16 matches found
CVE-2025-14719 Relevanssi (Free < 4.26.0, Premium < 2.29.0) - Contributor+ SQLi
The Relevanssi WordPress plugin before 4.26.0 and the Relevanssi Premium WordPress plugin before 2.29.0 do not sanitize and escape a parameter before using it in a SQL statement, allowing contributor and above roles to perform SQL injection attacks...
EUVD-2023-34410
Malicious code in bioql PyPI...
CVE-2024-9645
The Post Grid, Posts Slider, Posts Carousel, Post Filter, Post Masonry WordPress plugin before 2.2.93 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform...
Beaver Builder < 2.7.2.1 - Contributor+ Stored XSS
Description: The plugin does not sanitise and escape some of its settings available to Contributor and above roles, which could allow them to perform Stored Cross-Site Scripting attacks...
Contact Form Generator <= 2.7.1 - Contributor+ SQLi
Description: The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by Contributor roles and above...
PT-2023-19233 · WordPress · Profilepress Membership Team Profilepress
Name of the Vulnerable Software and Affected Versions: ProfilePress Membership Team ProfilePress plugin versions = 4.5.4
Description: The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability requires authentication and affects users with contributor or higher...
PT-2023-16216 · WordPress · Loan Comparison Wordpress Plugin
Name of the Vulnerable Software and Affected Versions: Loan Comparison WordPress plugin versions prior to 1.5.3
Description: The issue arises from the plugin's failure to validate and escape some of its shortcode attributes before outputting them back in a page or post where the shortcode is...
CVE-2021-24842
The Bulk Datetime Change WordPress plugin before 1.12 does not enforce capability checks, which allows users with Contributor roles to (1) list private post titles of other users and (2) change the posted date of other users' posts...
Design/Logic Flaw
The Bulk Datetime Change WordPress plugin before 1.12 does not enforce capability checks, which allows users with Contributor roles to (1) list private post titles of other users and (2) change the posted date of other users' posts...
CVE-2021-24661
The PostX – Gutenberg Blocks for Post Grid WordPress plugin before 2.4.10, with Saved Templates Addon enabled, allows users with Contributor roles or higher to read password-protected or private post contents the user is otherwise unable to read, given the post ID...
Default credentials
The PostX – Gutenberg Blocks for Post Grid WordPress plugin before 2.4.10, with Saved Templates Addon enabled, allows users with Contributor roles or higher to read password-protected or private post contents the user is otherwise unable to read, given the post ID...
CVE-2021-24661 PostX Gutenberg Blocks Saved Templates Addon < 2.4.10 - Private Content Disclosure
The PostX – Gutenberg Blocks for Post Grid WordPress plugin before 2.4.10, with Saved Templates Addon enabled, allows users with Contributor roles or higher to read password-protected or private post contents the user is otherwise unable to read, given the post ID...
CVE-2021-24525 Shortcodes Ultimate < 5.10.2 - Contributor+ Stored XSS
The Shortcodes Ultimate WordPress plugin before 5.10.2 allows users with Contributor roles to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some do escape, most don't, and there are even some attributes that are insecure by...
WordPress WPBakery plugin cross-site scripting vulnerability
WordPress is a blogging platform from the WordPress Foundation developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WPBakery Page Builder is a plugin that is applied to generate an editor on a web page. A cross-site scripting...
CVE-2020-28650
The WPBakery plugin before 6.4.1 for WordPress allows XSS because it calls kses_remove_filters() to disable the standard WordPress XSS protection mechanism for the Author and Contributor roles...
WordPress Cross-Site Scripting Vulnerability (CNVD-2015-05124)
WordPress is a blogging platform developed using the PHP language by the WordPress Software Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A cross-site scripting vulnerability exists in the wp-includes/kses.php and wp-includes/shortcodes.php script...