212 matches found
CVE-2022-3036
The Gettext override translations WordPress plugin before 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite set...
CVE-2021-24826
The Custom Content Shortcode WordPress plugin before 4.0.2 does not escape custom fields before outputting them, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Please note that such an attack is still...
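The two entries above describe the same pattern: a plugin that stores a setting or field without sanitising it and prints it without escaping, so a privileged user can persist markup that WordPress core would otherwise strip from users who lack unfiltered_html (the usual situation for site admins on multisite). The following is an added example, not code from either plugin or from this listing; it assumes a WordPress environment, and the option name demo_footer, the nonce action demo_save_footer and all demo_* functions are hypothetical.

```php
<?php
/*
 * Added example (not the code of any plugin listed on this page).
 * Assumes WordPress; option/nonce/function names prefixed "demo_" are hypothetical.
 */

// VULNERABLE pattern: the setting is stored and echoed verbatim. An admin on a
// multisite network (where unfiltered_html is normally withheld) can still save
// <script> into the option, and it then runs for every visitor of the site.
function demo_save_footer_vulnerable() {
    if ( isset( $_POST['demo_footer'] ) ) {
        update_option( 'demo_footer', $_POST['demo_footer'] );   // no capability check, no sanitising
    }
}
function demo_render_footer_vulnerable() {
    echo get_option( 'demo_footer', '' );                        // no escaping
}

// HARDENED pattern: capability check and nonce on write, sanitising that honours
// the unfiltered_html capability, and escaping that matches the output context.
function demo_save_footer_hardened() {
    if ( ! isset( $_POST['demo_footer'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    check_admin_referer( 'demo_save_footer' );                    // CSRF protection for the settings form

    $raw = wp_unslash( $_POST['demo_footer'] );
    // Only users holding unfiltered_html may store arbitrary markup; everyone else
    // is reduced to the post-content allow-list (no <script>, no on* handlers),
    // which is the same rule core applies to post content.
    $clean = current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );
    update_option( 'demo_footer', $clean );
}

function demo_render_footer_hardened() {
    // Output as an HTML block: re-run kses on the stored value rather than trusting the database.
    echo wp_kses_post( get_option( 'demo_footer', '' ) );
}

function demo_render_settings_field_hardened() {
    // The stored value goes back into a textarea, so escape it as element text.
    printf(
        '<textarea name="demo_footer">%s</textarea>',
        esc_textarea( get_option( 'demo_footer', '' ) )
    );
    wp_nonce_field( 'demo_save_footer' );
}

add_action( 'admin_init', 'demo_save_footer_hardened' );
```

The decisive check is the one at save time: the capability that decides whether raw markup may be persisted is unfiltered_html, not the role name, so a plugin that keys its behaviour on "is this user an admin" reopens exactly the hole these advisories describe. Escaping on output (wp_kses_post for a block, esc_attr or esc_textarea inside a form field) is still needed because the stored value may have been written by an older, unsanitised version of the plugin.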
CVE-2021-39203
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions authenticated users who don't have permission to view private post types/data can bypass restrictions in the block editor under certain conditions. This...
CVE-2021-24140
Unvalidated input in the Ajax Load More WordPress plugin, versions before 5.3.2, leads to SQL Injection in POST /wp-admin/admin-ajax.php with param repeater=' or sleep(5)=test...
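The payload quoted above is a time-based blind injection probe: a quote closes the string literal and the injected sleep(5) makes the response measurably slower when the input reaches the query unparameterised. The following is an added example, not the Ajax Load More plugin's code or anything from this listing; it assumes WordPress and its $wpdb object, and the AJAX action names demo_get_template_v1 / demo_get_template, the table demo_templates and the demo_* functions are hypothetical.

```php
<?php
/*
 * Added example (not the code of the plugin in the advisory above).
 * Assumes WordPress/$wpdb; action, table and function names are hypothetical.
 */

// VULNERABLE: the POST parameter is interpolated straight into SQL. With
// repeater=' or sleep(5)=test the WHERE clause becomes
//   WHERE name = '' or sleep(5)=test'   (the trailing quote is simply a syntax
// error to fix up with a comment or a second quote), so the database sleeps on
// every request and the attacker can extract data bit by bit from the delay.
// Registering the same callback on wp_ajax_nopriv_ makes it reachable without a login.
function demo_get_template_vulnerable() {
    global $wpdb;
    $repeater = $_POST['repeater'];
    $row = $wpdb->get_row(
        "SELECT body FROM {$wpdb->prefix}demo_templates WHERE name = '$repeater'"
    );
    wp_send_json( $row );
}
add_action( 'wp_ajax_demo_get_template_v1',        'demo_get_template_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_get_template_v1', 'demo_get_template_vulnerable' );

// HARDENED: nonce check, a strict allow-list on the identifier, a parameterised
// query via $wpdb->prepare, and no nopriv registration (only logged-in users).
function demo_get_template_hardened() {
    check_ajax_referer( 'demo_get_template' );             // dies with 403 if the nonce is missing/invalid

    $repeater = isset( $_POST['repeater'] ) ? sanitize_key( wp_unslash( $_POST['repeater'] ) ) : '';
    if ( ! preg_match( '/^[a-z0-9_-]{1,64}$/', $repeater ) ) {
        wp_send_json_error( 'invalid repeater', 400 );
    }

    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT body FROM {$wpdb->prefix}demo_templates WHERE name = %s",
        $repeater
    );
    $row = $wpdb->get_row( $sql );
    wp_send_json_success( $row );
}
add_action( 'wp_ajax_demo_get_template', 'demo_get_template_hardened' );
```

To confirm a handler like the vulnerable one is exploitable, time two POSTs to /wp-admin/admin-ajax.php that differ only in the repeater value (a benign string versus the quoted sleep payload); a consistent five-second difference is the signal. The fix is the prepare() call, not the allow-list alone: the allow-list narrows the attack surface, but only the placeholder guarantees the value is never parsed as SQL.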
CVE-2020-8799
A Stored XSS vulnerability has been found in the administration page of the WTI Like Post plugin through 1.4.5 for WordPress. Once the administrator has submitted the data, the script stored is executed for all the users visiting the website...
CVE-2019-9978
The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro...
CVE-2015-9342
The wp-rollback plugin before 1.2.3 for WordPress has XSS...
CVE-2019-9910
The kingcomposer plugin 2.7.6 for WordPress has wp-admin/admin.php?page=kc-mapper id XSS...
CVE-2019-15780
The formidable plugin before 4.02.01 for WordPress has unsafe deserialization...
CVE-2019-15112
The wp-slimstat plugin before 4.8.1 for WordPress has XSS...
CVE-2019-18855
A Denial Of Service vulnerability exists in the safe-svg aka Safe SVG plugin through 1.9.4 for WordPress, related to potentially unwanted elements or attributes...
CVE-2018-20838
ampforwp_save_steps_data in the AMP for WP plugin before 0.9.97.21 for WordPress allows stored XSS...
CVE-2013-7478
The events-manager plugin before 5.5 for WordPress has XSS via EM_Ticket::get_post...
CVE-2018-20985
The wp-payeezy-pay plugin before 2.98 for WordPress has local file inclusion in pay.php, donate.php, donate-rec, and pay-rec...
CVE-2016-10953
The Headway theme before 3.8.9 for WordPress has XSS via the license key field...
CVE-2016-10904
The olimometer plugin before 2.57 for WordPress has SQL injection...
CVE-2019-20181
The awesome-support plugin 5.8.0 for WordPress allows XSS via the post_title parameter...
CVE-2015-9300
The events-manager plugin before 5.5.7 for WordPress has multiple XSS issues...
CVE-2018-21002
The js-support-ticket plugin before 2.0.6 for WordPress has CSRF...
CVE-2015-9502
The Auberge theme before 1.4.5 for WordPress has XSS via the genericons/example.html anchor identifier...