62 matches found
CVE-2023-2744
The ERP WordPress plugin before 1.12.4 does not properly sanitise and escape the type parameter in the erp/v1/accounting/v1/people REST API endpoint before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin...
CVE-2022-1904
The Pricing Tables WordPress Plugin WordPress plugin before 3.2.1 does not sanitise and escape parameter before outputting it back in a page available to any user both authenticated and unauthenticated when a specific setting is enabled, leading to a Reflected Cross-Site Scripting...
CVE-2022-2276
The WP Edit Menu WordPress plugin before 1.5.0 does not have authorisation and CSRF in an AJAX action, which could allow unauthenticated attackers to delete arbitrary posts/pages from the blog...
CVE-2021-24309
The "Schedule Name" input in the Weekly Schedule WordPress plugin before 3.4.3 general options did not properly sanitize input, allowing a user to inject javascript code using the...
CVE-2021-24498
The Calendar Event Multi View WordPress plugin before 1.4.01 does not sanitise or escape the 'start' and 'end' GET parameters before outputting them in the page via php/edit.php, leading to a reflected Cross-Site Scripting issue...
CVE-2020-36503
The Connections Business Directory WordPress plugin before 9.7 does not validate or sanitise some connections' fields, which could lead to a CSV injection issue...
CVE-2025-1303
CVE-2025-1303 concerns the Plugin Oficial WordPress plugin (Getnet para WooCommerce) up to version 1.7.3. The issue is a reflected cross-site scripting (XSS) vulnerability caused by a parameter not being sanitised/escaped before being echoed in the page. Exploitation is described against unauthen...
CVE-2024-13053 Form Maker by 10Web < 1.15.33 - Admin+ Stored XSS via Theme Title
The Form Maker by 10Web WordPress plugin before 1.15.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2024-12679
The CVE-2024-12679 affects the Prisna GWT WordPress plugin and is due to inadequate sanitisation/escaping of certain settings in versions before 1.4.14. This can enable admin-level Stored XSS even when unfiltered_html is disallowed (e.g., multisite). The impact is stored XSS with potential privil...
CVE-2024-13858
The CVE-2024-13858 entry concerns the BuddyBoss Platform plugin for WordPress and BuddyBoss Theme, affected by a Stored Cross-Site Scripting via the invitee_name parameter. Affected versions are all up to 2.8.50 (platform) and 2.8.41 (theme), with insufficient input sanitization and output escapi...
CVE-2024-13381
The Calculated Fields Form WordPress plugin before 5.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WordPress Eventin plugin <= 4.0.25 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by theviper17 in WordPress Plugin Eventin versions = 4.0.25...
CVE-2025-26996 WordPress Sign-up Sheets plugin <= 2.3.0.1 - Shortcode Injection vulnerability
Improper Control of Generation of Code 'Code Injection' vulnerability in Fetch Designs Sign-up Sheets sign-up-sheets allows Code Injection.This issue affects Sign-up Sheets: from n/a through = 2.3.0.1...
WordPress WP_DEBUG Toggle plugin <= 1.1 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting XSS vulnerability discovered by SOPROBRO in WordPress Plugin WPDEBUG Toggle versions = 1.1...
CVE-2025-32525 WordPress Interactive Geo Maps plugin <= 1.6.24 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in MapGeo Interactive Geo Maps interactive-geo-maps allows Reflected XSS.This issue affects Interactive Geo Maps: from n/a through = 1.6.24...
CVE-2025-3433
The Advanced Advertising System plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.3.1. This is due to insufficient validation on the redirect url supplied via the 'redir' parameter. This makes it possible for unauthenticated attackers to redirect users to...
WordPress Testimonial Slider and Showcase Pro plugin <= 2.3.15 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by LVT-tholv2k in WordPress Plugin Testimonial Slider And Showcase Pro versions = 2.3.15...
WordPress Review Stream plugin <= 1.6.7 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by Nabil Irawan in WordPress Plugin Review Stream versions = 1.6.7...
CVE-2025-30548 WordPress Advanced Post Search plugin <= 1.1.0 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in VarDump s.r.l. Advanced Post Search advanced-post-search allows Reflected XSS.This issue affects Advanced Post Search: from n/a through = 1.1.0...
CVE-2025-1623
The GDPR Cookie Compliance WordPress plugin before 4.15.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...