Lucene search
+L

386 matches found

cvelist
cvelist
added 2023/05/03 11:8 a.m.44 views

CVE-2023-25796 WordPress WP BaiDu Submit Plugin <= 1.2.1 is vulnerable to Cross Site Scripting (XSS)

Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Include WP BaiDu Submit plugin = 1.2.1 versions...

5.9CVSS5.5AI score0.00369EPSS
Exploits0References1
ptsecurity
ptsecurity
added 2023/04/25 12:0 a.m.3 views

PT-2023-20103 · WordPress · Oliver Schlöbe Simple Yearly Archive

Name of the Vulnerable Software and Affected Versions: Oliver Schlöbe Simple Yearly Archive plugin versions = 2.1.8 Description: The issue is related to a Stored Cross-Site Scripting XSS vulnerability that requires authentication with admin+ privileges. Recommendations: For Oliver Schlöbe Simple...

5.9CVSS5.3AI score0.00369EPSS
Exploits0References4
prion
prion
added 2023/04/18 2:15 a.m.15 views

Cross site scripting

The Responsive Filterable Portfolio plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the searchterm parameter in versions up to, and including, 1.0.19 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

5.8CVSS6AI score0.00567EPSS
Exploits0References3Affected Software1
cvelist
cvelist
added 2023/04/07 8:48 a.m.23 views

CVE-2023-24402 WordPress WP Booking System Plugin <= 2.0.18 is vulnerable to Cross Site Scripting (XSS)

Auth. admin+ Cross-Site Scripting XSS vulnerability in Veribo, Roland Murg WP Booking System – Booking Calendar plugin = 2.0.18 versions...

5.9CVSS5.6AI score0.00394EPSS
Exploits0References1
prion
prion
added 2023/04/06 8:15 p.m.19 views

Cross site request forgery (csrf)

The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the wpfcpreloadsinglesavesettingscallback function. This makes it possible for unauthenticated attackers to change...

4.3CVSS4.2AI score0.00227EPSS
Exploits0References2Affected Software1
prion
prion
added 2023/04/06 8:15 p.m.19 views

Cross site request forgery (csrf)

The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the wpfcclearcacheofallsitescallback function. This makes it possible for unauthenticated attackers to clear cache...

4.3CVSS4.2AI score0.00227EPSS
Exploits0References2Affected Software1
wpexploit
wpexploit
added 2023/03/27 12:0 a.m.112 views

TF Random Numbers < 2.0.1 - Subscriber+ Arbitrary Option Update

The plugin does not have authorisation and CSRF check in an AJAX action, and does not ensure that the options to be updated belong to the plugin. As a result, it could allow any authenticated users, such as subscriber, to update arbitrary blog options, such as enabling registration and set the...

6.5CVSS6.9AI score0.00301EPSS
Exploits2
cvelist
cvelist
added 2023/03/23 3:57 p.m.28 views

CVE-2022-47173 WordPress Connect Contact Form 7, WooCommerce To Google Sheets & Other Platforms – Advanced Form Integration Plugin <= 1.62.0 is vulnerable to Cross Site Scripting (XSS)

Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in nasirahmed Connect Contact Form 7, WooCommerce To Google Sheets & Other Platforms – Advanced Form Integration plugin = 1.62.0 versions...

5.9CVSS5.5AI score0.00392EPSS
Exploits0References1
patchstack
patchstack
added 2023/03/16 12:0 a.m.12 views

WordPress CP Multi View Event Calendar Plugin <= 1.4.10 is vulnerable to Other Vulnerability Type

Software CP Multi View Event Calendar Type Plugin Vulnerable versions = 1.4.10 Fixed in 1.4.11 OWASP Top 10 A5: Broken Access Control Classification Other Vulnerability Type CVE CVE-2023-28492 Patch priority Low CVSS severity Low 4.3 Developer Claim ownership PSID 1690516e9658 Credits István Márt...

4.3CVSS6.5AI score0.00311EPSS
Exploits0References2Affected Software1
patchstack
patchstack
added 2023/03/16 12:0 a.m.10 views

WordPress Sequential Order Numbers for WooCommerce Plugin <= 3.5.7.6 is vulnerable to Broken Access Control

Software Sequential Order Numbers for WooCommerce Type Plugin Vulnerable versions = 3.5.7.6 Fixed in 3.5.7.7 OWASP Top 10 A5: Broken Access Control Classification Broken Access Control CVE CVE-2022-45813 Patch priority Low CVSS severity Low 5.4 Developer Claim ownership PSID 91999026aef4 Credits...

5.9AI score0.00227EPSS
Exploits0References2Affected Software1
prion
prion
added 2023/03/10 8:15 p.m.22 views

Cross site request forgery (csrf)

The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.1. This is due to missing or incorrect nonce validation on the ucssconnect function. This makes it possible for unauthenticated attackers to connect the si...

4.3CVSS4.3AI score0.00307EPSS
Exploits0References2Affected Software1
cvelist
cvelist
added 2023/03/07 1:28 p.m.20 views

CVE-2020-36668 JetBackup – WP Backup, Migrate & Restore <= 1.4.0 - Sensitive Information Disclosure

The JetBackup – WP Backup, Migrate & Restore plugin for WordPress is vulnerable to sensitive information disclosure in versions up to, and including, 1.4.0 due to a lack of proper capability checking on the backupguardgetmanualmodal function called via an AJAX action. This makes it possible for...

4.3CVSS4.3AI score0.00639EPSS
Exploits0References2
patchstack
patchstack
added 2023/02/21 12:0 a.m.13 views

WordPress Feed Them Social Plugin <= 3.0.2 is vulnerable to Cross Site Request Forgery (CSRF)

Software Feed Them Social Type Plugin Vulnerable versions = 3.0.2 Fixed in 4.0.0 OWASP Top 10 A5: Broken Access Control Classification Cross Site Request Forgery CSRF CVE CVE-2023-25056 Patch priority Low CVSS severity Low 4.3 Developer Claim ownership PSID d0bf770b4cc9 Credits Rio Darmawan...

8.8CVSS7AI score0.00256EPSS
Exploits0References2Affected Software1
wpvulndb
wpvulndb
added 2023/02/13 12:0 a.m.44 views

WooCommerce Checkout Field Manager < 18.0 - Unauthenticated Arbitrary File Upload

The plugin does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server PoC 1. Install and activate woocommerce dependency, no setup required 2. Install and active the vulnerable plugin n-media-woocommerce-checkout-fields...

9.8CVSS9.4AI score0.04427EPSS
Exploits2Affected Software1
patchstack
patchstack
added 2023/01/19 12:0 a.m.3 views

WordPress Easy PayPal Buy Now Button Plugin < 1.7.3 is vulnerable to Cross Site Request Forgery (CSRF)

Software Easy PayPal Buy Now Button Type Plugin Vulnerable versions 1.7.3 Fixed in 1.7.3 OWASP Top 10 A5: Broken Access Control Classification Cross Site Request Forgery CSRF CVE N/A Patch priority Low CVSS severity Low 4.3 Developer Claim ownership PSID d96c1118d3fb Credits WPScanTeam Required...

6.9AI score
Exploits0References3Affected Software1
ptsecurity
ptsecurity
added 2023/01/16 12:0 a.m.5 views

PT-2023-14525 · WordPress · Themify Portfolio Post

Name of the Vulnerable Software and Affected Versions: Themify Portfolio Post WordPress plugin versions prior to 1.2.1 Description: The issue allows users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high privileged users such as...

5.4CVSS6.1AI score0.00534EPSS
Exploits2References6
prion
prion
added 2023/01/10 5:15 p.m.23 views

Improper access control

The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wprsavemegamenusettings' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to enable and modify Mega Menu...

4CVSS4.5AI score0.00688EPSS
Exploits2References3Affected Software1
prion
prion
added 2023/01/10 5:15 p.m.16 views

Cross site scripting

The Royal Elementor Addons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.3.59, due to due to insufficient input sanitization and output escaping of the 'wprajaxsearchlinktarget' parameter in the 'datafetch' function. This makes it possibl...

5.8CVSS6AI score0.00728EPSS
Exploits1References3Affected Software1
cvelist
cvelist
added 2023/01/09 10:13 p.m.29 views

CVE-2022-4393 ImageLinks Interactive Image Builder for WordPress <= 1.5.3 - Contributor+ Stored XSS

The ImageLinks Interactive Image Builder for WordPress plugin through 1.5.3 does not sanitise and escape some of its settings, which could allow users such as contributor+ to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed...

5.4AI score0.00471EPSS
Exploits2References1
wpexploit
wpexploit
added 2022/12/27 12:0 a.m.526 views

Pardakht Delkhah < 2.9.3 - Unauthenticated Stored XSS

The plugin does not sanitise and escape some parameters, allowing unauthenticated attackers to send a request with XSS payloads, which will be triggered when a high privilege users such as admin visits a page from the plugin. 1. Install and activate WoocCommerce dependency, no configuration...

6.1CVSS0.6AI score0.00526EPSS
Exploits2
Rows per page
Query Builder