586 matches found
CVE-2021-25087
The Download Manager WordPress plugin before 3.2.35 does not have any authorisation checks in some of the REST API endpoints, allowing unauthenticated attackers to call them, which could lead to sensitive information disclosure, such as posts passwords (fixed in 3.2.24) and files Master Keys (fixed ...
CVE-2020-35037
The Events Manager WordPress plugin before 5.9.8 does not sanitise and escape some search parameters before outputting them in pages, which could lead to Cross-Site Scripting issues...
CVE-2012-6628
Multiple cross-site scripting (XSS) vulnerabilities in the Newsletter Manager plugin before 1.0.2 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) xyzemcampName to admin/createcampaign.php or (2) admin/editcampaign.php, (3) xyzememail parameter to admin/editemail.ph...
CVE-2017-20091
A vulnerability was found in File Manager Plugin 3.0.1. It has been classified as problematic. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely...
CVE-2019-15868
The affiliates-manager plugin before 2.6.6 for WordPress has CSRF...
CVE-2013-7477
The events-manager plugin before 5.5.2 for WordPress has XSS in the booking form...
CVE-2015-9298
The events-manager plugin before 5.6 for WordPress has code injection...
CVE-2012-6713
The job-manager plugin before 0.7.19 for WordPress has multiple XSS issues...
CVE-2013-7478
The events-manager plugin before 5.5 for WordPress has XSS via EMTicket::getpost...
CVE-2019-15889
The download-manager plugin before 2.9.94 for WordPress has XSS via the category shortcode feature, as demonstrated by the orderby or searchpublishdate parameter...
CVE-2017-20095
A vulnerability classified as critical was found in Simple Ads Manager Plugin. This vulnerability affects unknown code. The manipulation leads to code injection. The attack can be initiated remotely...
CVE-2012-6627
Cross-site scripting (XSS) vulnerability in admin/testmail.php in the Newsletter Manager plugin 1.0.2 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter...
CVE-2015-9300
The events-manager plugin before 5.5.7 for WordPress has multiple XSS issues...
CVE-2015-9467
The broken-link-manager plugin before 0.5.0 for WordPress has wpslDelURL or wpslEditURL SQL injection via the url parameter...
CVE-2017-20093
A vulnerability, which was classified as problematic, was found in Download Manager Plugin 2.8.99. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely...
CVE-2012-6716
The events-manager plugin before 5.1.7 for WordPress has XSS via JSON call links...
CVE-2015-9299
The events-manager plugin before 5.5.7.1 for WordPress has DOM XSS...
Cross-site Scripting (XSS)
Overview: couleurcitron/tarteaucitron-wp is a cookie manager WordPress plugin. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the addition of HTML into a post/page. An attacker can manipulate web content or hijack user sessions by injecting malicious scripts into t...
CVE-2024-8284
CVE-2024-8284 affects the WordPress plugin Download Manager (versions before 3.2.99). The issue stems from insufficient sanitisation/escaping of certain settings, enabling stored XSS by high-privilege users (e.g., editors) even when unfiltered_html is disallowed. Red Hat’s advisory aligns with th...
PT-2025-21264 · WordPress · Advanced-File-Manager-Pro-Premium +1
Name of the Vulnerable Software and Affected Versions: File Manager Advanced Shortcode WordPress plugin versions up to, and including, 2.5.4; advanced-file-manager-pro-premium versions up to, and including, 2.5.6. Description: The issue allows authenticated attackers with Administrator-level access...