WordPress SpeakOut! Email Petitions plugin <= 2.14.14 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress SpeakOut! Email Petitions plugin versions <= 2.14.14. Solution: Update the WordPress SpeakOut! Email Petitions plugin to the latest available version, at least 2.14.15.1...
WordPress Mapping multiple URLs redirect same page plugin <= 5.8 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ran Crane in WordPress Mapping multiple URLs redirect same page plugin versions <= 5.8. Solution: Deactivate and delete. This plugin has been closed as of February 14, 2022 and is not available for download. This closure is temporary,...
WordPress URL Shortify plugin < 1.5.11 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress URL Shortify plugin versions < 1.5.11. Solution: Update the WordPress URL Shortify plugin to the latest available version, at least 1.5.11...
WordPress AP Pricing Tables Lite plugin <= 1.1.4 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ran Crane in WordPress AP Pricing Tables Lite plugin versions <= 1.1.4. Solution: Update the WordPress AP Pricing Tables Lite plugin to the latest available version, at least 1.1.5...
WordPress Header Footer Code Manager plugin <= 1.1.16 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ramuel Gall in WordPress Header Footer Code Manager plugin versions <= 1.1.16. Solution: Update the WordPress Header Footer Code Manager plugin to the latest available version, at least 1.1.17...
WordPress UpdraftPlus plugin <= 1.22.1 - Arbitrary Backup Downloads vulnerability
Arbitrary Backup Downloads vulnerability discovered by Marc-Alexandre Montpas (Automattic) in WordPress UpdraftPlus plugin versions <= 1.22.1. Solution: Update the WordPress UpdraftPlus plugin to the latest available version, at least 1.22.3...
WordPress Simple Ajax Chat plugin <= 20220115 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Philippe Dourassov (Patchstack Alliance) in WordPress Simple Ajax Chat plugin versions <= 20220115. Solution: Update the WordPress Simple Ajax Chat plugin to the latest available version, at least 20220216...
WordPress Flexi – Guest Submit plugin <= 4.19 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Felipe Tapia Sasot in WordPress Flexi – Guest Submit plugin versions <= 4.19. Solution: Update the WordPress Flexi – Guest Submit plugin to the latest available version, at least 4.20...
WordPress PublishPress Capabilities plugin <= 2.3 - Unauthenticated Settings Change vulnerability
Unauthenticated Settings Change vulnerability discovered by Krzysztof Zając in WordPress PublishPress Capabilities plugin versions <= 2.3. Solution: Update the WordPress PublishPress Capabilities plugin to the latest available version, at least 2.3.1...
WordPress Asgaros Forum plugin <= 1.15.12 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by JrXnm in WordPress Asgaros Forum plugin versions <= 1.15.12. Solution: Update the WordPress Asgaros Forum plugin to the latest available version, at least 1.15.13...
WordPress Meta Data and Taxonomies Filter (MDTF) plugin <= 1.2.7.2 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by Ryoma Nishioka in WordPress Meta Data and Taxonomies Filter (MDTF) plugin versions <= 1.2.7.2. Solution: Update the WordPress Meta Data and Taxonomies Filter (MDTF) plugin to the latest available version, at least 1.2.8...
WordPress Jannah premium theme <= 5.4.4 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Truoc Phan in WordPress Jannah premium theme versions <= 5.4.4. Solution: Update the WordPress Jannah premium theme to the latest available version, at least 5.4.5...
WordPress LearnPress plugin <= 3.2.6.7 - Authenticated Time Based Blind SQL Injection (SQLi) vulnerability
Authenticated Time-Based Blind SQL Injection (SQLi) vulnerability discovered in WordPress LearnPress plugin versions <= 3.2.6.7. Solution: Update the WordPress LearnPress plugin to the latest available version, at least 3.2.6.8...
WordPress Post PDF Export plugin <= 1.0.1 - Unauthenticated Local File Inclusion (LFI) vulnerability
Unauthenticated Local File Inclusion (LFI) vulnerability discovered by Random Robbie in WordPress Post PDF Export plugin versions <= 1.0.1. Solution: Plugin closed. Deactivate and delete...
WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
WordPress does not properly escape the lang attribute of an HTML element in wp-includes/general-template.php, which might allow an attacker to exploit XSS via the language setting of a site. Solution: Update WordPress to v4.9.1...
WordPress Content Timeline plugin <=4.4.2 - Multiple Blind SQL Injection vulnerabilities
Multiple Blind SQL Injection vulnerabilities found by Jeroen (ITNerdbox) in the premium WordPress plugin Content Timeline <= 4.4.2. It is possible to execute arbitrary SQL commands via the id parameter in contenttimelineclass.php, contenttimelineedit.php and contenttimelineindex.php. Solution: We were unable...
WordPress Meta Slider Plugin <= 2.1.6 - Full Path Disclosure
This plugin is prone to a full path disclosure vulnerability. Solution: Update the plugin...
WordPress ResAds Plugin <= 1.0.1 - Cross Site Scripting
This WordPress plugin is prone to a cross-site scripting (XSS) vulnerability. It allows remote attackers to inject arbitrary script or HTML. Solution: Update the plugin...
WordPress Blubrry PowerPress Podcasting Plugin <= 6.0.0 - XSS
This vulnerability allows an attacker to inject arbitrary web script or HTML via the "cat" parameter in the powerpressadmincategoryfeeds.php page to wp-admin/admin.php. Solution: Upgrade the plugin...
WordPress W3 Total Cache Plugin <= 0.9.4 - XSS
Because of this vulnerability, attackers can inject arbitrary web script or HTML via the "Cache key" in the HTML comments. Solution: Update the plugin...
WordPress VideoWhisper Live Streaming Integration Plugin <= 4.29.4 - Multiple Vulnerabilities
The error-handling feature in ls/rtmp.inc.php, videowhisperstreaming.php or bp.php allows attackers to obtain sensitive information via a direct request, which reveals the full path in an error message. Solution: Update the plugin...
WordPress WPStoreCart Plugin 2.5.27 - 2.5.29 - Arbitrary File Upload
The WPStoreCart plugin is prone to an arbitrary file upload vulnerability. Access to this script is not properly restricted, so an attacker can upload files containing malicious PHP code and run them in the context of the web server process. Other attacks are also possible. Solutio...
WordPress WP Forum Server Plugin <= 2.3 - Multiple SQL Injection
Because of these vulnerabilities, attackers can execute arbitrary SQL commands. Solution: Update the plugin...
WordPress - Privileges Unchecked in admin.php and Multiple Information
This WordPress vulnerability was found in the way that WordPress handles some URL requests. It results in unprivileged users viewing the content of plugin configuration pages, modifying plugin options in some plugins, and injecting JavaScript code. The code is arbitrary and it may be run by a malicio...
WordPress Email Marketing for WooCommerce by Omnisend plugin <= 1.19.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Vimalatithyan S. (Technieum) in WordPress Plugin Email Marketing for WooCommerce by Omnisend versions <= 1.19.0...
WordPress REST API | Custom API Generator For Cross Platform And Import Export In WP plugin <= 2.0.3 - Missing Authorization to Unauthenticated Privilege Escalation via process_handler Function vulnerability
Missing Authorization to Unauthenticated Privilege Escalation via process_handler Function vulnerability discovered by kr0d in WordPress Plugin REST API | Custom API Generator For Cross Platform And Import Export In WP versions <= 2.0.3...
WordPress Booking calendar, Appointment Booking System Plugin <= 3.2.15 is vulnerable to Cross Site Scripting (XSS)
Software: Booking calendar, Appointment Booking System; Type: Plugin; Vulnerable versions: <= 3.2.15; Fixed in: 3.2.16; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-9504; Patch priority: Medium; CVSS severity: Medium (7.1); PSID...
WordPress Extensions for Elementor Plugin <= 2.0.40 is vulnerable to Cross Site Scripting (XSS)
Software: Extensions for Elementor; Type: Plugin; Vulnerable versions: <= 2.0.40; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-52471; Patch priority: Medium; CVSS severity: Medium (7.1); PSID: 37895dfd43f1; Credits: Le Ngoc Anh; Required...
WordPress Download Monitor Plugin <= 5.0.12 is vulnerable to Broken Access Control
Software: Download Monitor; Type: Plugin; Vulnerable versions: <= 5.0.12; Fixed in: 5.0.13; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2024-10092; Patch priority: Low; CVSS severity: Low (5.4); Developer: WPChill; PSID: 47be9fcd45fd; Credits: Trương Hữu Phúc truonghuuphuc...
WordPress WPBakery Page Builder Plugin <= 7.7 is vulnerable to Cross Site Scripting (XSS)
Software: WPBakery Page Builder; Type: Plugin; Vulnerable versions: <= 7.7; Fixed in: 7.8; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-5708; Patch priority: Low; CVSS severity: Low (5.9); Developer: WPBakery; PSID: 535392115bbf; Credits: João Pedro Soares de Alcântar...
WordPress Networker Theme <= 1.1.9 is vulnerable to Broken Access Control
Software: Networker; Type: Theme; Vulnerable versions: <= 1.1.9; Fixed in: 1.1.10; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2024-2962; Patch priority: Low; CVSS severity: Low (5.3); PSID: c70a9d136cac; Credits: Muhammad Zeeshan Xib3rR4dAr; Required...
WordPress (Simply) Guest Author Name Plugin <= 4.34 is vulnerable to Cross Site Scripting (XSS)
Software: Simply Guest Author Name; Type: Plugin; Vulnerable versions: <= 4.34; Fixed in: 4.35; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-0254; Patch priority: Low; CVSS severity: Low (6.5); PSID: cc1614290005; Credits: Francesco Carlucc...
WordPress OPcache Dashboard Plugin <= 0.3.1 is vulnerable to Cross Site Scripting (XSS)
Software: OPcache Dashboard; Type: Plugin; Vulnerable versions: <= 0.3.1; Fixed in: N/A; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-45064; Patch priority: Medium; CVSS severity: Medium (7.1); PSID: 88a7f0a12d7e; Credits: LEE SE HYOUNG...
WordPress Defender Security plugin <= 3.3.2 - Broken Authentication vulnerability
Broken Authentication vulnerability discovered by Calvin Alkan in the WordPress Defender Security plugin versions <= 3.3.2. Solution: Update the WordPress Defender Security plugin to the latest available version, at least 3.3.3...
WordPress Clerk plugin <= 3.8.2 - Auth. Bypass and API Keys Disclosure vulnerability
Auth. Bypass and API Keys Disclosure vulnerability discovered by Francesco Carlucci in the WordPress Clerk plugin versions <= 3.8.2. Solution: Update the WordPress Clerk plugin to the latest available version, at least 4.0...
WordPress WP ALL Export Pro premium plugin <= 1.7.8 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Sanjay Das in WordPress WP ALL Export Pro premium plugin versions <= 1.7.8. Solution: Update the WordPress WP ALL Export Pro plugin to the latest available version, at least 1.7.9...
WordPress miniOrange Discord Integration plugin <= 2.1.5 - Authenticated App Disabling vulnerability
Authenticated App Disabling vulnerability discovered by Lana Codes in WordPress miniOrange Discord Integration plugin versions <= 2.1.5. Solution: Update the WordPress miniOrange Discord Integration plugin to the latest available version, at least 2.1.6...
WordPress WPide plugin <= 2.6 - Authenticated Arbitrary File Edit/Upload vulnerability
Authenticated Arbitrary File Edit/Upload vulnerability discovered by Vlad Vector (Patchstack) in WordPress WPide plugin versions <= 2.6. Solution: Update the WordPress WPIDE – File Manager & Code Editor plugin to the latest available version, at least 3.0...
WordPress Request a Quote plugin <= 2.3.7 - CSV Injection vulnerability
CSV Injection vulnerability discovered by Benachi in WordPress Request a Quote plugin versions <= 2.3.7. Solution: Deactivate and delete. This plugin has been closed as of June 21, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Easy SVG Support plugin <= 3.2.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability via SVG
Authenticated Stored Cross-Site Scripting (XSS) vulnerability via SVG discovered by Luan Pedersini in WordPress Easy SVG Support plugin versions <= 3.2.0. Solution: Update the WordPress Easy SVG Support plugin to the latest available version, at least 3.3.0...
WordPress Genki Pre-Publish Reminder plugin <= 1.4.1 - Stored XSS and RCE via CSRF vulnerability
Stored XSS and RCE via CSRF vulnerability discovered by Daniel Ruf in WordPress Genki Pre-Publish Reminder plugin versions <= 1.4.1. Solution: Deactivate and delete. This plugin has been closed as of May 17, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Jupiter premium theme <= 6.10.1 - Insufficient Access Control leading to Authenticated Arbitrary Plugin Deletion
Insufficient Access Control leading to Authenticated Arbitrary Plugin Deletion discovered by Ramuel Gall (Wordfence) in WordPress Jupiter premium theme versions <= 6.10.1. Solution: Update the WordPress Jupiter premium theme to the latest available version, at least 6.10.2...
WordPress Responsive Tabs plugin <= 4.0.5 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Responsive Tabs plugin versions <= 4.0.5. Solution: No patched version is available...
WordPress Visual Form Builder plugin <= 3.0.7 - Cross-Site Request Forgery (CSRF) vulnerability leading to Entries Deletion/Restoration
Cross-Site Request Forgery (CSRF) vulnerability leading to Entries Deletion/Restoration discovered by Vishnupriya Ilango in WordPress Visual Form Builder plugin versions <= 3.0.7. Solution: Update the WordPress Visual Form Builder plugin to the latest available version, at least 3.0.8...
WordPress Mycred plugin <= 2.4.4 - User E-mail Addresses Disclosure vulnerability
User E-mail Addresses Disclosure vulnerability discovered by Krzysztof Zając in WordPress Mycred plugin versions <= 2.4.4. Solution: Update the WordPress Mycred plugin to the latest available version, at least 2.4.4.1...
WordPress English WordPress Admin plugin <= 1.5.1 - Unauthenticated Open Redirect vulnerability
Unauthenticated Open Redirect vulnerability discovered by Krzysztof Zając in WordPress English WordPress Admin plugin versions <= 1.5.1. Solution: Update the WordPress English WordPress Admin plugin to the latest available version, at least 1.5.2...
WordPress Responsive Menu plugin <= 4.1.7 - Nonce token leak leading to arbitrary file upload, theme deletion, plugin settings change vulnerability
Nonce token leak leading to arbitrary file upload, theme deletion and plugin settings change vulnerability discovered by Dave Jong (Patchstack) in WordPress Responsive Menu plugin versions <= 4.1.7. Solution: Update the WordPress Responsive Menu plugin to the latest available version, at least 4.1.8...
WordPress Super Socializer plugin <= 7.13.29 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Super Socializer plugin versions <= 7.13.29. Solution: Update the WordPress Super Socializer plugin to the latest available version, at least 7.13.30...
WordPress Library File Manager plugin <= 5.2.2 - Arbitrary File Creation/Upload/Deletion vulnerability
Arbitrary File Creation/Upload/Deletion vulnerability discovered by Luan Pedersini in WordPress Library File Manager plugin versions <= 5.2.2. Solution: Update the WordPress Library File Manager plugin to the latest available version, at least 5.2.3...
WordPress Tranzly: Automatic Translation plugin <= 1.0.2 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress Tranzly: Automatic Translation plugin versions <= 1.0.2. Solution: Update the WordPress Tranzly: Automatic Translation plugin to the latest available version, at least 1.1.0...