CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

220446 matches found

WordPress Permalink Manager <2.2.15 - Cross-Site Scripting

WordPress Permalink Manager Lite and Pro plugins before 2.2.15 contain a reflected cross-site scripting vulnerability. They do not sanitize and escape query parameters before outputting them back in the debug page. id: CVE-2022-0201 info: name: WordPress Permalink Manager 2.2.15 - Cross-Site...

6.1CVSS6.2AI score0.17941EPSS

Exploits2References4

Nuclei•added 16 hours ago•25 views

HTML Email Template Designer < 3.1 - Missing Authorization on Rest Route

The WP HTML Mail WordPress plugin is vulnerable to unauthorized access which allows unauthenticated attackers to retrieve and modify theme settings due to a missing capability check on the /themesettings REST-API endpoint found in the /includes/class-template-designer.php file, in versions up to...

8.3CVSS6.6AI score0.50799EPSS

Exploits3References5

Nuclei•added 16 hours ago•8 views

LearnPress < 4.3.2 - Broken Access Control

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the statistic function in all versions up to, and including, 4.3.1. This makes it possible for unauthenticated attackers to view the plugin's orders...

5.3CVSS5.8AI score0.03572EPSS

Exploits0References2

Nuclei•added 16 hours ago•8 views

Yellow Pencil Visual Theme Customizer < 7.2.1 - Privilege Escalation

The WaspThemes Visual CSS Style Editor aka yellow-pencil-visual-theme-customizer plugin before 7.2.1 for WordPress allows ypoptionupdate CSRF, as demonstrated by use of ypremoteget to obtain admin access. id: CVE-2019-11886 info: name: Yellow Pencil Visual Theme Customizer 7.2.1 - Privilege...

8.8CVSS7.3AI score0.19742EPSS

Exploits1References3

Nuclei•added 16 hours ago•6 views

Total Donations Plugin for WordPress < 2.0.6 - Arbitrary Options Update

Incorrect access control in miglaajaxfunctions.php in the Calmar Webmedia Total Donations plugin through 2.0.5 for WordPress allows unauthenticated attackers to update arbitrary WordPress option values, leading to site takeover. These attackers can send requests to wp-admin/admin-ajax.php to call...

9.8CVSS7.3AI score0.55864EPSS

Exploits1References2

Nuclei•added 16 hours ago•5 views

WordPress Advanced Access Manager - Path Traversal

The Advanced Access Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read in versions up to, and including, 5.9.8.1 due to insufficient validation on the aam-media parameter. This allows unauthenticated attackers to read any file on the server, including sensitive file...

9.8CVSS7.3AI score0.43187EPSS

Exploits1References2

Nuclei•added 16 hours ago•9 views

WordPress Ultimate FAQs <= 1.8.24 – Unauthenticated HTML Content Injection

Functions/EWDUFAQImport.php in the ultimate-faqs plugin through 1.8.24 for WordPress allows HTML content injection. id: CVE-2019-17233 info: name: WordPress Ultimate FAQs = 1.8.24 – Unauthenticated HTML Content Injection author: daffainfo severity: medium description: | Functions/EWDUFAQImport.ph...

6.1CVSS7.1AI score0.01098EPSS

Exploits1References2

Nuclei•added 16 hours ago•4 views

WordPress Ultimate FAQs <= 1.8.24 – Unauthenticated Options Import and Export

Functions/EWDUFAQImport.php in the ultimate-faqs plugin through 1.8.24 for WordPress allows unauthenticated options import. id: CVE-2019-17232 info: name: WordPress Ultimate FAQs = 1.8.24 – Unauthenticated Options Import and Export author: daffainfo severity: high description: |...

7.5CVSS7.3AI score0.09189EPSS

Exploits1References4

Nuclei•added 16 hours ago•17 views

Gallery Photoblocks < 1.1.43 - Cross-Site Scripting

The Gallery PhotoBlocks WordPress plugin was affected by an Authenticated Reflected XSS security vulnerability. id: CVE-2019-15829 info: name: Gallery Photoblocks 1.1.43 - Cross-Site Scripting author: r3Y3r53 severity: medium description: | The Gallery PhotoBlocks WordPress plugin was affected by...

4.8CVSS5.8AI score0.01471EPSS

Exploits1References5

Nuclei•added 16 hours ago•35 views

WordPress Transposh Translation <1.0.8 - Cross-Site Scripting

WordPress Transposh Translation plugin before 1.0.8 contains a reflected cross-site scripting vulnerability. It does not sanitize and escape the a parameter via an AJAX action available to both unauthenticated and authenticated users when the curl library is installed before outputting it back in...

6.1CVSS6.8AI score0.1463EPSS

Exploits4References5

Nuclei•added 16 hours ago•20 views

Hostel < 1.1.5.3 - Cross-Site Scripting

The Hostel WordPress plugin before 1.1.5.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. id: CVE-2024-3753 info: name: Hostel 1.1.5.3 - Cross-Site Scriptin...

5.9CVSS5.8AI score0.01464EPSS

Exploits1References2

Nuclei•added 16 hours ago•16 views

WordPress Plugin Flexible Custom Post Type < 0.1.7 - Cross-Site Scripting

A cross-site scripting vulnerability in edit-post.php in the Flexible Custom Post Type plugin before 0.1.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter. id: CVE-2011-5106 info: name: WordPress Plugin Flexible Custom Post Type 0.1.7 - Cross-Site...

4.3CVSS5.8AI score0.00989EPSS

Exploits1References5

Nuclei•added 16 hours ago•18 views

GRAND FlAGallery 1.57 - Cross-Site Scripting

A cross-site scripting XSS vulnerability in facebook.php in the GRAND FlAGallery plugin flash-album-gallery before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter. id: CVE-2011-4624 info: name: GRAND FlAGallery 1.57 - Cross-Site Scripting...

4.3CVSS5.8AI score0.045EPSS

Exploits1References5

Nuclei•added 16 hours ago•37 views

Brafton WordPress Plugin < 3.4.8 - Cross-Site Scripting

The Brafton plugin before 3.4.8 for WordPress has XSS via the wp-admin/admin.php?page=BraftonArticleLoader tab parameter to BraftonAdminPage.php. id: CVE-2016-10973 info: name: Brafton WordPress Plugin 3.4.8 - Cross-Site Scripting author: Harsh severity: medium description: | The Brafton plugin...

6.1CVSS6.4AI score0.0064EPSS

Exploits2References3

Nuclei•added 16 hours ago•23 views

WordPress Plugin MF Gig Calendar 0.9.2 - Cross-Site Scripting

A cross-site scripting vulnerability in the MF Gig Calendar plugin 0.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the query string to the calendar page. id: CVE-2012-4242 info: name: WordPress Plugin MF Gig Calendar 0.9.2 - Cross-Site Scripting author:...

4.3CVSS5.8AI score0.06071EPSS

Exploits3References4

Nuclei•added 16 hours ago•20 views

WordPress Emag Marketplace Connector 1.0 - Cross-Site Scripting

WordPress Emag Marketplace Connector plugin 1.0 contains a reflected cross-site scripting vulnerability because the parameter "post" to /wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php is not filtered correctly. id: CVE-2017-17043 info: name: WordPress Emag...

6.1CVSS6.2AI score0.04015EPSS

Exploits2References5

Nuclei•added 16 hours ago•19 views

WP Planet <= 0.1 - Cross-Site Scripting

A cross-site scripting vulnerability in rss.class/scripts/magpiedebug.php in the WP-Planet plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the url parameter. id: CVE-2014-4592 info: name: WP Planet = 0.1 - Cross-Site Scripting author:...

6.1CVSS6.4AI score0.03802EPSS

Exploits2References4

Nuclei•added 16 hours ago•12 views

Shortcode Ninja <= 1.4 - Cross-Site Scripting

A cross-site scripting vulnerability in preview-shortcode-external.php in the Shortcode Ninja plugin 1.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the shortcode parameter. id: CVE-2014-4550 info: name: Shortcode Ninja = 1.4 - Cross-Site Scripting...

6.1CVSS6.4AI score0.02712EPSS

Exploits2References3

Nuclei•added 16 hours ago•20 views

WP AmASIN – The Amazon Affiliate Shop - Local File Inclusion

Absolute path traversal vulnerability in reviews.php in the WP AmASIN - The Amazon Affiliate Shop plugin 0.9.6 and earlier for WordPress allows remote attackers to read arbitrary files via a full pathname in the url parameter. id: CVE-2014-4577 info: name: WP AmASIN – The Amazon Affiliate Shop -...

5CVSS7.5AI score0.01825EPSS

Exploits1References3

Nuclei•added 16 hours ago•16 views

PromoBar by BestWebSoft < 1.1.1 - Cross-Site Scripting

The promobar plugin before 1.1.1 for WordPress has multiple XSS issues. id: CVE-2017-18529 info: name: PromoBar by BestWebSoft 1.1.1 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The promobar plugin before 1.1.1 for WordPress has multiple XSS issues. impact: |...

6.1CVSS6.4AI score0.00059EPSS

Exploits1References4

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by