CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

4642 matches found

WordPress Contact Form 7 <1.3.6.3 - Stored Cross-Site Scripting

WordPress Contact Form 7 before 1.3.6.3 contains an unauthenticated stored cross-site scripting vulnerability in the Drag and Drop Multiple File Upload plugin. SVG files can be uploaded by default via the dndcodedropzupload AJAX action. id: CVE-2022-0595 info: name: WordPress Contact Form 7 1.3.6...

5.4CVSS5.6AI score0.05776EPSS

Exploits2References4

Nuclei•added 14 hours ago•21 views

Contact Form to DB by BestWebSoft < 1.5.7 - Cross-Site Scripting

The contact-form-to-db plugin before 1.5.7 for WordPress has multiple XSS issues. id: CVE-2017-18492 info: name: Contact Form to DB by BestWebSoft 1.5.7 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The contact-form-to-db plugin before 1.5.7 for WordPress has multip...

6.1CVSS6.3AI score0.00104EPSS

Exploits1References4

Nuclei•added 14 hours ago•22 views

Contact Form by BestWebSoft < 4.0.6 - Cross-Site Scripting

The contact-form-plugin plugin before 4.0.6 for WordPress has multiple XSS issues. id: CVE-2017-18491 info: name: Contact Form by BestWebSoft 4.0.6 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The contact-form-plugin plugin before 4.0.6 for WordPress has multiple X...

6.1CVSS6.3AI score0.00104EPSS

Exploits1References4

Nuclei•added 14 hours ago•23 views

Contact Form Entries < 1.2.4 - Cross-Site Scripting

The plugin does not sanitise and escape various parameters, such as formid, status, enddate, order, orderby and search before outputting them back in the admin page id: CVE-2021-25079 info: name: Contact Form Entries 1.2.4 - Cross-Site Scripting author: r3Y3r53 severity: medium description: | The...

6.1CVSS6.3AI score0.01396EPSS

Exploits4References4

Nuclei•added 14 hours ago•28 views

WordPress Supsystic Contact Form <1.7.15 - Cross-Site Scripting

WordPress Supsystic Contact Form plugin before 1.7.15 contains a cross-site scripting vulnerability. It does not sanitize the tab parameter of its options page before outputting it in an attribute. id: CVE-2021-24276 info: name: WordPress Supsystic Contact Form 1.7.15 - Cross-Site Scripting autho...

6.1CVSS6AI score0.08366EPSS

Exploits5References5

Nuclei•added 14 hours ago•10 views

Drag and Drop Multiple File Upload - CF7 <= 1.3.9.6 - Remote Code Execution

Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin = 1.3.9.6 contains an unrestricted file upload caused by insufficient file type validation and bypass of filename sanitization with non-ASCII characters, letting unauthenticated attackers upload arbitrary files and achieve...

8.1CVSS5.9AI score0.04249EPSS

Exploits3References2

Nuclei•added 14 hours ago•15 views

WordPress Contact Form 7 Captcha <0.1.2 - Cross-Site Scripting

WordPress Contact Form 7 Captcha plugin before 0.1.2 contains a reflected cross-site scripting vulnerability. It does not escape the $SERVER'REQUESTURI' parameter before outputting it back in an attribute. id: CVE-2022-2187 info: name: WordPress Contact Form 7 Captcha 0.1.2 - Cross-Site Scripting...

6.1CVSS6AI score0.02697EPSS

Exploits2References5

Nuclei•added 14 hours ago•46 views

Contact Form 7 Math Captcha <= 2.0.1 - Cross-site Scripting

The Contact Form 7 Math Captcha WordPress plugin through 2.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users. id: CVE-2024-6517 info: name: Contact Form 7 Math Captcha =...

6.1CVSS5.4AI score0.04041EPSS

Exploits1References2

NVD•added yesterday•4 views

CVE-2019-25731

Zuz Music 2.1 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious JavaScript by submitting crafted contact form data. Attackers can inject script code through the name, subject, and message parameters in POST requests to...

7.2CVSS

Exploits0References4

NVD•added yesterday•3 views

CVE-2019-25734

Contact Form by WD 1.13.1 contains a cross-site request forgery vulnerability combined with local file inclusion that allows unauthenticated attackers to include arbitrary files by exploiting unsanitized action parameters. Attackers can craft malicious forms targeting the admin-ajax.php endpoint...

5.1CVSS

Exploits0References4

EUVD•added yesterday•3 views

EUVD-2019-20170

5.1CVSS5.8AI score

Exploits0References4

CVE•added yesterday•6 views

CVE-2019-25734

The CVE-2019-25734 entry concerns the WordPress plugin Contact Form by WD version 1.13.1. It describes a combined cross-site request forgery and local file inclusion vulnerability that lets unauthenticated attackers include arbitrary files by exploiting unsanitized action parameters. Attacks targ...

5.1CVSS5.8AI score

Exploits0References4

CVE•added yesterday•8 views

CVE-2019-25731

Zuz Music 2.1 is affected by a persistent cross-site scripting vulnerability that lets unauthenticated attackers inject JavaScript via crafted data in the /gmusic/zuzconsole/___contact endpoint (name, subject, message). The payload executes when administrators view messages in the inbox. CVSS met...

7.2CVSS5.7AI score

Exploits0References4

ATTACKERKB•added yesterday•4 views

CVE-2019-25731

7.2CVSS5.7AI score

Exploits0References4Affected Software1

Vulnrichment•added yesterday•4 views

CVE-2019-25731 Zuz Music 2.1 Persistent Cross-site Scripting via zuzconsole Contact

7.2CVSS5.7AI score

Exploits0References4

Cvelist•added yesterday•24 views

CVE-2019-25731 Zuz Music 2.1 Persistent Cross-site Scripting via zuzconsole Contact

7.2CVSS

Exploits0References4

Nuclei•added yesterday•16 views

Contact Form Plugin by Fluent Forms < 5.1.17 - Unauthenticated Limited Privilege Escalation

The plugin is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint. This makes it possible for unauthenticated attackers to grant users with Fluent Form management permissions which gives them access to all of the plugin's...

9.8CVSS5.8AI score0.21837EPSS

Exploits1References3

Nuclei•added yesterday•14 views

Contact Form Generator <= 2.5.5 - Cross-Site Scripting

The Contact Form Generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'id' parameter in wp-admin/admin.php in versions up to, and including, 2.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...

7.1CVSS7.1AI score0.21793EPSS

Exploits3References2