Lucene search
K

470 matches found

Nuclei
Nuclei
added 18 hours ago23 views

SmartSearchWP < 2.4.6 - OpenAI Key Disclosure

The plugin does not have proper authorization in one of its REST endpoint, allowing unauthenticated users to retrieve the encoded key and then decode it, thereby leaking the OpenAI API key. id: CVE-2024-6845 info: name: SmartSearchWP 2.4.6 - OpenAI Key Disclosure author: s4e-io severity: medium...

5.3CVSS6.1AI score0.01113EPSS
Exploits1References2
Nuclei
Nuclei
added 18 hours ago45 views

WordPress Simple Link Directory <7.7.2 - SQL injection

WordPress Simple Link Directory plugin before 7.7.2 contains a SQL injection vulnerability. The plugin does not validate and escape the postid parameter before using it in a SQL statement via the qcopdupvoteaction AJAX action, available to unauthenticated and authenticated users. An attacker can...

9.8CVSS7.1AI score0.10825EPSS
Exploits2References5
Nuclei
Nuclei
added 18 hours ago86 views

WordPress Spider Calendar <=1.5.65 - Cross-Site Scripting

WorsPress Spider Calendar plugin through 1.5.65 is susceptible to cross-site scripting. The plugin does not sanitize and escape the callback parameter before outputting it back in the page via the window AJAX action, available to both unauthenticated and authenticated users. An attacker can injec...

6.1CVSS6AI score0.02291EPSS
Exploits2References3
Nuclei
Nuclei
added 18 hours ago41 views

Popup Builder < 4.0.7 - SQL Injection

The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high privilege users to perform SQL injection. id: CVE-2022-0228 info: name: Popup Builder 4.0.7 -...

7.2CVSS7AI score0.05839EPSS
Exploits2References4
Nuclei
Nuclei
added 18 hours ago31 views

Ditty (formerly Ditty News Ticker) < 3.0.15 - Cross-Site Scripting

The Ditty formerly Ditty News Ticker WordPress plugin before 3.0.15 is affected by a Reflected Cross-Site Scripting XSS vulnerability. id: CVE-2022-0533 info: name: Ditty formerly Ditty News Ticker 3.0.15 - Cross-Site Scripting author: r3Y3r53 severity: medium description: | The Ditty formerly...

6.1CVSS6.4AI score0.01857EPSS
Exploits2References4
Nuclei
Nuclei
added 18 hours ago40 views

CommonsBooking < 2.6.8 - SQL Injection

The plugin does not sanitise and escape the location parameter of the calendardata AJAX action available to unauthenticated users before it is used in dynamically constructed SQL queries, leading to an unauthenticated SQL injection. id: CVE-2022-0658 info: name: CommonsBooking 2.6.8 - SQL Injecti...

9.8CVSS7.1AI score0.08852EPSS
Exploits2References4
Nuclei
Nuclei
added 18 hours ago74 views

Formcraft3 <3.8.28 - Server-Side Request Forgery

Formcraft3 before version 3.8.2 does not validate the URL parameter in the formcraft3get AJAX action, leading to server-side request forgery issues exploitable by unauthenticated users. id: CVE-2022-0591 info: name: Formcraft3 3.8.28 - Server-Side Request Forgery author: Akincibor,j4vaovo severit...

9.1CVSS7AI score0.20249EPSS
Exploits2References2
Nuclei
Nuclei
added 18 hours ago75 views

WordPress Mapping Multiple URLs Redirect Same Page <=5.8 - Cross-Site Scripting

WordPress Mapping Multiple URLs Redirect Same Page plugin 5.8 and prior contains a reflected cross-site scripting vulnerability. It does not sanitize and escape the mmurspid parameter before outputting it back in an admin page. id: CVE-2022-0599 info: name: WordPress Mapping Multiple URLs Redirec...

6.1CVSS6.4AI score0.01713EPSS
Exploits2References5
Nuclei
Nuclei
added 18 hours ago82 views

WordPress Page Views Count <2.4.15 - SQL Injection

WordPress Page Views Count plugin prior to 2.4.15 contains an unauthenticated SQL injection vulnerability. It does not sanitise and escape the postids parameter before using it in a SQL statement via a REST endpoint. An attacker can possibly obtain sensitive information, modify data, and/or execu...

9.8CVSS7.1AI score0.14783EPSS
Exploits2References5
Nuclei
Nuclei
added 18 hours ago176 views

WordPress NotificationX <2.3.9 - SQL Injection

WordPress NotificationX plugin prior to 2.3.9 contains a SQL injection vulnerability. The plugin does not sanitize and escape the nxid parameter before using it in a SQL statement, leading to an unauthenticated blind SQL injection. An attacker can possibly obtain sensitive information, modify dat...

9.8CVSS7.1AI score0.34359EPSS
Exploits2References5
Nuclei
Nuclei
added 18 hours ago35 views

WordPress Cookie Information/Free GDPR Consent Solution <2.0.8 - Cross-Site Scripting

WordPress Cookie Information/Free GDPR Consent Solution plugin prior to 2.0.8 contains a cross-site scripting vulnerability via the admin dashboard. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to...

6.1CVSS6.5AI score0.01601EPSS
Exploits2References5
Nuclei
Nuclei
added 18 hours ago34 views

WordPress RSS Aggregator < 4.20 - Authenticated Cross-Site Scripting

WordPress RSS Aggregator 4.20 is susceptible to cross-site scripting. The plugin does not sanitize and escape the id parameter in the wprssfetchitemsrowaction AJAX action before outputting it back in the response, leading to reflected cross-site scripting. id: CVE-2022-0189 info: name: WordPress...

6.1CVSS5.9AI score0.02228EPSS
Exploits2References5
Nuclei
Nuclei
added 18 hours ago56 views

WordPress Permalink Manager <2.2.15 - Cross-Site Scripting

WordPress Permalink Manager Lite and Pro plugins before 2.2.15 contain a reflected cross-site scripting vulnerability. They do not sanitize and escape query parameters before outputting them back in the debug page. id: CVE-2022-0201 info: name: WordPress Permalink Manager 2.2.15 - Cross-Site...

6.1CVSS6.4AI score0.03368EPSS
Exploits2References4
Nuclei
Nuclei
added 18 hours ago81 views

WordPress Page Builder KingComposer <=2.9.6 - Open Redirect

WordPress Page Builder KingComposer 2.9.6 and prior does not validate the id parameter before redirecting the user to it via the kcgetthumbn AJAX action which is available to both unauthenticated and authenticated users. id: CVE-2022-0165 info: name: WordPress Page Builder KingComposer =2.9.7 to...

6.1CVSS6.6AI score0.0428EPSS
Exploits4References5
Nuclei
Nuclei
added 18 hours ago34 views

WordPress Plugin MapPress <2.73.4 - Cross-Site Scripting

WordPress Plugin MapPress before version 2.73.4 does not sanitize and escape the 'mapid' parameter before outputting it back in the "Bad mapid" error message, leading to reflected cross-site scripting. id: CVE-2022-0208 info: name: WordPress Plugin MapPress 2.73.4 - Cross-Site Scripting author:...

6.1CVSS6.4AI score0.02021EPSS
Exploits2References4
Nuclei
Nuclei
added 18 hours ago49 views

WordPress All-in-one Floating Contact Form <2.0.4 - Cross-Site Scripting

WordPress All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs plugin before 2.0.4 contains a reflected cross-site scripting vulnerability on the my-sticky-elements-leads admin page. id: CVE-2022-0148 info: name: WordPress All-in-one Floating Contact Form 2.0.4 - Cross-Site...

5.4CVSS6.2AI score0.01572EPSS
Exploits2References5
Nuclei
Nuclei
added 18 hours ago47 views

WordPress XML Sitemap Generator for Google <2.0.4 - Cross-Site Scripting/Remote Code Execution

WordPress XML Sitemap Generator for Google plugin before 2.0.4 contains a cross-site scripting vulnerability that can lead to remote code execution. It does not validate a parameter which can be set to an arbitrary value, thus causing cross-site scripting via error message or remote code executio...

6.1CVSS6.8AI score0.02205EPSS
Exploits1References5
Nuclei
Nuclei
added 18 hours ago73 views

ARMember < 3.4.8 - Unauthenticated Admin Account Takeover

The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover even the administrator due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username. id:...

8.1CVSS7.1AI score0.0852EPSS
Exploits1References5
Nuclei
Nuclei
added 18 hours ago38 views

WordPress Sensei LMS <4.5.0 - Information Disclosure

WordPress Sensei LMS plugin before 4.5.0 is susceptible to information disclosure. The plugin does not have proper permissions set in a REST endpoint, which can allow an attacker to access private messages. id: CVE-2022-2034 info: name: WordPress Sensei LMS 4.5.0 - Information Disclosure author:...

5.3CVSS6.2AI score0.01868EPSS
Exploits2References5
Nuclei
Nuclei
added 18 hours ago28 views

Wordpress Profile Builder Plugin Cross-Site Scripting

The Profile Builder User Profile & User Registration Forms WordPress plugin is vulnerable to cross-site scripting due to insufficient escaping and sanitization of the siteurl parameter found in the /assets/misc/fallback-page.php file which allows attackers to inject arbitrary web scripts onto a...

6.1CVSS6.3AI score0.02703EPSS
Exploits3References5
Rows per page
Query Builder