Lucene search
K

363 matches found

NVD
NVD
added 2026/01/09 7:16 a.m.4 views

CVE-2025-15019

The BIALTY - Bulk Image Alt Text Alt tag, Alt Attribute with Yoast SEO + WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bialtycsalt' post meta in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes...

6.4CVSS0.0019EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/01/07 9:18 a.m.7 views

CVE-2025-1528

The Search & Filter Pro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'getmetavalues' function in all versions up to, and including, 2.5.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...

4.3CVSS6.7AI score0.00235EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/07 9:11 a.m.23 views

CVE-2025-1657

The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to unauthorized modification of data and PHP Object Injection due to a missing capability check on the stmlistingajax AJAX action in all versions up to, and including, 2.2.0. This makes it possible for...

8.8CVSS7.2AI score0.00403EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/07 9:9 a.m.14 views

CVE-2024-2694

The Betheme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 27.5.6 via deserialization of untrusted input of the 'mfn-page-items' post meta value. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...

8.8CVSS7.2AI score0.00623EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/01/07 6:36 a.m.2 views

CVE-2025-13371 Money Space <= 2.13.9 - Unauthenticated Sensitive Information Exposure

The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details PAN, card holder name, expiry month/year, and CVV in WordPress postmeta using base64encode, and then...

8.6CVSS5.8AI score0.00372EPSS
Exploits0References5
CVE
CVE
added 2026/01/07 6:36 a.m.23 views

CVE-2025-13371

CVE-2025-13371 refers to Money Space (Money Space) WordPress plugin. The vulnerability affects all versions up to 2.13.9 and arises from the plugin storing full card data (PAN, cardholder name, expiry, CVV) in WordPress post_meta encoded with base64, then embedding these values into the public ms...

8.6CVSS5.8AI score0.00372EPSS
Exploits0References6
OSV
OSV
added 2026/01/07 6:36 a.m.4 views

CVE-2025-13371 Money Space <= 2.13.9 - Unauthenticated Sensitive Information Exposure

The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details PAN, card holder name, expiry month/year, and CVV in WordPress postmeta using base64encode, and then...

8.6CVSS5.9AI score0.00372EPSS
Exploits0References8
Patchstack
Patchstack
added 2025/12/31 12:0 a.m.9 views

WordPress Directory Listings WordPress plugin - uListing plugin <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update and PHP Object Injection vulnerability

WordPress Directory Listings WordPress plugin - uListing plugin = 2.2.0 - Missing Authorization to Authenticated Subscriber+ Arbitrary Post Meta Update and PHP Object Injection vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin uListing versions = 2.2.0...

8.8CVSS5.7AI score0.00403EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2025/12/12 11:15 a.m.27 views

CVE-2025-14030

CVE-2025-14030 affects the WordPress AI Feeds plugin. Wordfence catalogs a Stored XSS via the aife_post_meta shortcode in versions up to 1.0.22, exploitable by authenticated users with Contributor-level access or higher. The CVSS from the report is 6.4 (Medium) with network attack vector and low ...

6.4CVSS4.7AI score0.00195EPSS
Exploits0References4
Cvelist
Cvelist
added 2025/12/12 11:15 a.m.34 views

CVE-2025-14030 AI Feeds <= 1.0.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'aife_post_meta' Shortcode

The AI Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aifepostmeta' shortcode in all versions up to, and including, 1.0.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level acces...

6.4CVSS0.00195EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2025/12/12 12:0 a.m.14 views

PT-2025-50923

The AI Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aife post meta' shortcode in all versions up to, and including, 1.0.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level...

6.4CVSS5AI score0.00195EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2025/12/07 6:5 a.m.5 views

CVE-2025-13629

The WP Landing Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the 'wplpapiupdatetext' function. This makes it possible for unauthenticated attackers to update arbitrary post meta via a...

4.3CVSS5.4AI score0.00129EPSS
Exploits0References1
EUVD
EUVD
added 2025/12/06 6:30 a.m.6 views

EUVD-2025-201529

The WP Landing Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the 'wplpapiupdatetext' function. This makes it possible for unauthenticated attackers to update arbitrary post meta via a...

4.3CVSS4.9AI score0.00129EPSS
Exploits0References4
NVD
NVD
added 2025/12/06 6:15 a.m.5 views

CVE-2025-13629

The WP Landing Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the 'wplpapiupdatetext' function. This makes it possible for unauthenticated attackers to update arbitrary post meta via a...

4.3CVSS0.00129EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2025/12/06 5:49 a.m.3 views

CVE-2025-13629 WP Landing Page <= 0.9.3 - Cross-Site Request Forgery to Arbitrary Post Meta Update

The WP Landing Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the 'wplpapiupdatetext' function. This makes it possible for unauthenticated attackers to update arbitrary post meta via a...

4.3CVSS5AI score0.00129EPSS
Exploits0References3
CVE
CVE
added 2025/12/06 5:49 a.m.11 views

CVE-2025-13629

CVE-2025-13629 relates to the WP Landing Page WordPress plugin (versions up to 0.9.3). The vulnerability is a CSRF flaw caused by missing nonce validation in the wplp_api_update_text function, allowing unauthenticated attackers to forge requests that update arbitrary post meta if a site administr...

4.3CVSS5AI score0.00129EPSS
Exploits0References3
Cvelist
Cvelist
added 2025/12/06 5:49 a.m.21 views

CVE-2025-13629 WP Landing Page <= 0.9.3 - Cross-Site Request Forgery to Arbitrary Post Meta Update

The WP Landing Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the 'wplpapiupdatetext' function. This makes it possible for unauthenticated attackers to update arbitrary post meta via a...

4.3CVSS0.00129EPSS
Exploits0References3
Patchstack
Patchstack
added 2025/12/06 12:7 a.m.5 views

WordPress WP Landing Page plugin <= 0.9.3 - Cross-Site Request Forgery to Arbitrary Post Meta Update vulnerability

Cross-Site Request Forgery to Arbitrary Post Meta Update vulnerability discovered by Ivan Cese in WordPress Plugin WP Landing Page versions = 0.9.3...

4.3CVSS6.6AI score0.00129EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2025/12/06 12:0 a.m.5 views

PT-2025-49343

The WP Landing Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the 'wplp api update text' function. This makes it possible for unauthenticated attackers to update arbitrary post meta via ...

4.3CVSS5.4AI score0.00129EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2025/11/20 9:36 p.m.6 views

CVE-2025-13085

The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to Improper Authorization leading to Sensitive Post Meta Disclosure in versions up to and including 1.3.2. This is due to missing object-level authorization checks in the resolvevariables AJAX handler. This makes it possible for...

4.3CVSS5.2AI score0.00212EPSS
Exploits0References1
Rows per page
Query Builder