
33446 matches found

CVE
added 3 hours ago, 3 views

CVE-2025-15659

CVE-2025-15659 concerns the WordPress Elizaibots plugin (versions

CVSS 6.5, AI score 5.2
Exploits: 0, References: 1

Cvelist
added 6 hours ago, 4 views

CVE-2016-20071 WordPress 404 Redirection Manager Plugin 1.0 SQL Injection

The 404 Redirection Manager plugin version 1.0 for WordPress contains an unauthenticated SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through unsanitized user input. Attackers can craft GET requests with SQL injection payloa...

CVSS 8.8
Exploits: 0, References: 3

Nuclei
added 11 hours ago, 24 views

WordPress Spreadsheet - Cross-Site Scripting

WordPress Spreadsheet plugin contains a reflected cross-site scripting vulnerability in /dhtmlxspreadsheet/codebase/spreadsheet.php. id: CVE-2013-6281 info: name: WordPress Spreadsheet - Cross-Site Scripting author: random-robbie severity: medium description: | WordPress Spreadsheet plugin contai...

CVSS 4.3, AI score 4.9, EPSS 0.02858
Exploits: 1, References: 5

Nuclei
added 11 hours ago, 15 views

WordPress Contact Form 7 Captcha <0.1.2 - Cross-Site Scripting

WordPress Contact Form 7 Captcha plugin before 0.1.2 contains a reflected cross-site scripting vulnerability. It does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute. id: CVE-2022-2187 info: name: WordPress Contact Form 7 Captcha 0.1.2 - Cross-Site Scripting...

CVSS 6.1, AI score 5.8, EPSS 0.02697
Exploits: 2, References: 5

Nuclei
added 11 hours ago, 42 views

WordPress Japanized for WooCommerce <2.5.5 - Cross-Site Scripting

WordPress Japanized for WooCommerce plugin before 2.5.5 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This...

CVSS 6.1, AI score 6.7, EPSS 0.24611
Exploits: 3, References: 5

Nuclei
added 11 hours ago, 23 views

WordPress e-search <=1.0 - Cross-Site Scripting

WordPress e-search 1.0 and before contains a reflected cross-site scripting vulnerability via titleaz.php which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based...

CVSS 6.1, AI score 6.3, EPSS 0.02155
Exploits: 2, References: 4

Nuclei
added 11 hours ago, 22 views

Joomla! Component & Plugin JE Tooltip 1.0 - Local File Inclusion

A directory traversal vulnerability in the JE Form Creator com_jeformcr component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via directory traversal sequences in the view parameter to index.php. NOTE -- the original researcher states that the...

CVSS 4.3, AI score 5.5, EPSS 0.02036
Exploits: 1, References: 5

Nuclei
added 11 hours ago, 21 views

WordPress Welcart e-Commerce <2.8.5 - Arbitrary File Access

WordPress Welcart e-Commerce plugin before 2.8.5 is susceptible to arbitrary file access. The plugin does not validate user input before using it to output the content of a file, which can allow an attacker to read arbitrary files on the server, obtain sensitive information, modify data, and/or...

CVSS 7.5, AI score 7.6, EPSS 0.31408
Exploits: 2, References: 3

Nuclei
added 11 hours ago, 23 views

WordPress GTranslate <2.8.52 - Cross-Site Scripting

WordPress GTranslate plugin before 2.8.52 contains an unauthenticated reflected cross-site scripting vulnerability via a crafted link. This requires use of the hreflang tags feature within a sub-domain or sub-directory paid option. id: CVE-2020-11930 info: name: WordPress GTranslate 2.8.52 -...

CVSS 6.1, AI score 5.8, EPSS 0.04451
Exploits: 1, References: 5

Nuclei
added 11 hours ago, 19 views

Show all comments < 7.0.1 - Cross-Site Scripting

The Show All Comments WordPress plugin before 7.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against logged-in high-privilege users such as admin. id: CVE-2022-4295 info: name: Show all commen...

CVSS 6.1, AI score 6.1, EPSS 0.14159
Exploits: 2, References: 3

Nuclei
added 11 hours ago, 26 views

Header Footer Code Manager < 1.1.24 - Cross-Site Scripting

The Header Footer Code Manager WordPress plugin before 1.1.24 does not escape generated URLs before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting. id: CVE-2022-0899 info: name: Header Footer Code Manager 1.1.24 - Cross-Site Scripting author:...

CVSS 6.1, AI score 6.2, EPSS 0.18096
Exploits: 2, References: 2

Nuclei
added 11 hours ago, 18 views

WordPress Master Elements <=8.0 - SQL Injection

WordPress Master Elements plugin through 8.0 contains a SQL injection vulnerability. The plugin does not validate and escape the meta_ids parameter of its remove_post_meta_condition AJAX action, available to both unauthenticated and authenticated users, before using it in a SQL statement. An attacker...

CVSS 9.8, AI score 8.8, EPSS 0.68228
Exploits: 2, References: 5

Nuclei
added 11 hours ago, 23 views

WordPress HTML2WP <=1.0.0 - Arbitrary File Upload

WordPress HTML2WP plugin through 1.0.0 contains an arbitrary file upload vulnerability. The plugin does not perform authorization and CSRF checks when importing files and does not validate them. As a result, an attacker can upload arbitrary files on the remote server. id: CVE-2022-1574 info: name...

CVSS 9.8, AI score 8.6, EPSS 0.76858
Exploits: 2, References: 4

Nuclei
added 11 hours ago, 13 views

WordPress Gwyn's Imagemap Selector <=0.3.3 - Cross-Site Scripting

WordPress Gwyn's Imagemap Selector plugin 0.3.3 and prior contains a reflected cross-site scripting vulnerability. It does not sanitize the id and class parameters before returning them back in attributes. id: CVE-2022-1221 info: name: WordPress Gwyn's Imagemap Selector =0.3.3 - Cross-Site...

CVSS 6.1, AI score 5.8, EPSS 0.03252
Exploits: 1, References: 4

Nuclei
added 11 hours ago, 26 views

Unyson < 2.7.27 - Cross Site Scripting

The plugin does not sanitise and escape the QUERY_STRING before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in browsers which do not encode characters id: CVE-2022-2219 info: name: Unyson 2.7.27 - Cross Site Scripting author: r3Y3r53 severity: high description:...

CVSS 7.2, AI score 7, EPSS 0.05802
Exploits: 2, References: 3

Nuclei
added 11 hours ago, 21 views

WordPress Ninja Job Board < 1.3.3 - Direct Request

WordPress Ninja Job Board plugin prior to 1.3.3 is susceptible to a direct request vulnerability. The plugin does not protect the directory where it stores uploaded resumes, making it vulnerable to unauthenticated directory listing which allows the download of uploaded resumes. id: CVE-2022-2544...

CVSS 7.5, AI score 7.3, EPSS 0.34469
Exploits: 2, References: 5

Nuclei
added 11 hours ago, 24 views

WordPress Awin Data Feed <=1.6 - Cross-Site Scripting

WordPress Awin Data Feed plugin 1.6 and prior contains a cross-site scripting vulnerability. It does not sanitize and escape a parameter before outputting it back via an AJAX action, available to both unauthenticated and authenticated users. id: CVE-2022-1937 info: name: WordPress Awin Data Feed...

CVSS 6.1, AI score 5.9, EPSS 0.05048
Exploits: 1, References: 4

Nuclei
added 11 hours ago, 24 views

AdPush < 1.44 - Cross-Site Scripting

The adsense-plugin aka Google AdSense plugin before 1.44 for WordPress has multiple XSS issues. id: CVE-2017-18487 info: name: AdPush 1.44 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The adsense-plugin aka Google AdSense plugin before 1.44 for WordPress has multip...

CVSS 6.1, AI score 6, EPSS 0.00271
Exploits: 1, References: 4

Nuclei
added 11 hours ago, 24 views

Updater by BestWebSoft < 1.35 - Cross-Site Scripting

The updater plugin before 1.35 for WordPress has multiple XSS issues. id: CVE-2017-18565 info: name: Updater by BestWebSoft 1.35 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The updater plugin before 1.35 for WordPress has multiple XSS issues. impact: | Authenticat...

CVSS 6.1, AI score 6, EPSS 0.00097
Exploits: 1, References: 4

Nuclei
added 11 hours ago, 18 views

User Role by BestWebSoft < 1.5.6 - Cross-Site Scripting

The user-role plugin before 1.5.6 for WordPress has multiple XSS issues. id: CVE-2017-18566 info: name: User Role by BestWebSoft 1.5.6 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The user-role plugin before 1.5.6 for WordPress has multiple XSS issues. impact: |...

CVSS 6.1, AI score 6, EPSS 0.00097
Exploits: 1, References: 4