WordPress Visual Composer Website Builder plugin <= 45.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability via Title
Authenticated Stored Cross-Site Scripting XSS vulnerability via Title discovered by Zhouyuan Yang in WordPress Visual Composer Website Builder plugin versions <= 45.0. Solution Update the WordPress Visual Composer Website Builder plugin to the latest available version at least 45.0.1...
WordPress BadgeOS plugin <= 3.7.1.2 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection SQLi vulnerability discovered by cydave in WordPress BadgeOS plugin versions <= 3.7.1.2. Solution Update the WordPress BadgeOS plugin to the latest available version at least 3.7.1.3...
WordPress Banner Cycler plugin <= 1.4 - Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS)
Cross-Site Request Forgery CSRF vulnerability leading to Cross-Site Scripting XSS discovered by MOTEKI TAKERU in WordPress Banner Cycler plugin versions <= 1.4. Solution Deactivate and delete. This plugin has been closed as of June 30, 2022 and is not available for download. This closure is...
WordPress Fluent Support plugin <= 1.5.7 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection SQLi vulnerability discovered by Rafshanzani Suhada in WordPress Fluent Support plugin versions <= 1.5.7. Solution Update the WordPress Fluent Support plugin to the latest available version at least 1.5.8...
WordPress E Unlocked - Student Result plugin <= 1.0.4 - Arbitrary File Upload via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary File Upload via Cross-Site Request Forgery CSRF vulnerability discovered by Raad Haddad in WordPress E Unlocked - Student Result plugin versions <= 1.0.4. Solution Deactivate and delete. This plugin has been closed as of July 11, 2022 and is not available for download. This closure is...
WordPress WP OAuth2 Server plugin <= 1.0.1 - Authentication Bypass vulnerability
Authentication Bypass vulnerability discovered by Lana Codes in WordPress WP OAuth2 Server plugin versions <= 1.0.1. Solution Deactivate and delete. This plugin has been closed as of June 23, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Exports and Reports plugin <= 0.9.1 - Authenticated CSV Injection vulnerability
Authenticated CSV Injection vulnerability discovered by websafe2021 in WordPress Exports and Reports plugin versions <= 0.9.1. Solution Update the WordPress Exports and Reports plugin to the latest available version at least 0.9.2...
WordPress CDI plugin <= 5.1.8 - Reflected Cross-Site-Scripting (XSS) vulnerability
Reflected Cross-Site-Scripting XSS vulnerability discovered in WordPress CDI plugin versions <= 5.1.8. Solution Update the WordPress CDI plugin to the latest available version at least 5.1.9...
WordPress Events Made Easy plugin <= 2.2.80 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection SQLi vulnerability discovered by cydave in WordPress Events Made Easy plugin versions <= 2.2.80. Solution Update the WordPress Events Made Easy plugin to the latest available version at least 2.2.81...
WordPress Admin Management Xtended plugin <= 2.4.4 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery CSRF vulnerabilities were discovered by Nguy Minh Tuan Patchstack Alliance in the WordPress Admin Management Xtended plugin versions <= 2.4.4. Solution Update the WordPress Admin Management Xtended plugin to the latest available version at least 2.4.5...
WordPress Newsletter plugin <= 7.4.4 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting XSS vulnerability discovered in WordPress Newsletter plugin versions <= 7.4.4. Solution Update the WordPress Newsletter plugin to the latest available version at least 7.4.5...
WordPress Form Maker by 10Web plugin <= 1.14.11 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting XSS vulnerability discovered by Abhinav Porwal & Hitesh Kumar in WordPress Form Maker by 10Web plugin versions <= 1.14.11. Solution Update the WordPress Form Maker by 10Web plugin to the latest available version at least 1.14.12...
WordPress PNG to JPG plugin <= 4.0 - Cross-Site Request Forgery (CSRF) leading to Persistent Cross-Site Scripting (XSS) vulnerability
Cross-Site Request Forgery CSRF leading to Persistent Cross-Site Scripting XSS vulnerability discovered by Ex.Mi Patchstack in WordPress PNG to JPG plugin versions <= 4.0. Solution Update the WordPress PNG to JPG plugin to the latest available version at least 4.1...
WordPress Code Snippets Extended plugin <= 1.4.7 - Cross-Site Request Forgery (CSRF) leading to Remote Code Execution (RCE) vulnerability
Cross-Site Request Forgery CSRF leading to Remote Code Execution RCE vulnerability discovered by Rasi Afeef Patchstack Alliance in WordPress Code Snippets Extended plugin versions <= 1.4.7. Solution No patched version is available. No reply from the vendor...
WordPress XML Sitemap Generator for Google plugin <= 2.0.3 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting XSS vulnerability discovered by Krzysztof Zając in WordPress XML Sitemap Generator for Google plugin versions <= 2.0.3. Solution Update the WordPress XML Sitemap Generator for Google plugin to the latest available version at least 2.0.4...
WordPress Subscribe To Comments Reloaded plugin <= 211130 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery CSRF vulnerabilities discovered by Ex.Mi Patchstack in WordPress Subscribe To Comments Reloaded plugin versions <= 211130. Solution Update the WordPress Subscribe To Comments Reloaded plugin to the latest available version at least 220502...
WordPress External Media without Import plugin <= 1.1.2 - Server-Side Request Forgery (SSRF) vulnerability
Server-Side Request Forgery SSRF vulnerability discovered by Luan Pedersini in WordPress External Media without Import plugin versions <= 1.1.2. Solution Deactivate and delete. This plugin has been closed as of March 28, 2022 and is not available for download. This closure is temporary, pending a...
WordPress Optimole plugin <= 3.3.1 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting XSS vulnerability discovered by Mika in WordPress Optimole plugin versions <= 3.3.1. Solution Update the WordPress Optimole plugin to the latest available version at least 3.3.2...
WordPress Slide Anything plugin <= 2.3.40 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection SQLi vulnerability discovered in WordPress Slide Anything plugin versions <= 2.3.40. Solution Update the WordPress Slide Anything plugin to the latest available version at least 2.3.41...
WordPress File Upload Pro premium plugin <= 4.16.2 - Stored Cross-Site Scripting (XSS) via Malicious SVG vulnerability
Stored Cross-Site Scripting XSS via Malicious SVG vulnerability discovered by apple502j in WordPress File Upload Pro premium plugin versions <= 4.16.2. Solution Update the WordPress File Upload Pro premium plugin to the latest available version at least 4.16.3...
WordPress MasterStudy LMS plugin <= 2.7.5 - Unauthenticated Admin Account Creation vulnerability
Unauthenticated Admin Account Creation vulnerability discovered by Numan Türle in WordPress MasterStudy LMS plugin versions <= 2.7.5. Solution Update the WordPress MasterStudy LMS plugin to the latest available version at least 2.7.6...
WordPress Code Snippets plugin <= 2.14.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting XSS vulnerability discovered by Krzysztof Zając in WordPress Code Snippets plugin versions <= 2.14.2. Solution Update the WordPress Code Snippets plugin to the latest available version at least 2.14.3...
WordPress Modern Events Calendar Lite plugin <= 6.1.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting XSS vulnerability discovered by Krzysztof Zając in WordPress Modern Events Calendar Lite plugin versions <= 6.1.0. Solution Update the WordPress Modern Events Calendar Lite plugin to the latest available version at least 6.1.5...
WordPress core <= 5.8.1 - Expired DST Root CA X3 Certificate issue
Expired DST Root CA X3 Certificate issue discovered by Bradley Taylor in WordPress core versions <= 5.8.1. Solution 5.8.1 fixed in 5.8.2, 5.8 fixed in 5.8.2, 5.7.3 fixed in 5.7.4, 5.7.2 fixed in 5.7.4, 5.7.1 fixed in 5.7.4, 5.7 fixed in 5.7.4, 5.6.5 fixed in 5.6.6, 5.6.4 fixed in 5.6.6, 5.6.3 fixe...
WordPress WP Fusion Lite plugin <= 3.37.18 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting XSS vulnerability discovered by Xu-Liang Liao in WordPress WP Fusion Lite plugin versions <= 3.37.18. Solution This plugin has been closed as of August 6, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress W3 Total Cache plugin <= 2.1.3 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting XSS vulnerability discovered by renniepak in WordPress W3 Total Cache plugin versions <= 2.1.3. Solution Update the WordPress W3 Total Cache plugin to the latest available version at least 2.1.4...
WordPress Car Seller – Auto Classifieds Script plugin <= 2.1.0 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection SQLi vulnerability discovered by Shreya Pohekar in WordPress Car Seller – Auto Classifieds Script plugin versions <= 2.1.0. Solution This plugin has been closed as of April 19, 2021 and is not available for download. This closure is permanent...
WordPress wpDiscuz plugin <= 7.0.4 - Unauthenticated Arbitrary File Upload vulnerability
Unauthenticated Arbitrary File Upload vulnerability found by Chloe Chamberland in WordPress wpDiscuz plugin versions <= 7.0.4. Solution Update the WordPress wpDiscuz plugin to the latest available version at least 7.0.5...
WordPress Ultimate Addons for Elementor plugin <= 1.24.1 - Registration Bypass vulnerability
Registration Bypass vulnerability discovered by WordFence in WordPress Ultimate Addons for Elementor plugin versions <= 1.24.1. Solution Update the WordPress Ultimate Addons for Elementor plugin to the latest available version at least 1.24.2...
WordPress WPML plugin <= 4.3.6 - Authenticated Cross-Site Request Forgery (CSRF) vulnerability leading to Remote Code Execution (RCE)
Authenticated Cross-Site Request Forgery CSRF vulnerability leading to Remote Code Execution RCE discovered by Gerard Arall in WordPress WPML plugin versions <= 4.3.6. Solution Update the WordPress WPML plugin to the latest available version at least 4.3.7...
WordPress YITH WooCommerce Multi Vendor plugin <= 3.4.0 - Authenticated Settings Change (YITH Plugin Framework <= 3.3.8) vulnerability
Authenticated Settings Change (YITH Plugin Framework <= 3.3.8) vulnerability found by Jerome Bruandet in WordPress YITH WooCommerce Multi Vendor plugin versions <= 3.4.0. Solution Update the WordPress YITH WooCommerce Multi Vendor plugin to the latest available version at least 3.4.1...
WordPress Photo Gallery by 10Web plugin <= 1.5.34 - SQL Injection (SQLi) vulnerability
SQL Injection SQLi vulnerability found in WordPress Photo Gallery by 10Web plugin versions <= 1.5.34. Solution Update the WordPress Photo Gallery by 10Web plugin to the latest available version at least 1.5.35...
WordPress Multi Step Form plugin <= 1.2.5 - Multiple Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerabilities
Multiple Unauthenticated Reflected Cross-Site Scripting XSS vulnerabilities found by Javier Olmedo in WordPress Multi Step Form plugin versions <= 1.2.5. Solution Update the WordPress Multi Step Form plugin to the latest available version at least 1.2.6...
WordPress <= 4.2.3 - XSS #1
This vulnerability exists in the "refreshAdvancedAccessibilityOfItem" function. It allows an attacker to inject arbitrary web script or HTML via an accessibility-helper title. Related records: http://db.threatpress.com/vulnerability/wordpress/wordpress-4-2-3-xss-2 Solution Update WordPress...
WordPress XCloner Plugin <= 3.1.2 - Multiple vulnerabilities
The XCloner plugin is prone to authenticated command execution and XSS vulnerabilities. Because of multiple vulnerabilities in cloner.functions.php, remote authenticated users can execute arbitrary commands via a file containing filenames with shell metacharacters. Solution Update the plugin...
WordPress <= 4.1.1 - Multiple XSS
Because MySQL is used without strict mode, attackers can inject arbitrary web script or HTML via a four-byte UTF-8 character or an invalid character that reaches the database layer. Solution Update WordPress...
WordPress Easing Slider Plugin <= 2.2.0.6 - XSS
This vulnerability allows attackers to inject arbitrary web script or HTML via the "edit" parameter. Solution Upgrade the plugin...
WordPress O2Tweet Plugin <= 0.0.4 - Multiple CSRF and XSS
These cross-site request forgery vulnerabilities allow attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors or conduct cross-site scripting attacks. Solution This plugin is closed...
WordPress <= 4.0.0 - Multiple Vulnerabilities #2
Multiple vulnerabilities in WordPress 4.0.0 and earlier allow attackers to obtain access to an account idle since 2008 by leveraging an improper PHP dynamic type comparison for an MD5 hash. Related records:...
WordPress NOSpamPTI Plugin - Blind SQL Injection
The NOSpamPTI plugin is prone to a blind SQL injection vulnerability because the wp-comments-post.php script does not properly sanitize the commentpostID in POST data. The issue allows an attacker to manipulate SQL queries in the back-end database, resulting in manipulation or disclosure of arbitrary data. Solutio...
WordPress Bradesco Gateway Plugin <= 2.0 - XSS
This vulnerability in falha.php allows attackers to inject arbitrary web script or HTML via the QUERYSTRING. Solution Update the plugin...
WordPress Sentinel Plugin <= 1.0.0 - SQL Injection
This vulnerability allows attackers to execute arbitrary SQL commands via unspecified vectors. Solution Update the plugin...
WordPress All-in-One Event Calendar Plugin 1.4 - "title" Parameter XSS
The "title" parameter of the WordPress All-in-One Event Calendar plugin's /wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the...
NPM: DOMPurify: Permanent `ALLOWED_ATTR` pollution via `setConfig()` bypassing the hook clone-guard (incomplete fix of the 3.4.7 hook-pollution patch)
NPM: DOMPurify: Permanent `ALLOWED_ATTR` pollution via `setConfig()` bypassing the hook clone-guard (incomplete fix of the 3.4.7 hook-pollution patch) vulnerability discovered by ? in WordPress Npm dompurify versions <= 3.4.10...
WordPress Wp Easy Allopass plugin <= 4.1.1 - Cross Site Request Forgery (CSRF) Vulnerability
Cross Site Request Forgery CSRF Vulnerability discovered by Chu The Anh Blue Rock in WordPress Plugin Wp Easy Allopass versions <= 4.1.1...
WordPress AppPresser Plugin <= 4.4.6 is vulnerable to Privilege Escalation
Software: AppPresser; Type: Plugin; Vulnerable versions: <= 4.4.6; Fixed in: 4.4.7; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Privilege Escalation; CVE: CVE-2024-11024; Patch priority: High; CVSS severity: High (9.8); PSID: 25ae1391ba68; Credits: shaman0x01...
WordPress Token Login Plugin <= 1.0.3 is vulnerable to Broken Authentication
Software: Token Login; Type: Plugin; Vulnerable versions: <= 1.0.3; Fixed in: N/A; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Broken Authentication; CVE: CVE-2024-50488; Patch priority: High; CVSS severity: High (8.8); PSID: 18531b1d1720; Credits: stealthcopte...
WordPress Bit File Manager Plugin <= 6.5.7 is vulnerable to Arbitrary File Upload
Software: Bit File Manager; Type: Plugin; Vulnerable versions: <= 6.5.7; Fixed in: 6.5.8; OWASP Top 10: A3: Injection; Classification: Arbitrary File Upload; CVE: CVE-2024-8743; Patch priority: High; CVSS severity: High (6.8); PSID: c3b2ce42763f; Credits: TANG Cheuk Hei siunam; Required privileg...
WordPress LiteSpeed Cache Plugin <= 6.4.1 is vulnerable to Path Traversal
Software: LiteSpeed Cache; Type: Plugin; Vulnerable versions: <= 6.4.1; Fixed in: 6.5.1; OWASP Top 10: A3: Injection; Classification: Path Traversal; CVE: CVE-2024-47637; Patch priority: Low; CVSS severity: Low (8.8); Developer: Hai Zheng / Lite Speed Cache; PSID: 9f05c0b173ee; Credits: TaiYou; Required privilege: Author...
WordPress Z Y N I T H Plugin <= 7.4.9 is vulnerable to Settings Change
Software: Z Y N I T H; Type: Plugin; Vulnerable versions: <= 7.4.9; Fixed in: N/A; OWASP Top 10: A1: Broken Access Control; Classification: Settings Change; CVE: CVE-2024-43940; Patch priority: Medium; CVSS severity: Medium (6.5); PSID: b82e28b179e8; Credits: Dave Jong Patchstack; Required...