15885 matches found
CVE-2023-4620
The Booking Calendar WordPress plugin before 9.7.3.1 does not sanitize and escape some of its booking from data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against administrators...
CVE-2023-4703
The All in One B2B for WooCommerce WordPress plugin through 1.0.3 does not properly validate parameters when updating user details, allowing an unauthenticated attacker to update the details of any user. Updating the password of an Admin user leads to privilege escalation...
CVE-2023-4820
The PowerPress Podcasting plugin by Blubrry WordPress plugin before 11.0.12 does not sanitize and escape the media url field in posts, which could allow users with privileges as low as contributor to inject arbitrary web scripts that could target a site admin or superadmin...
CVE-2023-4950
The Interactive Contact Form and Multi Step Form Builder WordPress plugin before 3.4 does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks...
CVE-2023-4300
The Import XML and RSS Feeds WordPress plugin before 2.1.4 does not filter file extensions for uploaded files, allowing an attacker to upload a malicious PHP file, leading to Remote Code Execution...
CVE-2023-4252
The EventPrime WordPress plugin through 3.2.9 specifies the price of a booking in the client request, allowing an attacker to purchase bookings without payment...
CVE-2018-21003
The buddyforms plugin before 2.2.8 for WordPress has SQL injection...
CVE-2018-18576
The Hustle aka wordpress-popup plugin through 6.0.5 for WordPress allows Directory Traversal to obtain a directory listing via the views/admin/dashboard/ URI...
CVE-2018-6002
The Soundy Background Music plugin 3.9 and below for WordPress has Cross-Site Scripting via soundy-background-music\templates\front-end.php warsoundypreview parameter...
CVE-2018-19346
The u3d plugin 9.3.0.10809 aka plugins\U3DBrowser.fpi in FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service out-of-bounds read or obtain sensitive information via a U3D sample because of a "Data from Faulting Address controls Branch Selection starting...
CVE-2021-28115
The OUGC Feedback plugin before 1.8.23 for MyBB allows XSS via the comment field of feedback during an edit operation...
CVE-2016-10889
The nextgen-gallery plugin before 2.1.57 for WordPress has SQL injection via a gallery name...
CVE-2016-10919
The wassup plugin before 1.9.1 for WordPress has XSS via the Top stats widget or the wassupURI::addsiteurl method, a different vulnerability than CVE-2012-2633...
CVE-2016-10955
The cysteme-finder plugin before 1.4 for WordPress has unrestricted file upload because of incorrect session tracking...
CVE-2016-10874
The wp-database-backup plugin before 4.3.3 for WordPress has CSRF...
CVE-2016-10883
The simple-add-pages-or-posts plugin before 1.7 for WordPress has CSRF for deleting users...
CVE-2016-10928
The onelogin-saml-sso plugin before 2.2.0 for WordPress has a hardcoded @@@nopass@@@ password for just-in-time provisioned users...
CVE-2016-10916
The appointment-booking-calendar plugin before 1.1.24 for WordPress has SQL injection, a different vulnerability than CVE-2015-7319...
CVE-2016-10879
The wp-live-chat-support plugin before 6.2.02 for WordPress has XSS...
CVE-2016-10981
The kento-post-view-counter plugin through 2.8 for WordPress has stored XSS via kentopvcnumberslang, kentopvctodaytext, or kentopvctotaltext...