CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

223885 matches found

WordPress SE HTML5 Album Audio Player 1.1.0 - Directory Traversal

WordPress SE HTML5 Album Audio Player 1.1.0 contains a directory traversal vulnerability in downloadaudio.php that allows remote attackers to read arbitrary files via a .. dot dot in the file parameter. id: CVE-2015-4414 info: name: WordPress SE HTML5 Album Audio Player 1.1.0 - Directory Traversa...

5CVSS8.5AI score0.18958EPSS

Exploits4References5

Nuclei•added 9 hours ago•80 views

WordPress Workreap - Remote Code Execution

WordPress Workreap theme is susceptible to remote code execution. The AJAX actions workreapawardtempfileuploader and workreaptempfileuploader did not perform nonce checks, or validate that the request is from a valid user in any other way. The endpoints allowed for uploading arbitrary files to th...

9.8CVSS8.9AI score0.60377EPSS

Exploits9References5

Nuclei•added 9 hours ago•32 views

WordPress MW Font Changer <=4.2.5 - Cross-Site Scripting

WordPress MW Font Changer plugin 4.2.5 and before contains a cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication...

6.1CVSS6.3AI score0.04448EPSS

Exploits2References5

Nuclei•added 9 hours ago•20 views

WordPress Page Layout builder v1.9.3 - Cross-Site Scripting

WordPress plugin Page-layout-builder v1.9.3 contains a cross-site scripting vulnerability. id: CVE-2016-1000141 info: name: WordPress Page Layout builder v1.9.3 - Cross-Site Scripting author: daffainfo severity: medium description: WordPress plugin Page-layout-builder v1.9.3 contains a cross-site...

6.1CVSS5.8AI score0.03462EPSS

Exploits2References4

Nuclei•added 9 hours ago•17 views

WordPress Cab fare calculator < 1.0.4 - Local File Inclusion

The Cab fare calculator WordPress plugin before 1.0.4 does not validate the controller parameter before using it in require statements, which could lead to Local File Inclusion issues. id: CVE-2022-1391 info: name: WordPress Cab fare calculator 1.0.4 - Local File Inclusion author: Splint3r7...

9.8CVSS8.4AI score0.13315EPSS

Exploits2References5

Nuclei•added 9 hours ago•25 views

WordPress FeedWordPress < 2022.0123 - Authenticated Cross-Site Scripting

The plugin is affected by a cross-site scripting vulnerability within the "visibility" parameter. id: CVE-2021-25055 info: name: WordPress FeedWordPress 2022.0123 - Authenticated Cross-Site Scripting author: DhiyaneshDK severity: medium description: | The plugin is affected by a cross-site...

6.1CVSS5.8AI score0.02342EPSS

Exploits2References4

Nuclei•added 9 hours ago•21 views

WordPress Simple Job Board <2.9.4 - Local File Inclusion

WordPress Simple Job Board prior to version 2.9.4 is vulnerable to arbitrary file retrieval vulnerabilities because it does not validate the sjbfile parameter when viewing a resume, allowing an authenticated user with the downloadresume capability such as HR users to download arbitrary files from...

7.7CVSS7.4AI score0.30479EPSS

Exploits7References5

Nuclei•added 9 hours ago•27 views

WordPress WooCommerce <1.13.22 - Cross-Site Scripting

WordPress WooCommerce before 1.13.22 contains a reflected cross-site scripting vulnerability via the slider import search feature because it does not properly sanitize the keyword GET parameter. id: CVE-2021-24300 info: name: WordPress WooCommerce 1.13.22 - Cross-Site Scripting author: cckuailong...

6.1CVSS5.8AI score0.10634EPSS

Exploits5References4

Nuclei•added 9 hours ago•18 views

WordPress Button Generator <2.3.3 - Remote File Inclusion

WordPress Button Generator before 2.3.3 within the wow-company admin menu page allows arbitrary file inclusion with PHP extensions as well as with data:// or http:// protocols, thus leading to cross-site request forgery and remote code execution. id: CVE-2021-25052 info: name: WordPress Button...

8.8CVSS8.4AI score0.0353EPSS

Exploits2References5

Nuclei•added 9 hours ago•16 views

WordPress Securimage-WP-Fixed <=3.5.4 - Cross-Site Scripting

WordPress Securimage-WP-Fixed plugin 3.5.4 and prior contains a cross-site scripting vulnerability due to the use of $SERVER'PHPSELF' in the /securimage-wp.php file, which allows attackers to inject arbitrary web scripts. id: CVE-2021-34640 info: name: WordPress Securimage-WP-Fixed =3.5.4 -...

6.1CVSS6AI score0.02223EPSS

Exploits2References5

Nuclei•added 9 hours ago•12 views

WordPress Quiz and Survey Master <7.1.14 - Cross-Site Scripting

WordPress Quiz and Survey Master plugin prior to 7.1.14 contains a cross-site scripting vulnerability which allows a remote attacker to inject arbitrary script via unspecified vectors. id: CVE-2021-20792 info: name: WordPress Quiz and Survey Master 7.1.14 - Cross-Site Scripting author: dhiyaneshD...

6.1CVSS6.1AI score0.03515EPSS

Exploits1References5

Nuclei•added 9 hours ago•57 views

GLPI plugin Barcode < 2.6.1 - Path Traversal Vulnerability.

Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI instances version 2.x prior to version 2.6.1 with the barcode plugin installed are vulnerable to a path traversal vulnerability. id: CVE-2021-43778 info: name: GLPI plugin Barcode 2.6.1 - Path Traversal Vulnerability. author:...

9.1CVSS7.3AI score0.52658EPSS

Exploits2References5

Nuclei•added 9 hours ago•26 views

WordPress Ninja Forms <3.4.34 - Open Redirect

WordPress Ninja Forms plugin before 3.4.34 contains an open redirect vulnerability via the wpajaxnfoauthconnect AJAX action, due to the use of a user-supplied redirect parameter and no protection in place. An attacker can redirect a user to a malicious site and possibly obtain sensitive...

6.1CVSS6.3AI score0.01643EPSS

Exploits2References5

Nuclei•added 9 hours ago•21 views

WooCommerce PDF Invoices & Packing Slips WordPress Plugin < 2.10.5 - Cross-Site Scripting

The Wordpress plugin WooCommerce PDF Invoices & Packing Slips before 2.10.5 does not escape the tab and section parameters before reflecting it an attribute, leading to a reflected cross-site scripting in the admin dashboard. id: CVE-2021-24991 info: name: WooCommerce PDF Invoices & Packing Slips...

4.8CVSS4.9AI score0.01188EPSS

Exploits3References4

Nuclei•added 9 hours ago•28 views

WordPress Easy Social Icons Plugin < 3.0.9 - Cross-Site Scripting

The Easy Social Icons plugin = 3.0.8 for WordPress echoes out the raw value of $SERVER'PHPSELF' in its main file. On certain configurations including Apache+modPHP this makes it possible to use it to perform a reflected cross-site scripting attack by injecting malicious code in the request path...

6.1CVSS5.9AI score0.02231EPSS

Exploits2References5

Nuclei•added 9 hours ago•23 views

WordPress AnyComment <0.3.5 - Open Redirect

WordPress AnyComment plugin before 0.3.5 contains an open redirect vulnerability via an API endpoint which passes user input via the redirect parameter to the wpredirect function without being validated. An attacker can redirect a user to a malicious site and possibly obtain sensitive information...

6.1CVSS6.3AI score0.02216EPSS

Exploits2References4

Nuclei•added 9 hours ago•28 views

WordPress Domain Check <1.0.17 - Cross-Site Scripting

WordPress Domain Check plugin before 1.0.17 contains a reflected cross-site scripting vulnerability. It does not sanitize and escape the domain parameter before outputting it back in the page. id: CVE-2021-24926 info: name: WordPress Domain Check 1.0.17 - Cross-Site Scripting author: cckuailong...

6.1CVSS5.8AI score0.12913EPSS

Exploits5References4

Nuclei•added 9 hours ago•34 views

WordPress Visitor Statistics (Real Time Traffic) <4.8 -SQL Injection

WordPress Visitor Statistics Real Time Traffic plugin before 4.8 does not properly sanitize and escape the refUrl in the refDetails AJAX action, which is available to any authenticated user. This could allow users with a role as low as subscriber to perform SQL injection attacks. id: CVE-2021-247...

8.8CVSS8.1AI score0.35227EPSS

Exploits5References5

Nuclei•added 9 hours ago•22 views

WordPress MF Gig Calendar <=1.1 - Cross-Site Scripting

WordPress MF Gig Calendar plugin 1.1 and prior contains a reflected cross-site scripting vulnerability. It does not sanitize or escape the id GET parameter before outputting back in the admin dashboard when editing an event. id: CVE-2021-24510 info: name: WordPress MF Gig Calendar =1.2 which...

6.1CVSS5.9AI score0.0231EPSS

Exploits1References4

Nuclei•added 9 hours ago•32 views

The Code Snippets WordPress Plugin < 2.14.3 - Cross-Site Scripting

The Wordpress plugin Code Snippets before 2.14.3 does not escape the snippets-safe-mode parameter before reflecting it in attributes, leading to a reflected cross-site scripting issue. id: CVE-2021-25008 info: name: The Code Snippets WordPress Plugin 2.14.3 - Cross-Site Scripting author: cckuailo...

6.1CVSS5.9AI score0.02268EPSS

Exploits2References4

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by