The Popup Manager WordPress plugin through 1.6.6 does not have authorisation and CSRF checks when deleting popups, which could allow unauthenticated users to delete...
4.3CVSS
4.7AI Score
0.001EPSS
The Popup Manager WordPress plugin through 1.6.6 does not have authorisation and CSRF check when creating/updating popups, and is missing sanitisation as well as escaping, which could allow unauthenticated attackers to create arbitrary popups and add Stored XSS payloads as...
4.3CVSS
4.6AI Score
0.001EPSS
The Popup Maker WordPress plugin before 1.16.11 does not sanitise and escape some of its Popup options, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks, which could be used against...
4.8CVSS
4.8AI Score
0.001EPSS
Cross-site scripting (XSS) vulnerability in popup.php in the Simple Popup Images plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the z...
6AI Score
0.002EPSS
The WP Popup Builder WordPress plugin before 1.2.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site...
6.1CVSS
6AI Score
0.001EPSS
The WP Popup Builder WordPress plugin before 1.2.9 does not have authorisation and CSRF check in an AJAX action, allowing any authenticated users, such as subscribers to delete arbitrary...
4.3CVSS
4.6AI Score
0.001EPSS
The WordPress Popup WordPress plugin through 1.9.3.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite...
4.8CVSS
4.7AI Score
0.001EPSS
The Popup Anything WordPress plugin before 2.1.7 does not sanitise and escape a parameter before outputting it back in a frontend page, leading to a Reflected Cross-Site...
6.1CVSS
6AI Score
0.001EPSS
Cross-Site Request Forgery (CSRF) vulnerability in Sygnoos Popup Builder plugin <= 4.1.11 at WordPress allows an attacker to update plugin...
5.4CVSS
4.5AI Score
0.001EPSS
Cross-Site Request Forgery (CSRF) vulnerability in Sygnoos Popup Builder plugin <= 4.1.0 at WordPress leading to popup status...
5.4CVSS
4.6AI Score
0.001EPSS
The Popup Builder WordPress plugin before 4.1.11 does not escape and sanitize some settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfiltred_html is...
4.8CVSS
4.7AI Score
0.001EPSS
A vulnerability was found in Supsystic Popup Plugin 1.7.6 and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be...
4.3CVSS
4.6AI Score
0.002EPSS
Improper Access Control vulnerability leading to multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in Muneeb's Custom Popup Builder plugin <= 1.3.1 at...
5.4CVSS
5.4AI Score
0.001EPSS
The Sticky Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ popup_title' parameter in versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with admin level capabilities...
5.5CVSS
4.7AI Score
0.001EPSS
Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company's Popup Box plugin <= 2.1.2 at...
7.2CVSS
6.9AI Score
0.001EPSS
The Popup Maker WordPress plugin before 1.16.5 does not sanitise and escape some of its Popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is...
4.8CVSS
4.6AI Score
0.001EPSS
The Popup by Supsystic WordPress plugin before 1.10.9 does not have any authentication and authorisation in an AJAX action, allowing unauthenticated attackers to call it and get the email addresses of subscribed...
5.3CVSS
5.4AI Score
0.015EPSS
The Popup Like box WordPress plugin before 3.6.1 does not sanitize and escape the ays_fb_tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site...
6.1CVSS
6.2AI Score
0.001EPSS
The Popup Builder WordPress plugin before 4.1.1 does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard, leading to a SQL injection, which could also be used to perform Reflected Cross-Site Scripting attack...
9.8CVSS
9.1AI Score
0.002EPSS
The ARI Fancy Lightbox WordPress plugin before 1.3.9 does not sanitise and escape the msg parameter before outputting it back in an admin page, leading to a Reflected Cross-Site...
6.1CVSS
6AI Score
0.001EPSS
The NotificationX WordPress plugin before 2.3.9 does not sanitise and escape the nx_id parameter before using it in a SQL statement, leading to an Unauthenticated Blind SQL...
9.8CVSS
9.7AI Score
0.024EPSS
The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high privilege users to perform SQL...
7.2CVSS
7.3AI Score
0.026EPSS
The Popup Builder WordPress plugin before 4.0.7 does not validate and sanitise the sgpb_type parameter before using it in a require statement, leading to a Local File Inclusion issue. Furthermore, since the beginning of the string can be controlled, the issue can lead to RCE vulnerability via...
8.8CVSS
8.5AI Score
0.001EPSS
Numerous Plugins and Themes from the AccessPress Themes (aka Access Keys) vendor are backdoored due to their website being compromised. Only plugins and themes downloaded via the vendor website are affected, and those hosted on wordpress.org are not. However, all of them were updated or removed to....
9.8CVSS
9.4AI Score
0.004EPSS
The Custom Popup Builder WordPress plugin before 1.3.1 autoload data from its popup on every pages, as such data can be sent by unauthenticated user, and is not validated in length, this could cause a denial of service on the...
7.5CVSS
7.4AI Score
0.001EPSS
The Modal Window WordPress plugin before 5.2.2 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF...
8.8CVSS
8.7AI Score
0.001EPSS
The Contact Form, Survey & Popup Form Plugin for WordPress plugin before 1.5 does not properly sanitize some of its settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is...
4.8CVSS
4.8AI Score
0.001EPSS
The Popup Anything WordPress plugin before 2.0.4 does not escape the Link Text and Button Text fields of Popup, which could allow users with a role as low as Contributor to perform Cross-Site Scripting...
5.4CVSS
5.3AI Score
0.001EPSS
The Simple Popup Newsletter WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/simple-popup-newsletter.php file which allows attackers to inject arbitrary web scripts, in versions up to and including...
6.1CVSS
6AI Score
0.001EPSS
The get_fb_likeboxes() function in the Popup Like box – Page Plugin WordPress plugin before 3.5.3 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin...
8.8CVSS
9AI Score
0.001EPSS
The get_ays_popupboxes() and get_popup_categories() functions of the Popup box WordPress plugin before 2.3.4 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin...
8.8CVSS
9AI Score
0.001EPSS
The YouTube Embed, Playlist and Popup by WpDevArt WordPress plugin before 2.3.9 did not escape, validate or sanitise some of its shortcode options, available to users with a role as low as Contributor, leading to an authenticated Stored Cross-Site Scripting...
5.4CVSS
5.2AI Score
0.001EPSS
The Popup by Supsystic WordPress plugin before 1.10.5 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting...
6.1CVSS
5.9AI Score
0.002EPSS
The popup-builder plugin before 3.64.1 for WordPress allows information disclosure and settings modification, leading to in-scope privilege escalation via admin-post actions to com/classes/Actions.php. By sending a POST request to wp-admin/admin-post.php, an authenticated attacker with minimal...
6.3CVSS
6.5AI Score
0.001EPSS
An XSS vulnerability in the popup-builder plugin before 3.64.1 for WordPress allows remote attackers to inject arbitrary JavaScript into existing popups via an unsecured ajax action in com/classes/Ajax.php. It is possible for an unauthenticated attacker to insert malicious JavaScript in several of....
6.1CVSS
6.4AI Score
0.001EPSS
The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection (in the sgImportPopups function in sg_popup_ajax.php) via PHP Deserialization on attacker-controlled data with the attachmentUrl POST variable. This allows creation of an arbitrary WordPress Administrator...
9.8CVSS
10AI Score
0.012EPSS
plugin-fw/lib/yit-plugin-panel-wc.php in the YIT Plugin Framework through 3.3.8 for WordPress allows authenticated options...
4.3CVSS
4.4AI Score
0.001EPSS
An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the do_action function to invoke certain popmake_ or pum_ methods, as demonstrated by controlling content and delivery of popmake-system-info.txt (aka...
9.1CVSS
9.1AI Score
0.062EPSS
The slick-popup plugin before 1.7.2 for WordPress has a hardcoded OmakPass13# password for the slickpopupteam account, after a Subscriber calls a certain AJAX...
8.8CVSS
8.7AI Score
0.003EPSS
8.8CVSS
8.7AI Score
0.001EPSS
A SQL injection vulnerability exists in the Sygnoos Popup Builder plugin before 3.45 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via com/libs/Table.php because Subscribers Table ordering is...
9.8CVSS
9.8AI Score
0.003EPSS
Multiple cross-site request forgery (CSRF) vulnerabilities in the Timed Popup (wp-timed-popup) plugin 1.3 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings via unspecified vectors or (2) conduct cross-site scripting...
6.8AI Score
0.004EPSS
Buffer overflow in the PopUp Plus 2.0.3.8 plugin for Miranda IM, with "Use SmileyAdd Setting" enabled, allows remote attackers to execute arbitrary...
8.1AI Score
0.121EPSS