Smash Balloon Social Post Feed < 4.1.1 - Authenticated Reflected Cross-Site Scripting

The plugin was affected by a reflected XSS in custom-facebook-feed in cff-top admin page. id: CVE-2021-25065 info: name: Smash Balloon Social Post Feed 4.1.1 - Authenticated Reflected Cross-Site Scripting author: Harsh severity: medium description: | The plugin was affected by a reflected XSS in...

WooCommerce PDF Invoices & Packing Slips WordPress Plugin < 2.10.5 - Cross-Site Scripting

The Wordpress plugin WooCommerce PDF Invoices & Packing Slips before 2.10.5 does not escape the tab and section parameters before reflecting it an attribute, leading to a reflected cross-site scripting in the admin dashboard. id: CVE-2021-24991 info: name: WooCommerce PDF Invoices & Packing Slips...

Registrations for The Events Calendar < 2.7.5 - Authenticated Reflected Cross-Site Scripting

The Registrations for the Events Calendar WordPress plugin before 2.7.5 does not escape the v parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting id: CVE-2021-24876 info: name: Registrations for The Events Calendar 2.7.5 - Authenticated Reflected...

SupportCandy < 2.2.7 - Reflected Cross-Site Scripting

The SupportCandy WordPress plugin before 2.2.7 does not sanitise and escape the query string before outputting it back in pages with the wpsccreateticket shortcode embed, leading to a Reflected Cross-Site Scripting issue id: CVE-2021-24878 info: name: SupportCandy 2.2.7 - Reflected Cross-Site...

WordPress Like Button Rating <2.6.32 - Server-Side Request Forgery

WordPress Like Button Rating plugin before 2.6.32 is susceptible to server-side request forgery. An attacker can obtain sensitive information, modify data, and/or execute unauthorized operations. id: CVE-2021-24150 info: name: WordPress Like Button Rating 2.6.32 - Server-Side Request Forgery...

WordPress Ninja Forms <3.4.34 - Open Redirect

WordPress Ninja Forms plugin before 3.4.34 contains an open redirect vulnerability via the wpajaxnfoauthconnect AJAX action, due to the use of a user-supplied redirect parameter and no protection in place. An attacker can redirect a user to a malicious site and possibly obtain sensitive...

WordPress Select All Categories and Taxonomies <1.3.2 - Cross-Site Scripting

WordPress Select All Categories and Taxonomies plugin before 1.3.2 contains a cross-site scripting vulnerability. The settings page of the plugin does not properly sanitize the tab parameter before outputting it back. An attacker can inject arbitrary script in the browser of an unsuspecting user ...

WordPress Advanced Order Export For WooCommerce <3.1.8 - Authenticated Cross-Site Scripting

WordPress Advanced Order Export For WooCommerce plugin before 3.1.8 contains an authenticated cross-site scripting vulnerability via the tab parameter in the admin panel. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can...

Tom M8te (tom-m8te) Plugin 1.5.3 - Directory Traversal

Directory traversal vulnerability in the Tom M8te tom-m8te plugin 1.5.3 for WordPress allows remote attackers to read arbitrary files via the file parameter to tom-download-file.php. id: CVE-2014-5187 info: name: Tom M8te tom-m8te Plugin 1.5.3 - Directory Traversal author: DhiyaneshDK severity:...

WordPress RobotCPA 5 - Directory Traversal

The RobotCPA plugin 5 for WordPress has directory traversal via the f.php l parameter. id: CVE-2015-9480 info: name: WordPress RobotCPA 5 - Directory Traversal author: daffainfo severity: high description: The RobotCPA plugin 5 for WordPress has directory traversal via the f.php l parameter...

WordPress AJAX Random Post <=2.00 - Cross-Site Scripting

WordPress AJAX Random Post 2.00 is vulnerable to reflected cross-site scripting. id: CVE-2016-1000127 info: name: WordPress AJAX Random Post =2.00 - Cross-Site Scripting author: daffainfo severity: medium description: WordPress AJAX Random Post 2.00 is vulnerable to reflected cross-site scripting...

WordPress My Calendar <= 3.1.9 - Cross-Site Scripting

WordPress plugin My Calendar = 3.1.10 or apply the vendor-provided patch to fix the XSS vulnerability. reference: - https://wpscan.com/vulnerability/9267 - https://wordpress.org/plugins/my-calendar/developers - https://nvd.nist.gov/vuln/detail/CVE-2019-15713 -...

Social Login by BestWebSoft < 0.2 - Cross-Site Scripting

The social-login-bws plugin before 0.2 for WordPress has multiple XSS issues. id: CVE-2017-18501 info: name: Social Login by BestWebSoft 0.2 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The social-login-bws plugin before 0.2 for WordPress has multiple XSS issues...

Pagination by BestWebSoft < 1.0.7 - Cross-Site Scripting

The pagination plugin before 1.0.7 for WordPress has multiple XSS issues. id: CVE-2017-18527 info: name: Pagination by BestWebSoft 1.0.7 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The pagination plugin before 1.0.7 for WordPress has multiple XSS issues. impact: |...

Magento Mass Importer <0.7.24 - Remote Auth Bypass

Magento Mass Importer aka MAGMI versions prior to 0.7.24 are vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure. id: CVE-2020-5777 info: name: Magento Mass Importer 0.7.24 - Remote Auth Bypass author: dwisiswant0...

WordPress Tidio Gallery <=1.1 - Cross-Site Scripting

WordPress plugin tidio-gallery v1.1 contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication...

WordPress Hero Maps Pro 2.1.0 - Cross-Site Scripting

WordPress Hero Maps Pro 2.1.0 contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials...

Google Maps by BestWebSoft < 1.3.6 - Cross-Site Scripting

The bws-google-maps plugin before 1.3.6 for WordPress has multiple XSS issues. id: CVE-2017-18557 info: name: Google Maps by BestWebSoft 1.3.6 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The bws-google-maps plugin before 1.3.6 for WordPress has multiple XSS issues...

WordPress Simpel Reserveren <=3.5.2 - Cross-Site Scripting

WordPress plugin Simpel Reserveren 3.5.2 and before contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based...

AdPush < 1.44 - Cross-Site Scripting

The adsense-plugin aka Google AdSense plugin before 1.44 for WordPress has multiple XSS issues. id: CVE-2017-18487 info: name: AdPush 1.44 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The adsense-plugin aka Google AdSense plugin before 1.44 for WordPress has multip...