Vendor CVEs
Automattic
All CVEs
69 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2024-10075 | 0.00 | — | 0.00 | May 15, 2025 | The Jetpack WordPress plugin before 13.8 does not ensure that the post created by the Contact Form is only accessible to authorised users, which could allow unauthenticated users to run arbitrary shortcodes and block. |
| CVE-2025-0466 | 0.00 | — | 0.00 | Feb 4, 2025 | The Sensei LMS WordPress plugin before 4.24.4 does not properly protect some of its REST API routes, allowing unauthenticated attackers to leak sensei_email and sensei_message Information. |
| CVE-2024-43968 | 0.00 | — | 0.00 | Nov 1, 2024 | Broken Access Control vulnerability in Automattic Newspack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Newspack: from n/a through 3.8.6. |
| CVE-2024-9944 | 0.00 | — | 0.01 | Oct 15, 2024 | The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutralizing HTML elements from submitted order forms. This makes it possible for unauthenticated attackers to inject… |
| CVE-2024-43949 | 0.00 | — | 0.00 | Aug 29, 2024 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic GHActivity allows Stored XSS. This issue affects GHActivity: from n/a through 2.0.0-alpha. |
| CVE-2024-37474 | 0.00 | — | 0.00 | Jul 4, 2024 | Cross Site Scripting (XSS) vulnerability in Automattic Newspack Ads allows Stored XSS. This issue affects Newspack Ads: from n/a through 1.47.1. |
| CVE-2024-37476 | 0.00 | — | 0.00 | Jul 4, 2024 | Cross Site Scripting (XSS) vulnerability in Automattic Newspack Campaigns allows Stored XSS. This issue affects Newspack Campaigns: from n/a through 2.31.1. |
| CVE-2023-47788 | 0.00 | — | 0.00 | Jun 19, 2024 | Missing Authorization vulnerability in Automattic Jetpack. This issue affects Jetpack: from n/a before 12.7. |
| CVE-2023-27429 | 0.00 | — | 0.00 | Jun 21, 2023 | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Automattic - Jetpack CRM team Jetpack CRM plugin <= 5.4.4 versions. |
| CVE-2022-4497 | 0.00 | — | 0.01 | Jan 9, 2023 | The Jetpack CRM WordPress plugin before 5.5 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against… |
| CVE-2022-3919 | 0.00 | — | 0.00 | Dec 12, 2022 | The Jetpack CRM WordPress plugin before 5.4.3 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2022-29832 | 0.00 | — | 0.01 | Nov 24, 2022 | Cleartext Storage of Sensitive Information in Memory vulnerability in Mitsubishi Electric Corporation GX Works3 versions 1.015R and later, GX Works2 all versions and GX Developer versions 8.40S and later allows a remote unauthenticated attacker to disclose sensitive information.… |
| CVE-2022-45069 | 0.00 | — | 0.01 | Nov 17, 2022 | Auth. (contributor+) Privilege Escalation vulnerability in Crowdsignal Dashboard plugin <= 3.0.9 on WordPress. |
| CVE-2022-2386 | 0.00 | — | 0.01 | Aug 8, 2022 | The Crowdsignal Dashboard WordPress plugin before 3.0.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. |
| CVE-2021-34066 | 0.00 | — | 0.02 | Aug 30, 2021 | An issue was discovered in EdgeGallery/developer before v1.0. There is a "Deserialization of yaml file" vulnerability that can allow attackers to execute system commands through uploading a maliciously constructed YAML file. |
| CVE-2021-24323 | 0.00 | — | 0.01 | May 17, 2021 | When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfiltered_html capability is disabled. |
| CVE-2020-8215 | 0.00 | — | 0.02 | Jul 20, 2020 | A buffer overflow is present in canvas version <= 1.6.9, which could lead to a Denial of Service or execution of arbitrary code when it processes a user-provided image. |
| CVE-2015-3429 | 0.00 | — | 0.04 | Jun 17, 2015 | Cross-site scripting (XSS) vulnerability in example.html in Genericons before 3.3.1, as used in WordPress before 4.2.2, allows remote attackers to inject arbitrary web script or HTML via a fragment identifier. |
| CVE-2014-0173 | 0.00 | — | 0.02 | Apr 22, 2014 | The Jetpack plugin 1.9 before 1.9.4, 2.0.x before 2.0.9, 2.1.x before 2.1.4, 2.2.x before 2.2.7, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.2, 2.6.x before 2.6.3, 2.7.x before 2.7.2, 2.8.x before 2.8.2, and 2.9.x before 2.9.3 for WordPress does not properly… |
Page 2 of 2