Fields Security Vulnerabilities

cve

CVE-2024-4565

The Advanced Custom Fields (ACF) WordPress plugin before 6.3, Advanced Custom Fields Pro WordPress plugin before 6.3 allows you to display custom field values for any post via shortcode without checking for the correct...

6.4 AI Score

0.0004 EPSS

2024-06-20 06:15 AM
28

CVE-2024-35728

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Themeisle PPOM for WooCommerce allows Code Inclusion. This issue affects PPOM for WooCommerce: from n/a through...

5.3 CVSS

5.5 AI Score

0.0005 EPSS

2024-06-10 05:16 PM
22

CVE-2024-34762

Vulnerability discovered by executing a planned security audit. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WPENGINE INC Advanced Custom Fields PRO allows PHP Local File Inclusion. This issue affects Advanced Custom Fields PRO: from n/a before...

9.9 CVSS

9.5 AI Score

0.0004 EPSS

2024-06-10 04:15 PM
24

CVE-2024-34761

Vulnerability discovered by executing a planned security audit. Improper Control of Generation of Code ('Code Injection') vulnerability in WPENGINE INC Advanced Custom Fields PRO allows Code Injection. This issue affects Advanced Custom Fields PRO: from n/a before...

8.5 CVSS

8.6 AI Score

0.0004 EPSS

2024-06-10 04:15 PM
28

CVE-2024-32081

Missing Authorization vulnerability in Websupporter Filter Custom Fields & Taxonomies Light. This issue affects Filter Custom Fields & Taxonomies Light: from n/a through...

8.8 CVSS

4.7 AI Score

0.001 EPSS

2024-06-09 07:15 PM
41

CVE-2024-35661

Missing Authorization vulnerability in SoftLab Upload Fields for WPForms. This issue affects Upload Fields for WPForms: from n/a through...

9.8 CVSS

5.4 AI Score

0.001 EPSS

2024-06-09 07:15 PM
23

CVE-2024-31267

Missing Authorization vulnerability in WP Desk Flexible Checkout Fields for WooCommerce. This issue affects Flexible Checkout Fields for WooCommerce: from n/a through...

4.3 CVSS

4.7 AI Score

0.0004 EPSS

2024-06-09 12:15 PM
26

CVE-2023-26523

Missing Authorization vulnerability in CodePeople Calculated Fields Form allows Functionality Misuse. This issue affects Calculated Fields Form: from n/a through...

4.3 CVSS

7.1 AI Score

0.0004 EPSS

2024-06-03 10:15 PM
15

CVE-2022-45070

Missing Authorization vulnerability in FmeAddons Conditional Checkout Fields for WooCommerce. This issue affects Conditional Checkout Fields for WooCommerce: from n/a through...

5.3 CVSS

6.8 AI Score

0.0004 EPSS

2024-05-17 07:15 AM
23

CVE-2024-3956

The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pod Form widget in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

5.4 CVSS

5.7 AI Score

0.001 EPSS

2024-05-14 03:42 PM
7

CVE-2024-33956

Missing Authorization vulnerability in ThemeLocation Custom WooCommerce Checkout Fields Editor. This issue affects Custom WooCommerce Checkout Fields Editor: from n/a through...

4.3 CVSS

6.8 AI Score

0.0004 EPSS

2024-05-14 03:38 PM
11

CVE-2024-0613

The Delete Custom Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3.1. This is due to missing or incorrect nonce validation on the ajax_delete_field() function. This makes it possible for unauthenticated attackers to delete arbitrary.....

6.1 CVSS

5.9 AI Score

0.0005 EPSS

2024-05-02 05:15 PM
34

CVE-2024-3962

The Product Addons & Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ppom_upload_file function in all versions up to, and including, 32.0.18. This makes it possible for unauthenticated attackers to upload arbitrary...

9.8 CVSS

7.8 AI Score

0.0004 EPSS

2024-04-26 09:15 AM
34

CVE-2024-31431

Cross-Site Request Forgery (CSRF) vulnerability in Tyche Softwares Product Input Fields for WooCommerce. This issue affects Product Input Fields for WooCommerce: from n/a through...

4.3 CVSS

6.9 AI Score

0.0004 EPSS

2024-04-15 10:15 AM
28

CVE-2023-6967

The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to SQL Injection via shortcode in all versions up to, and including, 3.0.10 (with the exception of 2.7.31.2, 2.8.23.2, 2.9.19.2) due to insufficient escaping on the user supplied parameter and lack of sufficient...

8.8 CVSS

9.3 AI Score

0.0004 EPSS

2024-04-09 07:15 PM
34

CVE-2023-6993

The Custom post types, Custom Fields & more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode and custom post meta in all versions up to, and including, 5.0.4 due to insufficient input sanitization and output escaping on user supplied post meta values....

6.4 CVSS

7.6 AI Score

0.0004 EPSS

2024-04-09 07:15 PM
23

CVE-2023-6965

The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.0.10 (with the exception of 2.7.31.2, 2.8.23.2, 2.9.19.2). This is due to the fact that the plugin allows the use of a file inclusion feature via...

4.3 CVSS

9 AI Score

0.0004 EPSS

2024-04-09 07:15 PM
29

CVE-2023-6999

The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Remote Code Execution via shortcode in all versions up to, and including, 3.0.10 (with the exception of 2.7.31.2, 2.8.23.2, 2.9.19.2). This makes it possible for authenticated attackers, with contributor level access....

8.8 CVSS

9.4 AI Score

0.0004 EPSS

2024-04-09 07:15 PM
34

CVE-2024-31094

Deserialization of Untrusted Data vulnerability in Filter Custom Fields & Taxonomies Light. This issue affects Filter Custom Fields & Taxonomies Light: from n/a through...

9.3 AI Score

0.0004 EPSS

2024-03-31 06:15 PM
30

CVE-2024-30518

Cross-Site Request Forgery (CSRF) vulnerability in ThemeLocation Custom WooCommerce Checkout Fields Editor. This issue affects Custom WooCommerce Checkout Fields Editor: from n/a through...

4.3 CVSS

9.2 AI Score

0.0004 EPSS

2024-03-29 04:15 PM
30

CVE-2024-29759

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodePeople Calculated Fields Form allows Reflected XSS. This issue affects Calculated Fields Form: from n/a through...

7.1 CVSS

9.3 AI Score

0.0004 EPSS

2024-03-27 02:15 PM
27

CVE-2024-1697

The Custom WooCommerce Checkout Fields Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the save_wcfe_options function in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4 CVSS

7.6 AI Score

0.0004 EPSS

2024-03-23 02:15 AM
14

CVE-2024-1995

The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and including, 4.2.2. This makes it possible for authenticated attackers, with subscriber-level access and...

4.3 CVSS

5.3 AI Score

0.0004 EPSS

2024-03-20 02:15 AM
10

CVE-2024-2020

The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form page href parameter in all versions up to, and including, 5.1.56 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

7.2 CVSS

6.7 AI Score

0.0004 EPSS

2024-03-13 04:15 PM
16

CVE-2024-0829

The Comments Extra Fields For Post,Pages and CPT plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.0. This is due to missing or incorrect capability checks on several ajax actions. This makes it possible for authenticated attackers, with subscriber....

4.3 CVSS

5.2 AI Score

0.0004 EPSS

2024-03-13 04:15 PM
16

CVE-2024-0830

The Comments Extra Fields For Post,Pages and CPT plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0. This is due to missing or incorrect nonce validation on several ajax actions. This makes it possible for unauthenticated attackers to invoke.....

4.3 CVSS

5.2 AI Score

0.0004 EPSS

2024-03-13 04:15 PM
21

CVE-2023-6809

The Custom fields shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cf shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied custom post meta values. This makes it possible for...

6.4 CVSS

6 AI Score

0.0004 EPSS

2024-03-13 04:15 PM
14

CVE-2023-6996

The Display custom fields in the frontend – Post and User Profile Fields plugin for WordPress is vulnerable to Code Injection via the plugin's vg_display_data shortcode in all versions up to, and including, 1.2.1 due to insufficient input validation and restriction on access to that shortcode....

8.8 CVSS

8.7 AI Score

0.001 EPSS

2024-02-05 10:15 PM
12

CVE-2023-6982

The Display custom fields in the frontend – Post and User Profile Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode and postmeta in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied....

6.4 CVSS

5.2 AI Score

0.0004 EPSS

2024-02-05 10:15 PM
20

CVE-2023-6983

The Display custom fields in the frontend – Post and User Profile Fields plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.1 via the vg_display_data shortcode due to missing validation on a user controlled key. This makes it possible...

4.3 CVSS

4.6 AI Score

0.0004 EPSS

2024-02-05 10:15 PM
17

CVE-2023-6701

The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a custom text field in all versions up to, and including, 6.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4 CVSS

5.2 AI Score

0.001 EPSS

2024-02-05 10:15 PM
55

CVE-2023-6526

The Meta Box – WordPress Custom Fields Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom post meta values displayed through the plugin's shortcode in all versions up to, and including, 5.9.2 due to insufficient input sanitization and output escaping. This makes....

6.4 CVSS

5.6 AI Score

0.0004 EPSS

2024-02-05 10:15 PM
47

CVE-2024-0963

The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's CP_CALCULATED_FIELDS shortcode in all versions up to, and including, 1.2.52 due to insufficient input sanitization and output escaping on user supplied 'location' attribute. This makes it.....

6.4 CVSS

5.6 AI Score

0.001 EPSS

2024-02-02 12:15 PM
16

CVE-2023-0389

The Calculated Fields Form WordPress plugin before 1.1.151 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

4.8 CVSS

4.7 AI Score

0.0004 EPSS

2024-01-16 04:15 PM
24

CVE-2023-6446

The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

4.8 CVSS

4.9 AI Score

0.0004 EPSS

2024-01-11 07:15 AM
12

CVE-2022-40696

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WP Engine Advanced Custom Fields (ACF). This issue affects Advanced Custom Fields (ACF): from 3.1.1 through...

7.5 CVSS

7.5 AI Score

0.001 EPSS

2024-01-08 10:15 PM
24

CVE-2023-51517

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CodePeople Calculated Fields Form. This issue affects Calculated Fields Form: from n/a through...

5.4 CVSS

5.8 AI Score

0.0004 EPSS

2023-12-29 03:15 PM
11

CVE-2023-49802

The LinkedCustomFields plugin for MantisBT allows users to link values between two custom fields, creating linked drop-downs. Prior to version 2.0.1, cross-site scripting in the MantisBT LinkedCustomFields plugin allows Javascript execution, when a crafted Custom Field is linked via the plugin and....

6.7 CVSS

5.9 AI Score

0.001 EPSS

2023-12-11 10:15 PM
6

CVE-2023-32116

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in TotalPress.Org Custom post types, Custom Fields & more plugin <= 4.0.12...

5.9 CVSS

4.9 AI Score

0.0004 EPSS

2023-10-26 01:15 PM
20

CVE-2023-5292

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acfe_form' shortcode in versions up to, and including, 0.8.9.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4 CVSS

5.2 AI Score

0.001 EPSS

2023-10-20 08:15 AM
40

CVE-2023-4469

The Profile Extra Fields by BestWebSoft plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the prflxtrflds_export_file function in versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to expose potentially...

5.3 CVSS

5.4 AI Score

0.001 EPSS

2023-10-06 10:15 AM
19

CVE-2023-40068

Cross-site scripting vulnerability in Advanced Custom Fields versions 6.1.0 to 6.1.7 and Advanced Custom Fields Pro versions 6.1.0 to 6.1.7 allows a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product with the administrative.....

5.4 CVSS

5.4 AI Score

0.001 EPSS

2023-08-21 09:15 AM
60

CVE-2022-4888

The Checkout Fields Manager WordPress plugin before 1.0.2, Abandoned Cart Recovery WordPress plugin before 1.2.5, Custom Fields for WooCommerce WordPress plugin before 1.0.4, Custom Order Number WordPress plugin through 1.0.1, Custom Registration Forms Builder WordPress plugin before 1.0.2,...

6.5 CVSS

7 AI Score

0.001 EPSS

2023-07-31 10:15 AM
27

CVE-2023-33213

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in gVectors Display Custom Fields – wpView plugin <= 1.3.0...

5.9 CVSS

5.2 AI Score

0.0005 EPSS

2023-06-19 01:15 PM
19

CVE-2020-36731

The Flexible Checkout Fields for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Plugin Settings update, in addition to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to missing authorization checks on the updateSettingsAction()...

7.2 CVSS

5.8 AI Score

0.001 EPSS

2023-06-07 02:15 AM
15

CVE-2020-36696

The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the handle_downloads() function in versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to download files from the...

7.5 CVSS

7.3 AI Score

0.001 EPSS

2023-06-07 02:15 AM
11

CVE-2023-2256

The Product Addons & Fields for WooCommerce WordPress plugin before 32.0.7 does not sanitize and escape some URL parameters, leading to Reflected Cross-Site...

6.1 CVSS

6.4 AI Score

0.001 EPSS

2023-05-30 08:15 AM
21

CVE-2022-47157

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Don Benjamin WP Custom Fields Search plugin <= 1.2.34...

5.9 CVSS

4.8 AI Score

0.0005 EPSS

2023-05-18 11:15 AM
10

CVE-2023-1839

The Product Addons & Fields for WooCommerce WordPress plugin before 32.0.6 does not sanitize and escape some of its setting fields, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for...

4.8 CVSS

5 AI Score

0.001 EPSS

2023-05-15 01:15 PM
21

CVE-2023-30777

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WP Engine Advanced Custom Fields Pro, WP Engine Advanced Custom Fields plugins <= 6.1.5...

7.1 CVSS

5.9 AI Score

0.006 EPSS

2023-05-10 06:15 AM
330

Total number of security vulnerabilities: 85