CVE-2014-9523

Multiple cross-site request forgery CSRF vulnerabilities in the Our Team Showcase our-team-enhanced plugin before 1.3 for WordPress allow remote attackers to hijack the authentication of administrators for requests that 1 change plugin settings via unspecified vectors or 2 conduct cross-site...

CVE-2024-11719

The CVE-2024-11719 entry concerns the tarteaucitron-wp WordPress plugin prior to version 0.3.0, which lacks CSRF checks in certain areas and omits sanitisation and escaping. This could allow a logged-in attacker to trigger a Stored XSS payload via a CSRF attack. The issue is documented across mul...

PT-2025-21432

Name of the Vulnerable Software and Affected Versions: WP DeskLite WordPress plugin versions 1.0.0 and earlier Description: The issue is related to a Reflected Cross-Site Scripting problem. It occurs because a parameter is not properly sanitised and escaped before being outputted back in the page...

PT-2025-21454 · WordPress · Calculated Fields Form

Name of the Vulnerable Software and Affected Versions: Calculated Fields Form WordPress plugin versions prior to 5.2.64 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This can occur even when the unfiltered html capability is...

📄 WordPress Easy Restaurant Manager 1.0 XSS / SQL Injection / IDOR

WordPress Easy Restaurant Manager plugin version 1.0 suffers from persistent cross site scripting, insecure direct object reference, a missing access control, and remote SQL injection vulnerabilities. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ .:. Exploit Title WordPress...

CVE-2024-9230 PowerPress Podcasting < 11.9.18 - Author+ XSS via Podcast URL

The PowerPress Podcasting plugin by Blubrry WordPress plugin before 11.9.18 does not sanitise and escape some of its settings when adding a podcast, which could allow author and above users to perform Stored Cross-Site Scripting attacks...

CVE-2025-32536

CVE-2025-32536 refers to a Reflected Cross-Site Scripting vulnerability in the HTML5 Video Player with Playlist WordPress plugin. The vulnerability affects the plugin version range up to 2.50 (HTML5 Video Player with Playlist). The root cause, as stated in connected documentation, is improper inp...

CVE-2025-2804

The tagDiv Composer plugin for WordPress, used by the Newspaper theme, is vulnerable to Reflected Cross-Site Scripting via the 'accountid' and 'accountusername' parameters in all versions up to, and including, 5.3 due to insufficient input sanitization and output escaping. This makes it possible...

GHSA-72QV-J8VR-XVFV Mattermost Fails to Enforce MFA on Plugin Endpoints

Mattermost versions 10.4.x = 10.4.2, 10.3.x = 10.3.3, 9.11.x = 9.11.8, 10.5.x = 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes...

CVE-2024-13809

The Hero Slider - WordPress Slider Plugin plugin for WordPress is vulnerable to SQL Injection via several parameters in all versions up to, and including, 1.3.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

GHSA-7WRW-R4P8-38RX vulnerabilities

Vulnerabilities for packages: cosign, timoni, flux-source-controller, kubecolor, prometheus-pushgateway, dive, flux-notification-controller, victoriametrics-operator, cluster-autoscaler, kubernetes, k9s, linkerd2-proxy-init, ini-file, terraform-docs, hivemind, modelmesh-runtime-adapter,...

WordPress Yoast SEO Plugin < 1.5.7, 1.6.x < 1.6.4, 1.7.x < 1.7.4 Multiple Vulnerabilities

The WordPress plugin SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:yoast:yoastseo"; if description...

CVE-2024-11895

The WordPress plugin Online Payments – Get Paid with PayPal, Square & Stripe is affected by an Authenticated Stored Cross-Site Scripting (XSS) vulnerability via shortcode attributes in versions up to 3.20.0, caused by insufficient input sanitization and output escaping. This allows authenticated ...

WordPress File Manager Plugin < 7.2.2 Multiple Vulnerabilities

The WordPress plugin SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:webdesi9:filemanager"; if description...

CVE-2021-4394

The Locations plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2.1. This is due to missing or incorrect nonce validation on the saveCustomFields function. This makes it possible for unauthenticated attackers to update custom field meta data via ...

CVE-2021-4337

Sixteen XforWooCommerce Add-On Plugins for WordPress are vulnerable to authorization bypass due to a missing capability check on the wpajaxsvxajaxfactory function in various versions listed below. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to...

WordPress ProfilePress Plugin < 4.15.15 Multiple Vulnerabilities

The WordPress plugin SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:properfraction:profilepress"; if description...

WordPress ProfilePress Plugin < 4.15.0 Multiple Vulnerabilities

The WordPress plugin SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:properfraction:profilepress"; if description...

CVE-2024-13530

The Custom Login Page Styler – Limit Login Attempts – Restrict Content With Login – Redirect After Login – Change Login URL – Sign in , Sign out plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the lpshandledeletealllogs, lpshandledeleteloginlog, and...

CVE-2024-45341 vulnerabilities

Vulnerabilities for packages: k8ssandra-client, kubernetes-event-exporter-fips, prometheus-operator, splunk-otel-collector, wgcf, gitsign, prometheus-alertmanager-fips, git-sync-fips, supercronic, crossplane-provider-keycloak-fips, nsc, jaeger-operator-fips, sftpgo, confluent-common-docker,...