Lucene search

71 matches found

OSV
added 2025/10/01 8:41 p.m.

CVE-2025-59337 Discourse: Cross-Site Data Exposure via Backup Restore Metacommand Injection in Multisite Deployments

Discourse is an open-source community discussion platform. In versions 3.5.0 and below, malicious meta-commands could be embedded in a backup dump and executed during restore. In multisite setups, this allowed an admin of one site to access data or credentials from other sites. This issue is fixe...

CVSS 5.5 | AI score 6.4 | EPSS 0.00277
Exploits: 0 | References: 4
Cvelist
added 2025/08/16 3:38 a.m.

CVE-2025-3671 WPGYM - Wordpress Gym Management System <= 67.7.0 - Authenticated (Subscriber+) Local File Inclusion to Privilege Escalation via Password Update

The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 67.7.0 via the 'page' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrar...

CVSS 8.8 | EPSS 0.00693
Exploits: 0 | References: 2
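The local file inclusion pattern described in the WPGYM entry, as an added example that is not the plugin's own code: a hypothetical admin-page router that passes the `page` request parameter straight into `include`, beside a version that treats the parameter only as a key into a fixed allowlist. The function names, the `GYM_PAGES` map, its file names and its capabilities are assumptions, and the code assumes it is loaded inside WordPress.

```php
<?php
// Added example, not WPGYM's code. A hypothetical plugin admin router that
// dispatches on the 'page' request parameter; must be loaded inside WordPress.
if (!defined('ABSPATH')) { exit; }

// VULNERABLE: the untrusted parameter becomes part of an include path.
// Any authenticated user who can reach the handler can traverse to any file
// PHP can read, and a file they control (for example an "image" they were
// allowed to upload that actually contains PHP) is executed as code.
function gym_render_page_vulnerable(): void {
    $page = isset($_GET['page']) ? $_GET['page'] : 'dashboard';
    include __DIR__ . '/pages/' . $page;   // e.g. page=../../../uploads/2025/avatar.jpg
}

// HARDENED: the parameter is only a key into a fixed map, each entry names
// the capability it requires, and the untrusted string never touches the
// filesystem path.
const GYM_PAGES = [
    'dashboard' => ['file' => 'dashboard.php', 'cap' => 'read'],
    'members'   => ['file' => 'members.php',   'cap' => 'edit_others_posts'],
    'settings'  => ['file' => 'settings.php',  'cap' => 'manage_options'],
];

function gym_render_page_hardened(): void {
    $page = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : 'dashboard';
    if (!array_key_exists($page, GYM_PAGES)) {
        wp_die('Unknown page', 'Not found', ['response' => 404]);
    }
    if (!current_user_can(GYM_PAGES[$page]['cap'])) {
        wp_die('You are not allowed to view this page', 'Forbidden', ['response' => 403]);
    }
    include __DIR__ . '/pages/' . GYM_PAGES[$page]['file'];
}
```

The allowlist does two jobs at once: it removes the path-traversal surface entirely, and it forces each page to declare the capability a Subscriber-level caller must lack before the file is even loaded.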
OSV
added 2025/07/16 6:15 a.m.

CVE-2025-2799

The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tag-name’ parameter in all versions up to, and including, 3.1.49 due to insufficient input sanitization and output escaping. This makes i...

CVSS 4.8 | AI score 5.9 | EPSS 0.00205
Exploits: 0 | References: 2
RedhatCVE
added 2025/05/23 8:20 a.m.

CVE-2024-6692

The Easy Digital Downloads – Sell Digital Files & Subscriptions eCommerce Store + Payments Made Easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Agreement Text value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escapin...

CVSS 3.3 | AI score 5 | EPSS 0.00356
Exploits: 0 | References: 1
RedhatCVE
added 2025/05/22 11:25 p.m.

CVE-2022-4010

The Image Hover Effects WordPress plugin before 5.5 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup)...

CVSS 4.8 | AI score 3.9 | EPSS 0.00532
Exploits: 2 | References: 1
OSV
added 2025/05/15 8:15 p.m.

CVE-2024-3062

The Save as Image Plugin by Pdfcrowd WordPress plugin before 3.2.2 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite...

CVSS 4.8 | AI score 5.8 | EPSS 0.00266
Exploits: 2 | References: 1
RedhatCVE
added 2025/03/10 2:38 a.m.

CVE-2024-13835

The Post Meta Data Manager plugin for WordPress is vulnerable to multisite privilege escalation in all versions up to, and including, 1.4.4. This is due to the plugin not properly verifying the existence of a multisite installation prior to allowing user meta to be added/modified. This makes it...

CVSS 7.2 | AI score 7.2 | EPSS 0.00372
Exploits: 0 | References: 1
CNNVD
added 2025/03/08 12:00 a.m.

WordPress plugin Post Meta Data Manager security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...

CVSS 7.2 | AI score 8.8 | EPSS 0.00372
Exploits: 0 | References: 4
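The multisite privilege-escalation pattern behind the two Post Meta Data Manager entries above (CVE-2024-13835 and the CNNVD record), as an added example that is not the plugin's own code or its fix: a hypothetical handler that writes arbitrary user meta from a form, beside a hardened version. The guard relies on a WordPress fact the page does not spell out: a user's role on each site of a network is stored in user meta under `{$wpdb->base_prefix}capabilities` (site 1) or `{$wpdb->base_prefix}{$blog_id}_capabilities`, so free-form user-meta writes are a path to administrator on every other site. Function names, the nonce action and the form field names are assumptions, and the code assumes it is loaded inside WordPress.

```php
<?php
// Added example, not Post Meta Data Manager's code. A hypothetical form
// handler that lets an administrator add or edit a user meta entry; must be
// loaded inside WordPress.
if (!defined('ABSPATH')) { exit; }

// VULNERABLE: no nonce, no capability check on the target user, any key.
// On multisite this is a network-wide escalation: per-site roles live in
// "{$wpdb->base_prefix}capabilities" / "{$wpdb->base_prefix}{$blog_id}_capabilities",
// so a site administrator can write those keys and become administrator
// on every site in the network.
function pmdm_save_user_meta_vulnerable(): void {
    $user_id = (int) $_POST['user_id'];
    update_user_meta($user_id, $_POST['meta_key'], wp_unslash($_POST['meta_value']));
}

// Keys that encode roles, levels or sessions must never be editable as
// free-form meta, whatever the caller's role. Matches wp_capabilities,
// wp_user_level and their per-site variants such as wp_3_capabilities.
function pmdm_is_protected_user_meta_key(string $key): bool {
    global $wpdb;
    $prefix = preg_quote($wpdb->base_prefix, '/');
    return $key === 'session_tokens'
        || (bool) preg_match('/^' . $prefix . '(\d+_)?(capabilities|user_level)$/', $key);
}

// HARDENED: CSRF token, capability against the specific target user, a
// super-admin requirement on multisite (site admins do not manage
// network-wide user state), and rejection of protected keys.
function pmdm_save_user_meta_hardened(): void {
    check_admin_referer('pmdm_save_user_meta');
    $user_id = isset($_POST['user_id']) ? (int) $_POST['user_id'] : 0;
    // sanitize_key lowercases and restricts to [a-z0-9_-]; adjust if keys
    // with other characters are legitimately needed.
    $key     = isset($_POST['meta_key']) ? sanitize_key(wp_unslash($_POST['meta_key'])) : '';
    $value   = isset($_POST['meta_value']) ? sanitize_text_field(wp_unslash($_POST['meta_value'])) : '';

    if ($user_id <= 0 || $key === '' || !current_user_can('edit_user', $user_id)) {
        wp_die('Forbidden', '', ['response' => 403]);
    }
    if (is_multisite() && !is_super_admin()) {
        wp_die('Only network administrators may edit user meta on a multisite install', '', ['response' => 403]);
    }
    if (pmdm_is_protected_user_meta_key($key) || is_protected_meta($key, 'user')) {
        wp_die('This meta key cannot be edited directly', '', ['response' => 403]);
    }
    update_user_meta($user_id, $key, $value);
}
```

The `is_multisite()` branch is the check the entry says was missing: on a single site an administrator already owns everything, so the same handler is harmless there and dangerous only once other sites share the user table.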
OSV
added 2025/02/28 9:15 a.m.

CVE-2024-13851

The Modal Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject...

CVSS 4.8 | AI score 5.9 | EPSS 0.00228
Exploits: 0 | References: 2
CNNVD
added 2025/02/21 12:00 a.m.

WordPress plugin Head, Footer and Post Injections code injection vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A code injection vulnerability exists in th...

CVSS 7.2 | AI score 8.9 | EPSS 0.00383
Exploits: 0 | References: 3
Positive Technologies
added 2024/11/08 12:00 a.m.

PT-2024-39833 · WordPress · The Anih - Creative Agency Wordpress Theme

Name of the Vulnerable Software and Affected Versions: The Anih - Creative Agency WordPress Theme versions up to, and including, 2024 Description: The issue is related to Stored Cross-Site Scripting via admin settings due to an incomplete blacklist, insufficient input sanitization, and output...

CVSS 5.5 | AI score 6.1 | EPSS 0.0025
Exploits: 0 | References: 8
OSV
added 2024/10/26 3:15 a.m.

CVE-2024-9462

The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Stored Cross-Site Scripting via poll settings in all versions up to, and including, 5.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attacker...

CVSS 4.8 | AI score 5.9 | EPSS 0.0032
Exploits: 0 | References: 4
OSV
added 2024/09/05 11:15 a.m.

CVE-2022-3556

The Cab fare calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vehicle title setting in versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrative...

CVSS 4.8 | AI score 5.9 | EPSS 0.003
Exploits: 0 | References: 2
OSV
added 2024/07/31 6:15 a.m.

CVE-2024-6165

The WANotifier WordPress plugin before 2.6.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup)...

CVSS 4.8 | AI score 5.8 | EPSS 0.00351
Exploits: 1 | References: 1
OSV
added 2024/07/30 6:15 a.m.

CVE-2024-5807

The Business Card WordPress plugin through 1.0.0 does not prevent high privilege users like administrators from uploading malicious PHP files, which could allow them to run arbitrary code on servers hosting their site, even in MultiSite configurations...

CVSS 7.2 | AI score 6 | EPSS 0.00645
Exploits: 1 | References: 1
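The arbitrary-PHP-upload pattern in the Business Card entry, as an added example that is not the plugin's own code: a hypothetical settings-screen upload handler that moves the file by its client-supplied name, beside a version that delegates to `wp_handle_upload` with an explicit MIME allowlist. The function names, the `card` field name and the target directory are assumptions, and the code assumes it is loaded inside WordPress.

```php
<?php
// Added example, not Business Card's code. A hypothetical handler that stores
// an image uploaded from a plugin settings screen; must be loaded inside WordPress.
if (!defined('ABSPATH')) { exit; }

// VULNERABLE: the file is written under the name the browser sent, so
// "card.php" lands in a web-reachable directory and executes on the next
// request. On multisite a site administrator is not supposed to be able to
// run code on the server, since every other site shares that server.
function bc_handle_upload_vulnerable(): void {
    $dest = wp_upload_dir()['basedir'] . '/business-card/' . basename($_FILES['card']['name']);
    move_uploaded_file($_FILES['card']['tmp_name'], $dest);
}

// HARDENED: capability check, then wp_handle_upload with a MIME allowlist.
// Core checks both the extension and the file's real type against the list,
// renames on collision, and refuses anything outside it.
function bc_handle_upload_hardened() {
    if (!current_user_can('upload_files')) {
        return new WP_Error('forbidden', 'Insufficient permissions');
    }
    if (empty($_FILES['card']) || !is_array($_FILES['card'])) {
        return new WP_Error('no_file', 'No file uploaded');
    }
    $overrides = [
        'test_form' => false,   // not coming through the media form
        'mimes'     => ['jpg|jpeg' => 'image/jpeg', 'png' => 'image/png'],
    ];
    $result = wp_handle_upload($_FILES['card'], $overrides);
    if (isset($result['error'])) {
        return new WP_Error('upload_failed', $result['error']);
    }
    return $result;   // ['file' => path, 'url' => url, 'type' => mime]
}
```

Note that `upload_files` alone is not enough on its own: what actually blocks the PHP file is the `mimes` allowlist, which is why the hardened version never builds a destination path from user input at all.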
OSV
added 2024/06/26 6:15 a.m.

CVE-2024-4959

The Frontend Checklist WordPress plugin through 2.3.2 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup)...

CVSS 4.8 | AI score 5.8 | EPSS 0.0033
Exploits: 2 | References: 1
OSV
added 2024/05/14 4:17 p.m.

CVE-2024-4445

The WP Compress – Image Optimizer All-In-One plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in versions up to, and including, 6.20.01. This makes it possible for authenticated attackers, with subscriber-level...

CVSS 4.3 | AI score 5.7 | EPSS 0.00343
Exploits: 0 | References: 3
Positive Technologies
added 2024/05/14 12:00 a.m.

PT-2024-31156 · WordPress · Wp Compress – Image Optimizer [All-In-One]

Name of the Vulnerable Software and Affected Versions: WP Compress – Image Optimizer All-In-One versions up to, and including, 6.20.01 Description: The issue allows authenticated attackers with subscriber-level permissions and above to modify data, including editing plugin settings and storing...

CVSS 6.5 | AI score 6.5 | EPSS 0.00343
Exploits: 0 | References: 5
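The missing-capability-check pattern in the two WP Compress entries above (CVE-2024-4445 and PT-2024-31156), as an added example that is not the plugin's own code: a hypothetical `admin-ajax.php` settings endpoint that any logged-in user can call, beside a version that verifies a nonce, requires `manage_options`, and sanitizes each field. The action names, the option name and the settings fields are assumptions, and the code assumes it is loaded inside WordPress.

```php
<?php
// Added example, not WP Compress's code. A hypothetical AJAX endpoint that
// saves plugin settings; must be loaded inside WordPress.
if (!defined('ABSPATH')) { exit; }

// VULNERABLE: wp_ajax_* hooks fire for every authenticated user regardless
// of role. With no capability check, a subscriber can POST to
// admin-ajax.php?action=wpc_save_settings and rewrite the plugin's options.
add_action('wp_ajax_wpc_save_settings', function (): void {
    update_option('wpc_settings', wp_unslash($_POST['settings']));
    wp_send_json_success();
});

// HARDENED: nonce (CSRF), the capability the operation implies, and
// per-field sanitization before anything reaches the database.
add_action('wp_ajax_wpc_save_settings_hardened', function (): void {
    // Dies with HTTP 403 if the 'nonce' field is missing or invalid.
    check_ajax_referer('wpc_save_settings', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'Insufficient permissions'], 403);
    }
    $raw = (isset($_POST['settings']) && is_array($_POST['settings']))
        ? wp_unslash($_POST['settings'])
        : [];
    $clean = [
        'quality'  => min(100, max(1, (int) ($raw['quality'] ?? 80))),
        'api_key'  => sanitize_text_field($raw['api_key'] ?? ''),
        'cdn_host' => sanitize_text_field($raw['cdn_host'] ?? ''),
    ];
    update_option('wpc_settings', $clean);
    wp_send_json_success($clean);
});
```

The admin page that calls the hardened endpoint embeds `wp_create_nonce('wpc_save_settings')` in the request as the `nonce` field; the nonce proves the request came from a page this user loaded, and `current_user_can` proves the user is allowed to do this at all. Neither check substitutes for the other.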
Vulnrichment
added 2024/02/12 4:06 p.m.

CVE-2023-6294 popup-builder < 4.2.6 - Admin+ SSRF & File Read

The Popup Builder WordPress plugin before 4.2.6 does not validate a parameter before making a request to it, which could allow users with the administrator role to perform SSRF attack in Multisite WordPress configurations...

AI score 6.7 | EPSS 0.00812
Exploits: 2 | References: 1
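The SSRF pattern in the Popup Builder entry, as an added example that is not the plugin's own code: a hypothetical admin feature that fetches a URL taken from a request, beside a version that checks scheme, credentials, port and the resolved address before using `wp_safe_remote_get`. The function names are assumptions, and the code assumes it is loaded inside WordPress.

```php
<?php
// Added example, not Popup Builder's code. A hypothetical admin feature that
// fetches remote content from a URL supplied in a request; must be loaded
// inside WordPress.
if (!defined('ABSPATH')) { exit; }

// VULNERABLE: the URL is fetched exactly as given. From the WordPress host
// this reaches loopback services, cloud metadata endpoints and, on
// multisite, other sites' admin endpoints that the caller cannot reach
// directly. wp_remote_get performs no destination validation.
function pb_fetch_vulnerable(string $url): string {
    $resp = wp_remote_get($url);
    return is_wp_error($resp) ? '' : wp_remote_retrieve_body($resp);
}

// Reject anything that is not plain http(s) on a standard port to a
// publicly routable address.
function pb_url_is_safe(string $url): bool {
    $parts = wp_parse_url($url);
    if (!is_array($parts) || empty($parts['host'])) return false;
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) return false;
    if (isset($parts['user']) || isset($parts['pass'])) return false;
    if (isset($parts['port']) && !in_array((int) $parts['port'], [80, 443], true)) return false;

    // Resolve ourselves so "localtest.me"-style names cannot hide an
    // internal address. A literal IP or an unresolvable name falls through
    // to the filter as-is (and a bracketed IPv6 literal is rejected by it).
    $ips = gethostbynamel($parts['host']);
    if ($ips === false) {
        $ips = [$parts['host']];
    }
    foreach ($ips as $ip) {
        // Fails for 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16, 0/8,
        // 240/4 and the IPv6 equivalents, or for anything that is not an IP.
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false;
        }
    }
    return true;
}

// HARDENED: capability check, our own validation, then wp_safe_remote_get,
// which re-validates the destination through wp_http_validate_url. Redirects
// are disabled so a public host cannot bounce the request inward.
function pb_fetch_hardened(string $url): string {
    if (!current_user_can('manage_options') || !pb_url_is_safe($url)) {
        return '';
    }
    $resp = wp_safe_remote_get($url, ['timeout' => 5, 'redirection' => 0]);
    return is_wp_error($resp) ? '' : wp_remote_retrieve_body($resp);
}
```

One caveat a practitioner should keep in mind: the address is resolved here and again by the HTTP client, so a DNS-rebinding host can answer differently to each lookup. The checks narrow that window; pinning the resolved IP into the request (or proxying through an egress gateway) is what closes it.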
OSV
added 2023/10/20 8:15 a.m.

CVE-2023-4648

The WP Customer Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.6.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions...

CVSS 4.8 | AI score 7.3 | EPSS 0.00303
Exploits: 0 | References: 2
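The stored-XSS-through-plugin-settings pattern that recurs across this listing (the Image Hover Effects, Save as Image, WANotifier, Frontend Checklist, WP Event Manager, Easy Digital Downloads, Modal Portfolio, Poll Maker, Cab fare calculator, Anih theme and WP Customer Reviews entries), as an added example that is not any of those projects' code: a hypothetical settings page with a plain-text field and a rich-text field, stored and rendered verbatim, beside a version that sanitizes on save according to the caller's `unfiltered_html` capability and escapes on output. The option names and function names are assumptions, and the code assumes it is loaded inside WordPress.

```php
<?php
// Added example, not from any plugin listed above. A hypothetical settings
// page with a text field ("title") and a rich-text field ("intro"); must be
// loaded inside WordPress.
if (!defined('ABSPATH')) { exit; }

// VULNERABLE: stored and rendered as submitted. On a single site an
// administrator holds unfiltered_html anyway, but on multisite (or with
// DISALLOW_UNFILTERED_HTML) that capability is withheld from site admins,
// and this code lets one store <script> that then runs for every visitor
// and for any super admin who views the site.
function xo_register_settings_vulnerable(): void {
    register_setting('xo_options', 'xo_title');
    register_setting('xo_options', 'xo_intro');
}
function xo_render_vulnerable(): void {
    echo '<h2>' . get_option('xo_title') . '</h2>';
    echo '<div class="intro">' . get_option('xo_intro') . '</div>';
}

// Sanitize callback for the rich-text field: callers without unfiltered_html
// get the same filtering core applies to post content (wp_kses_post strips
// <script>, on* handlers, javascript: URLs and unknown tags).
function xo_sanitize_rich($html): string {
    $html = is_string($html) ? $html : '';
    return current_user_can('unfiltered_html') ? $html : wp_kses_post($html);
}

// HARDENED: sanitize on save, escape on output for the context each value
// lands in (esc_html for text, wp_kses_post for intentionally-HTML content).
function xo_register_settings_hardened(): void {
    register_setting('xo_options', 'xo_title', [
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
    ]);
    register_setting('xo_options', 'xo_intro', [
        'type'              => 'string',
        'sanitize_callback' => 'xo_sanitize_rich',
    ]);
}
function xo_render_hardened(): void {
    echo '<h2>' . esc_html(get_option('xo_title', '')) . '</h2>';
    // Filter on output as well: the option may have been written by another
    // code path, or before the sanitize callback existed.
    echo '<div class="intro">' . wp_kses_post(get_option('xo_intro', '')) . '</div>';
}
add_action('admin_init', 'xo_register_settings_hardened');
```

The capability check sits in the sanitize callback, which runs in the saving user's context, so the same option is held to different rules depending on who wrote it; escaping on output is kept independently because a stored value's provenance is never guaranteed.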