The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of WordPress Plugins ~ not comprehensive

vulnerability CVE-2019-7411

WordPress Launcher: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress Launcher, in order to run JavaScript code in the context of the web site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 15/05/2019.
Identifiers: CVE-2019-7411, VIGILANCE-VUL-29310.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress Launcher, in order to run JavaScript code in the context of the web site.

computer vulnerability CVE-2019-9618

WordPress GraceMedia Media Player: directory traversal

Synthesis of the vulnerability

An attacker can traverse directories of WordPress GraceMedia Media Player, in order to read a file outside the service root path.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 14/05/2019.
Identifiers: CVE-2019-9618, VIGILANCE-VUL-29285.

Description of the vulnerability

An attacker can traverse directories of WordPress GraceMedia Media Player, in order to read a file outside the service root path.

vulnerability note CVE-2019-7411

WordPress MyThemeShop Launcher: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress MyThemeShop Launcher, in order to run JavaScript code in the context of the web site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 14/05/2019.
Identifiers: CVE-2019-7411, METS-2019-002, VIGILANCE-VUL-29284.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress MyThemeShop Launcher, in order to run JavaScript code in the context of the web site.

computer vulnerability CVE-2019-11871

WordPress Custom Field Suite: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress Custom Field Suite, in order to run JavaScript code in the context of the web site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 13/05/2019.
Identifiers: CVE-2019-11871, VIGILANCE-VUL-29275.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress Custom Field Suite, in order to run JavaScript code in the context of the web site.

vulnerability note CVE-2019-10866

WordPress Form Maker: SQL injection via get_labels_parameters

Synthesis of the vulnerability

An attacker can use a SQL injection via get_labels_parameters() of WordPress Form Maker, in order to read or alter data.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: internet client.
Creation date: 13/05/2019.
Identifiers: CVE-2019-10866, VIGILANCE-VUL-29274.

Description of the vulnerability

An attacker can use a SQL injection via get_labels_parameters() of WordPress Form Maker, in order to read or alter data.

computer vulnerability bulletin CVE-2019-11869

WordPress Yuzo Related Posts: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress Yuzo Related Posts, in order to run JavaScript code in the context of the web site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 10/05/2019.
Identifiers: CVE-2019-11869, VIGILANCE-VUL-29268.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress Yuzo Related Posts, in order to run JavaScript code in the context of the web site.

computer vulnerability bulletin CVE-2019-11807

WordPress WooCommerce Checkout Manager: media file deletion

Synthesis of the vulnerability

An attacker can make WordPress WooCommerce Checkout Manager remove media files.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: data deletion.
Provenance: internet client.
Creation date: 07/05/2019.
Identifiers: CVE-2019-11807, VIGILANCE-VUL-29238.

Description of the vulnerability

An attacker can make WordPress WooCommerce Checkout Manager remove media files.

vulnerability alert CVE-2019-10673

WordPress Ultimate Member: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery of WordPress Ultimate Member, in order to force the victim to perform operations.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 06/05/2019.
Identifiers: CVE-2019-10673, VIGILANCE-VUL-29231.

Description of the vulnerability

An attacker can trigger a Cross Site Request Forgery of WordPress Ultimate Member, in order to force the victim to perform operations.

computer vulnerability CVE-2019-9978

WordPress Social Warfare: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress Social Warfare, in order to run JavaScript code in the context of the web site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 25/03/2019.
Revision date: 06/05/2019.
Identifiers: CVE-2019-9978, VIGILANCE-VUL-28845.

Description of the vulnerability

The Social Warfare plugin can be installed on WordPress.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of WordPress Social Warfare, in order to run JavaScript code in the context of the web site.

vulnerability bulletin CVE-2019-11591

WordPress Contact Form by WD: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery of WordPress Contact Form by WD, in order to force the victim to perform operations.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 02/05/2019.
Identifiers: CVE-2019-11591, VIGILANCE-VUL-29173.

Description of the vulnerability

The Contact Form by WD plugin can be installed on WordPress.

However, the origin of queries is not checked. They can, for example, originate from an image included in an HTML document.

An attacker can therefore trigger a Cross Site Request Forgery of WordPress Contact Form by WD, in order to force the victim to perform operations.