2 results (0.003 seconds)

CVSS: 8.8EPSS: 0%CPEs: 25EXPL: 1

The WP Popup Banners WordPress Plugin, version <= 1.2.5, is affected by an authenticated SQL injection vulnerability in the 'value' parameter in the get_popup_data action. The WP Popup Banners plugin for WordPress is vulnerable to a time-based SQL Injection via the 'value' parameter of the get_popup_data AJAX action in versions up to, and including, 1.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://www.tenable.com/security/research/tra-2023-2 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 9.8EPSS: 0%CPEs: 93EXPL: 2

Numerous Plugins and Themes from the AccessPress Themes (aka Access Keys) vendor are backdoored due to their website being compromised. Only plugins and themes downloaded via the vendor website are affected, and those hosted on wordpress.org are not. However, all of them were updated or removed to avoid any confusion Numerosos plugins y temas del proveedor de AccessPress Themes (también se conoce como Access Keys) han sido perjudicados debido a que su sitio web ha sido comprometido. Sólo están afectados los plugins y temas descargados por medio del sitio web del proveedor, no así los alojados en wordpress.org. Sin embargo, todos ellos fueron actualizados o eliminados para evitar cualquier confusión • https://jetpack.com/2022/01/18/backdoor-found-in-themes-and-plugins-from-accesspress-themes https://wpscan.com/vulnerability/9c76bada-fa32-4c2f-9855-d0efd1e63eff • CWE-912: Hidden Functionality •