Lucene search
+L

295 matches found

OSV
OSV
added 2025/11/12 4:29 a.m.7 views

CVE-2025-12833 GeoDirectory – WP Business Directory Plugin and Classified Listings Directory <= 2.8.139 - Missing Authorization to Authenticated (Author+) Arbitrary Image Attachment

The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.139 via the 'postattachmentupload' function due to missing validation on a user controlled key. This...

4.3CVSS6AI score0.00221EPSS
Exploits0References6
Cvelist
Cvelist
added 2025/11/12 4:29 a.m.12 views

CVE-2025-12833 GeoDirectory – WP Business Directory Plugin and Classified Listings Directory <= 2.8.139 - Missing Authorization to Authenticated (Author+) Arbitrary Image Attachment

The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.139 via the 'postattachmentupload' function due to missing validation on a user controlled key. This...

4.3CVSS0.00221EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2025/11/12 12:0 a.m.17 views

PT-2025-46565

Name of the Vulnerable Software and Affected Versions GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress versions prior to 2.8.139 Description The GeoDirectory plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This fl...

4.3CVSS6.4AI score0.00221EPSS
Exploits0References6
EUVD
EUVD
added 2025/11/11 12:30 p.m.4 views

EUVD-2025-84359

The Blocksy Companion plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 2.1.19. This is due to insufficient file type validation detecting SVG files, allowing double extension files to bypass sanitization while being accepted as a vali...

8.8CVSS7AI score0.0067EPSS
Exploits0References3
Cvelist
Cvelist
added 2025/11/11 3:30 a.m.8 views

CVE-2025-12880 Progress Bar Blocks for Gutenberg <= 1.0.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG

The Progress Bar Blocks for Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-leve...

5.4CVSS0.0016EPSS
Exploits0References2
CVE
CVE
added 2025/11/11 3:30 a.m.20 views

CVE-2025-12880

CVE-2025-12880 concerns the WordPress plugin Progress Bar Blocks for Gutenberg . The issue is a Stored Cross-Site Scripting (XSS) vulnerability via SVG file uploads caused by insufficient input sanitization and output escaping. It affects all versions up to and including 1.0.0, with exploitation ...

5.4CVSS4.7AI score0.0016EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2025/11/04 11:19 a.m.3 views

CVE-2025-12045 Orbit Fox Companion <= 3.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Post Taxonomy

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the category and tag 'name' parameters in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output...

6.4CVSS4.7AI score0.00218EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2025/11/02 6:43 a.m.21 views

CVE-2025-12171

The RESTful Content Syndication plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ingestimage function in versions 1.1.0 to 1.5.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary file...

8.8CVSS7.5AI score0.00493EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/11/02 5:44 a.m.22 views

CVE-2025-11983

The WP Discourse plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.5.9. This is due to the plugin unconditionally sending Discourse API credentials Api-Key and Api-Username headers to any host specified in a post's discoursepermalink custom field...

4.3CVSS5.8AI score0.00245EPSS
Exploits0References1
EUVD
EUVD
added 2025/11/01 6:30 a.m.5 views

EUVD-2025-37421

The Folderly plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the /wp-json/folderly/v1/config/clear-all-data REST API endpoint in all versions up to, and including, 0.3. This makes it possible for authenticated attackers, with...

4.3CVSS5.1AI score0.00178EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2025/11/01 5:40 a.m.3 views

CVE-2025-11983 WP Discourse <= 2.5.9 - Authenticated (Author+) Information Exposure

The WP Discourse plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.5.9. This is due to the plugin unconditionally sending Discourse API credentials Api-Key and Api-Username headers to any host specified in a post's discoursepermalink custom field...

4.3CVSS5.4AI score0.00245EPSS
Exploits0References5
Cvelist
Cvelist
added 2025/10/28 5:27 a.m.7 views

CVE-2025-10145

...

0.00042EPSS
Exploits0
EUVD
EUVD
added 2025/10/18 9:30 a.m.5 views

EUVD-2025-34975

The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the /wp-json/optml/v1/moveimage REST API endpoint due to missing validation on a user...

4.3CVSS5.2AI score0.00311EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2025/10/18 6:42 a.m.8 views

CVE-2025-11519 Image optimization service by Optimole <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Author+) Media Offload

The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the /wp-json/optml/v1/moveimage REST API endpoint due to missing validation on a user...

4.3CVSS5.3AI score0.00311EPSS
Exploits0References3
CVE
CVE
added 2025/10/18 6:42 a.m.19 views

CVE-2025-11519

The CVE concerns the Optimole WordPress plugin (image optimization service) up to version 4.1.0, where an Insecure Direct Object Reference exists through the /wp-json/optml/v1/move_image REST endpoint due to missing validation of a user-controlled key. This allows authenticated attackers with Aut...

4.3CVSS5.3AI score0.00311EPSS
Exploits0References3
NVD
NVD
added 2025/10/18 5:15 a.m.10 views

CVE-2025-11361

The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.7.1 via the ebsaveaigeneratedimage function. This makes it possible for authenticated attackers, with Author-leve...

6.4CVSS0.00281EPSS
Exploits0References3
Cvelist
Cvelist
added 2025/10/18 4:25 a.m.19 views

CVE-2025-11361 Essential Blocks <= 5.7.1 - Authenticated (Author+) Server-Side Request Forgery

The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.7.1 via the ebsaveaigeneratedimage function. This makes it possible for authenticated attackers, with Author-leve...

6.4CVSS0.00281EPSS
Exploits0References3
EUVD
EUVD
added 2025/10/04 6:30 a.m.5 views

EUVD-2025-32405

The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple form field parameters in all versions up to, and including, 27.0.2. This is due to insufficient input sanitization and output escaping on user-supplied...

6.4CVSS4.7AI score0.00232EPSS
Exploits0References8
Vulnrichment
Vulnrichment
added 2025/10/04 3:33 a.m.5 views

CVE-2025-10383 Contest Gallery – Upload, Vote & Sell with PayPal and Stripe <= 27.0.2 - Authenticated (Author+) Stored Cross-Site Scripting

The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple form field parameters in all versions up to, and including, 27.0.2. This is due to insufficient input sanitization and output escaping on user-supplied...

6.4CVSS4.8AI score0.00232EPSS
Exploits0References7
Cvelist
Cvelist
added 2025/10/04 3:33 a.m.15 views

CVE-2025-10383 Contest Gallery – Upload, Vote & Sell with PayPal and Stripe <= 27.0.2 - Authenticated (Author+) Stored Cross-Site Scripting

The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple form field parameters in all versions up to, and including, 27.0.2. This is due to insufficient input sanitization and output escaping on user-supplied...

6.4CVSS0.00232EPSS
Exploits0References7
Rows per page
Query Builder