10up

8 CVEs • 4 products

Products (4)

Click to collapse

Toggle

Restricted Site Access

restricted_site_access

Simple Local Avatars

simple_local_avatars

CVEs (8)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-8378 110up 1Safe Svg May 17, 2025 Nov 7, 2024 N/A· v4 4.8 MEDIUM· v3 N/A· v2 The Safe SVG WordPress plugin before 2.2.6 has its sanitisation code is only running for paths that call wp_handle_upload, but not for example for code that uses wp_handle_sideload which is often used to upload attachmen...Show more The Safe SVG WordPress plugin before 2.2.6 has its sanitisation code is only running for paths that call wp_handle_upload, but not for example for code that uses wp_handle_sideload which is often used to upload attachments via raw POST data.Show less
CVE-2024-43116 110up 1Simple Local Avatars Sep 18, 2024 Aug 26, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in 10up Simple Local Avatars.This issue affects Simple Local Avatars: from n/a through 2.7.10.
CVE-2024-35684 110up 1Elasticpress Apr 23, 2026 Jun 8, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in 10up ElasticPress elasticpress.This issue affects ElasticPress: from n/a through <= 5.1.1.
CVE-2021-4405 110up 1Elasticpress Apr 8, 2026 Jul 1, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The ElasticPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.3. This is due to missing or incorrect nonce validation on the epio_send_autosuggest_allowed() funct...Show more The ElasticPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.3. This is due to missing or incorrect nonce validation on the epio_send_autosuggest_allowed() function. This makes it possible for unauthenticated attackers to send allowed parameters for autosuggest to elasticpress[.]io via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2022-1613 110up 1Restricted Site Access May 21, 2025 Sep 26, 2022 N/A· v4 5.3 MEDIUM· v3 N/A· v2 The Restricted Site Access WordPress plugin before 7.3.2 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations in certain situations.
CVE-2022-1091 110up 1Safe Svg Nov 21, 2024 Apr 18, 2022 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 The sanitisation step of the Safe SVG WordPress plugin before 1.9.10 can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform t...Show more The sanitisation step of the Safe SVG WordPress plugin before 1.9.10 can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform the kinds of attacks that this plugin should prevent (mainly XSS, but depending on further use of uploaded SVG files potentially other XML attacks).Show less
CVE-2019-18855 110up 1Safe Svg Nov 21, 2024 Nov 11, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to potentially unwanted elements or attributes.
CVE-2019-18854 110up 1Safe Svg Nov 21, 2024 Nov 11, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to unlimited recursion for a '<use ... xlink:href="#identifier">' substring.