111 matches found
CVE-2021-24246
The Workscout Core WordPress plugin before 1.3.4, used by the WorkScout Theme did not sanitise the chat messages sent via the workscoutsendmessagechat AJAX action, leading to Stored Cross-Site Scripting and Cross-Frame Scripting issues...
CVE-2021-24431
The Language Bar Flags WordPress plugin through 1.0.8 does not have any CSRF in place when saving its settings and did not sanitise or escape them when generating the flag bar in the frontend. This could allow attackers to make a logged in admin change the settings, and set Cross-Site Scripting...
CVE-2015-9310
The all-in-one-wp-security-and-firewall plugin before 3.9.1 for WordPress has multiple SQL injection issues...
CVE-2024-11719
The CVE-2024-11719 entry concerns the tarteaucitron-wp WordPress plugin prior to version 0.3.0, which lacks CSRF checks in certain areas and omits sanitisation and escaping. This could allow a logged-in attacker to trigger a Stored XSS payload via a CSRF attack. The issue is documented across mul...
PT-2025-21454 · WordPress · Calculated Fields Form
Name of the Vulnerable Software and Affected Versions: Calculated Fields Form WordPress plugin versions prior to 5.2.64 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This can occur even when the unfiltered html capability is...
📄 WordPress Easy Restaurant Manager 1.0 XSS / SQL Injection / IDOR
WordPress Easy Restaurant Manager plugin version 1.0 suffers from persistent cross site scripting, insecure direct object reference, a missing access control, and remote SQL injection vulnerabilities. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ .:. Exploit Title WordPress...
CVE-2025-32536
CVE-2025-32536 refers to a Reflected Cross-Site Scripting vulnerability in the HTML5 Video Player with Playlist WordPress plugin. The vulnerability affects the plugin version range up to 2.50 (HTML5 Video Player with Playlist). The root cause, as stated in connected documentation, is improper inp...
CVE-2024-13809
The Hero Slider - WordPress Slider Plugin plugin for WordPress is vulnerable to SQL Injection via several parameters in all versions up to, and including, 1.3.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...
WordPress Yoast SEO Plugin < 1.5.7, 1.6.x < 1.6.4, 1.7.x < 1.7.4 Multiple Vulnerabilities
The WordPress plugin SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:yoast:yoastseo"; if description...
CVE-2024-11895
The WordPress plugin Online Payments – Get Paid with PayPal, Square & Stripe is affected by an Authenticated Stored Cross-Site Scripting (XSS) vulnerability via shortcode attributes in versions up to 3.20.0, caused by insufficient input sanitization and output escaping. This allows authenticated ...
WordPress File Manager Plugin < 7.2.2 Multiple Vulnerabilities
The WordPress plugin SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:webdesi9:filemanager"; if description...
WordPress ProfilePress Plugin < 4.15.15 Multiple Vulnerabilities
The WordPress plugin SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:properfraction:profilepress"; if description...
WordPress ProfilePress Plugin < 4.15.0 Multiple Vulnerabilities
The WordPress plugin SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:properfraction:profilepress"; if description...
CVE-2024-13530
The Custom Login Page Styler – Limit Login Attempts – Restrict Content With Login – Redirect After Login – Change Login URL – Sign in , Sign out plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the lpshandledeletealllogs, lpshandledeleteloginlog, and...
CVE-2024-13536 1003 Mortgage Application <= 1.87 - Unauthenticated Full Path Disclosure
The 1003 Mortgage Application plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.87. This is due the /inc/class/fnm/export.php file being publicly accessible with error logging enabled. This makes it possible for unauthenticated attackers to retriev...
CVE-2025-0308
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the search parameter in all versions up to, and including, 2.9.1 due to insufficient escaping on the user supplied...
Hunk Companion Plugin for WordPress < 1.9.0 Arbitrary Plugin Installation
The WordPress Hunk Companion Plugin installed on the remote host is affected by an improper access control vulnerability allowing a remote and unauthenticated attacker to install any plugin on the affected WordPress instance. Note that the scanner has not tester for these issues but has instead...
CVE-2024-54403
CVE-2024-54403 is an explicit cross-site scripting vulnerability in the Visual Recent Posts WordPress plugin. It is described as an Improper Neutralization of Input During Web Page Generation (Reflected XSS) affecting versions up to 1.2.3. The CVSS score is 7.1 (HIGH) with network attack vector, ...
WordPress Unlimited Elements For Elementor (Free Widgets, Addons, Templates) Plugin <= 1.5.102 is vulnerable to Remote Code Execution (RCE)
Software Unlimited Elements For Elementor Free Widgets, Addons, Templates Type Plugin Vulnerable versions = 1.5.102 Fixed in 1.5.103 OWASP Top 10 A3: Injection Classification Remote Code Execution RCE CVE CVE-2024-2662 Patch priority Low CVSS severity Low 7.2 Developer Unlimited Elements PSID...
PT-2024-15913 · WordPress · Anonymous Restricted Content
Name of the Vulnerable Software and Affected Versions: Anonymous Restricted Content plugin for WordPress versions up to, and including, 1.6.2 Description: The issue is due to insufficient restrictions through the REST API on protected posts and pages, allowing unauthenticated attackers to access...