webfactoryltd 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
一般的な弱点パターンには vendor risk csrf、vendor risk cross-site scripting, and vendor risk sql injection があり、vendor surface production workloads and vendor surface software deployment の利用場面で vendor impact session compromise and vendor impact data exposure などのリスクが生じる可能性があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2025-1262 | The Advanced Google reCaptcha plugin for WordPress is vulnerable to CAPTCHA Bypass in versions up to, and including, 1.27 . This makes it possible for unauthenticated attackers to bypass the Built-in Math Captcha Verification. | [email protected] | 5.3 | 0.12% | 2025-02-25 | 2025-02-28 |
| CVE-2024-5087 | The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the validate_ajax, deactivate_ajax, and save_ajax functions in all versions up to, and including, 2.38. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the license key, which could disable features of the plugin. | [email protected] | 6.3 | 0.32% | 2024-06-08 | 2026-04-08 |
| CVE-2024-4661 | The WP Reset plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_ajax function in all versions up to, and including, 2.02. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the value fo the 'License Key' field for the 'Activate Pro License' setting. | [email protected] | 4.3 | 0.11% | 2024-06-08 | 2026-04-08 |
| CVE-2024-5770 | The WP Force SSL & HTTPS SSL Redirect plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_setting' function in versions up to, and including, 1.66. This makes it possible for authenticated attackers, subscriber-level permissions and above, to update the plugin settings. | [email protected] | 4.2 | 0.09% | 2024-06-08 | 2026-04-08 |
| CVE-2023-6799 | The WP Reset – Most Advanced WordPress Reset Tool plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0 via the use of insufficiently random snapshot names. This makes it possible for unauthenticated attackers to extract sensitive data including site backups by brute-forcing the snapshot filenames. Please note that the vendor does not plan to do any further hardening on this functionality. | [email protected] | 5.9 | 0.48% | 2024-04-09 | 2026-04-08 |
| CVE-2024-1340 | The Login Lockdown – Protect Login Form plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the generate_export_file function in all versions up to, and including, 2.08. This makes it possible for authenticated attackers, with subscriber access and higher, to export this plugin's settings that include whitelisted IP addresses as well as a global unlock key. With the global unlock key an attacker can add their IP address to the whitelist. | [email protected] | 5.4 | 0.18% | 2024-02-29 | 2026-04-08 |
| CVE-2024-1501 | The Database Reset plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.22. This is due to missing or incorrect nonce validation on the install_wpr() function. This makes it possible for unauthenticated attackers to install the WP Reset Plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | [email protected] | 4.7 | 0.32% | 2024-02-21 | 2026-04-08 |
| CVE-2024-1075 | The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to maintenance mode bypass and information disclosure in all versions up to, and including, 2.37. This is due to the plugin improperly validating the request path. This makes it possible for unauthenticated attackers to bypass maintenance mode and view pages that should be hidden. | [email protected] | 3.7 | 0.48% | 2024-02-05 | 2026-04-08 |
| CVE-2023-50837 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WebFactory Ltd Login Lockdown – Protect Login Form.This issue affects Login Lockdown – Protect Login Form: from n/a through 2.06. | [email protected] | 7.6 | 0.29% | 2023-12-29 | 2026-04-28 |
| CVE-2023-49747 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebFactory Ltd Guest Author allows Stored XSS.This issue affects Guest Author: from n/a through 2.3. | [email protected] | 5.9 | 0.13% | 2023-12-15 | 2026-04-28 |
| CVE-2023-3601 | The Simple Author Box WordPress plugin before 2.52 does not verify a user ID before outputting information about that user, leading to arbitrary user information disclosure to users with a role as low as Contributor. | [email protected] | 4.3 | 0.18% | 2023-08-14 | 2025-05-05 |
| CVE-2023-0832 | The Under Construction plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.96. This is due to missing or incorrect nonce validation on the install_weglot function called via the admin_action_install_weglot action. This makes it possible for unauthenticated attackers to perform an unauthorized install of the Weglot Translate plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | [email protected] | 4.3 | 0.08% | 2023-06-09 | 2026-04-08 |
| CVE-2023-0831 | The Under Construction plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.96. This is due to missing or incorrect nonce validation on the dismiss_notice function called via the admin_action_ucp_dismiss_notice action. This makes it possible for unauthenticated attackers to dismiss plugin notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | [email protected] | 4.3 | 0.08% | 2023-06-09 | 2026-04-08 |
| CVE-2023-1913 | The Maps Widget for Google Maps for WordPress is vulnerable to Stored Cross-Site Scripting via widget settings in versions up to, and including, 4.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has b | [email protected] | 4.4 | 0.24% | 2023-04-06 | 2026-04-08 |
| CVE-2022-1583 | The External Links in New Window / New Tab WordPress plugin before 1.43 does not ensure window.opener is set to "null" when links to external sites are clicked, which may enable tabnabbing attacks to occur. | [email protected] | 6.5 | 0.57% | 2022-05-30 | 2024-11-21 |
| CVE-2022-1582 | The External Links in New Window / New Tab WordPress plugin before 1.43 does not properly escape URLs it concatenates to onclick event handlers, which makes Stored Cross-Site Scripting attacks possible. | [email protected] | 6.1 | 0.20% | 2022-05-30 | 2024-11-21 |
| CVE-2021-36909 | Authenticated Database Reset vulnerability in WordPress WP Reset PRO Premium plugin (versions <= 5.98) allows any authenticated user to wipe the entire database regardless of their authorization. It leads to a complete website reset and takeover. | [email protected] | 8.8 | 1.21% | 2021-11-18 | 2024-11-21 |
| CVE-2021-36908 | Cross-Site Request Forgery (CSRF) vulnerability in WebFactory Ltd. WP Reset PRO plugin <= 5.98 versions. | [email protected] | 8.8 | 0.14% | 2021-11-18 | 2024-11-21 |
| CVE-2021-24533 | The Maintenance WordPress plugin before 4.03 does not sanitise or escape some of its settings, allowing high privilege users such as admin to se Cross-Site Scripting payload in them (even when the unfiltered_html capability is disallowed), which will be triggered in the frontend | [email protected] | 4.8 | 0.21% | 2021-08-23 | 2024-11-21 |
| CVE-2021-24424 | The WP Reset – Most Advanced WordPress Reset Tool WordPress plugin before 1.90 did not sanitise or escape its extra_data parameter when creating a snapshot via the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue | [email protected] | 5.4 | 0.37% | 2021-07-12 | 2024-11-21 |