Lucene search
K

265006 matches found

Nuclei
Nuclei
added yesterday34 views

WordPress Plugin MapPress <2.73.4 - Cross-Site Scripting

WordPress Plugin MapPress before version 2.73.4 does not sanitize and escape the 'mapid' parameter before outputting it back in the "Bad mapid" error message, leading to reflected cross-site scripting. id: CVE-2022-0208 info: name: WordPress Plugin MapPress 2.73.4 - Cross-Site Scripting author:...

6.1CVSS6.3AI score0.02021EPSS
Exploits2References4
Nuclei
Nuclei
added yesterday42 views

WordPress Shortcodes and Extra Features for Phlox <2.9.8 - Cross-Site Scripting

WordPress Shortcodes and extra features plugin for the Phlox theme before 2.9.8 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the response. An attacker can inject arbitrary script in the browser of an unsuspecting...

6.1CVSS6.4AI score0.01205EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday43 views

WordPress JoomSport <5.2.8 - SQL Injection

WordPress JoomSport plugin before 5.2.8 contains a SQL injection vulnerability. The plugin does not properly sanitize and escape a parameter before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operation...

9.8CVSS7.3AI score0.04756EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday27 views

WP Cerber < 8.9.3 - Broken Access Control

WP Cerber 8.9.3 contains a bypass of /wp-json access control caused by improper handling of trailing '?' character, letting unauthorized users access protected REST API endpoints, exploit requires sending a request with a trailing '?'. id: CVE-2021-37598 info: name: WP Cerber 8.9.3 - Broken Acces...

5.3CVSS6.1AI score0.0235EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday16 views

FV Flowplayer Video Player WordPress plugin - Authenticated Cross-Site Scripting

The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the playerid parameter found in the /view/stats.php file which allows attackers to inject arbitrary web scripts in versions 7.5.0.727 - 7.5.2.727. id: CVE-2021-39350 info: name: FV Flowplayer Video...

6.1CVSS6.5AI score0.02135EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday35 views

WordPress Post Grid <2.1.8 - Cross-Site Scripting

WordPress Post Grid plugin before 2.1.8 contains a reflected cross-site scripting vulnerability. The slider import search feature and tab parameter of thesettings are not properly sanitized before being output back in the pages, id: CVE-2021-24488 info: name: WordPress Post Grid 2.1.8 - Cross-Sit...

6.1CVSS6.3AI score0.11241EPSS
Exploits5References4
Nuclei
Nuclei
added yesterday17 views

WordPress ProfilePress <= 3.1.3 - Privilege Escalation

ProfilePress plugin before 3.1.4 allows privilege escalation. Due to insufficient validation in the profile update functionality, authenticated users can supply arbitrary usermeta fields, including wpcapabilities, during profile updates. This enables a user to escalate their privileges to...

9.8CVSS7.3AI score0.0412EPSS
Exploits2References2
Nuclei
Nuclei
added yesterday21 views

Chaty < 2.8.2 - Cross-Site Scripting

The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting. id: CVE-2021-25016 info: name: Chaty 2.8.2 - Cross-Site Scripting...

6.1CVSS6.4AI score0.01806EPSS
Exploits2References3
Nuclei
Nuclei
added yesterday22 views

WordPress Automatic Plugin - Unauthenticated Options Change

WordPress Automatic Plugin versions 3.53.2 and below contains a critical vulnerability that allows unauthenticated users to change arbitrary WordPress options through the processform.php script. The vulnerable script uses updateoption on all POST parameters without authentication or capability...

9.8CVSS7.3AI score0.16408EPSS
Exploits3References2
Nuclei
Nuclei
added yesterday25 views

WordPress Contact Form 7 Skins <=2.5.0 - Cross-Site Scripting

WordPress Contact Form 7 Skins plugin 2.5.0 and prior contains a reflected cross-site scripting vulnerability. It does not sanitize and escape the tab parameter before outputting it back in an admin page. id: CVE-2021-25063 info: name: WordPress Contact Form 7 Skins =2.5.0 - Cross-Site Scripting...

6.1CVSS6.3AI score0.02412EPSS
Exploits2References4
Nuclei
Nuclei
added yesterday13 views

WP DSGVO Tools (GDPR) <= 3.1.23 - Unauthenticated Arbitrary Post Deletion

WP DSGVO Tools GDPR = 3.1.23 had an AJAX action, ‘admin-dismiss-unsubscribe‘, which lacked a capability check and a nonce check and was available to unauthenticated users, and did not check the post type when deleting unsubscription requests. As such, it was possible for an attacker to permanentl...

9.1CVSS7.1AI score0.0393EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday33 views

WordPress Stop Spammers <2021.9 - Cross-Site Scripting

WordPress Stop Spammers plugin before 2021.9 contains a reflected cross-site scripting vulnerability. It does not escape user input when blocking requests such as matching a spam word, thus outputting it in an attribute after sanitizing it to remove HTML tags. id: CVE-2021-24245 info: name:...

6.1CVSS6.3AI score0.05721EPSS
Exploits5References5
Nuclei
Nuclei
added yesterday32 views

WordPress Ocean Extra <1.9.5 - Cross-Site Scripting

WordPress Ocean Extra plugin before 1.9.5 contains a cross-site scripting vulnerability. The plugin does not escape generated links which are then used when the OceanWP theme is active. id: CVE-2021-25104 info: name: WordPress Ocean Extra 1.9.5 - Cross-Site Scripting author: Akincibor severity:...

6.1CVSS6.3AI score0.01355EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday60 views

WordPress JNews Theme <8.0.6 - Cross-Site Scripting

WordPress JNews theme before 8.0.6 contains a reflected cross-site scripting vulnerability. It does not sanitize the catid parameter in the POST request /?ajax-request=jnews with action=jnewsbuildmegacategory. id: CVE-2021-24342 info: name: WordPress JNews Theme =8.0.6 to mitigate the XSS...

6.1CVSS6.3AI score0.01975EPSS
Exploits2References4
Nuclei
Nuclei
added yesterday26 views

WordPress English Admin <1.5.2 - Open Redirect

WordPress English Admin plugin before 1.5.2 contains an open redirect vulnerability. The plugin does not validate the admincustomlanguagereturnurl before redirecting users to it. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations. id:...

6.1CVSS6.5AI score0.01873EPSS
Exploits2References3
Nuclei
Nuclei
added yesterday20 views

WooCommerce Help Scout - Arbitrary File Upload

WooCommerce Help Scout plugin before version 2.9.1 contains an unrestricted file upload vulnerability. The vulnerability allows unauthenticated users to upload arbitrary files to the server which by default will end up in wp-content/uploads/hstmp/ directory, potentially leading to remote code...

9.8CVSS7.5AI score0.07908EPSS
Exploits2References3
Nuclei
Nuclei
added yesterday45 views

Easy Social Feed < 6.2.7 - Cross-Site Scripting

Easy Social Feed 6.2.7 is susceptible to reflected cross-site scripting because the plugin does not sanitize and escape a parameter before outputting it back in an admin dashboard page, leading to it being executed in the context of a logged admin or editor. id: CVE-2021-25120 info: name: Easy...

6.1CVSS6.3AI score0.02909EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday28 views

WordPress Ninja Forms <3.4.34 - Open Redirect

WordPress Ninja Forms plugin before 3.4.34 contains an open redirect vulnerability via the wpajaxnfoauthconnect AJAX action, due to the use of a user-supplied redirect parameter and no protection in place. An attacker can redirect a user to a malicious site and possibly obtain sensitive...

6.1CVSS6.3AI score0.01643EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday43 views

WordPress Contact Form 7 <2.3.4 - Arbitrary Nonce Generation

WordPress Contact Form 7 before version 2.3.4 allows unauthenticated users to use the wpcf7rgetnonce AJAX action to retrieve a valid nonce for any WordPress action/function. id: CVE-2021-24278 info: name: WordPress Contact Form 7 2.3.4 - Arbitrary Nonce Generation author: 2rs3c severity: high...

7.5CVSS7.1AI score0.07359EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday15 views

WordPress ProfilePress 3.0-3.1.3 - Arbitrary File Upload

A vulnerability in the file uploader component found in the /src/Classes/FileUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. This issue affects versions 3.0.0 - 3.1.3. id: CVE-2021-3462...

9.8CVSS7.2AI score0.06744EPSS
Exploits2References1
Rows per page
Query Builder