Lucene search
K

78 matches found

CVE
CVE
added 2024/11/12 3:24 a.m.54 views

CVE-2024-10672

CVE-2024-10672: The Multiple Page Generator Plugin – MPG for WordPress is vulnerable to directory traversal that enables authenticated attackers with editor-level access (and higher) to delete limited server files. Affected versions are

2.7CVSS3.5AI score0.00484EPSS
Exploits0References4Affected Software1
Vulnrichment
Vulnrichment
added 2024/11/12 3:24 a.m.15 views

CVE-2024-10672 Multiple Page Generator Plugin – MPG <= 4.0.2 - Authenticated (Editor+) Directory Traversal to Limited File Deletion

The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the mpgupsertprojectsourceblock function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with...

2.7CVSS6.7AI score0.00484EPSS
Exploits0References4
OSV
OSV
added 2024/10/22 8:15 a.m.6 views

CVE-2024-9590

The Category and Taxonomy Meta Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image meta field value in the 'wpaftaddmetatextinput' function in versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied...

4.8CVSS5.9AI score0.00256EPSS
Exploits0References2
CVE
CVE
added 2024/10/22 7:36 a.m.43 views

CVE-2024-9590

The CVE refers to WordPress plugin Category and Taxonomy Meta Fields (versions

5.5CVSS5.1AI score0.00256EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2024/10/10 2:15 a.m.4 views

CVE-2024-9519

The UserPlus plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'savemetaboxform' function in versions up to, and including, 2.0. This makes it possible for authenticated attackers, with editor-level permissions or above, to update t...

7.2CVSS5.7AI score0.00453EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2024/10/10 2:6 a.m.6 views

CVE-2024-9519 UserPlus <= 2.0 - Authenticated (Editor+) Registration Form Update to Privilege Escalation

The UserPlus plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'savemetaboxform' function in versions up to, and including, 2.0. This makes it possible for authenticated attackers, with editor-level permissions or above, to update t...

7.2CVSS6.8AI score0.00453EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2024/08/24 7:33 a.m.15 views

CVE-2024-7351 Simple Job Board <= 2.12.3 - Authenticated (Editor+) PHP Object Injection

The Simple Job Board plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.12.3 via deserialization of untrusted input when editing job applications. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PH...

7.2CVSS7.2AI score0.0062EPSS
Exploits0References2
CVE
CVE
added 2024/08/24 7:33 a.m.52 views

CVE-2024-7351

CVE-2024-7351 affects the WordPress plugin “Simple Job Board” (versions up to and including 2.12.3). The vulnerability is a PHP Object Injection via deserialization of untrusted input when updating job applications, exploitable by authenticated users with Editor+ privileges. The initial disclosur...

7.2CVSS7AI score0.0062EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2024/08/24 2:15 a.m.1 views

CVE-2023-0926

The Custom Permalinks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.6.0 due to insufficient input sanitization and output escaping on tag names. This allows authenticated users, with editor-level permissions or greater to inject arbitrary we...

5.4CVSS6AI score0.00303EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2024/08/13 1:59 a.m.14 views

CVE-2024-7388 WP Bannerize Pro <= 1.9.0 - Authenticated (Editor+) Stored Cross-Site Scripting

The WP Bannerize Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via banner alt data in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and...

4CVSS5.8AI score0.00246EPSS
Exploits0References2
NVD
NVD
added 2024/08/08 2:15 a.m.16 views

CVE-2024-7560

The News Flash theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.0 via deserialization of untrusted input from the newsflashpostmeta meta value. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PH...

7.2CVSS0.0062EPSS
Exploits0References2
CVE
CVE
added 2024/08/08 1:50 a.m.43 views

CVE-2024-7560

CVE-2024-7560 (News Flash Theme – WordPress) is a PHP Object Injection vulnerability affecting all versions up to 1.1.0, exploitable via deserialization of untrusted input from the newsflash_post_meta meta value. The issue permits authenticated attackers with Editor-level access and above to inje...

7.2CVSS7.2AI score0.0062EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2024/08/08 12:0 a.m.4 views

PT-2024-38420 · WordPress · The News Flash

Name of the Vulnerable Software and Affected Versions: The News Flash theme for WordPress versions up to, and including, 1.1.0 Description: The issue allows authenticated attackers with Editor-level access and above to inject a PHP Object via deserialization of untrusted input from the newsflash...

7.2CVSS7.5AI score0.0062EPSS
Exploits0References5
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.14 views

Visual Composer Website Builder < 45.9.0 - Authenticated (Editor+) Stored Cross-Site Scripting

Description The Visual Composer Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 45.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level...

6.5CVSS5.7AI score0.00279EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.14 views

AI Engine < 2.1.5 - Authenticated (Editor+) Server-Side Request Forgery

Description The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.1.4 via the downloadimage function. This makes it possible for authenticated attackers, with editor-level access and above, to make web requests to arbitrary locatio...

6.8CVSS6.5AI score0.00885EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.17 views

Coupon & Discount Code Reveal Button < 1.2.6 - Authenticated (Editor+) Stored Cross-Site Scripting

Description The Coupon & Discount Code Reveal Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

5.9CVSS6.1AI score0.00339EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.15 views

Sendinblue for WooCommerce < 4.0.18 - Authenticated (Editor+) Arbitrary File Download and Deletion

Description The Brevo for WooCommerce plugin for WordPress is vulnerable to arbitrary file download and deletion in all versions up to, and including, 4.0.17. This is due to the plugin not properly validating file names in the getfilecontents and deleteattachment functions. This makes it possible...

8.5CVSS6.9AI score0.00647EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2024/04/09 7:15 p.m.22 views

CVE-2024-0598

The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the contact form message settings in all versions up to and including 3.2.17 due to insufficient input sanitization and output escaping. This makes it possible for...

4.8CVSS4.3AI score0.00686EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2024/04/09 6:59 p.m.12 views

CVE-2024-2344 Avada <= 7.11.6 - Authenticated (Admin+) SQL Injection via entry

The Avada theme for WordPress is vulnerable to SQL Injection via the 'entry' parameter in all versions up to, and including, 7.11.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticted...

7.2CVSS7.2AI score0.00828EPSS
Exploits1References3
WPVulnDB
WPVulnDB
added 2024/04/06 12:0 a.m.16 views

Rehub < 19.6.2 - Authenticated (Editor+) Local File Inclusion

Description The Rehub theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 19.6.1. This makes it possible for authenticated attackers, with editor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any...

8CVSS7.9AI score0.0057EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder