CVE-2024-8432

The Appointment & Event Booking Calendar Plugin – Webba Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveappearance function in all versions up to, and including, 5.0.48. This makes it possible for authenticated attackers...

CVE-2024-0897

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image URL parameter in all versions up to, and including, 2.7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

CVE-2024-7410

The My Custom CSS PHP & ADS plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.3. This is due the plugin not preventing direct access to the /my-custom-css/vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php file and and the file...

CVE-2024-1091

The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reinitialize function in all versions up to, and including, 3.1.13. This makes it possible for authenticated attackers, with subscriber-level...

CVE-2024-24941

In JetBrains IntelliJ IDEA before 2023.3.3 a plugin for JetBrains Space was able to send an authentication token to an inappropriate URL...

CVE-2024-13652

The ECPay Ecommerce for WooCommerce plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'clearecpaydebuglog' AJAX action in all versions up to, and including, 1.1.2411060. This makes it possible for authenticated attackers, with Subscriber-leve...

CVE-2024-12158

The Popup – MailChimp, GetResponse and ActiveCampaign Intergrations plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'upcdeletedbdata' AJAX action in all versions up to, and including, 3.2.6. This makes it possible for unauthenticated...

CVE-2023-7247

The Login as User or Customer WordPress plugin through 3.8 does not prevent users to log in as any other user on the site...

CVE-2023-6845

The CommentTweets WordPress plugin through 0.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

CVE-2023-2326

The Gravity Forms Google Sheet Connector WordPress plugin before 1.3.5, gsheetconnector-gravityforms-pro WordPress plugin through 1.3.5 does not have CSRF check when updating its Access Code, which could allow attackers to make logged in admin change the access code to an arbitrary one via a CSRF...

CVE-2022-4256

The All-in-One Addons for Elementor WordPress plugin before 2.4.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite...

CVE-2022-4417

The WP Cerber Security, Anti-spam & Malware Scan WordPress plugin before 9.3.3 does not properly block access to the REST API users endpoint when the blog is in a subdirectory, which could allow attackers to bypass the restriction in place and list users...

CVE-2022-0693

The Master Elements WordPress plugin through 8.0 does not validate and escape the metaids parameter of its removepostmetacondition AJAX action available to both unauthenticated and authenticated users before using it in a SQL statement, leading to an unauthenticated SQL Injection...

CVE-2022-2369

The YaySMTP WordPress plugin before 2.2.1 does not have capability check in an AJAX action, allowing any logged in users, such as subscriber to view the Logs of the plugin...

CVE-2022-1600

The YOP Poll WordPress plugin before 6.4.3 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTEADDR, which makes it possible to bypass IP-based limitations to vote in certain situations...

CVE-2021-24455

The Tutor LMS – eLearning and online course solution WordPress plugin before 1.9.2 did not escape the Summary field of Announcements when outputting it in an attribute, which can be created by users as low as Tutor Instructor. This lead to a Stored Cross-Site Scripting issue, which is triggered...

CVE-2021-24464

The YouTube Embed, Playlist and Popup by WpDevArt WordPress plugin before 2.3.9 did not escape, validate or sanitise some of its shortcode options, available to users with a role as low as Contributor, leading to an authenticated Stored Cross-Site Scripting issue...

CVE-2020-19228

An issue was found in bludit v3.13.0, unsafe implementation of the backup plugin allows attackers to upload arbitrary files...

CVE-2019-15822

The wps-child-theme-generator plugin before 1.2 for WordPress has classes/helpers.php directory traversal...

CVE-2019-15865

The breadcrumbs-by-menu plugin before 1.0.3 for WordPress has CSRF...