Lucene search
K

386 matches found

Wordfence Blog
Wordfence Blog
added 2022/07/13 5:52 p.m.26 views

PSA: Sudden Increase In Attacks On Modern WPBakery Page Builder Addons Vulnerability

The Wordfence Threat Intelligence team has been monitoring a sudden increase in attack attempts targeting Kaswara Modern WPBakery Page Builder Addons. This ongoing campaign is attempting to take advantage of an arbitrary file upload vulnerability, tracked as CVE-2021-24284, which has been...

7.5CVSS9.8AI score0.4214EPSS
Exploits3
Vulnrichment
Vulnrichment
added 2022/06/21 7:0 p.m.6 views

CVE-2022-31095 Exposure of Sensitive Information in discourse-chat

discourse-chat is a chat plugin for the Discourse application. Versions prior to 0.4 are vulnerable to an exposure of sensitive information, where an attacker who knows the message ID for a channel they do not have access to can view that message using the chat message lookup endpoint, primarily...

4.3CVSS6.5AI score0.00542EPSS
Exploits0References1
Prion
Prion
added 2022/06/13 2:15 p.m.17 views

Cross site scripting

The Keep Backup Daily plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘t’ parameter in versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts...

4.3CVSS6AI score0.01031EPSS
Exploits0References4Affected Software1
wpexploit
wpexploit
added 2022/03/15 12:0 a.m.97 views

NS WooCommerce Watermark <= 2.11.3 - Abuse of Functionality

An unprivileged user could use the functionality of the plugin to load images that hide malware for example from passing malicious domains to hide their trace, by making them pass through the vulnerable domain. Search for a vulnerable domain with the dork:...

7.5CVSS1AI score0.01211EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2022/02/28 12:0 a.m.21 views

Advanced Booking Calendar < 1.7.0 - Unauthenticated SQL Injection

The plugin does not validate and escape the calendar parameter before using it in a SQL statement via the abcbookinggetSingleCalendar AJAX action available to both unauthenticated and authenticated users, leading to an unauthenticated SQL injection PoC 1. Install the vulnerable plugin...

9.8CVSS0.6AI score0.01821EPSS
Exploits2References1Affected Software1
wpexploit
wpexploit
added 2022/02/28 12:0 a.m.130 views

Advanced Booking Calendar < 1.7.0 - Unauthenticated SQL Injection

The plugin does not validate and escape the calendar parameter before using it in a SQL statement via the abcbookinggetSingleCalendar AJAX action available to both unauthenticated and authenticated users, leading to an unauthenticated SQL injection 1. Install the vulnerable plugin...

9.8CVSS0.4AI score0.01821EPSS
Exploits2References1
Prion
Prion
added 2022/02/24 7:15 p.m.20 views

Cross site scripting

The Essential Addons for Elementor Lite WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the settings parameter found in the /includes/Traits/Helper.php file which allows attackers to inject arbitrary web scripts onto a pages that executes...

4.3CVSS6AI score0.03193EPSS
Exploits0References2Affected Software1
VulnCheck KEV
VulnCheck KEV
added 2022/01/26 12:0 a.m.5 views

VulnCheck KEV: CVE-2017-5611

SQL injection vulnerability in wp-includes/class-wp-query.php in WPQuery in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name...

9.8CVSS7.2AI score0.09933EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2021/12/14 12:0 a.m.15 views

Link List Manager <= 1.0 - Reflected Cross-Site Scripting

The plugin is vulnerable to Reflected Cross-Site Scripting via the category parameter found in the /llm.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0...

6.1CVSS4.9AI score0.00757EPSS
Exploits0References1Affected Software1
CNNVD
CNNVD
added 2021/11/08 12:0 a.m.4 views

WordPress 跨站脚本漏洞

WordPress is a set of blogging platforms developed using the PHP language by the WordPress Wordpress Foundation. The platform supports setting up personal blog sites on PHP and MySQL servers. A cross-site scripting vulnerability exists in the WordPress plugin Export any WordPress data to XML/CSV...

4.8CVSS4.9AI score0.00598EPSS
Exploits2References2
Cvelist
Cvelist
added 2021/09/10 1:32 p.m.27 views

CVE-2021-38348 Advance Search <= 1.1.2 Reflected Cross-Site Scripting

The Advance Search WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the wpasid parameter found in the /inc/admin/views/html-advance-search-admin-options.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.1.2...

6.1CVSS6.2AI score0.00895EPSS
Exploits1References2
Prion
Prion
added 2021/09/09 7:15 p.m.11 views

Cross site scripting

The User Activation Email WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the uae-key parameter found in the /user-activation-email.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.3.0...

4.3CVSS6.1AI score0.00938EPSS
Exploits1References2Affected Software1
WPVulnDB
WPVulnDB
added 2021/09/09 12:0 a.m.20 views

OSD Subscribe <= 1.2.3 - Reflected Cross-Site Scripting

The plugin is vulnerable to Reflected Cross-Site Scripting via the osdsubscribemessage parameter found in the /options/osdsubscribeoptionssubscribers.php file which allows attackers to inject arbitrary web scripts...

6.1CVSS4.6AI score0.00895EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2021/08/24 12:0 a.m.29 views

Booster for WooCommerce < 5.4.4 - Authentication Bypass

Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the processemailverification function due to a random token generation weakness in the resetandmailactivationlink function found in the...

9.8CVSS3AI score0.50869EPSS
Exploits8References1Affected Software1
Prion
Prion
added 2021/08/19 4:15 p.m.13 views

Cross site request forgery (csrf)

The Shopping Cart & eCommerce Store WordPress plugin is vulnerable to Cross-Site Request Forgery via the savecurrencysettings function found in the /admin/inc/wpeasycartadmininitialsetup.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 5.1.0...

6.8CVSS8.5AI score0.00638EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2021/08/19 3:25 p.m.19 views

CVE-2021-34645 Shopping Cart & eCommerce Store <= 5.1.0 Cross-Site Request Forgery to Stored Cross-Site Scripting

The Shopping Cart & eCommerce Store WordPress plugin is vulnerable to Cross-Site Request Forgery via the savecurrencysettings function found in the /admin/inc/wpeasycartadmininitialsetup.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 5.1.0...

8.8CVSS8.7AI score0.00638EPSS
Exploits0References2
Prion
Prion
added 2021/08/16 7:15 p.m.17 views

Cross site scripting

The Skaut bazar WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $SERVER'PHPSELF' in the /skaut-bazar.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.3.2...

4.3CVSS6.1AI score0.02446EPSS
Exploits2References2Affected Software1
Prion
Prion
added 2021/08/16 7:15 p.m.11 views

Cross site scripting

The Moova for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the lat parameter in the /Checkout/Checkout.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.5...

4.3CVSS6.1AI score0.00938EPSS
Exploits2References2Affected Software1
WPVulnDB
WPVulnDB
added 2021/08/16 12:0 a.m.17 views

SP Project & Document Manager < 4.26 - Reflected Cross-Site Scripting

The plugin is vulnerable to attribute-based Reflected Cross-Site Scripting via the from and to parameters in the /functions.php file which allows attackers to inject arbitrary web scripts PoC https://example.com/wp-admin/admin.php?page=sp-client-document-manager=" style=animation-name:rotation...

6.1CVSS3.3AI score0.00938EPSS
Exploits2References1Affected Software1
Cvelist
Cvelist
added 2021/08/11 3:0 p.m.14 views

CVE-2021-34640 Securimage-WP-Fixed <= 3.5.4 Reflected Cross-Site Scripting

The Securimage-WP-Fixed WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $SERVER'PHPSELF' in the /securimage-wp.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.5.4...

6.1CVSS6.2AI score0.02313EPSS
Exploits2References2
Rows per page
Query Builder