WordPress Wechat Broadcast plugin <= 1.2.0 - Local/Remote File Inclusion vulnerability
A Local/Remote File Inclusion vulnerability was found by Manuel Garcia Cardenas in WordPress Wechat Broadcast plugin versions <= 1.2.0. Solution 2018 October 3rd - no patched version available to download. We recommend deactivating and uninstalling...
WordPress Apocalypse Meow plugin <= 21.2.7 - BCrypt Authentication Bypass vulnerability
A BCrypt Authentication Bypass vulnerability was found by Steve Sc00bzT in WordPress Apocalypse Meow plugin versions <= 21.2.7. Solution Update the WordPress Apocalypse Meow plugin to the latest available version, at least 21.2.8...
WordPress Mail Masta plugin <= 1.0 - Local File Inclusion (LFI) vulnerability
A Local File Inclusion vulnerability exists in the WordPress Mail Masta plugin 1.0. This vulnerability allows remote attackers to include arbitrary files on the server via the "dynamic file inclusion" mechanism in the Mail Masta plugin. Solution This plugin has been closed and is no longer available fo...
WordPress Ultimate Membership Pro Plugin 3.3 - SQL Injection
The WordPress Ultimate Membership Pro plugin is prone to an SQL injection vulnerability. This vulnerability allows an attacker to modify data, compromise access to the application, or exploit hidden vulnerabilities in the underlying database. Solution Update the WordPress plugin to the newest stable and safe...
WordPress Ninja Forms Plugin <= 2.9.42.0 - PHP Object Injection
This vulnerability allows an attacker to conduct PHP object injection attacks via crafted serialized values in a POST request. Solution Update the plugin...
WordPress Ninja Forms Plugin <= 2.8.8 - Multiple XSS
These vulnerabilities allow attackers to inject arbitrary web script or HTML via the "ninjaformsfield1" parameter in a ninjaformsajaxsubmit action to wp-admin/admin-ajax.php. In addition, multiple cross-site scripting vulnerabilities allow administrators to inject arbitrary web script or...
WordPress <= 3.6.0 - Privilege Escalation
This vulnerability allows authors to create an entry that appears to be written by another user. Solution Update the plugin...
WordPress <= 3.6.0 - Multiple vulnerabilities
Attackers can bypass intended redirection restrictions via a crafted string, because this WordPress version and earlier versions do not properly validate URLs before using them in an HTTP redirect. Solution Update the plugin...
WordPress Better WP Security Plugin <= 3.2.4 - XSS
This vulnerability in inc/admin/content.php allows attackers to inject arbitrary web script or HTML via the HTTPUSERAGENT header. Solution Update the plugin...
WordPress <= 3.3.1 - Unspecified vulnerability
There is an unspecified vulnerability in wp-includes/js/swfobject.js with unknown impact and attack vectors. Solution Update WordPress...
WordPress Block Spam By Math Reloaded Plugin - Bypass
A bypass vulnerability was discovered in the WordPress Block Spam By Math Reloaded plugin. Solution Update the plugin...
WordPress BackWPup Plugin - Remote and Local Code Execution
The WordPress BackWPup plugin is prone to a remote and local code execution vulnerability. Input passed to the component "wpxmlexport.php" via the "wpabs" variable allows the inclusion and execution of local or remote PHP files as long as a "nonce" value is known. Solution Update the plug...
WordPress <= 2.0.6 - Full Path disclosure
This vulnerability allows attackers to obtain sensitive information via an invalid m parameter. Solution Update WordPress to the latest available version, at least 2.0.7...
WordPress Advanced Custom Fields Plugin <= 6.3.6 is vulnerable to Arbitrary Code Execution
Software: Advanced Custom Fields; Type: Plugin; Vulnerable versions: <= 6.3.6; Fixed in: 6.3.6.1; OWASP Top 10: A1: Injection; Classification: Arbitrary Code Execution; CVE: CVE-2024-9529; Patch priority: Low; CVSS severity: Low (5.4); PSID: 2b40e735610b; Credits: Automattic Security Team...
WordPress WP Testimonial Widget Plugin <= 3.1 is vulnerable to SQL Injection
Software: WP Testimonial Widget; Type: Plugin; Vulnerable versions: <= 3.1; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: SQL Injection; CVE: CVE-2024-43966; Patch priority: Low; CVSS severity: Low (7.6); PSID: 505085fbb60c; Credits: hnwmn; Required privilege: Administrator; Publishe...
WordPress TI WooCommerce Wishlist Plugin <= 2.8.2 is vulnerable to SQL Injection
Software: TI WooCommerce Wishlist; Type: Plugin; Vulnerable versions: <= 2.8.2; Fixed in: 2.9.0; OWASP Top 10: A3: Injection; Classification: SQL Injection; CVE: CVE-2024-43917; Patch priority: High; CVSS severity: High (9.3); PSID: 55f8b0990265; Credits: Rafie Muhammad (Patchstack); Required...
WordPress MapPress Maps for WordPress Plugin <= 2.88.16 is vulnerable to Cross Site Scripting (XSS)
Software: MapPress Maps for WordPress; Type: Plugin; Vulnerable versions: <= 2.88.16; Fixed in: 2.88.17; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-7225; Patch priority: Low; CVSS severity: Low (6.5); PSID: fbcdd95991b2; Credits: Akbar...
WordPress JetSmartFilters Plugin <= 3.2.2 is vulnerable to Cross Site Request Forgery (CSRF)
Software: JetSmartFilters; Type: Plugin; Vulnerable versions: <= 3.2.2; Fixed in: 3.2.2.1; OWASP Top 10: A1: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2023-48762; Patch priority: Low; CVSS severity: Low (6.3); Developer: Crocoblock; PSID: cc4e59f9bb8e; Credits: Rafie Muhammad...
WordPress Ajax Archive Calendar Plugin <= 2.6.7 is vulnerable to Cross Site Scripting (XSS)
Software: Ajax Archive Calendar; Type: Plugin; Vulnerable versions: <= 2.6.7; Fixed in: 2.6.8; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2023-46069; Patch priority: Medium; CVSS severity: Medium (6.5); PSID: 2c6a1e009987; Credits: Ngô Thiên An (ancorn) from...
WordPress Defender Security Plugin < 4.1.0 is vulnerable to Bypass Vulnerability
Software: Defender Security; Type: Plugin; Vulnerable versions: < 4.1.0; Fixed in: 4.1.0; OWASP Top 10: A1: Broken Access Control; Classification: Bypass Vulnerability; CVE: CVE-2023-5089; Patch priority: Low; CVSS severity: Low (5.3); Developer: WPMU DEV; PSID: e45ed857552b; Credits: Juan Pablo Gomez Postigo; Required...
WordPress WP-Advanced-Search Plugin <= 3.3.8 is vulnerable to Cross Site Request Forgery (CSRF)
Software: WP-Advanced-Search; Type: Plugin; Vulnerable versions: <= 3.3.8; Fixed in: 3.3.9; OWASP Top 10: A5: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2022-47447; Patch priority: Low; CVSS severity: Low (4.3); PSID: 9c0a9b80e999; Credits: rezaduty; Require...
WordPress WPTools plugin <= 3.42 - Auth. Arbitrary Plugin Installation vulnerability
An Auth. Arbitrary Plugin Installation vulnerability was discovered by Lana Codes in WordPress WPTools plugin versions <= 3.42. Solution Update the WordPress WP Tools plugin to the latest available version, at least 3.43...
WordPress ProfileGrid plugin <= 5.1.0 - Reflected Cross-Site Scripting (XSS) vulnerability
A Reflected Cross-Site Scripting (XSS) vulnerability was discovered by zhangyunpei in WordPress ProfileGrid plugin versions <= 5.1.0. Solution Update the WordPress ProfileGrid plugin to the latest available version, at least 5.1.1...
WordPress Font Awesome 4 Menus plugin <= 4.7.0 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
An Auth. Stored Cross-Site Scripting (XSS) vulnerability was discovered by zhangyunpei in WordPress Font Awesome 4 Menus plugin versions <= 4.7.0. Solution Deactivate and delete. This plugin has been closed as of November 2, 2022 and is not available for download. This closure is temporary, pending a full...
WordPress Booster for WooCommerce plugin <= 5.6.6 - Auth. Arbitrary File Download vulnerability
An Auth. Arbitrary File Download vulnerability was discovered by WPScan in WordPress Booster for WooCommerce plugin versions <= 5.6.6. Solution Update the WordPress Booster for WooCommerce plugin to the latest available version, at least 5.6.7...
WordPress WIP Custom Login plugin <= 1.2.7 - Multiple Broken Access Control vulnerabilities
Multiple Broken Access Control vulnerabilities were discovered by Lana Codes (Patchstack Alliance) in WordPress WIP Custom Login plugin versions <= 1.2.7. Solution Update the WordPress WIP Custom Login plugin to the latest available version, at least 1.2.8...
WordPress 3com – Asesor de Cookies plugin <= 3.4.3 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
An Auth. Stored Cross-Site Scripting (XSS) vulnerability was discovered by ptsfence (Patchstack Alliance) in WordPress 3com – Asesor de Cookies plugin versions <= 3.4.3. Solution No patched version is available. No reply from the vendor...
WordPress Analytify plugin <= 4.2.2 - Cross-Site Request Forgery (CSRF) vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability leading to cache deletion was discovered by Muhammad Daffa (Patchstack Alliance) in WordPress Analytify plugin versions <= 4.2.2. Solution Update the WordPress Analytify plugin to the latest available version, at least 4.2.3...
WordPress Awesome Filterable Portfolio plugin <= 1.9.7 - Unauthenticated Plugin Settings Change vulnerability
An Unauthenticated Plugin Settings Change vulnerability was discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Awesome Filterable Portfolio plugin versions <= 1.9.7. Solution Deactivate and delete. This plugin has been closed as of September 14, 2022 and is not available for download. This...
WordPress Rate my Post – WP Rating System plugin <= 3.3.4 - Cross-Site Request Forgery (CSRF) vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability that allows arbitrary votes was discovered by Nguy Minh Tuan (Patchstack Alliance) in WordPress Rate my Post – WP Rating System plugin versions <= 3.3.4. Solution Update the WordPress Rate my Post – WP Rating System plugin to the latest available version at...
WordPress MP3 jPlayer plugin <= 2.7.3 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Rasi Afeef (Patchstack Alliance) in WordPress MP3-jPlayer plugin versions <= 2.7.3. Solution Deactivate and delete. No reply from the vendor...
WordPress Restricted Site Access plugin <= 7.3.1 - Access Bypass via IP Spoofing vulnerability
An Access Bypass via IP Spoofing vulnerability was discovered by Daniel Ruf in WordPress Restricted Site Access plugin versions <= 7.3.1. Solution Update the WordPress Restricted Site Access plugin to the latest available version, at least 7.3.2...
WordPress Better Messages plugin <= 1.9.10.57 - Denial Of Service (DoS) vulnerability
A Denial of Service (DoS) vulnerability was discovered by Dhakal Ananda (Patchstack Alliance) in WordPress Better Messages plugin versions <= 1.9.10.57. Solution Update the WordPress BP Better Messages plugin to the latest available version, at least 1.9.10.58...
WordPress Download Manager plugin <= 3.2.48 - Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities
Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities were discovered by Vlad Vector (Patchstack) in WordPress Download Manager plugin versions <= 3.2.48. Solution Update the WordPress Download Manager plugin to the latest available version, at least 3.2.49...
WordPress WP Hotel Booking plugin <= 1.10.5 - Cross-Site Request Forgery (CSRF) vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability was discovered by Ngo Van Thien (Patchstack Alliance) in WordPress WP Hotel Booking plugin versions <= 1.10.5. Solution Update the WordPress WP Hotel Booking plugin to the latest available version, at least 1.10.6...
WordPress OAuth 2.0 client for SSO plugin <= 1.11.3 - Authentication Bypass vulnerability
An Authentication Bypass vulnerability was discovered by Lana Codes in WordPress OAuth 2.0 client for SSO plugin versions <= 1.11.3. Solution Update the WordPress OAuth 2.0 client for SSO plugin to the latest available version, at least 1.11.4...
WordPress NEX-Forms plugin <= 7.9.6 - Authenticated SQL Injection (SQLi) vulnerability
An Authenticated SQL Injection (SQLi) vulnerability was discovered by Elias Hohl in WordPress NEX-Forms plugin versions <= 7.9.6. Solution Update the WordPress NEX-Forms – Ultimate Form Builder plugin to the latest available version, at least 7.9.7...
WordPress YaySMTP plugin <= 2.2 - Authenticated Logs Disclosure vulnerability
An Authenticated Logs Disclosure vulnerability was discovered by Rafshanzani Suhada in WordPress YaySMTP plugin versions <= 2.2. Solution Update the WordPress YaySMTP plugin to the latest available version, at least 2.2.1...
WordPress Advanced WordPress Reset plugin <= 1.5 - Reflected Cross-Site Scripting (XSS) vulnerability
A Reflected Cross-Site Scripting (XSS) vulnerability was discovered by ZhongFu Su (aka JrXnm, WuHan University) in WordPress Advanced WordPress Reset plugin versions <= 1.5. Solution Update the WordPress Advanced WordPress Reset plugin to the latest available version, at least 1.6...
WordPress Import CSV Files plugin <= 1.0 - Reflected Cross-Site Scripting (XSS) vulnerability
A Reflected Cross-Site Scripting (XSS) vulnerability was discovered by Benachi in WordPress Import CSV Files plugin versions <= 1.0. Solution Deactivate and delete. This plugin has been closed as of June 16, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Shortcodes and extra features for Phlox theme plugin <= 2.9.7 - Reflected Cross-Site-Scripting (XSS) vulnerability
A Reflected Cross-Site Scripting (XSS) vulnerability was discovered by cydave in WordPress Shortcodes and extra features for Phlox theme plugin versions <= 2.9.7. Solution Update the WordPress Shortcodes and extra features for Phlox theme plugin to the latest available version, at least 2.9.8...
WordPress eaSYNC plugin <= 1.1.15 - Unauthenticated Arbitrary File Upload vulnerability
An Unauthenticated Arbitrary File Upload vulnerability was discovered by cydave in WordPress eaSYNC plugin versions <= 1.1.15. Solution Update the WordPress eaSYNC plugin to the latest available version, at least 1.1.16...
WordPress Mihdan: No External Links plugin <= 5.0.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
An Authenticated Stored Cross-Site Scripting (XSS) vulnerability was discovered by Vaibhav Nitin Gaikwad in WordPress Mihdan: No External Links plugin versions <= 5.0.1. Solution Update the WordPress Mihdan: No External Links plugin to the latest available version, at least 5.0.2...
WordPress Export All URLs plugin <= 4.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
An Authenticated Stored Cross-Site Scripting (XSS) vulnerability was discovered by Universe (Patchstack Alliance) in WordPress Export All URLs plugin versions <= 4.1. Solution Update the WordPress Export All URLs plugin to the latest available version, at least 4.2...
WordPress Code Snippets plugin <= 2.14.3 - Reflected Cross-Site Scripting (XSS) vulnerability
A Reflected Cross-Site Scripting (XSS) vulnerability was discovered by BEE-K (Patchstack) in WordPress Code Snippets plugin versions <= 2.14.3. Solution Update the WordPress Code Snippets plugin to the latest available version, at least 2.14.4...
WordPress Ask Me premium theme < 6.8.2 - Reflected Cross-Site Scripting (XSS) vulnerability
A Reflected Cross-Site Scripting (XSS) vulnerability was discovered by Veshraj Ghimire in WordPress Ask Me premium theme versions < 6.8.2. Solution Update the WordPress Ask Me premium theme to the latest available version, at least 6.8.2...
WordPress Note Press plugin <= 0.1.10 - Authenticated SQL Injection (SQLi) vulnerability
An Authenticated SQL Injection (SQLi) vulnerability was discovered by Daniel Krohmer and Shi Chen in WordPress Note Press plugin versions <= 0.1.10. Solution Deactivate and delete. This plugin has been closed as of May 12, 2022 and is not available for download. This closure is temporary, pending a...
WordPress Quotes llama plugin < 1.0.0 - Stored Cross-Site Scripting (XSS) vulnerability
A Stored Cross-Site Scripting (XSS) vulnerability was discovered by Benachi in WordPress Quotes llama plugin versions < 1.0.0. Solution Update the WordPress Quotes llama plugin to the latest available version, at least 1.0.0...
WordPress Checkout Files Upload for WooCommerce plugin <= 2.1.2 - Cross-Site Scripting (XSS) vulnerability
A Cross-Site Scripting (XSS) vulnerability was discovered by Lucio Sá (Patchstack Alliance) in WordPress Checkout Files Upload for WooCommerce plugin versions <= 2.1.2. Solution Update the WordPress Checkout Files Upload for WooCommerce plugin to the latest available version, at least 2.1.3...
WordPress StaffList plugin <= 3.1.2 - Authenticated SQL Injection (SQLi) vulnerability
An Authenticated SQL Injection (SQLi) vulnerability was discovered by Hassan Khan Yusufzai in WordPress StaffList plugin versions <= 3.1.2. Solution Update the WordPress StaffList plugin to the latest available version, at least 3.1.5...