The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of WordPress Plugins ~ not comprehensive

vulnerability bulletin CVE-2018-20556

WordPress Booking Calendar: SQL injection

Synthesis of the vulnerability

An attacker can use a SQL injection of WordPress Booking Calendar, in order to read or alter data.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: internet client.
Creation date: 19/03/2019.
Identifiers: CVE-2018-20556, VIGILANCE-VUL-28773.

Description of the vulnerability

The WordPress Booking Calendar product uses a database.

However, user-supplied data is inserted directly into a SQL query without sanitization or parameter binding.

An attacker can therefore use a SQL injection of WordPress Booking Calendar, in order to read or alter data.
Full Vigil@nce bulletin... (Free trial)

vulnerability announcement CVE-2018-20555

WordPress Social Network Tabs: information disclosure

Synthesis of the vulnerability

An attacker can bypass access restrictions to data of WordPress Social Network Tabs, in order to obtain sensitive information.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 19/03/2019.
Identifiers: CVE-2018-20555, VIGILANCE-VUL-28772.

Description of the vulnerability

An attacker can bypass access restrictions to data of WordPress Social Network Tabs, in order to obtain sensitive information.

computer vulnerability alert CVE-2019-9646

WordPress Contact Form Email: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress Contact Form Email, in order to run JavaScript code in the context of the web site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 11/03/2019.
Identifiers: CVE-2019-9646, VIGILANCE-VUL-28706.

Description of the vulnerability

The Contact Form Email plugin can be installed on WordPress.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of WordPress Contact Form Email, in order to run JavaScript code in the context of the web site.

computer vulnerability alert CVE-2019-9576

WordPress Blog2Social: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress Blog2Social, in order to run JavaScript code in the context of the web site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 06/03/2019.
Identifiers: CVE-2019-9576, VIGILANCE-VUL-28676.

Description of the vulnerability

The Blog2Social plugin can be installed on WordPress.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of WordPress Blog2Social, in order to run JavaScript code in the context of the web site.

computer vulnerability CVE-2019-9575

WordPress Quiz And Survey Master: Cross Site Scripting via quiz_id

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via quiz_id of WordPress Quiz And Survey Master, in order to run JavaScript code in the context of the web site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 06/03/2019.
Identifiers: CVE-2019-9575, VIGILANCE-VUL-28675.

Description of the vulnerability

The Quiz And Survey Master plugin can be installed on WordPress.

However, it does not filter data received via quiz_id before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via quiz_id of WordPress Quiz And Survey Master, in order to run JavaScript code in the context of the web site.

vulnerability bulletin CVE-2019-9567 CVE-2019-9568

WordPress Forminator Contact Form: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of WordPress Forminator Contact Form.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights, data reading, data creation/edition, data deletion.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 05/03/2019.
Identifiers: CVE-2019-9567, CVE-2019-9568, VIGILANCE-VUL-28653.

Description of the vulnerability

An attacker can use several vulnerabilities of WordPress Forminator Contact Form.

computer vulnerability alert CVE-2019-5924

WordPress Smart Forms: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery of WordPress Smart Forms, in order to force the victim to perform operations.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 28/02/2019.
Identifiers: CVE-2019-5924, JVN#97656108, VIGILANCE-VUL-28626.

Description of the vulnerability

The Smart Forms plugin can be installed on WordPress.

However, the origin of requests is not checked: a request can, for example, originate from an image included in an HTML document served by a third-party site.

An attacker can therefore trigger a Cross Site Request Forgery of WordPress Smart Forms, in order to force the victim to perform operations.

vulnerability CVE-2019-7413

WordPress Parallax Scroll: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress Parallax Scroll, in order to run JavaScript code in the context of the web site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 06/02/2019.
Identifiers: CVE-2019-7413, VIGILANCE-VUL-28450.

Description of the vulnerability

The Parallax Scroll plugin can be installed on WordPress.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of WordPress Parallax Scroll, in order to run JavaScript code in the context of the web site.

computer vulnerability note CVE-2019-7412

WordPress PS PHPCaptcha WP: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress PS PHPCaptcha WP, in order to run JavaScript code in the context of the web site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 06/02/2019.
Identifiers: CVE-2019-7412, VIGILANCE-VUL-28449.

Description of the vulnerability

The PS PHPCaptcha WP plugin can be installed on WordPress.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of WordPress PS PHPCaptcha WP, in order to run JavaScript code in the context of the web site.

computer vulnerability bulletin CVE-2019-1000003

WordPress MapSVG Lite: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery of WordPress MapSVG Lite, in order to force the victim to perform operations.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 05/02/2019.
Identifiers: CVE-2019-1000003, VIGILANCE-VUL-28438.

Description of the vulnerability

The MapSVG Lite plugin can be installed on WordPress.

However, the origin of requests is not checked: a request can, for example, originate from an image included in an HTML document served by a third-party site.

An attacker can therefore trigger a Cross Site Request Forgery of WordPress MapSVG Lite, in order to force the victim to perform operations.