SupsysticCVEs & Vulnerabilities

42 CVEs affecting Supsystic products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

popup 10easy google maps 6social share buttons 5pricing table by supsystic 3contact form 3data tables generator 3photo gallery 3ultimate maps 2
CVE-2023-39997CRITICAL

Missing Authorization vulnerability in supsystic.com Popup by Supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup by Supsystic: from n/a through 1.10.19.

13 Dec 2024
9.8
CVSS
CVE-2023-51353CRITICAL

Missing Authorization vulnerability in supsystic Popup by Supsystic popup-by-supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup by Supsystic: from n/a through <= 1.10.19.

9 Dec 2024
9.8
CVSS
CVE-2024-52434CRITICAL

Deserialization of Untrusted Data vulnerability in supsystic Popup by Supsystic popup-by-supsystic allows Command Injection.This issue affects Popup by Supsystic: from n/a through <= 1.10.29.

18 Nov 2024
9.1
CVSS
CVE-2024-47330HIGH

Missing Authorization vulnerability in Supsystic Slider by Supsystic, Supsystic Social Share Buttons by Supsystic.This issue affects Slider by Supsystic: from n/a through 1.8.6; Social Share Buttons by Supsystic: from n/a through 2.2.9.

26 Sep 2024
8.8
CVSS
CVE-2024-5219MEDIUM

The Easy Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file upload feature in all versions up to, and including, 1.11.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

2 Jul 2024
5.4
CVSS
CVE-2023-46197MEDIUM

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in supsystic.Com Popup by Supsystic allows Relative Path Traversal.This issue affects Popup by Supsystic: from n/a through 1.10.19.

17 May 2024
6.5
CVSS
CVE-2024-31421MEDIUM

Missing Authorization vulnerability in supsystic Popup by Supsystic popup-by-supsystic.This issue affects Popup by Supsystic: from n/a through <= 1.10.27.

15 Apr 2024
4.3
CVSS
CVE-2024-31269HIGH

Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Easy Google Maps.This issue affects Easy Google Maps: from n/a through 1.11.11.

12 Apr 2024
8.8
CVSS
CVE-2024-29921MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in supsystic Photo Gallery by Supsystic gallery-by-supsystic.This issue affects Photo Gallery by Supsystic: from n/a through <= 1.15.16.

27 Mar 2024
4.8
CVSS
CVE-2023-6732MEDIUM

The Ultimate Maps by Supsystic WordPress plugin before 1.2.16 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

16 Jan 2024
4.8
CVSS
CVE-2023-49191MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Supsystic GDPR Cookie Consent by Supsystic allows Stored XSS.This issue affects GDPR Cookie Consent by Supsystic: from n/a through 2.1.2.

15 Dec 2023
4.8
CVSS
CVE-2023-5756HIGH

The Digital Publications by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.6. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to execute AJAX actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

9 Dec 2023
8.8
CVSS
CVE-2023-45068HIGH

Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Contact Form by Supsystic plugin <= 1.7.27 versions.

12 Oct 2023
8.8
CVSS
CVE-2023-3186CRITICAL

The Popup by Supsystic WordPress plugin before 1.10.19 has a prototype pollution vulnerability that could allow an attacker to inject arbitrary properties into Object.prototype.

17 Jul 2023
9.8
CVSS
CVE-2023-2526MEDIUM

The Easy Google Maps plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.11.7. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to executes AJAX actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVE-2024-31269 appears to be a duplicate of this issue.

9 Jun 2023
5.4
CVSS
CVE-2023-33926HIGH

Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Easy Google Maps plugin <= 1.11.7 versions.

28 May 2023
8.8
CVSS
CVE-2023-22714HIGH

Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Coming Soon by Supsystic plugin <= 1.7.10 versions.

22 May 2023
8.8
CVSS
CVE-2023-2528HIGH

The Contact Form by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.24. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to execute AJAX actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

17 May 2023
8.8
CVSS
CVE-2022-47155HIGH

Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Slider by Supsystic plugin <= 1.8.5 versions.

14 Mar 2023
8.8
CVSS
CVE-2022-2384MEDIUM

The Digital Publications by Supsystic WordPress plugin before 1.7.4 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

15 Aug 2022
4.8
CVSS
CVE-2022-33960HIGH

Multiple Authenticated (subscriber or higher user role) SQL Injection (SQLi) vulnerabilities in Social Share Buttons by Supsystic plugin <= 2.2.3 at WordPress.

22 Jul 2022
8.8
CVSS
CVE-2022-27235HIGH

Multiple Broken Access Control vulnerabilities in Social Share Buttons by Supsystic plugin <= 2.2.3 at WordPress.

22 Jul 2022
8.8
CVSS
CVE-2022-2114MEDIUM

The Data Tables Generator by Supsystic WordPress plugin before 1.10.20 does not sanitise and escape some of its Table settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)

17 Jul 2022
4.8
CVSS
CVE-2022-1653MEDIUM

The Social Share Buttons by Supsystic WordPress plugin before 2.2.4 does not perform CSRF checks in it's ajax endpoints and admin pages, allowing an attacker to trick any logged in user to manipulate or change the plugin settings, as well as create, delete and rename projects and networks.

27 Jun 2022
4.3
CVSS
CVE-2017-20065MEDIUM

A vulnerability was found in Supsystic Popup Plugin 1.7.6 and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

20 Jun 2022
4.3
CVSS
CVE-2021-36891MEDIUM

Cross-Site Request Forgery (CSRF) vulnerability in Photo Gallery by Supsystic plugin <= 1.15.5 at WordPress allows changing the plugin settings.

15 Jun 2022
4.3
CVSS
CVE-2021-36890MEDIUM

Cross-Site Request Forgery (CSRF) vulnerability in Social Share Buttons by Supsystic plugin <= 2.2.2 at WordPress.

2 Jun 2022
4.3
CVSS
CVE-2022-0424MEDIUM

The Popup by Supsystic WordPress plugin before 1.10.9 does not have any authentication and authorisation in an AJAX action, allowing unauthenticated attackers to call it and get the email addresses of subscribed users

9 May 2022
5.3
CVSS
CVE-2021-46782MEDIUM

The Pricing Table by Supsystic WordPress plugin before 1.9.5 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting

25 Apr 2022
6.1
CVSS
CVE-2021-46780MEDIUM

The Easy Google Maps WordPress plugin before 1.9.32 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting

25 Apr 2022
6.1
CVSS
CVE-2021-39346MEDIUM

The Google Maps Easy WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/modules/marker_groups/views/tpl/mgrEditMarkerGroup.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.9.33. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

2 Nov 2021
4.8
CVSS
CVE-2021-24276MEDIUMpoc

The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue

5 May 2021
6.1
CVSS
CVE-2021-24275MEDIUMpoc

The Popup by Supsystic WordPress plugin before 1.10.5 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue

5 May 2021
6.1
CVSS
CVE-2021-24274MEDIUMpoc

The Ultimate Maps by Supsystic WordPress plugin before 1.2.5 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue

5 May 2021
6.1
CVSS
CVE-2020-12076HIGH

The data-tables-generator-by-supsystic plugin before 1.9.92 for WordPress lacks CSRF nonce checks for AJAX actions. One consequence of this is stored XSS.

23 Apr 2020
8.8
CVSS
CVE-2020-12075HIGH

The data-tables-generator-by-supsystic plugin before 1.9.92 for WordPress lacks capability checks for AJAX actions.

23 Apr 2020
8.8
CVSS
CVE-2020-9392HIGH

An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. Because there is no permission check on the ImportJSONTable, createFromTpl, and getJSONExportTable endpoints, unauthenticated users can retrieve pricing table information, create new tables, or import/modify a table.

23 Mar 2020
7.3
CVSS
CVE-2020-9394HIGH

An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. It allows CSRF.

25 Feb 2020
8.8
CVSS
CVE-2020-9393MEDIUM

An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. It allows XSS.

25 Feb 2020
6.1
CVSS
CVE-2016-10918HIGH

The gallery-by-supsystic plugin before 1.8.6 for WordPress has CSRF.

22 Aug 2019
8.8
CVSS
CVE-2016-10915HIGH

The popup-by-supsystic plugin before 1.7.9 for WordPress has CSRF.

20 Aug 2019
8.8
CVSS
CVE-2017-18512HIGH

The newsletter-by-supsystic plugin before 1.1.8 for WordPress has CSRF.

14 Aug 2019
8.8
CVSS
← PrevPage 1 / 1Next →