295 matches found
EUVD-2025-28394
Malicious code in bioql PyPI...
CVE-2025-10380
The CVE-2025-10380 entry describes a Server-Side Template Injection (SSTI) in the WordPress plugin Advanced Views – Display Posts, Custom Fields, and More (ACF-Views) affecting all versions up to and including 3.7.19. Root cause: insufficient input sanitization and lack of access control when pro...
PT-2025-39110
Name of the Vulnerable Software and Affected Versions Advanced Views – Display Posts, Custom Fields, and More plugin for WordPress versions up to and including 3.7.19 Description The Advanced Views – Display Posts, Custom Fields, and More plugin for WordPress is susceptible to Server-Side Templat...
CVE-2025-9776
The CatFolders – Tame Your WordPress Media Library by Category plugin for WordPress is vulnerable to time-based SQL Injection via the CSV Import contents in all versions up to, and including, 2.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on t...
CVE-2025-9451
The CVE relates to the WordPress plugin Smartcat Translator for WPML. It describes a time-based SQL injection via the orderby parameter in all versions up to 3.1.69, caused by insufficient escaping of user input and inadequate preparation of the SQL query. The vulnerability requires authenticatio...
CVE-2025-8686 WP Easy FAQs <= 1.0.5 - Authenticated (Author+) Stored Cross-Site Scripting via WP_EASY_FAQ Shortcode
The WP Easy FAQs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's WPEASYFAQ shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
PT-2025-37143
The Smartcat Translator for WPML plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 3.1.69 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...
CVE-2025-9493
CVE-2025-9493 describes a Stored Cross-Site Scripting vulnerability in the WordPress plugin Admin Menu Editor. The root cause is insufficient input sanitization and output escaping for the placeholder parameter, enabling an authenticated attacker with Author-level access or higher to inject scrip...
PT-2025-33707 · WordPress · Media Library Assistant
Name of the Vulnerable Software and Affected Versions: Media Library Assistant plugin for WordPress versions up to and including 3.27 Description: The Media Library Assistant plugin for WordPress is susceptible to arbitrary file deletion within the /wp-content/uploads directory. This is due to...
CVE-2025-4965
The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Grid Builder feature in all versions up to, and including, 8.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...
CVE-2024-9444
The ElementsReady Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-lev...
CVE-2024-2023
The Folders and Folders Pro plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.0 in Folders and 3.0.2 in Folders Pro via the 'handlefoldersfileupload' function. This makes it possible for authenticated attackers, with author access and above, to uplo...
CVE-2024-1332
The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to Stored Cross-Site Scripting via svg file upload in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author...
CVE-2024-4366
The Spectra – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘blockid’ parameter in versions up to, and including, 2.13.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2024-8538
The Big File Uploads – Increase Maximum File Upload Size plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.1.2. This is due the plugin not sanitizing a file path in an error message. This makes it possible for authenticated attackers, with...
CVE-2024-9178
The XT Floating Cart for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level...
CVE-2025-3056 Download Manager <= 3.3.12 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.3.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and...
CVE-2025-1662
The URL Media Uploader plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.0 via the 'urlmediauploaderurlupload' action. This makes it possible for authenticated attackers, with author-level access and above, to make web requests to arbitrar...
CVE-2024-12853
The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the zip upload functionality in all versions up to, and including, 2.11.10. This makes it possible for authenticated attackers, with Author-level access and above, to uploa...
PT-2024-16752 · WordPress · The Support Svg – Upload Svg Files In Wordpress Without Hassle
Name of the Vulnerable Software and Affected Versions: The Support SVG – Upload svg files in wordpress without hassle plugin for WordPress versions up to, and including, 1.1.0 Description: The issue is related to Stored Cross-Site Scripting via REST API SVG File uploads due to insufficient input...