260988 matches found

Nuclei | added yesterday | 24 views

WordPress FeedWordPress < 2022.0123 - Authenticated Cross-Site Scripting

The plugin is affected by a cross-site scripting vulnerability within the "visibility" parameter. id: CVE-2021-25055 info: name: WordPress FeedWordPress 2022.0123 - Authenticated Cross-Site Scripting author: DhiyaneshDK severity: medium description: | The plugin is affected by a cross-site...

CVSS 6.1 | AI score 6.1 | EPSS 0.01696
Exploits: 2 | References: 4
Nuclei | added yesterday | 24 views

WordPress Advanced Order Export For WooCommerce < 3.1.8 - Authenticated Cross-Site Scripting

WordPress Advanced Order Export For WooCommerce plugin before 3.1.8 contains an authenticated cross-site scripting vulnerability via the tab parameter in the admin panel. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can...

CVSS 6.1 | AI score 6.2 | EPSS 0.01858
Exploits: 5 | References: 5
Nuclei | added yesterday | 8 views

Registrations for The Events Calendar < 2.7.5 - Authenticated Reflected Cross-Site Scripting

The Registrations for the Events Calendar WordPress plugin before 2.7.5 does not escape the v parameter before outputting it back in an attribute, leading to a reflected cross-site scripting vulnerability. id: CVE-2021-24876 info: name: Registrations for The Events Calendar 2.7.5 - Authenticated Reflected...

CVSS 6.1 | AI score 6.3 | EPSS 0.00246
Exploits: 2 | References: 2
Nuclei | added yesterday | 104 views

WordPress Jannah Theme < 5.4.5 - Cross-Site Scripting

WordPress Jannah theme before 5.4.5 contains a reflected cross-site scripting vulnerability. It does not properly sanitize the 'query' POST parameter in its tieajaxsearch AJAX action. id: CVE-2021-24407 info: name: WordPress Jannah Theme 5.4.5 - Cross-Site Scripting author: pikpikcu severity:...

CVSS 6.1 | AI score 6.1 | EPSS 0.20956
Exploits: 2 | References: 4
Nuclei | added yesterday | 23 views

Count Per Day <= 3.1 - download.php f Parameter Traversal Arbitrary File Access

An absolute path traversal vulnerability in download.php in the Count Per Day module before 3.1.1 for WordPress allows remote attackers to read arbitrary files via the f parameter. id: CVE-2012-0896 info: name: Count Per Day = 3.1 - download.php f Parameter Traversal Arbitrary File Access author:...

CVSS 5 | AI score 8 | EPSS 0.00827
Exploits: 1 | References: 5
Nuclei | added yesterday | 13 views

WordPress ProfilePress <= 3.1.3 - Privilege Escalation

ProfilePress plugin before 3.1.4 allows privilege escalation. Due to insufficient validation in the profile update functionality, authenticated users can supply arbitrary usermeta fields, including wp_capabilities, during profile updates. This enables a user to escalate their privileges to...

CVSS 9.8 | AI score 7.9 | EPSS 0.61563
Exploits: 2 | References: 2
Nuclei | added yesterday | 9 views

GiveWP - Missing Authorization to Settings Update

GiveWP plugin through 2.5.9 for WordPress contains an unauthenticated settings change caused by a missing access check in includes/gateways/stripe/includes/admin/admin-actions.php, letting attackers modify settings without authentication; exploitation requires no authentication. id: CVE-2020-20627 info: name...

CVSS 5.3 | AI score 5.9 | EPSS 0.02812
Exploits: 0 | References: 4
Nuclei | added yesterday | 11 views

Ultimate Addons for Elementor <= 1.24.1 - Registration Bypass

An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled. id: CVE-2020-13125 info...

CVSS 9.9 | AI score 7.1 | EPSS 0.67023
Exploits: 1 | References: 2
Nuclei | added yesterday | 20 views

WordPress Simple Job Board < 2.9.4 - Local File Inclusion

WordPress Simple Job Board prior to version 2.9.4 is vulnerable to arbitrary file retrieval because it does not validate the sjb_file parameter when viewing a resume, allowing an authenticated user with the download_resume capability, such as an HR user, to download arbitrary files from...

CVSS 7.7 | AI score 7.3 | EPSS 0.77927
Exploits: 7 | References: 5
Nuclei | added yesterday | 111 views

WordPress wpDiscuz <= 7.0.4 - Remote Code Execution

WordPress wpDiscuz plugin versions 7.0 through 7.0.4 are susceptible to remote code execution. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site's server. id: CVE-2020-24186 info: nam...

CVSS 10 | AI score 8.7 | EPSS 0.94221
Exploits: 18 | References: 5
Nuclei | added yesterday | 54 views

InstaWP Connect < 0.1.0.86 - Local PHP File Inclusion

The InstaWP Connect - 1-click WP Staging & Migration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.1.0.85 via the 'instawp-database-manager' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files ...

CVSS 8.1 | AI score 8.6 | EPSS 0.068
Exploits: 0 | References: 3
Nuclei | added yesterday | 9 views

Premium Addons for Elementor - Unauthenticated Information Disclosure

Premium Addons for Elementor plugin for WordPress version 4.11.53 and below contains an unauthenticated information disclosure vulnerability. The vulnerability exists due to a missing authorization check in the gettemplatecontent AJAX handler, allowing unauthenticated attackers to retrieve private...

CVSS 5.3 | AI score 5.4 | EPSS 0.0049
Exploits: 0 | References: 4
Nuclei | added yesterday | 19 views

WordPress Laborator Neon Theme 2.0 - Cross-Site Scripting

WordPress Laborator Neon theme 2.0 contains a cross-site scripting vulnerability via the data/autosuggest-remote.php q parameter. id: CVE-2019-20141 info: name: WordPress Laborator Neon Theme 2.0 - Cross-Site Scripting author: knassar702 severity: medium description: WordPress Laborator Neon them...

CVSS 6.1 | AI score 6.1 | EPSS 0.12494
Exploits: 1 | References: 5
Nuclei | added yesterday | 21 views

WordPress Social Warfare < 3.5.3 - Cross-Site Scripting

WordPress Social Warfare plugin before 3.5.3 contains a cross-site scripting vulnerability via the swp_url parameter of wp-admin/admin-post.php?swp_debug=load_options, affecting Social Warfare and Social Warfare Pro. id: CVE-2019-9978 info: name: WordPress Social Warfare 3.5.3 - Cross-Site Scripting...

CVSS 6.1 | AI score 6.8 | EPSS 0.88711
Exploits: 18 | References: 5
Nuclei | added yesterday | 27 views

WordPress Sell Media 2.4.1 - Cross-Site Scripting

WordPress Plugin Sell Media v2.4.1 contains a cross-site scripting vulnerability in /inc/class-search.php that allows remote attackers to inject arbitrary web script or HTML via the keyword parameter, aka $searchterm or the Search field. id: CVE-2019-6112 info: name: WordPress Sell Media 2.4.1 -...

CVSS 6.1 | AI score 6.3 | EPSS 0.15827
Exploits: 1 | References: 5
Nuclei | added yesterday | 24 views

Visualizer < 3.3.1 - Blind Server-Side Request Forgery

Visualizer prior to 3.3.1 suffers from a blind server-side request forgery vulnerability via the /wp-json/visualizer/v1/upload-data endpoint. id: CVE-2019-16932 info: name: Visualizer 3.3.1 - Blind Server-Side Request Forgery author: akincibor severity: critical description: | Visualizer prior to...

CVSS 10 | AI score 7.7 | EPSS 0.80844
Exploits: 2 | References: 5
Nuclei | added yesterday | 21 views

WP Hotel Booking < 1.10.4 - PHP Object Injection

The wp-hotel-booking plugin through 1.10.2 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the thimpress_hotel_booking_1 cookie in load in includes/class-wphb-sessions.php. id: CVE-2020-29047 info: name: WP Hotel Booking 1.10.4 - PHP Object...

CVSS 9.8 | AI score 8.3 | EPSS 0.8462
Exploits: 2 | References: 3
Nuclei | added yesterday | 14 views

Nova Lite < 1.3.9 - Cross-Site Scripting

Nova Lite before 1.3.9 for WordPress is susceptible to reflected cross-site scripting via search.php. id: CVE-2020-17362 info: name: Nova Lite 1.3.9 - Cross-Site Scripting author: daffainfo severity: medium description: Nova Lite before 1.3.9 for WordPress is susceptible to reflected cross-site...

CVSS 6.1 | AI score 6.1 | EPSS 0.03855
Exploits: 1 | References: 4
Nuclei | added yesterday | 2 views

WordPress WPCOM Member <= 1.7.6 - SQL Injection

WPCOM Member plugin for WordPress up to 1.7.6 contains a time-based SQL injection caused by insufficient escaping and lack of preparation on the 'userphone' parameter, letting unauthenticated attackers extract sensitive information; exploitation requires sending a crafted 'userphone' parameter. id:...

CVSS 7.5 | AI score 8 | EPSS 0.20421
Exploits: 0 | References: 3
Nuclei | added yesterday | 74 views

WordPress Visitor Statistics <= 5.7 - SQL Injection

WordPress Visitor Statistics plugin through 5.7 contains multiple unauthenticated SQL injection vulnerabilities. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. id: CVE-2022-33965 info:...

CVSS 9.8 | AI score 8.1 | EPSS 0.42778
Exploits: 0 | References: 5