彙總 10up 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
歷史漏洞主要涉及 CSRF與跨站腳本 等問題,部分漏洞可能導致 工作階段劫持,並影響 生產負載與軟體部署 相關場景。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2024-8378 | The Safe SVG WordPress plugin before 2.2.6 has its sanitisation code is only running for paths that call wp_handle_upload, but not for example for code that uses wp_handle_sideload which is often used to upload attachments via raw POST data. | [email protected] | 4.8 | 0.30% | 2024-11-07 | 2026-06-17 |
| CVE-2024-43116 | Cross-Site Request Forgery (CSRF) vulnerability in 10up Simple Local Avatars.This issue affects Simple Local Avatars: from n/a through 2.7.10. | [email protected] | 4.3 | 0.20% | 2024-08-26 | 2026-06-17 |
| CVE-2024-35684 | Cross-Site Request Forgery (CSRF) vulnerability in 10up ElasticPress elasticpress.This issue affects ElasticPress: from n/a through <= 5.1.1. | [email protected] | 4.3 | 0.18% | 2024-06-08 | 2026-06-17 |
| CVE-2021-4405 | The ElasticPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.3. This is due to missing or incorrect nonce validation on the epio_send_autosuggest_allowed() function. This makes it possible for unauthenticated attackers to send allowed parameters for autosuggest to elasticpress[.]io via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | [email protected] | 4.3 | 0.39% | 2023-07-01 | 2026-06-17 |
| CVE-2022-1613 | The Restricted Site Access WordPress plugin before 7.3.2 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations in certain situations. | [email protected] | 5.3 | 0.58% | 2022-09-26 | 2026-06-17 |
| CVE-2022-1091 | The sanitisation step of the Safe SVG WordPress plugin before 1.9.10 can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform the kinds of attacks that this plugin should prevent (mainly XSS, but depending on further use of uploaded SVG files potentially other XML attacks). | [email protected] | 6.1 | 1.16% | 2022-04-18 | 2026-06-17 |
| CVE-2019-18855 | A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to potentially unwanted elements or attributes. | [email protected] | 7.5 | 2.60% | 2019-11-11 | 2026-06-16 |
| CVE-2019-18854 | A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to unlimited recursion for a '<use ... xlink:href="#identifier">' substring. | [email protected] | 7.5 | 2.60% | 2019-11-11 | 2026-06-16 |