CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

220312 matches found

WordPress Calendar Event Multi View <1.4.01 - Cross-Site Scripting

WordPress Calendar Event Multi View plugin before 1.4.01 contains an unauthenticated reflected cross-site scripting vulnerability. It does not sanitize or escape the 'start' and 'end' GET parameters before outputting them in the page via php/edit.php. id: CVE-2021-24498 info: name: WordPress...

6.1CVSS6.2AI score0.25481EPSS

Exploits2References4

Nuclei•added yesterday•35 views

WOOF WordPress plugin - Cross-Site Scripting

The WOOF WordPress plugin does not sanitize or escape the woofredrawelements parameter before reflecting it back in an admin page, leading to a reflected cross-site scripting. id: CVE-2021-25085 info: name: WOOF WordPress plugin - Cross-Site Scripting author: Maximus Decimus severity: medium...

6.1CVSS6.3AI score0.03204EPSS

Exploits2References4

Nuclei•added yesterday•9 views

Blinko <= 1.8.3 - Path Traversal via /plugins

Blinko = 1.8.3 contains a path traversal caused by improper path concatenation without verification in the plugin file server endpoint, letting remote attackers access arbitrary files, exploit requires network access. id: CVE-2026-23483 info: name: Blinko = 1.8.3 - Path Traversal via /plugins...

6.9CVSS5.9AI score0.02152EPSS

Exploits0References2

Nuclei•added yesterday•12 views

WP Go Maps <= 9.0.29 - Cross-Site Scripting

WP Go Maps formerly WP Google Maps plugin for WordPress versions before 9.0.30 is vulnerable to Reflected Cross-Site Scripting via the 'mapid' parameter in the admin map edit page. id: CVE-2024-29931 info: name: WP Go Maps = 9.0.29 - Cross-Site Scripting author: Shivam Kamboj severity: medium...

7.1CVSS7.3AI score0.12864EPSS

Exploits0References3

Nuclei•added yesterday•23 views

WordPress Easy Social Icons Plugin < 3.0.9 - Cross-Site Scripting

The Easy Social Icons plugin = 3.0.8 for WordPress echoes out the raw value of $SERVER'PHPSELF' in its main file. On certain configurations including Apache+modPHP this makes it possible to use it to perform a reflected cross-site scripting attack by injecting malicious code in the request path...

6.1CVSS6.3AI score0.13873EPSS

Exploits2References5

Nuclei•added yesterday•11 views

Rank Math SEO <= 1.0.40.2 - Privilege Escalation via Unprotected REST API Endpoint

The Rank Math plugin through 1.0.40.2 for WordPress allows unauthenticated remote attackers to update arbitrary WordPress metadata, including the ability to escalate or revoke administrative privileges for existing users via the unsecured rankmath/v1/updateMeta REST API endpoint. id: CVE-2020-115...

9.8CVSS7.5AI score0.65538EPSS

Exploits2References3

Nuclei•added yesterday•32 views

WordPress Simple Image Manipulator < 1.0 - Local File Inclusion

WordPress Simple Image Manipulator 1.0 is vulnerable to local file inclusion in ./simple-image-manipulator/controller/download.php because no checks are made to authenticate users or sanitize input when determining file location. id: CVE-2015-1000010 info: name: WordPress Simple Image Manipulator...

7.5CVSS7.1AI score0.31974EPSS

Exploits2References4

Nuclei•added yesterday•13 views

Site Reviews < 7.2.5 - Unauthenticated Stored XSS

Site Reviews WordPress plugin before 7.2.5 contains a stored cross-site scripting caused by improper sanitization and escaping of review fields, letting unauthenticated users execute malicious scripts, exploit requires no authentication. id: CVE-2025-1232 info: name: Site Reviews 7.2.5 -...

8.8CVSS7.2AI score0.20938EPSS

Exploits1References3

Nuclei•added yesterday•55 views

WordPress WP Courses Plugin Information Disclosure

WordPress WP Courses Plugin 2.0.29 contains a critical information disclosure which exposes private course videos and materials. id: CVE-2020-26876 info: name: WordPress WP Courses Plugin Information Disclosure author: dwisiswant0 severity: high description: WordPress WP Courses Plugin 2.0.29...

7.5CVSS7.1AI score0.37398EPSS

Exploits1References5

Nuclei•added yesterday•14 views

Download Monitor < 4.4.5 - SQL Injection

The Download Monitor plugin for WordPress is vulnerable to SQL injection via the 'orderby' parameter in versions before 4.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attacker...

7.2CVSS7.1AI score0.02235EPSS

Exploits5References3

Nuclei•added yesterday•18 views

Event Monster <= 1.4.3 - Information Exposure Via Visitors List Export

The Event Monster Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.3 via the Visitors List Export file. During the export, a CSV file is created in the wp-content folder with a hardcoded filename...

5.3CVSS6.4AI score0.54175EPSS

Exploits2References5

Nuclei•added yesterday•91 views

Crypto <= 2.15 - Authentication Bypass

The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due a to limited arbitrary method call to 'cryptoconnectajaxprocess::login' function in the 'cryptoconnectajaxprocess' function. This makes it possible for unauthenticated...

9.8CVSS6AI score0.92893EPSS

Exploits0References5

Nuclei•added yesterday•24 views

Ditty < 3.1.25 - Cross-Site Scripting

The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. id: CVE-2023-4148 info: name: Ditty 3.1.25 ...

6.1CVSS6.9AI score0.12746EPSS

Exploits2References2

Nuclei•added yesterday•12 views

MStore API <= 3.9.1 - Authentication Bypass

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.1. This is due to insufficient verification on the user being supplied during the cart sync from mobile REST API request through the plugin. This makes it possible for unauthenticated...

9.8CVSS7.3AI score0.7226EPSS

Exploits0References3

Nuclei•added yesterday•20 views

Gravity SMTP WordPress Plugin - Sensitive Information Exposure

Gravity SMTP WordPress plugin = 2.1.4 contains a sensitive information exposure caused by an unrestricted REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data, letting unauthenticated attackers retrieve detailed system configuration data, exploit requires no authentication. id:...

7.5CVSS5.8AI score0.12901EPSS

Exploits0References3

Nuclei•added yesterday•14 views

Easy Digital Downloads - Privilege Escalation

Improper Authentication vulnerability in Easy Digital Downloads plugin allows unauth. Privilege Escalation. This issue affects Easy Digital Downloads: from 3.1 through 3.1.1.4.1. id: CVE-2023-30869 info: name: Easy Digital Downloads - Privilege Escalation author: daffainfo severity: critical...

9.8CVSS7.3AI score0.31349EPSS

Exploits0References3

Nuclei•added yesterday•19 views

WordPress Checklist <1.1.9 - Cross-Site Scripting

WordPress Checklist plugin before 1.1.9 contains a cross-site scripting vulnerability. The fill parameter is not correctly filtered in the checklist-icon.php file. id: CVE-2019-16525 info: name: WordPress Checklist 1.1.9 - Cross-Site Scripting author: daffainfo severity: medium description:...

6.1CVSS6.2AI score0.13835EPSS

Exploits2References5

Nuclei•added yesterday•37 views

WordPress Spider Calendar <=1.5.65 - Cross-Site Scripting

WorsPress Spider Calendar plugin through 1.5.65 is susceptible to cross-site scripting. The plugin does not sanitize and escape the callback parameter before outputting it back in the page via the window AJAX action, available to both unauthenticated and authenticated users. An attacker can injec...

6.1CVSS5.9AI score0.01167EPSS

Exploits2References3

Nuclei•added yesterday•21 views

WooCommerce Designer Pro <= 1.9.28 - Arbitrary File Read

WooCommerce Designer Pro theme for WordPress = 1.9.28 contains an arbitrary file read vulnerability caused by improper input validation, letting unauthenticated attackers read arbitrary files including sensitive configuration files, exploit requires no authentication. id: CVE-2025-10897 info: nam...

8.6CVSS5.9AI score0.16252EPSS

Exploits0References2

Nuclei•added yesterday•47 views

WordPress GiveWP <2.17.3 - Cross-Site Scripting

WordPress GiveWP plugin before 2.17.3 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape the formid parameter before returning it in the response of an unauthenticated request via the givecheckoutlogin AJAX action. An attacker can inject arbitrary script in the...

6.1CVSS6.4AI score0.02406EPSS

Exploits2References5

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by