WordPress WP01 - Path Traversal
Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in wp01ru WP01 allows Path Traversal. This issue affects WP01: from n/a through 2.6.2. id: CVE-2025-30567 info: name: WordPress WP01 - Path Traversal author: s4e-io severity: high description: | Improper...
NewStatPress <=1.0.4 - Cross-Site Scripting
WordPress NewStatPress plugin through 1.0.4 contains a cross-site scripting vulnerability. The plugin utilizes, on lines 28 and 31 of the file "includes/nspsearch.php", several variables from the $_GET scope without sanitation. While WordPress automatically escapes quotes on this scope, the output...
Foxit PDF Reader < 2025.2 Multiple Vulnerabilities
According to its version, the Foxit PDF Reader application (previously named Foxit Reader) installed on the remote Windows host is prior to 2025.2. It is, therefore, affected by multiple vulnerabilities: - A memory corruption vulnerability exists in Foxit Reader 2025.1.0.27937 due to the use of an...
CVE-2023-41697
Cross-Site Request Forgery (CSRF) vulnerability in Nikunj Soni Easy WP Cleaner plugin <= 1.9 versions...
CVE-2019-15836
The wp-ultimate-recipe plugin before 3.12.7 for WordPress has stored XSS...
WordPress Formulario de contacto SalesUp! plugin <= 1.0.14 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Formulario de contacto SalesUp! versions <= 1.0.14...
CVE-2025-2247
The WP-PManager WordPress plugin through 1.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
WordPress Ads Pro plugin <= 5.0 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Trương Hữu Phúc (truonghuuphuc) in WordPress Plugin Ads Pro versions <= 5.0...
CVE-2024-9838 Auto Affiliate Links < 6.4.7 - Admin+ SQL Injection
The Auto Affiliate Links WordPress plugin before 6.4.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks...
CVE-2024-13619
The CVE-2024-13619 entry concerns the WordPress plugin LifterLMS prior to 8.0.1. The vulnerability is a Reflected XSS caused by insufficient sanitisation/escaping of an input parameter before it is echoed back on the page, which could impact high-privilege users such as admins. Public references ...
WordPress Contact Form Widget plugin <= 1.4.6 - Cross Site Request Forgery (CSRF) Vulnerability
Cross Site Request Forgery (CSRF) Vulnerability discovered by 0xd4rk5id3 in WordPress Plugin Contact Form Widget versions <= 1.4.6...
WordPress DyaPress ERP/CRM plugin <= 18.0.2.0 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by LVT-tholv2k (Patchstack Alliance) in WordPress Plugin DyaPress ERP/CRM versions <= 18.0.2.0...
WordPress Vehica Core plugin <= 1.0.97 - Authenticated (Subscriber+) Privilege Escalation vulnerability
Authenticated (Subscriber+) Privilege Escalation vulnerability discovered by Alyudin Nafiie in WordPress Plugin Vehica Core versions <= 1.0.97...
WordPress GB Gallery Slideshow plugin <= 1.3 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Mika in WordPress Plugin GB Gallery Slideshow versions <= 1.3...
CVE-2024-11613
CVE-2024-11613 affects the WordPress File Upload plugin for WordPress, with vulnerable versions up to and including 4.24.15. The flaw arises from insufficient sanitization of the source parameter in wfu_file_downloader.php, allowing an unauthenticated attacker to specify a user-controlled...
WordPress Store Hours for WooCommerce Plugin <= 4.3.20 is vulnerable to Cross Site Scripting (XSS)
Software: Store Hours for WooCommerce; Type: Plugin; Vulnerable versions: <= 4.3.20; Fixed in: 4.3.22; OWASP Top 10: A7 Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-8872; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: 68b70cba0cc7; Credits: vgo0...
CVE-2024-1780 BizCalendar Web <= 1.1.0.25 - Reflected Cross-Site Scripting via 'tab'
The BizCalendar Web plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 1.1.0.25 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...
CVE-2023-32602
Cross-Site Request Forgery (CSRF) vulnerability in LOKALYZE CALL ME NOW plugin <= 3.0 versions...
CVE-2023-29437 WordPress Connections Business Directory Plugin <= 10.4.36 is vulnerable to Cross Site Scripting (XSS)
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Steven A. Zahm Connections Business Directory plugin <= 10.4.36 versions...
WordPress Image and Video Lightbox, Image PopUp Plugin <= 2.1.5 is vulnerable to Cross Site Scripting (XSS)
Software: Image and Video Lightbox, Image PopUp; Type: Plugin; Vulnerable versions: <= 2.1.5; Fixed in: 2.1.6; OWASP Top 10: A7 Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-24004; Patch priority: Low; CVSS severity: Low 5.9; PSID: 4d9c16d4d9c1; Credits...