The Login Logout Register Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'llrmloginlogout' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for....
6.4CVSS
6AI Score
0.0004EPSS
The Login Logout Register Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'llrmloginlogout' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for....
5.9AI Score
0.0004EPSS
Description Multiple plugins and/or themes for WordPress are vulnerable to unauthorized access of data due to a insufficient capability checks and restrictions on a function in various versions. This makes it possible for authenticated attackers, with Contributor-level access and above, to access.....
6.9AI Score
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.3.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes.....
6.4CVSS
6.1AI Score
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.3.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes.....
5.9AI Score
The WP STAGING WordPress Backup Plugin – Migration Backup Restore plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wpstg_processing AJAX action in all versions up to, and including, 3.4.3. This makes it possible for authenticated attackers,...
9.1CVSS
8.2AI Score
The WP STAGING WordPress Backup Plugin – Migration Backup Restore plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wpstg_processing AJAX action in all versions up to, and including, 3.4.3. This makes it possible for authenticated attackers,...
7.9AI Score
The Essential Addons for Elementor PRO – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Team Member Carousel widget in all Pro versions up to, and including, 5.8.14 due to insufficient input...
6.4CVSS
6.1AI Score
0.0004EPSS
The Essential Addons for Elementor PRO – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Team Member Carousel widget in all Pro versions up to, and including, 5.8.14 due to insufficient input...
6AI Score
0.0004EPSS
Wordpress Country State City Dropdown <=2.7.2 - SQL Injection
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' parameters in versions up to, and including, 2.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it....
7.5AI Score
0.001EPSS
CVE-2024-3937 Playlist for Youtube <= 1.32 - Editor+ Stored XSS
The Playlist for Youtube WordPress plugin through 1.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
5.7AI Score
CVE-2024-3921 Gianism <= 5.1.0 - Admin+ Stored XSS
The Gianism WordPress plugin through 5.1.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
5.8AI Score
CVE-2024-3050 Site Reviews < 7.0.0 - IP Spoofing
The Site Reviews WordPress plugin before 7.0.0 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to bypass IP-based...
6.8AI Score
CVE-2024-4419 Fetch JFT <= 1.8.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
The Fetch JFT plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...
5.9AI Score
The AppPresser plugin for WordPress is vulnerable to improper missing encryption exception handling on the 'decrypt_value' and on the 'doCookieAuth' functions in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to log in as any existing user on the...
7.1AI Score
The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.5.89 via the template import functionality. This makes it possible for authenticated attackers, with contributor access and...
7.9AI Score
The WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ttbm_new_place_save' function in all versions up to, and including, 1.7.1. This makes it possible for...
6.9AI Score
The Login with phone number plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.26. This is due to the 'activation_code' default value is empty, and the not empty check is missing in the 'lwp_ajax_register' function. This makes it possible for...
7.2AI Score
CVE-2024-5204 Swiss Toolkit For WP <= 1.0.7 - Authenticated (Contributor+) Authentication Bypass
The Swiss Toolkit For WP plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.0.7. This is due to the plugin storing custom data in post metadata without an underscore prefix. This makes it possible for authenticated attackers with contributor-level and...
7.1AI Score
AdFoxly – Ad Manager, AdSense Ads & Ads.txt <= 1.8.5 - Missing Authorization
Description The AdFoxly – Ad Manager, AdSense Ads & Ads.txt plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.8.5. This makes it possible for unauthenticated attackers to perform an unauthorized...
6.6AI Score
Tainacan < 0.21.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Tainacan plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 0.21.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...
5.7AI Score
Fastly < 1.2.26 - Missing Authorization
Description The Fastly plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in versions up to, and including, 1.2.25. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform...
6.4AI Score
Praison SEO WordPress <= 4.0.15 - Authenticated (Author+) Stored Cross-Site Scripting
Description The Praison SEO WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to...
5.6AI Score
Debug Log – Manger Tool < 1.5 - Unauthenticated Information Exposure via Logs
Description The Debug Log – Manger Tool plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.5 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in...
6.3AI Score
Tainacan < 0.21.4 - Unauthenticated Stored Cross-Site Scripting
Description The Tainacan plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 0.21.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...
5.9AI Score
MStore API < 3.9.8 - SQL Injection
The MStore API WordPress plugin before 3.9.8 is vulnerable to Blind SQL injection via the product_id...
9.9AI Score
0.066EPSS
8.6AI Score
0.001EPSS
7.9AI Score
6.5AI Score
The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admin users to perform SQL injection...
7.8AI Score
0.0004EPSS
The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as deleting cards via CSRF...
7AI Score
0.0004EPSS
The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF...
7AI Score
0.0004EPSS
The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as editing cards via CSRF...
7AI Score
0.0004EPSS
The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF...
6AI Score
0.0004EPSS
The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as editing card categories via CSRF...
7AI Score
0.0004EPSS
The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as deleting card categories via CSRF...
7AI Score
0.0004EPSS
The Ditty WordPress plugin before 3.1.36 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
5.9AI Score
0.0004EPSS
CVE-2024-4531 Business Card <= 1.0.0 - Card Edit via CSRF
The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as editing cards via CSRF...
6.8AI Score
0.0004EPSS
CVE-2024-4534 KKProgressbar2 Free <= 1.1.4.2 - Stored XSS via CSRF
The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF...
5.9AI Score
0.0004EPSS
CVE-2024-4535 KKProgressbar2 Free <= 1.1.4.2 - Progress Bar Deletion via CSRF
The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF...
6.8AI Score
0.0004EPSS
CVE-2024-4532 Business Card <= 1.0.0 - Arbitrary Card Deletion via CSRF
The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as deleting cards via CSRF...
7AI Score
0.0004EPSS
CVE-2024-4533 KKProgressbar2 Free <= 1.1.4.2 - Admin+ SQL Injection
The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admin users to perform SQL injection...
7.5AI Score
0.0004EPSS
CVE-2024-4530 Business Card <= 1.0.0 - Category Edit via CSRF
The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as editing card categories via CSRF...
7AI Score
0.0004EPSS
CVE-2024-4529 Business Card <= 1.0.0 - Category Deletion via CSRF
The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as deleting card categories via CSRF...
7AI Score
0.0004EPSS
CVE-2024-3939 Ditty < 3.1.36 - Author+ Stored XSS
The Ditty WordPress plugin before 3.1.36 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
5.7AI Score
0.0004EPSS
Search & Replace < 3.2.2 - Administrator+ SQL injection
Description The Search & Replace plugin for WordPress is vulnerable to SQL Injection via the select_tables parameter in all version up to, and including, 3.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...
7.2AI Score
Description The Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘campaign_id’ parameter in versions up to, and including, 2.16.1 due to insufficient input sanitization and...
5.9AI Score
0.001EPSS
CVE-2024-4443-Poc CVE-2024-4443 Business Directory Plugin –...
7.9AI Score
0.001EPSS
The Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘campaign_id’ parameter in versions up to, and including, 2.16.1 due to insufficient input sanitization and output...
6.4CVSS
6AI Score
0.001EPSS
The Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘campaign_id’ parameter in versions up to, and including, 2.16.1 due to insufficient input sanitization and output...
5.9AI Score
0.001EPSS