12 matches found
PT-2026-46333
That number got my attention. I've cleaned up enough incidents to know what usually happens when a vulnerability becomes public. Attackers don't wait. Right now there are 145 WordPress plugins/themes with publicly disclosed vulnerabilities that still have no available fix. If you're running any o...
CVE-2024-13362 Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter
Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...
CVE-2024-13362
CVE-2024-13362 concerns Freemius versions <= 2.10.1 used in multiple WordPress plugins/themes. The flaw is a reflected DOM-based XSS via the url parameter, caused by insufficient input sanitization and output escaping. Consequences: unauthenticated attackers could cause a user to execute arbi...
[SECURITY] Fedora 44 Update: kf6-knewstuff-6.25.0-1.fc44
KDE Frameworks 6 Tier 3 module for downloading and sharing additional application data like plugins, themes, motives, etc...
CVE-2025-5092 Multiple Plugins and Themes <= (Various Versions) - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via lightGallery JavaScript Library
Multiple plugins and/or themes for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled lightGallery library = 2.8.3 in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
EUVD-2024-54446
Malicious code in bioql PyPI...
EUVD-2024-48415
Malicious code in bioql PyPI...
CVE-2024-35162
Path traversal vulnerability exists in Download Plugins and Themes from Dashboard versions prior to 1.8.6. If this vulnerability is exploited, a remote authenticated attacker with "switchthemes" privilege may obtain arbitrary files on the server...
CVE-2022-4974
The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the getdebuglog, getdboption, and the setdboption functions in versions up to, and...
PT-2022-7031
Name of the Vulnerable Software and Affected Versions: WordPress versions prior to 5.8.3; WordPress versions 3.7.37 and earlier. Description: The issue is related to improper sanitization in the WP_Query function of the WordPress content management system, which can lead to SQL injection through...
CVE-2021-24219
The Thrive Optimize WordPress plugin before 1.4.13.3, Thrive Comments WordPress plugin before 1.4.15.3, Thrive Headline Optimizer WordPress plugin before 1.3.7.3, Thrive Leads WordPress plugin before 2.3.9.4, Thrive Ultimatum WordPress plugin before 2.3.9.4, Thrive Quiz Builder WordPress plugin...
WordPress 2.3.0-4.7.4 - Authenticated SQL injection
Description: Due to a bad solution in the database abstraction library, WordPress exposes itself to SQL injection and validation bypass. Besides WordPress itself, this issue has a huge impact on the complete WP ecosystem. Up to WordPress 4.8.1 is vulnerable, but this time the attack is dependent on...