280 matches found
WordPress Plugin SEO Change Monitor SQL Injection Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A SQL injection vulnerability exists in...
CVE-2023-48770 WordPress Aparat Plugin <= 1.7.1 is vulnerable to Cross Site Scripting (XSS)
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Nima Saberi Aparat allows Stored XSS.This issue affects Aparat: from n/a through 1.7.1...
CVE-2023-5454 Templately < 2.2.6 - Arbitrary post trashing via Missing Authorization
The Templately WordPress plugin before 2.2.6 does not properly authorize the saved-templates/delete REST API call, allowing unauthenticated users to delete arbitrary posts...
CVE-2023-4796 Booster for WooCommerce <= 7.1.0 - Authenticated (Subscriber+) Information Disclosure via Shortcode
The Booster for WooCommerce for WordPress is vulnerable to Information Disclosure via the 'wcjwpoption' shortcode in versions up to, and including, 7.1.0 due to insufficient controls on the information retrievable via the shortcode. This makes it possible for authenticated attackers, with...
PT-2023-28720 · WordPress · Woo Custom Emails
Name of the Vulnerable Software and Affected Versions: The Woo Custom Emails for WordPress versions up to, and including, 2.2 Description: The issue is related to Reflected Cross-Site Scripting via the wcemails edit parameter due to insufficient input sanitization and output escaping. This allows...
PT-2023-23459 · WordPress · Post Smtp Mailer
Name of the Vulnerable Software and Affected Versions: POST SMTP Mailer WordPress plugin versions prior to 2.5.7 Description: The issue concerns a lack of proper CSRF checks in some AJAX actions within the plugin. This could allow attackers to make logged-in users with the manage postman smtp...
CVE-2023-1889 Directorist <= 7.5.4 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Deletion in listing_task
The Directorist plugin for WordPress is vulnerable to an Insecure Direct Object Reference in versions up to, and including, 7.5.4. This is due to improper validation and authorization checks within the listingtask function. This makes it possible for authenticated attackers, with subscriber-level...
CVE-2023-1888 Directorist <= 7.5.4 - Authenticated (Subscriber+) Arbitrary User Password Reset to Privilege Escalation
The Directorist plugin for WordPress is vulnerable to an arbitrary user password reset in versions up to, and including, 7.5.4. This is due to a lack of validation checks within login.php. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to reset th...
CVE-2021-4370 uListing <= 1.6.6 - Missing Authorization
The uListing plugin for WordPress is vulnerable to authorization bypass as most actions and endpoints are accessible to unauthenticated users, lack security nonces, and data is seldom validated. This issue exists in versions up to, and including, 1.6.6. This makes it possible for unauthenticated...
PT-2023-21073 · WordPress · Groundhogg
Name of the Vulnerable Software and Affected Versions: Groundhogg plugin for WordPress versions up to, and including, 2.7.9.8 Description: The issue is related to Stored Cross-Site Scripting via the 'gh form' shortcode due to insufficient input sanitization and output escaping on user-supplied...
CVE-2023-0644 PushAssist <= 3.0.8 - Reflected Cross-Site Scripting
The Push Notifications for WordPress by PushAssist WordPress plugin through 3.0.8 does not sanitise and escape various parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
CVE-2022-28222 CleanTalk AntiSpam <= 5.173 Reflected XSS
The CleanTalk AntiSpam plugin = 5.173 for WordPress is vulnerable to Reflected Cross-Site Scripting XSS via the $REQUEST'page' parameter in/lib/Cleantalk/ApbctWP/FindSpam/ListTable/Users.php...
CVE-2021-23174 WordPress Download Monitor plugin <= 4.4.6 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Authenticated admin+ Persistent Cross-Site Scripting XSS vulnerability discovered in Download Monitor WordPress plugin versions = 4.4.6 Vulnerable parameters: &posttitle, &downloadablefileversion0...
WordPress Authorization Issues Vulnerability (CNVD-2021-53345)
WordPress is a set of blogging platforms developed using the PHP language by the WordPress Wordpress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. An authorization issue vulnerability exists in WordPress Plugin CM Download Manager, which can be...
EUVD-2022-5657
The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the orderid parameter in a fetchorderstatus action...
UBUNTU-CVE-2020-28032
WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php...
CVE-2014-4537
CVE-2014-4537 affects WordPress Keyword Strategy Internal Links Plugin (
CVE-2008-6762
Open redirect vulnerability in wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the backto parameter...
CVE-2006-5705
Multiple directory traversal vulnerabilities in plugins/wp-db-backup.php in WordPress before 2.0.5 allow remote authenticated users to read or overwrite arbitrary files via directory traversal sequences in the 1 backup and 2 fragment parameters in a GET request...
WordPress Core 1.2 - 'bookmarklet.php' Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/11268/info It is reported that Wordpress is affected by various cross-site scripting vulnerabilities. These issues are due to a failure of the application to properly sanitize user-supplied URI input. Wordpress 1.2 is reported vulnerable, however, other...