WordPress Drag and Drop Multiple File Upload – Contact Form 7 plugin <= 1.3.6.2 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Brandon James Roldan in WordPress Drag and Drop Multiple File Upload – Contact Form 7 plugin versions <= 1.3.6.2. Solution: Update the WordPress Drag and Drop Multiple File Upload – Contact Form 7 plugin to the latest...
WordPress Amelia plugin <= 1.0.46 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Vinay Kumar (Trellix) in WordPress Amelia plugin versions <= 1.0.46. Solution: Update the WordPress Amelia plugin to the latest available version, at least 1.0.47...
WordPress Bank Mellat plugin <= 1.3.7 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ran Crane in WordPress Bank Mellat plugin versions <= 1.3.7. Solution: Deactivate and delete. This plugin has been closed as of February 16, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Modern Events Calendar Lite plugin <= 6.3.0 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Rohan Chaudhari in WordPress Modern Events Calendar Lite plugin versions <= 6.3.0. Solution: Update the WordPress Modern Events Calendar Lite plugin to the latest available version, at least 6.4.0...
WordPress Display WP Admin Pages in the Frontend – WP Frontend Admin plugin < 1.17.0.4 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Display WP Admin Pages in the Frontend – WP Frontend Admin plugin versions < 1.17.0.4. Solution: Update the WordPress Display WP Admin Pages in the Frontend – WP Frontend Admin plugin to the latest available version, at least...
WordPress MasterStudy LMS plugin <= 2.7.5 - Unauthenticated Admin Account Creation vulnerability
Unauthenticated Admin Account Creation vulnerability discovered by Numan Türle in WordPress MasterStudy LMS plugin versions <= 2.7.5. Solution: Update the WordPress MasterStudy LMS plugin to the latest available version, at least 2.7.6...
WordPress Grand FlaGallery plugin <= 6.1.2 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Tyler Miller in WordPress Grand FlaGallery plugin versions <= 6.1.2. Solution: Deactivate and delete. This plugin has been closed as of November 12, 2021 and is not available for download. Reason: Security Issue...
WordPress AP Custom Testimonial plugin <= 1.4.7 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Rafael Castilho in WordPress AP Custom Testimonial plugin versions <= 1.4.7. Solution: Update the WordPress AP Custom Testimonial plugin to the latest available version, at least 1.4.8...
WordPress Better Messages plugin <= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by Brandon Roldan (Patchstack Alliance) in the WordPress Better Messages plugin versions <= 1.9.9.148. Solution: Update the WordPress Better Messages plugin to the latest available version, at least 1.9.9.149...
WordPress Remove Footer Credit plugin <= 1.0.10 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by apple502j in WordPress Remove Footer Credit plugin versions <= 1.0.10. Solution: Update the WordPress Remove Footer Credit plugin to the latest available version, at least 1.0.11...
WordPress Arrival theme <= 1.4.2 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress Arrival theme versions <= 1.4.2. This theme uses a vulnerable piece of code related to the previously identified vulnerability CVE-2021-39317. Solution: Deactivate and delete. The vendor ignores the...
WordPress WP-DownloadManager plugin <= 1.68.6 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability
Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien in WordPress WP-DownloadManager plugin versions <= 1.68.6. Solution: Update the WordPress WP-DownloadManager plugin to the latest available version, at least 1.68.7...
WordPress Chaty Pro premium plugin <= 2.8.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Chaty Pro premium plugin versions <= 2.8.1. Solution: Update the WordPress Chaty Pro premium plugin to the latest available version, at least 2.8.2...
WordPress MOLIE – Instructure Canvas Linking tool plugin <= 0.5 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Jeremie Amsellem in WordPress MOLIE – Instructure Canvas Linking tool plugin versions <= 0.5. Solution: Deactivate and delete. This plugin has been closed as of November 29, 2021 and is not available for download. Reason: Security Issue...
WordPress WOOCS – Currency Switcher for WooCommerce plugin <= 1.3.7 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress WOOCS – Currency Switcher for WooCommerce plugin versions <= 1.3.7. Solution: Update the WordPress WOOCS – Currency Switcher for WooCommerce plugin to the latest available version, at least 1.3.7.1...
WordPress Slider Hero plugin <= 8.2.6 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by apple502j in WordPress Slider Hero plugin versions <= 8.2.6. Solution: Update the WordPress Slider Hero plugin to the latest available version, at least 8.2.7...
WordPress Export Users With Meta plugin <= 0.6.4 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Asif Nawaz Minhas in WordPress Export Users With Meta plugin versions <= 0.6.4. Solution: Update the WordPress Export Users With Meta plugin to the latest available version, at least 0.6.5...
WordPress WP Hotel Booking plugin <= 1.10.2 - Unauthenticated Remote Code Execution (RCE) via Arbitrary Object Deserialisation vulnerability
Unauthenticated Remote Code Execution (RCE) via Arbitrary Object Deserialisation vulnerability discovered by Nick Blundell (AppCheck Ltd) in WordPress WP Hotel Booking plugin versions <= 1.10.2. Solution: Update the WordPress WP Hotel Booking plugin to the latest available version, at least 1.10.3...
WordPress <= 5.5.1 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found by Erwan LR in WordPress versions <= 5.5.1. Solution: Update WordPress to the latest available version, at least 5.5.2...
WordPress Chop Slider 3 plugin <= 3.4 - Blind SQL injection (SQLi) vulnerability
Blind SQL injection (SQLi) vulnerability found by Callum Murphy in WordPress Chop Slider 3 plugin versions <= 3.4. Solution: As of 2021-01-12, we were unable to find a patched version of this plugin...
WordPress YITH WooCommerce Multi Vendor plugin <=3.4.0 - Authenticated Settings Change (YITH Plugin Framework <=3.3.8) vulnerability
Authenticated Settings Change (YITH Plugin Framework <= 3.3.8) vulnerability found by Jerome Bruandet in WordPress YITH WooCommerce Multi Vendor plugin versions <= 3.4.0. Solution: Update the WordPress YITH WooCommerce Multi Vendor plugin to the latest available version, at least 3.4.1...
WordPress Widget Logic plugin <= 5.10.2 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found in WordPress Widget Logic plugin versions <= 5.10.2. Solution: Update the WordPress Widget Logic plugin to the latest available version, at least 5.10.3...
WordPress Category Order and Taxonomy Terms Order plugin <=1.5.2.2 - Authenticated PHP Object Injection vulnerability
Authenticated PHP Object Injection vulnerability found in WordPress Category Order and Taxonomy Terms Order plugin versions <= 1.5.2.2. Solution: Update the WordPress Category Order and Taxonomy Terms Order plugin to the latest available version, at least 1.5.3...
WordPress <=4.7.4 - Post Meta Data Values Improper Handling in XML-RPC API
WordPress versions 2.5 through 4.7.4 improperly handle post meta data values in the XML-RPC (Remote Procedure Call) API. Discovered and reported by Sam Thomas. Solution: Update WordPress core to the latest possible version, at least 4.7.5...
WordPress Mail Masta plugin <= 1.0 - Local File Inclusion (LFI) vulnerability
A Local File Inclusion vulnerability exists in the WordPress Mail Masta plugin 1.0. It allows remote attackers to include arbitrary files on the server through the plugin's "dynamic file inclusion" mechanism. Solution: This plugin has been closed and is no longer available fo...
WordPress <= 4.5.2 - Session Hijacking
This vulnerability allows an attacker to obtain sensitive revision-history information by leveraging the ability to read a post, related to wp-admin/includes/ajax-actions.php and wp-admin/revision.php. Solution: Update WordPress...
WordPress <= 4.3.0 - BYPASS
The vulnerability is in the XML-RPC subsystem, in wp-includes/class-wp-xmlrpc-server.php. It allows an authenticated user to bypass intended access restrictions via unspecified vectors. Solution: Update WordPress...
WordPress Slider Revolution Plugin <= 3.0.95 - Multiple Vulnerabilities
Because of these vulnerabilities, attackers can upload and execute arbitrary files, and can create, update, import, export or delete arbitrary sliders via unspecified vectors. Solution: Update the plugin...
WordPress XCloner Plugin <= 3.1.2 - XSS
Because of this vulnerability, remote authenticated users can inject arbitrary web script or HTML into the xcloner_show page via the "excl_manual" parameter to wp-admin/plugins.php. Solution: Update the plugin...
WordPress ReFlex Gallery Plugin <= 3.1.3 - Unrestricted File Upload
This vulnerability is in admin/scripts/FileUploader/php.php. It allows an attacker to execute arbitrary PHP code by uploading a file with a PHP extension and then requesting that file directly from the uploads/ directory. Solution: Update the plugin...
WordPress BulletProof Security Plugin <= .51 - XSS
Because of this vulnerability in admin/htaccess/bpsunlock.php, attackers can inject arbitrary web script or HTML via the "dbhost" parameter. Solution: Update the plugin...
WordPress Yahoo! Updates Plugin <= 1.0 - Multiple XSS
Because of these multiple vulnerabilities in yupdatesapplication.php, attackers can inject arbitrary web script or HTML via three parameters: "secret", "appid" or "key". Solution: Update the plugin...
WordPress AdRotate Plugin 3.9.4 - SQL Injection
The "track" parameter of this WordPress AdRotate plugin's clicktracker.php is prone to SQL injection. This vulnerability allows an attacker to modify data, compromise the application and its access controls, or exploit further weaknesses in the underlying database. Solution: Upgrade the plugin to 3.9.5...
WordPress <= 3.5.1 - Denial of Service Attacks
This WordPress version is prone to denial of service attacks via a crafted value of a certain wp-postpass cookie. Solution: Update WordPress...
WordPress Nest Theme - SQL Injection
The "codigo" parameter of this WordPress Nest theme is prone to SQL injection. This vulnerability allows an attacker to modify data, compromise the application and its access controls, or exploit further weaknesses in the underlying database. Solution: Update the theme...
WordPress <= 3.4.1 - BYPASS
Because of this vulnerability, remote authenticated users can bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol feature. Solution: Update WordPress...
WordPress <= 3.3.1 - BYPASS
This vulnerability allows authenticated site administrators to bypass intended access restrictions via unspecified vectors. Solution: Update WordPress...
WordPress All-in-One Event Calendar Plugin 1.4 - "title" Parameter XSS
The "title" parameter of the WordPress All-in-One Event Calendar plugin's /wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php is prone to a cross-site scripting vulnerability because the plugin fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the...
WordPress <= 3.1.2 - SQL Injection
wp-includes/taxonomy.php has unknown impact and attack vectors, possibly involving SQL injection. Solution: Update WordPress...
WordPress <= 3.1.2 - Multiple Unspecified Remote vulnerabilities
Because of these vulnerabilities, attackers can determine the usernames of non-authors via canonical redirects. Solution: Update WordPress...
WordPress <= 2.8.2 - Multiple Vulnerabilities #1
Because of these vulnerabilities, attackers can make unauthorized edits or additions via a direct request to edit-category-form.php, edit-pages.php, edit-comments.php, edit-link-category-form.php, or edit.php. Solution: Update WordPress...
WordPress <= 2.6.9 - Open Redirection
Because of this vulnerability in wp-admin/upgrade.php, attackers can redirect users to arbitrary web sites and conduct phishing attacks via a URL in the "backto" parameter. Solution: Update WordPress...
WordPress <= 2.6.1 - SQL Truncation Vulnerability #2
Attackers can change an arbitrary user's password to a random value by registering a similar username and then requesting a password reset. This is a "SQL column truncation vulnerability": WordPress does not properly handle MySQL warnings about the insertion of username strings...
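The entry above describes the mechanism only in one sentence. The following is an added illustration, not WordPress or Patchstack code: an in-memory model of the two MySQL behaviours the column-truncation attack relies on (in non-strict mode an over-long VARCHAR value is silently cut to the column width on INSERT, and PAD SPACE collations ignore trailing spaces when comparing CHAR/VARCHAR values). The column width of 60, the table layout and the "first matching row wins" reset logic are assumptions made for the example.

```python
"""Model of the MySQL "SQL column truncation" attack (added example, not
WordPress code).  Two MySQL behaviours are simulated, both assumptions about
the deployment: non-strict mode silently truncates over-long VARCHAR values,
and PAD SPACE comparison ignores trailing spaces."""
import secrets

USER_LOGIN_WIDTH = 60  # assumption: user_login is VARCHAR(60)


def mysql_equal(a: str, b: str) -> bool:
    """PAD SPACE collation: trailing spaces are not significant."""
    return a.rstrip(" ") == b.rstrip(" ")


class UserTable:
    def __init__(self, strict_length_check: bool):
        self.rows = []
        self.strict_length_check = strict_length_check

    def find(self, login: str) -> list:
        """WHERE user_login = %s under PAD SPACE comparison."""
        return [r for r in self.rows if mysql_equal(r["user_login"], login)]

    def register(self, login: str, password: str) -> dict:
        if self.find(login):
            raise ValueError("username already exists")
        if self.strict_length_check and len(login) > USER_LOGIN_WIDTH:
            # fixed behaviour: reject instead of letting MySQL truncate
            raise ValueError("username too long")
        stored = login[:USER_LOGIN_WIDTH]  # non-strict MySQL truncates silently
        row = {"id": len(self.rows) + 1, "user_login": stored, "user_pass": password}
        self.rows.append(row)
        return row

    def reset_password(self, login: str) -> dict:
        # SELECT ... WHERE user_login = %s, then UPDATE of the first match:
        # with two rows comparing equal, the victim's row is the one changed
        matches = self.find(login)
        if not matches:
            raise LookupError("no such user")
        victim = matches[0]
        victim["user_pass"] = secrets.token_hex(8)
        return victim


def run_attack(strict_length_check: bool) -> dict:
    """Register a crafted near-duplicate of "admin", then request a reset for
    "admin"; report whether the real admin's password was clobbered."""
    table = UserTable(strict_length_check)
    admin = table.register("admin", "correct-horse")
    # "admin", spaces up to the column width, then a junk character: the
    # duplicate check compares the untruncated value (so it passes), and the
    # INSERT then cuts off the trailing "x"
    crafted = "admin" + " " * (USER_LOGIN_WIDTH - len("admin")) + "x"
    try:
        table.register(crafted, "attacker-pass")
    except ValueError as exc:
        return {"registered": False, "reason": str(exc),
                "matches": len(table.find("admin")),
                "admin_pass": admin["user_pass"]}
    table.reset_password("admin")
    return {"registered": True, "reason": "",
            "matches": len(table.find("admin")),
            "admin_pass": admin["user_pass"]}


if __name__ == "__main__":
    print("vulnerable:", run_attack(strict_length_check=False))
    print("fixed:     ", run_attack(strict_length_check=True))
```

In the vulnerable configuration two rows compare equal to "admin" after the crafted registration, so the reset request issued for "admin" overwrites the real administrator's password with a random value. Rejecting over-long usernames before the INSERT (or running MySQL in strict mode, which turns the truncation warning into an error) removes the duplicate row.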
WordPress <= 2.1.2 - SQL Injection vulnerability
Because of this vulnerability in xmlrpc.php, authenticated users can execute arbitrary SQL commands. Solution: Update WordPress to the latest available version, at least 2.1.3...
WordPress <= 2.1.2 RC2 - XSS
Because of this vulnerability in wp-admin/vars.php, authenticated users with theme privileges can inject arbitrary web script or HTML via PATH_INFO. Solution: Update WordPress to the latest available version, at least 2.1.3...
WordPress <= 2.0.5 - SQL Injection
Because of this vulnerability, attackers can bypass SQL injection protection schemes and execute arbitrary SQL commands via multibyte charsets. Solution: Update WordPress to the latest available version, at least 2.0.6...
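The multibyte bypass named in the entry above works because byte-oriented escaping inserts a backslash (0x5C) before a quote, and in a charset such as GBK 0x5C is a valid trail byte: a lead byte placed just before the quote swallows the backslash and the quote reaches the SQL parser unescaped. The block below is an added example, not WordPress code; the query shape, the column name, the payload bytes and the connection charset are constructed for the illustration.

```python
"""Added example: how a byte-level escape (addslashes-style) is defeated when
the database interprets the bytes as GBK.  Query shape, column name and the
payload are constructed assumptions, not taken from WordPress."""


def addslashes(raw: bytes) -> bytes:
    """Byte-level escaping in the spirit of PHP addslashes()/mysql_escape_string():
    a backslash is put in front of ' " \\ and NUL, one byte at a time."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def build_query(login: bytes, charset: str) -> str:
    """Vulnerable path: escape the bytes first, interpret the charset afterwards
    (what the server does when the connection charset is GBK)."""
    sql = b"SELECT * FROM wp_users WHERE user_login = '" + addslashes(login) + b"'"
    return sql.decode(charset, errors="replace")


def text_after_literal(sql: str) -> str:
    """Walk the quoted literal the way the SQL parser would and return whatever
    follows its closing quote.  Anything beyond the lone trailing quote means
    the input broke out of the string."""
    i = sql.index("'") + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\":
            i += 2  # a backslash escapes the next character
            continue
        if ch == "'":
            return sql[i + 1:]
        i += 1
    return ""


def breaks_out(login: bytes, charset: str) -> bool:
    """True if the login value escapes the quoted literal under `charset`."""
    return text_after_literal(build_query(login, charset)).strip() != ""


def escape_charset_aware(raw: bytes, charset: str) -> bytes:
    """Fixed path: decode strictly, escape at the character level, re-encode.
    Malformed byte sequences raise UnicodeDecodeError instead of being
    forwarded to the database."""
    text = raw.decode(charset)
    escaped = "".join("\\" + ch if ch in "'\"\\\x00" else ch for ch in text)
    return escaped.encode(charset)


def safe_query_rejects(login: bytes, charset: str) -> bool:
    """True if the charset-aware path refuses the input outright."""
    try:
        escape_charset_aware(login, charset)
    except UnicodeDecodeError:
        return True
    return False


# constructed payload: a GBK lead byte immediately followed by a quote
PAYLOAD = b"\xbf' OR 1=1 -- "
# constructed benign input: a complete GBK character followed by a quote
BENIGN = "\u554a'".encode("gbk")


if __name__ == "__main__":
    for cs in ("gbk", "utf-8"):
        print(cs, repr(build_query(PAYLOAD, cs)), "breaks out:", breaks_out(PAYLOAD, cs))
    print("charset-aware escape rejects payload:", safe_query_rejects(PAYLOAD, "gbk"))
```

Under GBK the escaped bytes 0xBF 0x5C decode to one character and the quote that follows closes the literal, so the remainder of the payload becomes SQL; under UTF-8 the same bytes leave the backslash in place and the literal survives. The charset-aware variant is the idea behind mysql_real_escape_string() with a correctly set connection charset; the real remedy is a parameterized query, which never concatenates the value into SQL at all.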
WordPress <= 1.5.1.2 - SQL injection
Because of this vulnerability in the XML-RPC server, attackers can execute arbitrary SQL commands via input that is not filtered in the HTTP_RAW_POST_DATA variable, which stores the data in an XML file. Solution: Update WordPress to the latest available version, at least 1.5.1.3...
WordPress REST API | Custom API Generator For Cross Platform And Import Export In WP plugin <= 2.0.3 - Missing Authorization to Unauthenticated Privilege Escalation via process_handler Function vulnerability
Missing Authorization to Unauthenticated Privilege Escalation via process_handler Function vulnerability discovered by kr0d in WordPress REST API | Custom API Generator For Cross Platform And Import Export In WP plugin versions <= 2.0.3...
WordPress Leopard - WordPress offload media Plugin <= 3.1.1 is vulnerable to Broken Access Control
Software: Leopard - WordPress offload media | Type: Plugin | Vulnerable versions: <= 3.1.1 | Fixed in: 3.1.2 | OWASP Top 10: A5: Broken Access Control | Classification: Broken Access Control | CVE: CVE-2024-10589 | Patch priority: High | CVSS severity: High (8.8) | PSID: 9f2ff23f7d2f | Credits: Tonn...
WordPress Category Ajax Filter Plugin <= 2.8.2 is vulnerable to Local File Inclusion
Software: Category Ajax Filter | Type: Plugin | Vulnerable versions: <= 2.8.2 | Fixed in: 2.8.3 | OWASP Top 10: A1: Injection | Classification: Local File Inclusion | CVE: CVE-2024-10871 | Patch priority: High | CVSS severity: High (8.1) | PSID: 41b4026eef43 | Credits: Le Ngoc Anh | Required privilege...