WordPress Plugin Oxygen Builder Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A security vulnerability exists in WordPres...
CVE-2023-7044
CVE-2023-7044 affects the WordPress plugin Essential Addons for Elementor (Best Elementor Templates, Widgets, Kits & WooCommerce Builders). It is a stored XSS via a custom ID in versions up to and including 5.9.2 caused by insufficient input sanitization and output escaping. Exploitation requires...
Schema & Structured Data for WP & AMP < 1.24 - Contributor+ Stored XSS
Description The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks...
Image Regenerate & Select Crop < 7.3.1 - Sensitive Information Exposure
Description The plugin discloses sensitive information via log files which are publicly accessible...
Hotel Booking Lite < 4.8.5 - Unauthenticated Arbitrary File Download & Deletion
Description The plugin does not validate file paths provided via user input and does not have proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server PoC To download /etc/passwd: curl...
Quiz Maker < 6.4.9.5 - Reflected Cross-Site Scripting
Description The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting PoC Visit the following URL: https://example.com/wp-admin/admin.php?page=quiz-maker-questions%22%3E%3Cscript%3Ealert/xss/%3C/script%3E=something...
WordPress Plugin Add Local Avatar Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A security vulnerability exists in WordPres...
Elementor Addon Elements < 1.12.8 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
WordPress Plugin Products, Order & Customers Export for WooCommerce Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language that supports personal blogs on PHP and MySQL servers. WordPress plugin is an application...
Simple Giveaways < 2.46.1 - CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
The Awesome Feed – Custom Feed <= 2.2.5 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
PT-2023-29909 · Brainstorm Force · Ultimate Addons For Wpbakery Page Builder
Name of the Vulnerable Software and Affected Versions: Brainstorm Force Ultimate Addons for WPBakery Page Builder plugin versions = 3.19.14 Description: The issue is related to a Stored Cross-Site Scripting XSS vulnerability. It affects users with contributor or higher permissions. There is no...
Article Analytics <= 1.0 - Unauthenticated SQL injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection vulnerability. PoC On a WordPress blog using MySQL the following PoC allows extraction of the hash of the...
Simple Tweet <= 1.4.0.2 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
WordPress Plugin wp-report-post Cross-Site Scripting Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting vulnerability...
Product Category Tree <= 2.5 - CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
PT-2023-29819 · Unknown · Qwerty23 Rocket Font Plugin
Name of the Vulnerable Software and Affected Versions: Qwerty23 Rocket Font plugin versions 1.2.3 and earlier Description: The issue is related to a Cross-Site Request Forgery CSRF vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a...
CVE-2023-4402
The WordPress Essential Blocks plugin (versions up to and including 4.2.0) is affected by a PHP Object Injection via deserialization of untrusted input in the get_products/get_posts path. The vulnerability allows unauthenticated attackers to inject a PHP Object; exploitation may enable deletion o...
WordPress Plugin Security & Malware scan by CleanTalk Security Breach
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language that supports personal blogs on PHP and MySQL servers. WordPress plugin is an application...
PT-2023-20094 · Ezoic · Ezoic Ampedsense – Adsense Split Tester
Name of the Vulnerable Software and Affected Versions: Ezoic AmpedSense – AdSense Split Tester plugin versions = 4.68 Description: The issue is an Unauth. Reflected Cross-Site Scripting XSS vulnerability. This means that an attacker can inject malicious scripts into a website, potentially allowin...