WordPress Stats Plugin <= 2.51 - Multiple Vulnerabilities
This plugin is prone to cross-site scripting and cross-site request forgery vulnerabilities. Solution: Update the plugin...
WordPress Velvet Theme - XSS
This WordPress theme is prone to a cross-site scripting (XSS) vulnerability. It allows remote attackers to inject arbitrary script or HTML. Solution: Update the theme...
WordPress Weather Station Plugin <= 3.8.12 is vulnerable to Cross Site Request Forgery (CSRF)
Software: Weather Station. Type: Plugin. Vulnerable versions: <= 3.8.12. Fixed in: 3.8.13. OWASP Top 10: A5: Broken Access Control. Classification: Cross Site Request Forgery (CSRF). CVE: CVE-2023-25478. Patch priority: Low. CVSS severity: Low (4.3). Developer: Jason Rouet. PSID: aa96ede98f40. Credits: Mika. Required privile...
WordPress BookingPress plugin <= 1.0.10 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress BookingPress plugin versions <= 1.0.10. Solution: Update the WordPress BookingPress plugin to the latest available version, at least 1.0.11...
WordPress core <= 6.0.2 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability due to improper sanitization in WP_Date_Query discovered by Michael Mazzolini in WordPress core versions <= 6.0.2. Solution: Update WordPress core to the latest available version, at least 6.0.3...
WordPress Template Debugger Plugin <= 3.1.2 is vulnerable to Cross Site Request Forgery (CSRF)
Software: Template Debugger. Type: Plugin. Vulnerable versions: <= 3.1.2. Fixed in: N/A. OWASP Top 10: A5: Broken Access Control. Classification: Cross Site Request Forgery (CSRF). CVE: CVE-2023-35773. Patch priority: Low. CVSS severity: Low (4.3). Developer: Claim ownership. PSID: 56b91763eae2. Credits: Nguyen Xuan Chien...
WordPress Multi-day Booking Calendar Plugin <= 1.0.1 is vulnerable to Cross Site Scripting (XSS)
Software: Multi-day Booking Calendar. Type: Plugin. Vulnerable versions: <= 1.0.1. Fixed in: N/A. OWASP Top 10: A3: Injection. Classification: Cross Site Scripting (XSS). CVE: CVE-2024-51873. Patch priority: Low. CVSS severity: Low (6.5). Developer: Claim ownership. PSID: 1e4344dc5b6c. Credits: SOPROBRO. Required privilege...
WordPress Music Theme - Full Path Disclosure
This vulnerability allows attackers to obtain sensitive information via an invalid upload request. Solution: Update the theme...
WordPress Google Maps Anywhere plugin <= 1.2.6.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Vinay Varma Mudunuri and Krishna Harsha Kondaveeti in WordPress Google Maps Anywhere plugin versions <= 1.2.6.3. Solution: Deactivate and delete. This plugin has been closed as of July 15, 2022 and is not available for download...
WordPress File Uploader Plugin - File Upload
This plugin is prone to a PHP file upload vulnerability. Solution: Update the plugin...
WordPress Core Tweaks WP Setup plugin <= 4.1 - Arbitrary Admin Account Creation / Admin Email Update via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Admin Account Creation / Admin Email Update via Cross-Site Request Forgery (CSRF) vulnerability discovered by Francesco Carlucci in WordPress Core Tweaks WP Setup plugin versions <= 4.1. Solution: Deactivate and delete. This plugin has been closed as of October 7, 2021 and is not available...
WordPress Basic Theme - File Upload Arbitrary Code Execution
A "themify-ajax.php" file upload arbitrary PHP code execution vulnerability was found in the WordPress Basic theme. Solution: Update the theme...
WordPress Slideshow Plugin - Multiple Cross Site Scripting Vulnerabilities
WordPress Slideshow plugin is prone to multiple cross-site scripting vulnerabilities. These vulnerabilities allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. In that way, an attacker can steal cookie-based authentication...
WordPress Kubio AI Page Builder Plugin <= 2.2.4 is vulnerable to Cross Site Scripting (XSS)
Software Kubio AI Page Builder Type Plugin Vulnerable versions = 2.2.4 Fixed in 2.2.5 OWASP Top 10 A3: Injection Classification Cross Site Scripting XSS CVE CVE-2024-39661 Patch priority Low CVSS severity Low 6.5 Developer Claim ownership PSID 1f99ae38011a Credits João Pedro S Alcântara Kinorth...
WordPress Download Manager Plugin <= 1.60 - CSRF
This vulnerability allows attackers to hijack the authentication of arbitrary users for requests that insert cross-site scripting sequences. Solution: Update the plugin...
WordPress Expose Theme - Cross Site Scripting
This vulnerability allows an attacker to inject arbitrary web script or HTML. Solution: Update the theme...
WordPress Finder Plugin - Cross Site Scripting
The "order" parameter of the WordPress Finder plugin is prone to a cross-site scripting vulnerability because the plugin fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal...
WordPress Source Theme - Cross Site Scripting
This WordPress theme is prone to a cross-site scripting (XSS) vulnerability. It allows remote attackers to inject arbitrary script or HTML. Solution: Update the theme...
WordPress File Manager plugin <= 2.9 - Authenticated Cross-Site Scripting (XSS) vulnerability
Authenticated Cross-Site Scripting (XSS) vulnerability found by ly55521 in WordPress File Manager plugin versions <= 2.9. Solution: Update the WordPress File Manager plugin to the latest available version, at least 3.0...
WordPress External Links Plugin <= 1.80 - Multiple Cross Site Scripting
This vulnerability allows remote attackers to inject malicious script code into the application side of the vulnerable modules. Solution: Update the plugin...
WordPress Rename Plugin <= 1.0 - Absolute Path Traversal
Absolute path traversal vulnerability in mysqldumpdownload.php in the WordPress Rename plugin 1.0 allows remote attackers to read arbitrary files via a full pathname in the dumpfname parameter. Solution: Update the plugin...
WordPress WooCommerce plugin <= 6.5.1 - Authenticated Stored HTML Injection vulnerability
Authenticated Stored HTML Injection vulnerability discovered by Taurus Omar in WordPress WooCommerce plugin versions <= 6.5.1. Solution: Update the WordPress WooCommerce plugin to the latest available version, at least 6.6.0...
WordPress TheCartPress plugin <= 1.5.3.6 - Unauthenticated Privilege Escalation vulnerability
Unauthenticated Privilege Escalation vulnerability discovered by spacehen in WordPress TheCartPress plugin versions <= 1.5.3.6. Solution: Deactivate and delete. This plugin has been closed as of October 5, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress Purity Theme - Multiple Cross Site Scripting Vulnerabilities
WordPress Purity theme is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal...
WordPress Dark Mode plugin <=1.6 - Multiple stored Cross-Site Scripting (XSS) vulnerabilities
Multiple stored Cross-Site Scripting (XSS) vulnerabilities found by d4wner in WordPress Dark Mode plugin versions <= 1.6. XSS exists via the wp-admin/profile.php darkmodestart parameter and darkmodeend parameter. Solution: Update the WordPress Dark Mode plugin to the latest available version, at least...
WordPress Add to Feedly Plugin <= 1.2.11 - Cross Site Request Forgery (CSRF) Vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by Nguyen Xuan Chien in WordPress Add to Feedly plugin versions <= 1.2.11...
WordPress Disable Right Click For WP plugin <= 1.1.6 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by Rasi Afeef (Patchstack Alliance) in WordPress Disable Right Click For WP plugin versions <= 1.1.6. Solution: No patched version is available. No reply from the vendor...
WordPress Elementor plugin <= 3.5.5 - Unauthenticated DOM-based Reflected Cross-Site Scripting (XSS) vulnerability
Unauthenticated DOM-based Reflected Cross-Site Scripting (XSS) vulnerability discovered by Rotem Bar (Patchstack Alliance) in WordPress Elementor plugin versions <= 3.5.5. Solution: Update the WordPress Elementor plugin to the latest available version, at least 3.5.6...
WordPress RAYS Grid plugin <= 1.2.2 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress RAYS Grid plugin versions <= 1.2.2. Solution: Update the WordPress RAYS Grid plugin to the latest available version, at least 1.2.3...
WordPress Duplicate Post plugin <= 1.1.9 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by AppCheck in WordPress Duplicate Post plugin versions <= 1.1.9. Solution: Update the WordPress Duplicate Post plugin to the latest available version, at least 1.2.0...
WordPress <= 6.0.1 - Authenticated SQL Injection (SQLi) vulnerability via Link API
Authenticated SQL Injection (SQLi) vulnerability via Link API discovered by FVD in WordPress core versions <= 6.0.1. Solution: Update WordPress to the latest available version, at least 6.0.2, or another patched version...
WordPress WPForms Pro premium plugin <= 1.7.6 - CSV Injection vulnerability
CSV Injection vulnerability discovered by Francesco Carlucci in WordPress WPForms Pro premium plugin versions <= 1.7.6. Solution: Update the WordPress WPForms Pro plugin to the latest available version, at least 1.7.7...
WordPress Electric Studio Client Login Plugin <= 0.8.1 is vulnerable to Cross Site Scripting (XSS)
Software: Electric Studio Client Login. Type: Plugin. Vulnerable versions: <= 0.8.1. Fixed in: N/A. OWASP Top 10: A7: Cross-Site Scripting (XSS). Classification: Cross Site Scripting (XSS). CVE: CVE-2023-27425. Patch priority: Low. CVSS severity: Low (5.9). Developer: Claim ownership. PSID: e719915b675a. Credits: Padavishree...
WordPress Telegram for WP plugin <= 1.6.1 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Authenticated (Admin+) Stored Cross-Site Scripting vulnerability discovered by Nabil Irawan in WordPress Telegram for WP plugin versions <= 1.6.1...
WordPress core <= 5.8 - Data Exposure via REST API vulnerability
Data Exposure via REST API vulnerability discovered by Michael Adams in WordPress core versions <= 5.8. Version update list: 5.8 updated to 5.8.1, 5.7.2 updated to 5.7.3, 5.7.1 updated to 5.7.3, 5.7 updated to 5.7.3, 5.6.4 updated to 5.6.5, 5.6.3 updated to 5.6.5, 5.6.2 updated to 5.6.5, 5.6.1...
WordPress < 5.8 - Plugin Confusion vulnerability
Plugin Confusion vulnerability discovered by Kamil Vavra in WordPress versions <= 5.7.4. Solution: Update WordPress to the latest available version, at least 5.8, or another patched version...
WordPress <= 5.8.2 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by Ngocnb and Khuyenn (GiaoHangTietKiem JSC) in WordPress versions <= 5.8.2. Solution: Update WordPress to the latest available version, at least 5.8.3...
WordPress File Upload plugin <= 4.12.2 - Directory Traversal vulnerability leading to Remote Code Execution (RCE)
Directory Traversal vulnerability leading to Remote Code Execution (RCE) discovered by p4w in WordPress File Upload plugin versions <= 4.12.2. Solution: Update the WordPress File Upload plugin to the latest available version, at least 4.13.0...
WordPress Thanh Toán Quét Mã QR Code Tự Động Plugin <= 2.0.1 is vulnerable to Cross Site Scripting (XSS)
Software: Thanh Toán Quét Mã QR Code Tự Động. Type: Plugin. Vulnerable versions: <= 2.0.1. Fixed in: N/A. OWASP Top 10: A7: Cross-Site Scripting (XSS). Classification: Cross Site Scripting (XSS). CVE: CVE-2024-8914. Patch priority: Low. CVSS severity: Low (7.1). Developer: Claim ownership. PSID: 39d2756c43d9. Credits: Frances...
WordPress <= 5.8.2 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by Ben Bidner in WordPress versions <= 5.8.2. Solution: Update WordPress to the latest available version, at least 5.8.3...
WordPress core <= 5.8 - Command injection vulnerability in the Lodash library
Command injection vulnerability in the Lodash library in WordPress core versions <= 5.8. Version update list: 5.8 updated to 5.8.1, 5.7.2 updated to 5.7.3, 5.7.1 updated to 5.7.3, 5.7 updated to 5.7.3, 5.6.4 updated to 5.6.5, 5.6.3 updated to 5.6.5, 5.6.2 updated to 5.6.5, 5.6.1 updated to 5.6.5,...
WordPress Hummingbird plugin <= 3.3.1 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Taurus Omar in WordPress Hummingbird plugin versions <= 3.3.1. Solution: Update the WordPress Hummingbird plugin to the latest available version, at least 3.3.2...
WordPress Yoast SEO plugin 1.2.0-11.5 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability found by Sybre Waaijer in WordPress Yoast SEO plugin versions 1.2.0-11.5. Solution: Update the WordPress Yoast SEO plugin to the latest available version, at least 11.6...
WordPress WP Offload SES Lite plugin <= 1.4.4 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Ionut Morosan in WordPress WP Offload SES Lite plugin versions <= 1.4.4. Solution: Update the WordPress WP Offload SES Lite plugin to the latest available version, at least 1.4.5...
WordPress Simple Cart plugin <= 1.0.1 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Simple Cart plugin versions <= 1.0.1. Solution: Update the WordPress Simple Cart plugin to the latest available version, at least 1.0.2...
WordPress Scoutnet Kalender plugin <= 1.1.0 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability found by Simon Moser in WordPress Scoutnet Kalender plugin versions <= 1.1.0. Solution: 11.12.2019 - we were unable to find a patched version of this plugin...
WordPress AI Mojo – GPT-3 Playground for WordPress plugin < 0.2.5 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress AI Mojo – GPT-3 Playground for WordPress plugin versions < 0.2.5. Solution: Update the WordPress AI Mojo – GPT-3 Playground for WordPress plugin to the latest available version, at least 0.2.5...
WordPress BuddyForms Plugin <= 2.7.7 is vulnerable to PHP Object Injection
Software: BuddyForms. Type: Plugin. Vulnerable versions: <= 2.7.7. Fixed in: 2.7.8. OWASP Top 10: A1: Injection. Classification: PHP Object Injection. CVE: N/A. Patch priority: High. CVSS severity: High (5.4). Developer: Claim ownership. PSID: 2e9e362a10ab. Credits: WordFence. Required privilege: Subscriber. Published: 21...
WordPress core 4.7-5.7 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by Mikael Korpela in WordPress core versions 4.7-5.7. Solution: Update WordPress core to the latest available version, at least 5.7.1...
WordPress WP Contacts Manager plugin <= 2.2.4 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress WP Contacts Manager plugin versions <= 2.2.4. Solution: Deactivate and delete. This plugin has been closed as of April 20, 2022 and is not available for download. This closure is temporary, pending a full review...