18 matches found
CVE-2026-3585
The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajaxcreateimport' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the...
EUVD-2025-197684
The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaximportfile function in all versions up to, and including, 2.12.28. This makes it possible for authenticated attackers, with author-level...
CVE-2025-12494
The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaximportfile function in all versions up to, and including, 2.12.28. This makes it possible for authenticated attackers, with author-level...
CVE-2025-12494 Image Gallery – Photo Grid & Video Gallery <= 2.12.28 - Improper Authorization to Authenticated (Author+) Arbitrary Image File Move
The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaximportfile function in all versions up to, and including, 2.12.28. This makes it possible for authenticated attackers, with author-level...
CVE-2025-11536 Element Pack Addons for Elementor <= 8.2.5 - Authenticated (Subscriber+) Blind Server-Side Request Forgery
The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 8.2.5 via the wpajaximportelementortemplate action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to ma...
CVE-2025-8425
The My WP Translate plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajaximportstrings function in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with...
CVE-2025-8425 My WP Translate <= 1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
The My WP Translate plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajaximportstrings function in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with...
PT-2025-37130
Name of the Vulnerable Software and Affected Versions: My WP Translate plugin for WordPress versions up to and including 1.1 Description: The My WP Translate plugin for WordPress is susceptible to unauthorized data modification, potentially leading to privilege escalation. A missing capability...
PT-2025-36578
Name of the Vulnerable Software and Affected Versions: AutomatorWP – Automator plugin for WordPress versions prior to 5.3.7 Description: The AutomatorWP – Automator plugin for WordPress is susceptible to unauthorized data modification due to a missing capability check on the automatorwp ajax impo...
CVE-2024-10079
The WP Easy Post Types plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.4.4 via deserialization of untrusted input from the 'text' parameter in the 'ajaximportcontent' function. This allows authenticated attackers, with subscriber-level permissions an...
CVE-2024-10079
The WP Easy Post Types plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.4.4 via deserialization of untrusted input from the 'text' parameter in the 'ajaximportcontent' function. This allows authenticated attackers, with subscriber-level permissions an...
PT-2024-16012 · WordPress · Wp Easy Post Types
Name of the Vulnerable Software and Affected Versions: WP Easy Post Types plugin for WordPress versions up to, and including, 1.4.4 Description: The issue concerns PHP Object Injection via deserialization of untrusted input from the text parameter in the ajax import content function. This allows...
CVE-2024-1468
The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajaximportoptions function in all versions up to, and including, 7.11.4. This makes it possible for authenticated attackers, with...
Avada | Website Builder For WordPress & WooCommerce < 7.11.5 - Authenticated (Contributor+) Arbitrary File Upload
Description: The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajaximportoptions function in all versions up to, and including, 7.11.4. This makes it possible for authenticated attackers,...
PT-2024-18072 · WordPress · Avada
Name of the Vulnerable Software and Affected Versions: Avada | Website Builder For WordPress & WooCommerce theme for WordPress versions up to, and including, 7.11.4 Description: The issue is related to arbitrary file uploads due to missing file type validation in the ajax import options function...
CVE-2020-35936
Stored Cross-Site Scripting (XSS) vulnerabilities in the Post Grid plugin before 2.0.73 for WordPress allow remote authenticated attackers to import layouts including JavaScript supplied via a remotely hosted crafted payload in the source parameter via AJAX. The action must be set to...
CVE-2020-35937
Stored Cross-Site Scripting (XSS) vulnerabilities in the Team Showcase plugin before 1.22.16 for WordPress allow remote authenticated attackers to import layouts including JavaScript supplied via a remotely hosted crafted payload in the source parameter via AJAX. The action must be set to...
WordPress Cross-Site Scripting Vulnerability
WordPress is a set of blogging platforms developed using the PHP language by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A cross-site scripting vulnerability exists in the Post Grid plugin before 2.0.73 for WordPress, whi...