Lucene search
K

36 matches found

RedhatCVE
RedhatCVE
added 2026/03/26 3:12 p.m.3 views

CVE-2026-3512

The Writeprint Stylometry plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'p' GET parameter in all versions up to and including 0.1. This is due to insufficient input sanitization and output escaping in the bjlwprintstylocommentsnav function. The function directly...

6.1CVSS6AI score0.00205EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/01/28 6:43 a.m.6 views

CVE-2025-9082

The WPBITS Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widget parameters in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping when dynamic content is enabled. This makes it possible for authenticat...

6.4CVSS6AI score0.0027EPSS
Exploits0References6
Patchstack
Patchstack
added 2026/01/28 1:32 a.m.7 views

WordPress Easy Replace Image plugin <= 3.5.2 - Missing Authorization to Authenticated (Contributor+) Arbitrary Attachment Replacement vulnerability

Missing Authorization to Authenticated Contributor+ Arbitrary Attachment Replacement vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin Easy Replace Image versions = 3.5.2...

5.3CVSS5.9AI score0.00254EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/01/07 12:0 a.m.12 views

PT-2026-1585

Name of the Vulnerable Software and Affected Versions ACF to REST API plugin for WordPress versions through 3.3.4 Description The ACF to REST API plugin for WordPress is affected by an Insecure Direct Object Reference issue. Insufficient capability checks in the update item permissions check meth...

4.3CVSS6.1AI score0.00289EPSS
Exploits1References5
NVD
NVD
added 2025/10/24 9:15 a.m.4 views

CVE-2025-10748

The RapidResult plugin for WordPress is vulnerable to SQL Injection via the 's' parameter in all versions up to, and including, 1.2. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

6.5CVSS0.00271EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2025/05/23 8:21 a.m.5 views

CVE-2024-1326

The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via HTML Tag attributes in all versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and abo...

6.4CVSS7.4AI score0.00505EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 5:42 a.m.5 views

CVE-2023-0709

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'mflastname' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to injec...

5.4CVSS5.3AI score0.00556EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 5:39 a.m.10 views

CVE-2023-0584

The VK Blocks plugin for WordPress is vulnerable to improper authorization via the REST 'updateoptions' function in versions up to, and including, 1.57.0.5. This allows authenticated attackers, with contributor-level permissions or above, to change the 'vkfontawesomeversion' option to an arbitrar...

4.3CVSS5.6AI score0.00508EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 2:4 a.m.12 views

CVE-2023-6924

The Photo Gallery by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widgets in versions up to, and including, 1.8.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

4.8CVSS5.7AI score0.00461EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/23 12:1 a.m.6 views

CVE-2022-4306

The Panda Pods Repeater Field WordPress plugin before 1.5.4 does not sanitize and escapes a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against a user having at least Contributor permission...

5.4CVSS6.2AI score0.00841EPSS
Exploits2References1
Cvelist
Cvelist
added 2025/05/15 8:6 p.m.11 views

CVE-2024-11267 JSP Store Locator <= 1.0 - Contributor+ SQL Injection

The JSP Store Locator WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing user with Contributor to perform SQL injection attacks...

0.00467EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2024/07/04 8:32 a.m.17 views

CVE-2024-6318 IMGspider <= 2.3.10 - Authenticated (Contributor+) Arbitrary File Upload via 'upload_img_file'

The IMGspider plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'uploadimgfile' function in all versions up to, and including, 2.3.10. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload...

8.8CVSS7.7AI score0.00939EPSS
Exploits0References3
CVE
CVE
added 2024/06/19 8:33 a.m.57 views

CVE-2024-4632

CVE-2024-4632 affects the WooCommerce Checkout & Funnel Builder by CartFlows plugin for WordPress. Stored XSS via the custom_upload_mimes function is possible in versions up to 2.0.7, exploitable by authenticated attackers with Contributor+ privileges to inject scripts executed on user pages. The...

6.4CVSS5.9AI score0.00391EPSS
Exploits0References3
OSV
OSV
added 2024/06/07 3:15 a.m.3 views

CVE-2024-1768

The Clever Fox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's info box block in all versions up to, and including, 25.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

5.4CVSS5.9AI score0.00257EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2024/05/24 12:0 a.m.15 views

The Plus Addons for Elementor < 5.5.3 - Contributor+ Stored XSS

Description The plugin is vulnerable to Stored Cross-Site Scripting via the ‘xaiusername’ parameter due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in page...

6.4CVSS5.8AI score0.00707EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2024/05/16 12:0 a.m.5 views

PT-2024-31916 · WordPress · Rank Math Seo

Name of the Vulnerable Software and Affected Versions: Rank Math SEO with AI Best SEO Tools plugin for WordPress versions up to, and including, 1.0.218 Description: The issue is related to Stored Cross-Site Scripting via the id parameter due to insufficient input sanitization and output escaping...

6.4CVSS5.9AI score0.00371EPSS
Exploits0References7
OSV
OSV
added 2024/04/09 7:15 p.m.3 views

CVE-2024-2311

The Avada theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 7.11.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

5.4CVSS6AI score
Exploits0References5
CVE
CVE
added 2024/04/09 7:5 p.m.43 views

CVE-2023-6694

Beaver Themer (WordPress plugin) contains a Stored XSS in shortcode handling for versions up to 1.4.9, exploitable by authenticated users with contributor+ permissions; the vulnerability allows injection of scripts that execute when pages are viewed. No public patch/mitigation details are provide...

6.4CVSS6AI score0.00334EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2024/03/28 3:15 a.m.3 views

CVE-2024-2091

The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 1.13.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

4.6CVSS6AI score0.00516EPSS
Exploits0References3
OSV
OSV
added 2024/03/27 7:15 a.m.2 views

CVE-2024-2120

The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Post Navigation widget in all versions up to, and including, 3.20.1 due to insufficient input sanitization and output escaping on user supplied...

5.4CVSS7.4AI score
Exploits0References2
Rows per page
Query Builder