363 matches found
CVE-2025-15019
The BIALTY - Bulk Image Alt Text Alt tag, Alt Attribute with Yoast SEO + WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bialtycsalt' post meta in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes...
CVE-2025-1528
The Search & Filter Pro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'getmetavalues' function in all versions up to, and including, 2.5.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...
CVE-2025-1657
The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to unauthorized modification of data and PHP Object Injection due to a missing capability check on the stmlistingajax AJAX action in all versions up to, and including, 2.2.0. This makes it possible for...
CVE-2024-2694
The Betheme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 27.5.6 via deserialization of untrusted input of the 'mfn-page-items' post meta value. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...
CVE-2025-13371 Money Space <= 2.13.9 - Unauthenticated Sensitive Information Exposure
The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details PAN, card holder name, expiry month/year, and CVV in WordPress postmeta using base64encode, and then...
CVE-2025-13371
CVE-2025-13371 refers to Money Space (Money Space) WordPress plugin. The vulnerability affects all versions up to 2.13.9 and arises from the plugin storing full card data (PAN, cardholder name, expiry, CVV) in WordPress post_meta encoded with base64, then embedding these values into the public ms...
CVE-2025-13371 Money Space <= 2.13.9 - Unauthenticated Sensitive Information Exposure
The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details PAN, card holder name, expiry month/year, and CVV in WordPress postmeta using base64encode, and then...
WordPress Directory Listings WordPress plugin - uListing plugin <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update and PHP Object Injection vulnerability
WordPress Directory Listings WordPress plugin - uListing plugin = 2.2.0 - Missing Authorization to Authenticated Subscriber+ Arbitrary Post Meta Update and PHP Object Injection vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin uListing versions = 2.2.0...
CVE-2025-14030
CVE-2025-14030 affects the WordPress AI Feeds plugin. Wordfence catalogs a Stored XSS via the aife_post_meta shortcode in versions up to 1.0.22, exploitable by authenticated users with Contributor-level access or higher. The CVSS from the report is 6.4 (Medium) with network attack vector and low ...
CVE-2025-14030 AI Feeds <= 1.0.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'aife_post_meta' Shortcode
The AI Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aifepostmeta' shortcode in all versions up to, and including, 1.0.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level acces...
PT-2025-50923
The AI Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aife post meta' shortcode in all versions up to, and including, 1.0.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level...
CVE-2025-13629
The WP Landing Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the 'wplpapiupdatetext' function. This makes it possible for unauthenticated attackers to update arbitrary post meta via a...
EUVD-2025-201529
The WP Landing Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the 'wplpapiupdatetext' function. This makes it possible for unauthenticated attackers to update arbitrary post meta via a...
CVE-2025-13629
The WP Landing Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the 'wplpapiupdatetext' function. This makes it possible for unauthenticated attackers to update arbitrary post meta via a...
CVE-2025-13629 WP Landing Page <= 0.9.3 - Cross-Site Request Forgery to Arbitrary Post Meta Update
The WP Landing Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the 'wplpapiupdatetext' function. This makes it possible for unauthenticated attackers to update arbitrary post meta via a...
CVE-2025-13629
CVE-2025-13629 relates to the WP Landing Page WordPress plugin (versions up to 0.9.3). The vulnerability is a CSRF flaw caused by missing nonce validation in the wplp_api_update_text function, allowing unauthenticated attackers to forge requests that update arbitrary post meta if a site administr...
CVE-2025-13629 WP Landing Page <= 0.9.3 - Cross-Site Request Forgery to Arbitrary Post Meta Update
The WP Landing Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the 'wplpapiupdatetext' function. This makes it possible for unauthenticated attackers to update arbitrary post meta via a...
WordPress WP Landing Page plugin <= 0.9.3 - Cross-Site Request Forgery to Arbitrary Post Meta Update vulnerability
Cross-Site Request Forgery to Arbitrary Post Meta Update vulnerability discovered by Ivan Cese in WordPress Plugin WP Landing Page versions = 0.9.3...
PT-2025-49343
The WP Landing Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the 'wplp api update text' function. This makes it possible for unauthenticated attackers to update arbitrary post meta via ...
CVE-2025-13085
The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to Improper Authorization leading to Sensitive Post Meta Disclosure in versions up to and including 1.3.2. This is due to missing object-level authorization checks in the resolvevariables AJAX handler. This makes it possible for...