18 matches found

NVD
added 2026/03/10 5:40 p.m. · 3 views

CVE-2026-3585

The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajaxcreateimport' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the...

CVSS 7.5 · EPSS 0.0035
Exploits: 0 · References: 3

EUVD
added 2025/11/15 6:30 a.m. · 5 views

EUVD-2025-197684

The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaximportfile function in all versions up to, and including, 2.12.28. This makes it possible for authenticated attackers, with author-level...

CVSS 4.3 · AI score 5.5 · EPSS 0.0021
Exploits: 0 · References: 8

NVD
added 2025/11/15 6:15 a.m. · 7 views

CVE-2025-12494

The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaximportfile function in all versions up to, and including, 2.12.28. This makes it possible for authenticated attackers, with author-level...

CVSS 4.3 · EPSS 0.0021
Exploits: 0 · References: 7

Vulnrichment
added 2025/11/15 5:45 a.m. · 3 views

CVE-2025-12494 Image Gallery – Photo Grid & Video Gallery <= 2.12.28 - Improper Authorization to Authenticated (Author+) Arbitrary Image File Move

The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaximportfile function in all versions up to, and including, 2.12.28. This makes it possible for authenticated attackers, with author-level...

CVSS 4.3 · AI score 5.6 · EPSS 0.0021
Exploits: 0 · References: 7

Vulnrichment
added 2025/10/20 9:23 p.m. · 4 views

CVE-2025-11536 Element Pack Addons for Elementor <= 8.2.5 - Authenticated (Subscriber+) Blind Server-Side Request Forgery

The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 8.2.5 via the wpajaximportelementortemplate action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to ma...

CVSS 5 · AI score 5.5 · EPSS 0.00218
Exploits: 0 · References: 2

NVD
added 2025/09/11 8:15 a.m. · 12 views

CVE-2025-8425

The My WP Translate plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajaximportstrings function in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with...

CVSS 8.8 · EPSS 0.00284
Exploits: 0 · References: 2

Vulnrichment
added 2025/09/11 7:25 a.m. · 3 views

CVE-2025-8425 My WP Translate <= 1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

The My WP Translate plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajaximportstrings function in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with...

CVSS 8.8 · AI score 5.5 · EPSS 0.00284
Exploits: 0 · References: 2

Positive Technologies
added 2025/09/11 12:0 a.m. · 6 views

PT-2025-37130

Name of the Vulnerable Software and Affected Versions: My WP Translate plugin for WordPress versions up to and including 1.1 Description: The My WP Translate plugin for WordPress is susceptible to unauthorized data modification, potentially leading to privilege escalation. A missing capability...

CVSS 8.8 · AI score 5.8 · EPSS 0.00284
Exploits: 0 · References: 4

Positive Technologies
added 2025/09/09 12:0 a.m. · 6 views

PT-2025-36578

Name of the Vulnerable Software and Affected Versions: AutomatorWP – Automator plugin for WordPress versions prior to 5.3.7 Description: The AutomatorWP – Automator plugin for WordPress is susceptible to unauthorized data modification due to a missing capability check on the automatorwp ajax impo...

CVSS 8 · AI score 6.4 · EPSS 0.00416
Exploits: 0 · References: 6

OSV
added 2024/10/18 8:15 a.m. · 4 views

CVE-2024-10079

The WP Easy Post Types plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.4.4 via deserialization of untrusted input from the 'text' parameter in the 'ajaximportcontent' function. This allows authenticated attackers, with subscriber-level permissions an...

CVSS 8.8 · AI score 6 · EPSS 0.00779
Exploits: 0 · References: 2

NVD
added 2024/10/18 8:15 a.m. · 19 views

CVE-2024-10079

The WP Easy Post Types plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.4.4 via deserialization of untrusted input from the 'text' parameter in the 'ajaximportcontent' function. This allows authenticated attackers, with subscriber-level permissions an...

CVSS 8.8 · EPSS 0.00779
Exploits: 0 · References: 2

Positive Technologies
added 2024/10/18 12:0 a.m. · 5 views

PT-2024-16012 · WordPress · Wp Easy Post Types

Name of the Vulnerable Software and Affected Versions: WP Easy Post Types plugin for WordPress versions up to, and including, 1.4.4 Description: The issue concerns PHP Object Injection via deserialization of untrusted input from the text parameter in the ajax import content function. This allows...

CVSS 8.8 · AI score 7.5 · EPSS 0.00779
Exploits: 0 · References: 9

NVD
added 2024/02/29 4:15 a.m. · 21 views

CVE-2024-1468

The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajaximportoptions function in all versions up to, and including, 7.11.4. This makes it possible for authenticated attackers, with...

CVSS 8.8 · AI score 8.9 · EPSS 0.01161
Exploits: 0 · References: 2

WPVulnDB
added 2024/02/28 12:0 a.m. · 20 views

Avada | Website Builder For WordPress & WooCommerce < 7.11.5 - Authenticated (Contributor+) Arbitrary File Upload

Description The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajaximportoptions function in all versions up to, and including, 7.11.4. This makes it possible for authenticated attackers,...

CVSS 8.8 · AI score 8.9 · EPSS 0.01161
Exploits: 0 · References: 1

Positive Technologies
added 2024/02/28 12:0 a.m. · 5 views

PT-2024-18072 · WordPress · Avada

Name of the Vulnerable Software and Affected Versions: Avada | Website Builder For WordPress & WooCommerce theme for WordPress versions up to, and including, 7.11.4 Description: The issue is related to arbitrary file uploads due to missing file type validation in the ajax import options function...

CVSS 8.8 · AI score 9.7 · EPSS 0.01161
Exploits: 0 · References: 14

OSV
added 2021/01/01 2:15 a.m. · 5 views

CVE-2020-35936

Stored Cross-Site Scripting XSS vulnerabilities in the Post Grid plugin before 2.0.73 for WordPress allow remote authenticated attackers to import layouts including JavaScript supplied via a remotely hosted crafted payload in the source parameter via AJAX. The action must be set to...

CVSS 8 · AI score 5.8
Exploits: 0 · References: 1

OSV
added 2021/01/01 2:15 a.m. · 5 views

CVE-2020-35937

Stored Cross-Site Scripting XSS vulnerabilities in the Team Showcase plugin before 1.22.16 for WordPress allow remote authenticated attackers to import layouts including JavaScript supplied via a remotely hosted crafted payload in the source parameter via AJAX. The action must be set to...

CVSS 8 · AI score 7.2 · EPSS 0.01651
Exploits: 1 · References: 1

CNNVD
added 2020/12/31 12:0 a.m. · 4 views

WordPress Cross-Site Scripting Vulnerability

WordPress is a set of blogging platforms developed using the PHP language by the WordPress Wordpress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A cross-site scripting vulnerability exists in the Post Grid plugin before 2.0.73 for WordPress, whi...

CVSS 8 · AI score 5.6 · EPSS 0.01651
Exploits: 1 · References: 2