10 matches found
CVE-2026-1317
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the filename parameter which is stored in the database during file upload and later used in raw SQL queri...
CVE-2026-1317
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the filename parameter which is stored in the database during file upload and later used in raw SQL queri...
CVE-2026-1317 WP Import – Ultimate CSV XML Importer for WordPress <= 7.37 - Authenticated (Subscriber+) SQL Injection via File Name
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the filename parameter which is stored in the database during file upload and later used in raw SQL queri...
CVE-2026-1317 WP Import – Ultimate CSV XML Importer for WordPress <= 7.37 - Authenticated (Subscriber+) SQL Injection via File Name
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the filename parameter which is stored in the database during file upload and later used in raw SQL queri...
EUVD-2026-3148
The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection XXE in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve code execution in...
CVE-2025-14478 Demo Importer Plus <= 2.0.9 - Authenticated (Author+) Blind XML External Entity Injection via SVG File Upload
The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection XXE in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve code execution in...
CVE-2025-14478
The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection XXE in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve code execution in...
CVE-2023-2288
The Otter WordPress plugin before 2.2.6 does not sanitize some user-controlled file paths before performing file operations on them. This leads to a PHAR deserialization vulnerability on PHP 8.0 using the phar:// stream wrapper...
CVE-2024-5674
The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the checkapikey function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete...
PT-2023-18747 · WordPress · Otter
Name of the Vulnerable Software and Affected Versions: Otter WordPress plugin versions prior to 2.2.6 Description: The issue arises from the plugin's failure to sanitize user-controlled file paths, leading to a PHAR deserialization vulnerability. This vulnerability can be exploited on PHP version...