36 matches found

Positive Technologies | added 2026/01/12 12:00 a.m. | 2 views

PT-2026-1747

Name of the Vulnerable Software and Affected Versions: The Quiz Maker WordPress plugin, versions prior to 6.7.0.89. Description: The software does not properly sanitize and escape certain settings, potentially allowing users with high privileges, such as administrators, to carry out Stored Cross-Site...

CVSS 4.8 | AI score 4.7 | EPSS 0.00014
Exploits 0 | References 4
Positive Technologies | added 2025/10/30 12:00 a.m. | 1 view

PT-2025-44373

Name of the Vulnerable Software and Affected Versions: The NS Maintenance Mode for WP WordPress plugin, versions through 1.3.1. Description: The plugin does not properly sanitize and escape certain settings, potentially allowing users with high privileges, such as administrators, to carry out Stored...

CVSS 3.5 | AI score 4.9 | EPSS 0.00024
Exploits 0 | References 6
EUVD | added 2025/10/03 8:07 p.m. | 1 view

EUVD-2022-34349

Malicious code in bioql PyPI...

CVSS 4.9 | AI score 5.2 | EPSS 0.00292
Exploits 2 | References 2
EUVD | added 2025/10/03 8:07 p.m. | 4 views

EUVD-2022-25053

Malicious code in bioql PyPI...

CVSS 4.8 | AI score 5.1 | EPSS 0.02509
Exploits 2 | References 1
EUVD | added 2025/10/03 8:07 p.m. | 3 views

EUVD-2023-58536

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 6.3 | EPSS 0.00328
Exploits 2 | References 1
RedhatCVE | added 2025/05/22 2:44 a.m. | 5 views

CVE-2010-5296

wp-includes/capabilities.php in WordPress before 3.0.2, when a Multisite configuration is used, does not require the Super Admin role for the delete_users capability, which allows remote authenticated administrators to bypass intended access restrictions via a delete action...

CVSS 4.9 | AI score 6.5 | EPSS 0.00404
Exploits 1 | References 1
OSV | added 2025/03/09 6:15 a.m. | 0 views

CVE-2025-1363

The URL Shortener | Conversion Tracking | AB Testing | WooCommerce WordPress plugin through 9.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is...

CVSS 3.5 | AI score 7.3
Exploits 0 | References 1
Cvelist | added 2024/08/05 6:00 a.m. | 20 views

CVE-2024-3636 Pinpoint Booking System < 2.9.9.4.8 - Admin+ Stored XSS

The Pinpoint Booking System WordPress plugin before 2.9.9.4.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

EPSS 0.00388
Exploits 1 | References 1
Cvelist | added 2024/07/30 6:00 a.m. | 19 views

CVE-2024-5807 Business Card <= 1.0.0 - Admin+ File Upload

The Business Card WordPress plugin through 1.0.0 does not prevent high privilege users like administrators from uploading malicious PHP files, which could allow them to run arbitrary code on servers hosting their site, even in MultiSite configurations...

EPSS 0.00674
Exploits 1 | References 1
OSV | added 2024/05/31 6:15 a.m. | 0 views

CVE-2024-4469

The WP STAGING WordPress Backup Plugin WordPress plugin before 3.5.0 does not prevent users with the administrator role from using its ping feature to conduct SSRF attacks, which may be a problem in multisite configurations...

CVSS 7.5 | AI score 5.7
Exploits 0 | References 1
CVE | added 2024/04/25 9:25 p.m. | 57 views

CVE-2024-3265

The CVE-2024-3265 entry affects the WordPress plugin Advanced Search (versions up to and including 1.1.6). The root cause is improper escaping of parameters appended to an SQL query, which can enable SQL injection in multisite WordPress configurations when performed by users with the administr...

CVSS 4.7 | AI score 9.6 | EPSS 0.00132
Exploits 2 | References 1 | Affected Software 1
Vulnrichment | added 2024/04/25 9:25 p.m. | 18 views

CVE-2024-3265 WP Advanced Search <= 1.1.6 - Admin+ SQL Injection

The Advanced Search WordPress plugin through 1.1.6 does not properly escape parameters appended to an SQL query, making it possible for users with the administrator role to conduct SQL injection attacks in the context of a multisite WordPress configuration...

AI score 7.8 | EPSS 0.00132
Exploits 2 | References 1
Prion | added 2024/02/12 4:15 p.m. | 17 views

Server-side request forgery (SSRF)

The Popup Builder WordPress plugin before 4.2.6 does not validate a parameter before making a request to it, which could allow users with the administrator role to perform SSRF attacks in Multisite WordPress configurations...

AI score 7 | EPSS 0.00328
Exploits 2 | References 1
CNNVD | added 2024/02/12 12:00 a.m. | 3 views

WordPress Plugin Popup Builder Security Vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP that supports personal blogs on PHP and MySQL servers. A WordPress plugin is an application...

CVSS 7.5 | AI score 6.5 | EPSS 0.00328
Exploits 2 | References 2
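The Popup Builder and WP STAGING entries above describe the same SSRF shape: a URL taken from the request is handed to the HTTP client without validation, so the server will fetch loopback, RFC 1918 or cloud-metadata addresses on the administrator's behalf. On a single site that is not a privilege boundary, because an administrator can already install plugins; on multisite a site administrator cannot, so the plugin's HTTP client becomes the only route to the host's network position. The PHP below is an added illustration written for this listing, not code from either plugin; the AJAX action acme_fetch_remote, the helper names and the manage_options capability gate are assumptions.

```php
<?php
// Added illustration for this listing, not code from Popup Builder or WP STAGING.
// The AJAX action acme_fetch_remote, the helper names and the manage_options
// capability check are assumptions.

// --- Vulnerable shape: the request parameter is fetched as given -----------
// wp_remote_get() will request http://127.0.0.1:8080/, http://169.254.169.254/
// (cloud metadata) or an internal hostname just as readily as a public URL.
function acme_fetch_remote_vulnerable() {
    $url  = isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '';
    $resp = wp_remote_get( $url );
    wp_send_json( array( 'body' => wp_remote_retrieve_body( $resp ) ) );
}

// Link-local (169.254.0.0/16) is not among the ranges wp_http_validate_url()
// rejects, so it is checked explicitly here. Resolution happens again inside the
// HTTP client, so a DNS name that rebinds between the two lookups can still slip
// past this check; treat it as a reduction of exposure, not a guarantee.
function acme_is_link_local( $host ) {
    $ip = filter_var( $host, FILTER_VALIDATE_IP ) ? $host : gethostbyname( $host );
    return (bool) preg_match( '/^169\.254\./', $ip );
}

// --- Hardened shape ---------------------------------------------------------
function acme_fetch_remote() {
    check_ajax_referer( 'acme_fetch_remote' );                // CSRF token
    if ( ! current_user_can( 'manage_options' ) ) {          // capability gate
        wp_send_json_error( 'forbidden', 403 );
    }
    $url    = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    $host   = wp_parse_url( $url, PHP_URL_HOST );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) || empty( $host ) ) {
        wp_send_json_error( 'bad url', 400 );
    }
    if ( acme_is_link_local( $host ) ) {
        wp_send_json_error( 'link-local target', 400 );
    }
    // wp_safe_remote_get() sets reject_unsafe_urls, which runs wp_http_validate_url():
    // credentials in the URL, ports other than 80/443/8080, and hosts resolving to
    // 127/8, 10/8, 172.16/12 or 192.168/16 are refused unless a plugin opts them in
    // through the http_request_host_is_external filter. Redirects are disabled so
    // the target cannot bounce the request somewhere the check never saw.
    $resp = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $resp ) ) {
        wp_send_json_error( $resp->get_error_message(), 400 );
    }
    // Return only what the caller needs, not the raw body of an arbitrary host.
    wp_send_json_success( array( 'status' => wp_remote_retrieve_response_code( $resp ) ) );
}
add_action( 'wp_ajax_acme_fetch_remote', 'acme_fetch_remote' );
```

The two checks that make the difference are the scheme allow-list and the switch from wp_remote_get() to wp_safe_remote_get(); the nonce and capability gate are there because an unauthenticated or low-privilege caller would otherwise turn an "Admin+" issue into a much broader one.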
OSV | added 2023/08/14 8:15 p.m. | 1 view

CVE-2023-3721

The WP-EMail WordPress plugin before 2.69.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

CVSS 4.8 | AI score 5.8
Exploits 0 | References 1
Cvelist | added 2023/07/28 3:18 p.m. | 28 views

CVE-2023-38498 Discourse vulnerable to DoS via defer queue

Discourse is an open source discussion platform. Prior to version 3.0.6 of the stable branch and version 3.1.0.beta7 of the beta and tests-passed branches, a malicious user can prevent the defer queue from proceeding promptly on sites hosted in the same multisite installation. The issue is patche...

CVSS 4.3 | AI score 6.5 | EPSS 0.00158
Exploits 2 | References 2
CVE | added 2023/07/28 3:18 p.m. | 99 views

CVE-2023-38498

Discourse (open source forum software) is affected by CVE-2023-38498. Prior to Discourse 3.0.6 (stable) and 3.1.0.beta7 (beta/tests-passed), a malicious user can prevent the defer queue from progressing promptly for other sites hosted in the same multisite installation. The vulnerability is fixed in 3.0.6 (st...

CVSS 6.5 | AI score 5.2 | EPSS 0.00158
Exploits 2 | References 2 | Affected Software 1
WPVulnDB | added 2023/02/13 12:00 a.m. | 22 views

Simple Yearly Archive < 2.1.9 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

CVSS 5.9 | AI score 4.8 | EPSS 0.00207
Exploits 0 | Affected Software 1
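Six of the entries above (Quiz Maker, NS Maintenance Mode, URL Shortener, Pinpoint Booking System, WP-EMail, Simple Yearly Archive) are the same defect: a plugin setting is saved and rendered without sanitising or escaping. That is a privilege boundary only where the administrator does not hold unfiltered_html, which is the default on multisite (core grants the capability to super admins alone) and anywhere DISALLOW_UNFILTERED_HTML is defined; a single-site administrator who can already install plugins gains nothing from it. The PHP below is an added illustration written for this listing, not code from any of those plugins; the acme_banner prefix, the option name acme_banner_html and the settings group are assumptions.

```php
<?php
// Added illustration for this listing, not code from any plugin named above.
// The acme_banner prefix, the option name acme_banner_html and the settings
// group are assumptions.

// --- Vulnerable shape ---------------------------------------------------------
// Stored verbatim, echoed verbatim. Whether the submitting admin holds
// unfiltered_html never enters the picture, so on multisite (where only super
// admins hold it) or with DISALLOW_UNFILTERED_HTML set, a site admin still lands
// a persistent <script> in every page that renders the banner.
function acme_banner_save_vulnerable() {
    if ( isset( $_POST['banner_html'] ) ) {
        update_option( 'acme_banner_html', wp_unslash( $_POST['banner_html'] ) );
    }
}
function acme_banner_render_vulnerable() {
    echo '<div class="acme-banner">' . get_option( 'acme_banner_html', '' ) . '</div>';
}

// --- Hardened shape -----------------------------------------------------------
// Sanitize on write: the callback is hooked by register_setting() and runs for
// every update_option() of this option, whichever form submitted it. It mirrors
// the capability model core applies to post content: unfiltered_html holders
// keep their markup, everyone else is reduced to the wp_kses_post() tag set.
function acme_banner_sanitize( $value ) {
    $value = (string) $value;
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    return wp_kses_post( $value );
}
add_action( 'admin_init', function () {
    register_setting(
        'acme_banner_group',
        'acme_banner_html',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'acme_banner_sanitize',
            'default'           => '',
        )
    );
} );

// Escape on output, for the context the value lands in. This layer stands on its
// own: if a raw value ever reaches the option through another path, it still
// cannot execute here.
function acme_banner_render() {
    echo '<div class="acme-banner">' . wp_kses_post( get_option( 'acme_banner_html', '' ) ) . '</div>';
}
function acme_banner_settings_field() {
    // Inside a <textarea> the right escaper is esc_textarea(), not wp_kses_post().
    echo '<textarea name="acme_banner_html">' . esc_textarea( get_option( 'acme_banner_html', '' ) ) . '</textarea>';
}
```

The advisory wording "sanitise and escape" is deliberate: sanitising on write and escaping on output are independent controls, and the plugins listed here lack both. For a plain-text setting the same structure applies with sanitize_text_field() as the callback and esc_html() or esc_attr() at output.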
OSV | added 2022/12/26 1:15 p.m. | 0 views

CVE-2022-4157

The Contest Gallery WordPress plugin before 19.1.5.1 and Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cgoptionid POST parameter before concatenating it to an SQL query in export-votes-all.php. This may allow malicious users with administrator privileges, i.e. on multisite...

CVSS 4.9 | AI score 5.9 | EPSS 0.00818
Exploits 2 | References 2
Prion | added 2022/12/26 1:15 p.m. | 16 views

Cross-site request forgery (CSRF)

The Contest Gallery WordPress plugin before 19.1.5.1 and Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the wpuserid GET parameter before concatenating it to an SQL query in management-show-user.php. This may allow malicious users with administrator privileges, i.e. on multisite...

CVSS 3.3 | AI score 5.2 | EPSS 0.01348
Exploits 2 | References 2 | Affected Software 1
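The Advanced Search (CVE-2024-3265) and Contest Gallery entries above all describe a request parameter concatenated straight into an SQL string. As with the other "Admin+" issues on this page, the reason the advisories single out multisite is that a site administrator there has no legitimate path to the database, so the injection is a real escalation towards super-admin data in the shared tables. The PHP below is an added illustration written for this listing, not code from either plugin; the table name acme_votes, the user_id and order_by parameters and the function names are assumptions.

```php
<?php
// Added illustration for this listing, not code from Advanced Search or Contest
// Gallery. The acme_votes table, the parameter names and the functions are
// assumptions.

// --- Vulnerable shape: the parameter becomes part of the SQL text -------------
function acme_votes_for_user_vulnerable() {
    global $wpdb;
    $user_id = isset( $_GET['user_id'] ) ? $_GET['user_id'] : '0';
    // "1 OR 1=1" or "0 UNION SELECT user_login, user_pass FROM {$wpdb->users}"
    // is accepted as-is and executed with the site's database credentials.
    $sql = "SELECT vote_id, score FROM {$wpdb->prefix}acme_votes WHERE user_id = " . $user_id;
    return $wpdb->get_results( $sql );
}

// --- Hardened shape ------------------------------------------------------------
function acme_votes_for_user() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        return array();
    }
    // Cast first: an integer cannot carry SQL metacharacters...
    $user_id = isset( $_GET['user_id'] ) ? absint( $_GET['user_id'] ) : 0;
    // ...and still go through prepare(), so the query shape is fixed before any
    // value is interpolated. %d and %s are the value placeholders wpdb supports.
    $sql = $wpdb->prepare(
        "SELECT vote_id, score FROM {$wpdb->prefix}acme_votes WHERE user_id = %d",
        $user_id
    );
    return $wpdb->get_results( $sql );
}

// Identifiers (column or table names) cannot be passed as %s: prepare() would
// quote them as string literals. Allow-list them instead and keep value
// placeholders for everything else.
function acme_votes_sorted( $order_by ) {
    global $wpdb;
    $allowed = array( 'vote_id', 'score', 'created_at' );
    if ( ! in_array( $order_by, $allowed, true ) ) {
        $order_by = 'vote_id';
    }
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT vote_id, score FROM {$wpdb->prefix}acme_votes ORDER BY `{$order_by}` LIMIT %d",
        100
    ) );
}
```

The allow-list in the last function is the part that is most often skipped: a sort column or table suffix taken from the request is exactly the "parameter appended to an SQL query" the Advanced Search entry describes, and no amount of escaping on the value side fixes it. WordPress 6.2 and later also accept a %i placeholder in prepare() for identifiers, which is the cleaner option where the minimum supported version allows it.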