Vulnerabilities and security research for blog-designer-pack
Jun 06, 2024
News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) # CVE-2023-5815
- Date: Nov 22, 2023
- Research Description: The News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) plugin for WordPress is vulnerable to Remote Code Execution via Local File Inclusion in all versions up to, and including, 3.4.1 via the bdp_get_more_post function, which is hooked through a nopriv AJAX action and is therefore reachable without authentication. This is due to the function utilizing an unsafe extract() call to turn the keys of the POST array into local variables and then passing one of those values to include(). This makes it possible for unauthenticated attackers to include arbitrary PHP files and achieve remote code execution. On vulnerable Docker configurations it may be possible for an attacker to create a PHP file and then subsequently include it to achieve RCE.
- Affected versions: max 3.4.2 (the listed bound; the description gives 3.4.1 as the last affected release)
- Status: vulnerable
News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) # 314a742c88d5d8716382ccebf50de3afe4ce254c
- Date: Feb 28, 2022
- Research Description: Blog Designer Pack – Blog, Post Grid, Post Slider, Post Carousel, Category Post, News [blog-designer-pack] < 2.3.1 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF). A CSRF vulnerability discovered in the WordPress News & Blog Designer Pack – WordPress Blog Plugin (versions < 2.3.1) allows an attacker to toggle the plugin's debug mode by forging the request in the browser of a logged-in user.
- Affected versions: max 2.3.1 (the description gives < 2.3.1, so 2.3.1 itself is not affected)
- Status: vulnerable
News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) # CVE-2022-4792
- Date: Jan 31, 2023
- Research Description: The News & Blog Designer Pack WordPress plugin before 3.3 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks. Contributors lack the unfiltered_html capability, so an unescaped shortcode attribute is the route by which their markup reaches the browsers of the editors and readers who view the post.
- Affected versions: max 3.3 (the description gives "before 3.3", so 3.3 itself is not affected)
- Status: vulnerable
Nov 15, 2024
News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) # CVE-2022-4974
- Date: Oct 16, 2024
- Research Description: The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and _set_db_option functions in versions up to, and including, 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
- Affected versions: max 2.3.1 (this plugin's versions, which bundle the vulnerable SDK; the SDK bound is 2.4.2, fixed in 2.4.3)
- Status: vulnerable
Apr 04, 2025
News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) # CVE-2025-31082
- Date: Apr 02, 2025
- Research Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in InfornWeb News & Blog Designer Pack (blog-designer-pack) allows PHP Local File Inclusion. This issue affects News & Blog Designer Pack: from n/a through 4.0.
- Affected versions: max 4.0.1 (the listed bound; the description gives 4.0 as the last affected release)
- Status: vulnerable
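The two inclusion entries on this page (CVE-2023-5815, where extract() on the POST array feeds include() in a nopriv AJAX handler, and CVE-2025-31082, an include() whose filename the request controls) share one root cause: the path handed to include() is derived from request data. The following is an added illustration written for this page, not the plugin's code. Function names, the example_ prefix, the nonce action and the template names are hypothetical; it assumes it is loaded inside a WordPress plugin, since it uses the WordPress hook and sanitization API.

```php
<?php
/**
 * Added illustration (not the plugin's code) of the extract()-into-include()
 * pattern beside a hardened handler. All names here are hypothetical.
 */

// --- Vulnerable shape ---------------------------------------------------
// wp_ajax_nopriv_ registers the handler for logged-out callers, so any
// unauthenticated POST to admin-ajax.php reaches it.
add_action( 'wp_ajax_nopriv_example_get_more_post', 'example_get_more_post_vulnerable' );
add_action( 'wp_ajax_example_get_more_post', 'example_get_more_post_vulnerable' );

function example_get_more_post_vulnerable() {
    // extract() turns every POST key into a local variable, so the attacker
    // sets $design_file even though the code never meant it to be a parameter.
    extract( $_POST );

    // Attacker-controlled path reaches include(): with traversal
    // (../../../) any .php file on disk can be included, including one the
    // attacker managed to write elsewhere (the "create then include" case).
    include( plugin_dir_path( __FILE__ ) . 'templates/' . $design_file . '.php' );
    wp_die();
}

// --- Hardened shape -----------------------------------------------------
// The only templates this endpoint may render. The request value is used as
// a lookup key, never as a path component.
const EXAMPLE_TEMPLATES = array(
    'grid'     => 'templates/grid.php',
    'slider'   => 'templates/slider.php',
    'carousel' => 'templates/carousel.php',
);

add_action( 'wp_ajax_nopriv_example_get_more_post_safe', 'example_get_more_post_safe' );
add_action( 'wp_ajax_example_get_more_post_safe', 'example_get_more_post_safe' );

function example_get_more_post_safe() {
    // Ties the request to a page the site rendered; the page emits the
    // nonce with wp_create_nonce( 'example_load_more' ).
    check_ajax_referer( 'example_load_more', 'nonce' );

    // Read only the keys you expect; no extract().
    $design = isset( $_POST['design'] ) ? sanitize_key( wp_unslash( $_POST['design'] ) ) : '';
    $paged  = isset( $_POST['paged'] ) ? absint( $_POST['paged'] ) : 1;

    $template = example_resolve_template( $design );
    if ( null === $template ) {
        wp_send_json_error( array( 'message' => 'unknown design' ), 400 );
    }

    // $paged is available to the template; the path itself comes from the
    // allowlist and cannot be steered by the caller.
    include plugin_dir_path( __FILE__ ) . $template;
    wp_die();
}

/**
 * Map a request value to an allowlisted template path, or null.
 * Kept free of WordPress calls so it can be unit-tested on its own.
 */
function example_resolve_template( $design ) {
    return array_key_exists( $design, EXAMPLE_TEMPLATES ) ? EXAMPLE_TEMPLATES[ $design ] : null;
}
```

One caveat a reviewer should keep in mind: on a nopriv endpoint the nonce is a weak control, because nonces issued to logged-out visitors are not bound to a user and any visitor can obtain one. The allowlist lookup is the fix that removes the inclusion primitive; the nonce only makes the endpoint harder to hit from an unrelated origin.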
May 02, 2026
News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) # CVE-2024-13362
- Date: May 01, 2026
- Research Description: Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
- Affected versions: max 3.4.11
- Status: vulnerable
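Both cross-site scripting entries on this page come down to output that is not escaped for the context it lands in: a shortcode attribute echoed into post markup (CVE-2022-4792, stored, reachable by a contributor) and a url request parameter echoed into an href (CVE-2024-13362, reflected). The block below is an added illustration for this page, not the plugin's code; the shortcode tag, attribute names and the example_ prefix are hypothetical, and it assumes it runs inside a WordPress plugin because it relies on the WordPress escaping functions.

```php
<?php
/**
 * Added illustration (not the plugin's code): an unescaped shortcode
 * attribute and an unescaped url parameter, each beside a hardened form.
 * Shortcode tag, attribute names and function names are hypothetical.
 */

// --- Vulnerable: stored XSS through a shortcode attribute --------------
// A contributor has no unfiltered_html capability, so raw <script> in the
// post body is stripped on save. An attribute echoed verbatim bypasses that:
// [example_grid title='"><img src=x onerror=alert(1)>'] runs in the browser
// of whoever previews or reads the post, editors and administrators included.
function example_grid_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'columns' => '3' ), $atts, 'example_grid' );
    return '<div class="example-grid" data-columns="' . $atts['columns'] . '">'
         . '<h2>' . $atts['title'] . '</h2></div>';
}

// --- Vulnerable: reflected XSS through the url parameter -----------------
// ?url="><script>...</script> lands straight in the markup; the victim only
// has to follow a crafted link.
function example_more_link_vulnerable() {
    $url = isset( $_GET['url'] ) ? $_GET['url'] : '';
    return '<a class="example-more" href="' . $url . '">more</a>';
}

// --- Hardened: validate the value, then escape for the exact context ---
function example_grid_safe( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'columns' => '3' ), $atts, 'example_grid' );

    // Validation: columns is a small integer, never free text.
    $columns = absint( $atts['columns'] );
    if ( $columns < 1 || $columns > 6 ) {
        $columns = 3;
    }

    return '<div class="example-grid" data-columns="' . esc_attr( (string) $columns ) . '">'
         . '<h2>' . esc_html( $atts['title'] ) . '</h2></div>'; // HTML-text context
}

function example_more_link_safe() {
    $raw = isset( $_GET['url'] ) ? wp_unslash( $_GET['url'] ) : '';

    // esc_url() drops characters that cannot appear in a URL (", <, >),
    // entity-encodes the rest and returns '' for schemes outside
    // wp_allowed_protocols(), so javascript: and data: never reach the href.
    $url = esc_url( $raw );
    if ( '' === $url ) {
        return '';
    }
    return '<a class="example-more" href="' . $url . '">more</a>';
}

add_shortcode( 'example_grid', 'example_grid_safe' );
```

The point of keeping validation and escaping as two steps is that they answer different questions: absint() decides whether the value is acceptable at all, while esc_attr(), esc_html() and esc_url() make whatever survives safe for one specific output context. Escaping with the wrong function (esc_html() inside an href, for instance) still leaves a javascript: URL executable.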
Jun 14, 2026
News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) # CVE-2023-33999
- Date: Jun 11, 2026
- Research Description: Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2.
- Affected versions: max 3.4.1 (listed for this plugin; note that the description attached here refers to the WPVibes WP Mail Log plugin through 1.0.2, not to blog-designer-pack, so confirm the advisory before acting on this entry)
- Status: vulnerable
Jun 16, 2026
News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) # 6d8910c719b2a132ec93828cd37e418b19cac960
- Date: Mar 04, 2022
- Research Description: Blog Designer Pack – Blog, Post Grid, Post Slider, Post Carousel, Category Post, News [blog-designer-pack] < 2.3.1 - Freemius SDK <= 2.4.2 - Missing Authorization Checks. The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and _set_db_option functions in versions up to, and including, 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
- Affected versions: max 2.3.1 (this plugin's versions, which bundle the vulnerable SDK; the SDK bound is 2.4.2, fixed in 2.4.3)
- Status: vulnerable
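The debug-mode CSRF entry (314a742c…) and the two Freemius SDK entries (CVE-2022-4974 and 6d8910c7…) describe the same class of defect: a privileged admin action that checks neither who is calling (capability) nor whether the caller intended the request (nonce), and in the Freemius case lets the request name the option to read or write. The following is an added illustration for this page, not the plugin's or the Freemius SDK's code; the action names, option names, nonce action and example_ prefix are hypothetical, and it assumes a WordPress plugin context.

```php
<?php
/**
 * Added illustration (not the plugin's or Freemius's code): privileged
 * AJAX actions with no capability check and no nonce, beside a hardened
 * version. Action, option and nonce names are hypothetical.
 */

// --- Vulnerable shape ---------------------------------------------------
// wp_ajax_ (without nopriv) only requires *some* logged-in user; a
// subscriber qualifies. With no nonce, a third-party page can also fire the
// request from an administrator's browser (CSRF). Letting the request name
// the option turns a debug helper into read/write access to wp_options.
add_action( 'wp_ajax_example_get_db_option', 'example_get_db_option_vulnerable' );
function example_get_db_option_vulnerable() {
    // e.g. option_name=admin_email or active_plugins
    wp_send_json_success( get_option( $_POST['option_name'] ) );
}

add_action( 'wp_ajax_example_set_db_option', 'example_set_db_option_vulnerable' );
function example_set_db_option_vulnerable() {
    // e.g. option_name=users_can_register&option_value=1
    update_option( $_POST['option_name'], $_POST['option_value'] );
    wp_send_json_success();
}

// --- Hardened shape -----------------------------------------------------
add_action( 'wp_ajax_example_toggle_debug', 'example_toggle_debug_safe' );

function example_toggle_debug_safe() {
    // 1. CSRF: the request must carry a nonce issued to this user for this
    //    action; the admin page passes it to the script via wp_localize_script().
    check_ajax_referer( 'example_toggle_debug', 'nonce' );

    // 2. Authorization: a nonce proves intent, not privilege. Without this
    //    check any logged-in user with a valid nonce could flip the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Fixed target: the handler decides *which* option changes; the
    //    request only supplies a boolean.
    $enabled = isset( $_POST['enabled'] ) && '1' === $_POST['enabled'];
    update_option( 'example_debug_mode', $enabled ? '1' : '0' );
    wp_send_json_success( array( 'enabled' => $enabled ) );
}

// If an action genuinely has to read options by name, allowlist the names
// so a debugging convenience cannot become a generic option reader.
function example_readable_option( $name ) {
    $allowed = array( 'example_debug_mode', 'example_version' );
    return in_array( $name, $allowed, true ) ? $name : null;
}

add_action( 'wp_ajax_example_get_option', 'example_get_option_safe' );
function example_get_option_safe() {
    check_ajax_referer( 'example_get_option', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $name = isset( $_POST['option_name'] ) ? example_readable_option( sanitize_key( $_POST['option_name'] ) ) : null;
    if ( null === $name ) {
        wp_send_json_error( array( 'message' => 'option not exposed' ), 400 );
    }
    wp_send_json_success( get_option( $name ) );
}
```

Both checks are needed, in either order: check_ajax_referer() alone still lets a low-privilege account call the action directly, and current_user_can() alone still lets a crafted page drive an administrator's browser. This is the combination the Freemius 2.4.3 fix and the 2.3.1 plugin release had to add.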
News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) # df1ad2fc8d9bfad3d57cf93694f0f888c8e96183
- Date: Feb 28, 2022
- Research Description: Blog Designer Pack – Blog, Post Grid, Post Slider, Post Carousel, Category Post, News [blog-designer-pack] < 2.3.1 - Sensitive Information Disclosure. A sensitive information disclosure vulnerability discovered in the WordPress News & Blog Designer Pack – WordPress Blog Plugin (versions < 2.3.1).
- Affected versions: max 2.3.1 (the description gives < 2.3.1, so 2.3.1 itself is not affected)
- Status: vulnerable