554 matches found
CVE-2021-38324 SP Rental Manager <= 1.5.3 Unauthenticated SQL Injection
The SP Rental Manager WordPress plugin is vulnerable to SQL Injection via the orderby parameter found in the /user/shortcodes.php file which allows attackers to retrieve information contained in a site's database, in versions up to and including 1.5.3...
Sql injection
The Simple Events Calendar WordPress plugin through 1.4.0 does not sanitise, validate or escape the eventid POST parameter before using it in a SQL statement when deleting events, leading to an authenticated SQL injection issue...
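The two SQL injection entries above share one root cause: request input reaching `$wpdb` queries without a prepared statement or, for ORDER BY, an allow-list. The following is an added example written for this page, not code from SP Rental Manager or Simple Events Calendar; the table names (`demo_rentals`, `demo_events`), column names and nonce action are assumed for illustration.

```php
<?php
// Added example: vulnerable vs. hardened handling of an "orderby" GET parameter and an
// "eventid" POST value in $wpdb queries. Table and column names are assumed (demo_*).

// --- Vulnerable: untrusted input concatenated into SQL ---
function demo_list_rentals_vulnerable() {
    global $wpdb;
    $orderby = isset( $_GET['orderby'] ) ? $_GET['orderby'] : 'id';
    // An unauthenticated visitor controls the tail of the statement here.
    return $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}demo_rentals ORDER BY $orderby" );
}

function demo_delete_event_vulnerable() {
    global $wpdb;
    $eventid = $_POST['eventid'];
    // No capability check, no nonce, no prepare: "1 OR 1=1" deletes every row.
    $wpdb->query( "DELETE FROM {$wpdb->prefix}demo_events WHERE id = $eventid" );
}

// --- Hardened ---
function demo_list_rentals_hardened() {
    global $wpdb;
    // ORDER BY identifiers cannot be bound with $wpdb->prepare(); use an allow-list.
    $allowed = array( 'id', 'title', 'price', 'created' );
    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'id';
    if ( ! in_array( $orderby, $allowed, true ) ) {
        $orderby = 'id';
    }
    $order = ( isset( $_GET['order'] ) && 'desc' === strtolower( $_GET['order'] ) ) ? 'DESC' : 'ASC';
    return $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}demo_rentals ORDER BY `$orderby` $order" );
}

function demo_delete_event_hardened() {
    global $wpdb;
    // Authorisation first: deleting events is an admin action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // CSRF protection: the form must carry wp_nonce_field( 'demo_delete_event' ).
    check_admin_referer( 'demo_delete_event' );
    $eventid = isset( $_POST['eventid'] ) ? absint( $_POST['eventid'] ) : 0;
    if ( 0 === $eventid ) {
        wp_die( 'Invalid event id', 400 );
    }
    // Parameterised delete: the id is bound as %d, never interpolated into the string.
    return $wpdb->delete( $wpdb->prefix . 'demo_events', array( 'id' => $eventid ), array( '%d' ) );
}
```

The hardened delete applies three independent controls (capability, nonce, typed binding); the advisory for Simple Events Calendar describes only the missing binding, but an endpoint that deletes data without the first two is still a problem even once the query is prepared.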
CVE-2021-24372
The WP Hardening – Fix Your WordPress Security WordPress plugin before 1.2.2 did not sanitise or escape $_SERVER['REQUEST_URI'] before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue...
RSS for Yandex Turbo <= 1.30 - Authenticated Stored XSS
The plugin does not sanitise or escape some of its settings before saving and outputting them in the admin dashboard, leading to an Authenticated Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed. Vulnerable parameters: &ytnetw=, &ytnetwspan=, &ytfeedbacknetw=...
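The reflected (WP Hardening) and stored (RSS for Yandex Turbo) XSS entries above are the two halves of the same rule: sanitise on save, escape on output, in the context where the value lands. The block below is an added example written for this page, not code from either plugin; the option name `demo_network` and nonce action are assumed. Note that WordPress core does not run its HTML filter over plugin options, so disallowing unfiltered_html does nothing for a setting the plugin itself stores raw.

```php
<?php
// Added example: reflected XSS via REQUEST_URI in an attribute and stored XSS via an
// unescaped plugin setting, each beside a hardened form. Option/nonce names are assumed.

// --- Reflected: vulnerable ---
function demo_form_vulnerable() {
    // A crafted query string closes the attribute and injects an event handler.
    echo '<form method="post" action="' . $_SERVER['REQUEST_URI'] . '">';
}

// --- Reflected: hardened ---
function demo_form_hardened() {
    // esc_url() rejects dangerous schemes and encodes quotes and angle brackets for attribute context.
    $action = esc_url( wp_unslash( $_SERVER['REQUEST_URI'] ) );
    echo '<form method="post" action="' . $action . '">';
}

// --- Stored: vulnerable ---
function demo_save_settings_vulnerable() {
    // Saved verbatim and rendered verbatim: whoever can reach this settings page can plant
    // markup that executes for every administrator who opens the dashboard.
    update_option( 'demo_network', $_POST['demo_network'] );
}
function demo_render_settings_vulnerable() {
    echo '<input type="text" name="demo_network" value="' . get_option( 'demo_network' ) . '">';
}

// --- Stored: hardened (sanitise on save, escape on output) ---
function demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    check_admin_referer( 'demo_settings' );
    // sanitize_text_field() strips tags and control characters from a plain-text setting.
    update_option( 'demo_network', sanitize_text_field( wp_unslash( $_POST['demo_network'] ) ) );
}
function demo_render_settings_hardened() {
    // Escaping at output is still required: the option may have been written by older code
    // or by another plugin, so sanitisation on save is not a substitute.
    echo '<input type="text" name="demo_network" value="' . esc_attr( get_option( 'demo_network' ) ) . '">';
}
```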
WordPress Supsystic Digital Publications 1.6.9 XSS / DoS / Traversal
Exploit Title: WordPress Plugin Supsystic Digital Publications 1.6.9 - Multiple Vulnerabilities Date: 24/07/2020 Exploit Author: Erik David Martin Vendor Homepage: https://supsystic.com/ Software Link: https://downloads.wordpress.org/plugin/digital-publications-by-supsystic.1.6.9.zip Version: 1.6...
CVE-2015-9480
The RobotCPA plugin 5 for WordPress has directory traversal via the l parameter of f.php...
WP Google Map Plugin < 4.1.0 - CSRF to Unauthenticated PHP Object Injection
The WP Google Map Plugin WordPress plugin was affected by a CSRF to Unauthenticated PHP Object Injection security vulnerability...
CVE-2019-15773
The nd-travel plugin before 1.7 for WordPress has a nopriv AJAX action that allows modification of the siteurl setting...
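A `wp_ajax_nopriv_*` hook is reachable by anyone who can send a POST to `admin-ajax.php`, so an action registered that way must assume a hostile, anonymous caller. The block below is an added example written for this page, not the nd-travel plugin's code; the action name `demo_set_url` and the `url` field are assumed.

```php
<?php
// Added example: an AJAX action that lets unauthenticated callers rewrite the siteurl
// option, beside a hardened version. Action and field names are assumed.

// --- Vulnerable: anyone can redirect the whole site ---
add_action( 'wp_ajax_nopriv_demo_set_url', 'demo_set_url_vulnerable' );
add_action( 'wp_ajax_demo_set_url', 'demo_set_url_vulnerable' );
function demo_set_url_vulnerable() {
    update_option( 'siteurl', $_POST['url'] );
    wp_die();
}
// Request shape that triggers it (no cookie, no nonce):
//   curl -d 'action=demo_set_url&url=https://attacker.example' https://victim.example/wp-admin/admin-ajax.php

// --- Hardened ---
// 1. No nopriv hook: unauthenticated requests never reach the handler.
add_action( 'wp_ajax_demo_set_url', 'demo_set_url_hardened' );
function demo_set_url_hardened() {
    // 2. Capability check: logged in is not enough; subscribers can call admin-ajax too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 3. CSRF protection: client sends wp_create_nonce( 'demo_set_url' ) as "_ajax_nonce".
    check_ajax_referer( 'demo_set_url', '_ajax_nonce' );
    // 4. Input validation: only an http(s) URL may become the site address.
    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ), array( 'http', 'https' ) ) : '';
    if ( '' === $url ) {
        wp_send_json_error( 'invalid url', 400 );
    }
    update_option( 'siteurl', $url );
    wp_send_json_success( array( 'siteurl' => $url ) );
}
```

When auditing a plugin, grep for `wp_ajax_nopriv_` and read every handler it names: each one is an unauthenticated entry point, and the question for each is what it writes and whether that write is acceptable from an anonymous user.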
CVE-2017-18536
The stop-user-enumeration plugin before 1.3.8 for WordPress has XSS...
CVE-2017-18533
The rimons-twitter-widget plugin before 1.3 for WordPress has XSS...
CVE-2015-9308
The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit map feature...
CVE-2017-18504
The twitter-cards-meta plugin before 2.5.0 for WordPress has CSRF...
CVE-2019-9914
The yop-poll plugin before 6.0.3 for WordPress has wp-admin/admin.php?page=yop-polls&action=view-votes pollid XSS...
Breadcrumb NavXT <= 6.1.0 - Username Disclosure via REST API
The Breadcrumb NavXT WordPress plugin was affected by a Username Disclosure via REST API security vulnerability. http://www.example.com/wp-json/bcn/v1/author/1...
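A REST route that resolves a numeric author ID to a user record and returns the login name gives an anonymous caller a list of valid usernames to feed into password guessing. The block below is an added example written for this page, not Breadcrumb NavXT's code; the `demo/v1` namespace and route paths are assumed.

```php
<?php
// Added example: a public REST route that leaks user_login for any author ID, beside a
// hardened route. Namespace and paths are assumed.

// --- Vulnerable: anonymous route returning the login name ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/author/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true', // anyone, no cookie needed
        'callback'            => function ( $request ) {
            $user = get_userdata( (int) $request['id'] );
            // user_login is the account name used at wp-login.php, not a display value.
            return $user ? array( 'login' => $user->user_login, 'name' => $user->display_name ) : null;
        },
    ) );
} );

// --- Hardened ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/author-safe/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'args'                => array(
            'id' => array( 'validate_callback' => function ( $v ) { return is_numeric( $v ); } ),
        ),
        // Gate on a capability rather than returning data to the world.
        'permission_callback' => function () { return current_user_can( 'list_users' ); },
        'callback'            => function ( $request ) {
            $user = get_userdata( (int) $request['id'] );
            if ( ! $user ) {
                return new WP_Error( 'not_found', 'No such author', array( 'status' => 404 ) );
            }
            // Return only the public display name; never user_login or user_email.
            return rest_ensure_response( array( 'name' => $user->display_name ) );
        },
    ) );
} );
```

The check a tester runs is the URL the advisory gives, unauthenticated: a response body that contains a `user_login`-style value for a sequence of small integer IDs confirms the disclosure.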
WooCommerce CSV-Importer-Plugin 3.3.6 - Remote Code Execution
Exploit Title: Plugin Woocommerce CSV importer 3.3.6 – RCE – Unlink Date: 08/04/2018 Exploit Author: Lenon Leite Vendor Homepage: https://wordpress.org/plugins/woocommerce-csvimport/ Software Link:...
CVE-2014-2674
Directory traversal vulnerability in the Ajax Pagination twitter Style plugin 1.1 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the loop parameter in an ajaxnavigation action to wp-admin/admin-ajax.php...
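The traversal above is the classic "template name from the request" pattern: a parameter is concatenated into a path under the plugin directory and included. The block below is an added example written for this page, not the Ajax Pagination plugin's code; the action name, the `loops/` directory and the template names are assumed.

```php
<?php
// Added example: an admin-ajax handler that includes a template chosen by a "loop"
// parameter, beside a hardened form. Directory, action and template names are assumed.

// --- Vulnerable: "loop=../../../../wp-config" walks out of the plugin directory ---
add_action( 'wp_ajax_nopriv_demo_navigation', 'demo_navigation_vulnerable' );
add_action( 'wp_ajax_demo_navigation', 'demo_navigation_vulnerable' );
function demo_navigation_vulnerable() {
    $loop = $_REQUEST['loop'];
    include plugin_dir_path( __FILE__ ) . 'loops/' . $loop . '.php';
    wp_die();
}

// --- Hardened: allow-list, then a realpath containment check as defence in depth ---
add_action( 'wp_ajax_nopriv_demo_navigation_safe', 'demo_navigation_hardened' );
add_action( 'wp_ajax_demo_navigation_safe', 'demo_navigation_hardened' );
function demo_navigation_hardened() {
    $base = realpath( plugin_dir_path( __FILE__ ) . 'loops' );
    // sanitize_key() keeps only [a-z0-9_-], which already removes "." and "/".
    $loop = isset( $_REQUEST['loop'] ) ? sanitize_key( wp_unslash( $_REQUEST['loop'] ) ) : '';
    $allowed = array( 'default', 'grid', 'list' );
    if ( ! in_array( $loop, $allowed, true ) ) {
        wp_send_json_error( 'unknown loop', 400 );
    }
    // Resolve the final path and confirm it is still inside $base (guards against symlinks
    // or a future change that loosens the allow-list).
    $path = realpath( $base . '/' . $loop . '.php' );
    if ( false === $base || false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid template', 400 );
    }
    include $path;
    wp_die();
}
```

Prefer the allow-list over the containment check alone: a `realpath` prefix test still lets a caller include any `.php` file that happens to live under the directory, which may include helpers never meant to run on their own.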
bijouterieronaldfortier.com XSS vulnerability
Open Bug Bounty ID: OBB-303054. Affected Website: bijouterieronaldfortier.com. Vulnerable Application: Custom Code. Vulnerability Type: XSS Cross Site Scripting / CWE-79. CVSSv3 Score: 6.1...
WordPress Photocrati NextGEN Gallery Plugin File Upload Vulnerability
WordPress is a blogging platform written in PHP and maintained by the WordPress Foundation; it runs on servers with PHP and MySQL and supports personal blog sites. Photocrati NextGEN Gallery is an image management plugin for WordPress. A security vulnerability exists in the...
W3 Total Cache <= 0.9.4.1 - Weak Validation of Amazon SNS Push Messages
The W3 Total Cache WordPress plugin was affected by a Weak Validation of Amazon SNS Push Messages security vulnerability...
CVE-2015-7683: Absolute Path Traversal in the Font WordPress Plugin
Details ================ Software: Font Version: 7.5 Homepage: https://wordpress.org/plugins/font/ CVE: CVE-2015-7683 Pending CVSS: 6.3 Medium; AV:N/AC:M/Au:S/C:C/I:N/A:N CWE: CWE-22 Description ================ An absolute path traversal vulnerability in Font 7.5 allows WordPress admins read...