11 matches found
GiveWP - Missing Authorization to Settings Update
GiveWP plugin through 2.5.9 for WordPress contains an unauthenticated settings change caused by insecure access in includes/gateways/stripe/includes/admin/admin-actions.php, letting attackers modify settings without authentication, exploit requires no authentication. id: CVE-2020-20627 info: name...
CVE-2026-3480
The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 0.9.14. The plugin registers an adminpost action hook 'wp-blockade-shortcode-render' that maps to the rendershortcodepreview function. This function lacks any capability check...
CVE-2025-12411
The Premmerce Wholesale Pricing for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'ID' parameter in versions up to, and including, 1.1.10. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. Th...
CVE-2025-12411
CVE-2025-12411 affects the Premmerce Wholesale Pricing for WooCommerce plugin (WordPress). It is an authenticated SQL Injection via the ID parameter in versions
CVE-2025-12411 Premmerce Wholesale Pricing for WooCommerce <= 1.1.10 - Authenticated (Subscriber+) SQL Injection
The Premmerce Wholesale Pricing for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'ID' parameter in versions up to, and including, 1.1.10. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. Th...
CVE-2025-12411 Premmerce Wholesale Pricing for WooCommerce <= 1.1.10 - Authenticated (Subscriber+) SQL Injection
The Premmerce Wholesale Pricing for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'ID' parameter in versions up to, and including, 1.1.10. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. Th...
PT-2025-34051
Name of the Vulnerable Software and Affected Versions: QuickCMS version 6.8 QuickCMS affected versions not specified Description: QuickCMS is vulnerable to Cross-Site Request Forgery in the article creation functionality. A malicious attacker can craft a special website that, when visited by an...
CVE-2020-11509
An XSS vulnerability in the WP Lead Plus X plugin through 0.98 for WordPress allows remote attackers to upload page templates containing arbitrary JavaScript via the c37wplimporttemplate admin-post action which will execute in an administrator's browser if the template is used to create a page...
CVE-2020-11509
An XSS vulnerability in the WP Lead Plus X plugin through 0.98 for WordPress allows remote attackers to upload page templates containing arbitrary JavaScript via the c37wplimporttemplate admin-post action which will execute in an administrator's browser if the template is used to create a page...
CVE-2020-11509
An XSS vulnerability in the WP Lead Plus X plugin through 0.98 for WordPress allows remote attackers to upload page templates containing arbitrary JavaScript via the c37wplimporttemplate admin-post action which will execute in an administrator's browser if the template is used to create a page...
PT-2020-12656 · WordPress · Wp Lead Plus X
Name of the Vulnerable Software and Affected Versions: WP Lead Plus X plugin versions through 0.98 Description: The issue allows remote attackers to upload page templates containing arbitrary JavaScript via the "c37 wpl import template" admin-post action. This JavaScript will execute in an...