 | 1 Accesspressthemes | 1 Access Demo Importer | 2023-12-10 | 5.8 MEDIUM | 8.1 HIGH |
| Cross-Site Request Forgery (CSRF) in Access Demo Importer <= 1.0.7 on WordPress allows an attacker to reset all data (posts / pages / media). | |||||
| CVE-2022-23975 | 1 Accesspressthemes | 1 Access Demo Importer | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-Site Request Forgery (CSRF) in Access Demo Importer <= 1.0.7 on WordPress allows an attacker to activate any installed plugin. | |||||
| CVE-2021-24858 | 1 Accesspressthemes | 1 Wp Cookie User Info | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
| The Cookie Notification Plugin for WordPress plugin before 1.0.9 does not sanitise or escape the id GET parameter before using it in a SQL statement, when retrieving the setting to edit in the admin dashboard, leading to an authenticated SQL Injection | |||||
| CVE-2021-39317 | 1 Accesspressthemes | 43 Access Demo Importer, Accesspress-lite, Accesspress-mag and 40 more | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to malicious file uploads via the plugin_offline_installer AJAX action due to a missing capability check in the plugin_offline_installer_callback function found in the /demo-functions.php file or /welcome.php file of the affected products. The complete list of affected products and their versions are below: WordPress Plugin: AccessPress Demo Importer <=1.0.6 WordPress Themes: accesspress-basic <= 3.2.1 accesspress-lite <= 2.92 accesspress-mag <= 2.6.5 accesspress-parallax <= 4.5 accesspress-root <= 2.5 accesspress-store <= 2.4.9 agency-lite <= 1.1.6 arrival <= 1.4.2 bingle <= 1.0.4 bloger <= 1.2.6 brovy <= 1.3 construction-lite <= 1.2.5 doko <= 1.0.27 edict-lite <= 1.1.4 eightlaw-lite <= 2.1.5 eightmedi-lite <= 2.1.8 eight-sec <= 1.1.4 eightstore-lite <= 1.2.5 enlighten <= 1.3.5 fotography <= 2.4.0 opstore <= 1.4.3 parallaxsome <= 1.3.6 punte <= 1.1.2 revolve <= 1.3.1 ripple <= 1.2.0 sakala <= 1.0.4 scrollme <= 2.1.0 storevilla <= 1.4.1 swing-lite <= 1.1.9 the100 <= 1.1.2 the-launcher <= 1.3.2 the-monday <= 1.4.1 ultra-seven <= 1.2.8 uncode-lite <= 1.3.3 vmag <= 1.2.7 vmagazine-lite <= 1.3.5 vmagazine-news <= 1.0.5 wpparallax <= 2.0.6 wp-store <= 1.1.9 zigcy-baby <= 1.0.6 zigcy-cosmetics <= 1.0.5 zigcy-lite <= 2.0.9 | |||||
| CVE-2021-24143 | 1 Accesspressthemes | 1 Accesspress Social Icons | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| Unvalidated input in the AccessPress Social Icons plugin, versions before 1.8.1, did not sanitise its widget attribute, allowing accounts with post permission, such as author, to perform SQL injections. | |||||
| CVE-2017-16949 | 1 Accesspressthemes | 1 Anonymous Post Pro | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the AccessKeys AccessPress Anonymous Post Pro plugin through 3.1.9 for WordPress. Improper input sanitization allows the attacker to override the settings for allowed file extensions and upload file size, related to inc/cores/file-uploader.php and file-uploader/file-uploader-class.php. This allows the attacker to upload anything they want to the server, as demonstrated by an action=ap_file_upload_action&allowedExtensions[]=php request to /wp-admin/admin-ajax.php that results in a .php file upload and resultant PHP code execution. | |||||
| CVE-2017-15919 | 1 Accesspressthemes | 1 Ultimate-form-builder-lite | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| The ultimate-form-builder-lite plugin before 1.3.7 for WordPress has SQL Injection, with resultant PHP Object Injection, via wp-admin/admin-ajax.php. | |||||