6 matches found
CVE-2021-25117
The WP-PostRatings WordPress plugin before 1.86.1 does not sanitise the postratingsimage parameter from its options page wp-admin/admin.php?page=wp-postratings/postratings-options.php. Even though the page is only accessible to administrators, and protected against CSRF attacks, the issue is stil...
CVE-2020-35589
The limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows wp-admin/options-general.php?page=limit-login-attempts&tab= XSS. A malicious user can cause an administrator user to supply dangerous content to the vulnerable page, which is then reflected back to the user and executed b...
CVE-2019-14682
The acf-better-search aka ACF: Better Search plugin before 3.3.1 for WordPress allows wp-admin/options-general.php?page=acfbsadminpage CSRF...
CVE-2018-17584
The WP Fastest Cache plugin 0.8.8.5 for WordPress has CSRF via the wp-admin/admin.php wpfastestcacheoptions page...
PT-2019-8926 · WordPress · Events Manager
Name of the Vulnerable Software and Affected Versions: Events Manager plugin version 5.9.4. Description: The issue concerns a cross-site scripting (XSS) problem. It is exploited via the dbem event reapproved email body parameter to the "wp-admin/edit.php?post type=event&page=events-manager-options"...
CVE-2018-6466
A cross-site scripting (XSS) vulnerability in flickrRSS.php in the flickrRSS plugin 5.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the flickrRSSset parameter to wp-admin/options-general.php...