281 matches found
CVE-2024-5252 Ultimate Addons for WPBakery Page Builder <= 3.19.20 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ultimateinfotable shortcode in all versions up to, and including, 3.19.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
CVE-2024-4463 Squelch Tabs and Accordions Shortcodes <= 0.4.7 - Cross-Site Request Forgery
The Squelch Tabs and Accordions Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.4.7. This is due to missing or incorrect nonce validation when saving plugin settings. This makes it possible for unauthenticated attackers to modify...
CVE-2024-3472 Modal Window < 5.3.10 - Modal Deletion via CSRF
The Modal Window WordPress plugin before 5.3.10 does not have CSRF check in place when bulk deleting modals, which could allow attackers to make a logged in admin delete them via a CSRF attack...
PT-2024-18215 · WordPress · Print Labels With Barcodes
Name of the Vulnerable Software and Affected Versions: The Print Labels with Barcodes plugin for WordPress versions up to, and including, 3.4.6 Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping in the template and javascrip...
CVE-2024-2336 Popup Maker – Popup for opt-ins, lead gen, & more <= 1.18.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Popup Maker – Popup for opt-ins, lead gen, & more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.18.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
CVE-2023-7074 WP Social Bookmark Menu <= 1.2 - Settings Update via CSRF
The WP SOCIAL BOOKMARK MENU WordPress plugin through 1.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
CVE-2023-5233 Font Awesome Integration <= 5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Font Awesome Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'fawesome' shortcode in versions up to, and including, 5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...
PT-2023-13775 · WordPress +1 · 3Dprint +1
Name of the Vulnerable Software and Affected Versions: 3DPrint WordPress plugin versions prior to 3.5.6.9 Description: The issue allows an attacker to craft a malicious request, exploiting the lack of protection against CSRF attacks in the modified version of Tiny File Manager. This can trick a...
PT-2023-17641 · WordPress · Buy Me A Coffee – Button/Widget Plugin
Name of the Vulnerable Software and Affected Versions: Buy Me a Coffee – Button and Widget Plugin versions up to, and including, 3.6 Description: The issue arises from insufficient sanitization and escaping on the text value set via the bmc post reception action, allowing authenticated attackers...
CVE-2023-0368 Responsive Tabs For WPBakery Page Builder <= 1.1 - Contributor+ Stored XSS
The Responsive Tabs For WPBakery Page Builder formerly Visual Composer WordPress plugin through 1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to...
PT-2023-15219 · WordPress · Wp Easy Pay Wp Easypay – Square
Name of the Vulnerable Software and Affected Versions: WP Easy Pay WP EasyPay – Square for WordPress plugin versions = 4.1 Description: The issue is related to a Cross-Site Request Forgery CSRF vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended...
CVE-2023-2120 Thumbnail carousel slider <= 1.1.9 - Reflected Cross-Site Scripting
The Thumbnail carousel slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the searchterm parameter in versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2022-47163 WordPress WP CSV to Database Plugin <= 2.6 is vulnerable to Cross Site Request Forgery (CSRF)
Cross-Site Request Forgery CSRF vulnerability in Tips and Tricks HQ, josh401 WP CSV to Database – Insert CSV file content into WordPress plugin = 2.6 versions...
CVE-2023-0717 Wicked Folders <= 2.18.16 - Missing Authorization via ajax_delete_folder
The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajaxdeletefolder function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke th...
CVE-2022-4680 Revive Old Posts – Social Media Auto Post and Scheduling Plugin < 9.0.11 - PHP Object Injection
The Revive Old Posts WordPress plugin before 9.0.11 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present...
CVE-2022-3359 Shortcodes and extra features for Phlox theme < 2.10.7 - PHP Objection Injection
The Shortcodes and extra features for Phlox theme WordPress plugin before 2.10.7 unserializes the content of an imported file, which could lead to PHP object injection when a user imports intentionally or not a malicious file and a suitable gadget chain is present on the blog...
CVE-2022-4029
The Simple:Press plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'sforummd5 hash of the WordPress URL' cookie value in versions up to, and including, 6.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers t...
CVE-2022-40128 WordPress Advanced Order Export For WooCommerce plugin <= 3.3.2 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery CSRF vulnerability in Advanced Order Export For WooCommerce plugin = 3.3.2 on WordPress leading to export file download...
CVE-2022-29441 WordPress Private Messages For WordPress plugin <= 2.1.10 - Sending Messages via Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery CSRF vulnerability in Private Messages For WordPress plugin = 2.1.10 at WordPress allows attackers to send messages...
CVE-2017-1002014
Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, Blind SQL Injection in image-gallery-with-slideshow/adminsetting.php via galleryname parameter...