Rd Station
Monthly
Remote code execution in the Filipe Nasc RD Station WordPress plugin (versions up to and including 5.6.0) allows authenticated attackers to inject and execute arbitrary PHP code through an improper code-generation control flaw. The issue carries a critical CVSS 3.1 score of 9.9 with a scope-changing impact, and no public exploit identified at time of analysis, though Patchstack has catalogued it as a Remote Code Execution vulnerability in their WordPress vulnerability database.
The RD Station plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.3.2 due to insufficient input sanitization and output escaping of post. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in RD Station plugin <= 5.2.0 at WordPress. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Remote code execution in the Filipe Nasc RD Station WordPress plugin (versions up to and including 5.6.0) allows authenticated attackers to inject and execute arbitrary PHP code through an improper code-generation control flaw. The issue carries a critical CVSS 3.1 score of 9.9 with a scope-changing impact, and no public exploit identified at time of analysis, though Patchstack has catalogued it as a Remote Code Execution vulnerability in their WordPress vulnerability database.
The RD Station plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.3.2 due to insufficient input sanitization and output escaping of post. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in RD Station plugin <= 5.2.0 at WordPress. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.