CVE-2016-10992
The music-store plugin before 1.0.43 for WordPress has XSS via the wp-admin/admin.php?page=music-store-menu-reports fromyear parameter...
CVE-2016-10903
The GoDaddy godaddy-email-marketing-sign-up-forms plugin before 1.1.3 for WordPress has CSRF...
CVE-2016-10943
The zx-csv-upload plugin 1 for WordPress has SQL injection via the id parameter...
CVE-2022-23911
The Testimonial WordPress Plugin WordPress plugin before 1.4.7 does not validate and escape the id parameter before using it in a SQL statement when retrieving a testimonial to edit, leading to a SQL Injection...
CVE-2022-33994
The Gutenberg plugin through 13.7.3 for WordPress allows stored XSS by the Contributor role via an SVG document to the "Insert from URL" feature. NOTE: the XSS payload does not execute in the context of the WordPress instance's domain; however, analogous attempts by low-privileged users to...
CVE-2022-0535
The E2Pdf WordPress plugin before 1.16.45 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed...
CVE-2022-0478
The Event Manager and Tickets Selling for WooCommerce WordPress plugin before 3.5.8 does not validate and escape the postauthorgutenberg parameter before using it in a SQL statement when creating/editing events, which could allow users with a role as low as contributor to perform SQL Injection...
CVE-2022-0641
The Popup Like box WordPress plugin before 3.6.1 does not sanitize and escape the aysfbtab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting...
CVE-2022-0448
The CP Blocks WordPress plugin before 1.0.15 does not sanitise and escape its "License ID" settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed...
CVE-2022-0628
The Mega Menu WordPress plugin before 3.0.8 does not sanitize and escape the _wpnonce parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting...
CVE-2022-0471
The Favicon by RealFaviconGenerator WordPress plugin before 1.3.23 does not properly sanitise and escape the jsonresulturl parameter before outputting it back in the Favicon admin dashboard, leading to a Reflected Cross-Site Scripting issue...
CVE-2022-0662
The AdRotate WordPress plugin before 5.8.23 does not sanitise and escape Advert Names which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed...
CVE-2017-12947
classes\controller\admin\modals.php in the Easy Modal plugin before 2.1.0 for WordPress has SQL injection in an untrash action with the id, ids, or modal parameter to wp-admin/admin.php, exploitable by administrators...
CVE-2017-18538
The weblibrarian plugin before 3.4.8.5 for WordPress has XSS via front-end short codes...
CVE-2017-18567
The wp-all-import plugin before 3.4.6 for WordPress has XSS...
CVE-2017-18510
The custom-sidebars plugin before 3.1.0 for WordPress has CSRF related to set location, import actions, and export actions...
CVE-2017-18499
The simple-membership plugin before 3.5.7 for WordPress has XSS...
CVE-2017-18496
The htaccess plugin before 1.7.6 for WordPress has multiple XSS issues...
CVE-2017-18610
The magic-fields plugin before 1.7.2 for WordPress has XSS via the RCCWPCreateCustomFieldPage.php custom-group-id parameter...
CVE-2017-18519
The customer-area plugin before 7.4.3 for WordPress has XSS via admin pages...