Severity
High
Analysis Summary
CVE-2023-5251 CVSS:5.4
Grid Plus plugin for WordPress could allow a remote authenticated attacker to bypass security restrictions, caused by improper authorization in the access.grid_plus_save_layout_callback and grid_plus_delete_callback functions. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass authentication and obtain administrative.
CVE-2023-5252 CVSS:6.4
FareHarbor plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the spice_post_slider shortcode. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-5307 CVSS:7.2
Photos and Files Contest Gallery plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the gallery shortcode. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-5315 CVSS:8.8
Google Maps made Simple plugin for WordPress is vulnerable to SQL injection. A remote authenticated attacker could send specially crafted SQL statements using the plugin’s shortcode, which could allow the attacker to bypass authentication and obtain administrative access.
CVE-2023-5335 CVSS:6.4
Buzzsprout Podcasting plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the buzzsprout shortcode. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-5412 CVSS:8.8
Image horizontal reel scroll slideshow plugin for WordPress is vulnerable to SQL injection. A remote authenticated attacker could send specially crafted SQL statements using the plugin’s shortcode, which could allow the attacker to bypass authentication and obtain administrative access.
CVE-2023-5428 CVSS:8.8
Image vertical reel scroll slideshow plugin for WordPress is vulnerable to SQL injection. A remote authenticated attacker could send specially crafted SQL statements using the plugin’s shortcode, which could allow the attacker to bypass authentication and obtain administrative access.
Impact
- Information Disclosure
Indicators Of Compromise
CVE
- CVE-2023-44483
Affected Vendors
Apache
Affected Products
- Apache Santuario 2.2.5
- Apache Santuario 2.3.3
- Apache Santuario 3.0.2
Remediation
Upgrade to the latest version of Santuario available from the Apache Web site.