WordPress Landing Pages Plugin <=1.2.3 - SQL Injection
This vulnerability allows attackers to execute arbitrary SQL commands via the "post" parameter to index.php. Solution: Update the plugin...
WordPress <= 3.6.0 - Cross Site Scripting #2
This vulnerability allows remote authenticated users to conduct cross-site scripting attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php. Solution: Update WordPress...
WordPress <= 3.6.0 - Cross Site Scripting #1
This vulnerability allows remote authenticated users to conduct cross-site scripting attacks. Solution: Update WordPress...
WordPress <= 3.5.1 - Privilege Escalation
This vulnerability allows authenticated users to bypass intended restrictions on publishing and authorship reassignment via unspecified vectors. Solution: Update the plugin...
WordPress Events Manager Plugin <= 5.3.4 - Multiple XSS
These vulnerabilities allow attackers to inject arbitrary web script or HTML via the "scope" parameter to index.php. Solution: Update the plugin...
WordPress <= 3.3.1 - XSS #1
This vulnerability in wp-comments-post.php allows attackers to conduct XSS attacks via unspecified vectors. Solution: Update WordPress...
WordPress All-in-One Event Calendar Plugin 1.4 - "msg" Parameter XSS
The "msg" parameter of the WordPress All-in-One Event Calendar plugin's /wp-content/plugins/all-in-one-event-calendar/app/view/savesuccessful.php is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser ...
WordPress <= 3.3.1 - Multiple XSS
These vulnerabilities in wp-admin/setup-config.php allow attackers to inject arbitrary web script or HTML. Solution: Update WordPress...
WordPress Hybrid Theme 0.9 - Cross-Site Scripting
The WordPress Hybrid theme's "cpage" parameter is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal...
WordPress <= 2.0.11 - XSS
This vulnerability in wp-db-backup.php allows attackers to inject arbitrary web script or HTML via the "backup" parameter in a wp-db-backup.php action to wp-admin/edit.php. Solution: Update WordPress...
WordPress Classic Theme <= 1.5 - XSS
This vulnerability in index.php allows attackers to inject arbitrary web script or HTML via PATH_INFO. Solution: Update the theme...
WordPress Chartify plugin <= 3.5.9 - Missing Authentication for Administrative Function vulnerability
Missing Authentication for Administrative Function vulnerability discovered by WordFence in the WordPress Chartify plugin versions <= 3.5.9...
WordPress Restaurant & Cafe Addon for Elementor Plugin <= 1.5.9 is vulnerable to Broken Access Control
Software: Restaurant & Cafe Addon for Elementor; Type: Plugin; Vulnerable versions: <= 1.5.9; Fixed in: 1.6.0; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Broken Access Control; CVE: CVE-2024-10780; Patch priority: Low; CVSS severity: Low (4.3); PSID...
WordPress JobSearch Plugin <= 2.6.7 is vulnerable to Arbitrary File Upload
Software: JobSearch; Type: Plugin; Vulnerable versions: <= 2.6.7; Fixed in: 2.6.8; OWASP Top 10: A1: Injection; Classification: Arbitrary File Upload; CVE: CVE-2024-8614; Patch priority: High; CVSS severity: High (9.9); PSID: d16b486be3a5; Credits: Tonn; Required privilege: Subscriber; Published: 5...
WordPress e2pdf Plugin <= 1.24.00 is vulnerable to Cross Site Scripting (XSS)
Software: e2pdf; Type: Plugin; Vulnerable versions: <= 1.24.00; Fixed in: 1.25.01; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-4367; Patch priority: Low; CVSS severity: Low (4); Developer: E2Pdf.com; PSID: cc24959a7a9a; Credits: Yudistira Arya; Required privilege: Author; Published: 27...
WordPress Email Subscribers & Newsletters Plugin <= 5.7.20 is vulnerable to SQL Injection
Software: Email Subscribers & Newsletters; Type: Plugin; Vulnerable versions: <= 5.7.20; Fixed in: 5.7.21; OWASP Top 10: A1: Injection; Classification: SQL Injection; CVE: CVE-2024-4295; Patch priority: High; CVSS severity: High (9.3); PSID: 50be2b9566fd; Credits: 1337Wannabe; Required privilege...
WordPress Template Kit – Import Plugin <= 1.0.14 is vulnerable to Cross Site Scripting (XSS)
Software: Template Kit – Import; Type: Plugin; Vulnerable versions: <= 1.0.14; Fixed in: 1.0.15; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-2334; Patch priority: Low; CVSS severity: Low (6.5); PSID: 3ba95df4bab0; Credits: Colin Xu; Require...
WordPress WP SMS Plugin <= 6.6.2 is vulnerable to Cross Site Request Forgery (CSRF)
Software: WP SMS; Type: Plugin; Vulnerable versions: <= 6.6.2; Fixed in: 6.6.3; OWASP Top 10: A1: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2024-30454; Patch priority: Low; CVSS severity: Low (4.3); PSID: d4f7f075b7f4; Credits: Peng Zhou; Required privilege...
WordPress MapPress Maps for WordPress Plugin < 2.88.15 is vulnerable to Cross Site Scripting (XSS)
Software: MapPress Maps for WordPress; Type: Plugin; Vulnerable versions: < 2.88.15; Fixed in: 2.88.15; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-0420; Patch priority: Low; CVSS severity: Low (6.5); PSID: 127ee0002ebf; Credits: Salvatore...
WordPress Dan's Embedder for Google Calendar Plugin <= 1.2 is vulnerable to Cross Site Scripting (XSS)
Software: Dan's Embedder for Google Calendar; Type: Plugin; Vulnerable versions: <= 1.2; Fixed in: 1.3; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2023-51504; Patch priority: Low; CVSS severity: Low (6.5); PSID: e9f89f8b2081; Credits: Ngô Thiên An ancorn fro...
WordPress Icons Font Loader Plugin <= 1.1.2 is vulnerable to Arbitrary File Upload
Software: Icons Font Loader; Type: Plugin; Vulnerable versions: <= 1.1.2; Fixed in: 1.1.3; OWASP Top 10: A1: Injection; Classification: Arbitrary File Upload; CVE: CVE-2023-5860; Patch priority: Low; CVSS severity: Low (7.2); PSID: e7c1b6cac566; Credits: Alex Thomas; Required privilege...
WordPress Media Library Assistant Plugin <= 3.09 is vulnerable to Remote Code Execution (RCE)
Software: Media Library Assistant; Type: Plugin; Vulnerable versions: <= 3.09; Fixed in: 3.10; OWASP Top 10: A1: Injection; Classification: Remote Code Execution (RCE); CVE: CVE-2023-4634; Patch priority: High; CVSS severity: High (10); PSID: a9f84b644a17; Credits: Pepitoh; Required privilege...
WordPress File Manager Advanced Shortcode Plugin <= 2.3.2 is vulnerable to Remote Code Execution (RCE)
Software: File Manager Advanced Shortcode; Type: Plugin; Vulnerable versions: <= 2.3.2; Fixed in: N/A; OWASP Top 10: A1: Injection; Classification: Remote Code Execution (RCE); CVE: CVE-2023-2068; Patch priority: High; CVSS severity: High (10); PSID: f57871788c33; Credits: Mateus Machado Tesser...
WordPress bolster Theme < 10 is vulnerable to Arbitrary File Upload
Software: bolster; Type: Theme; Vulnerable versions: < 10; Fixed in: N/A; OWASP Top 10: A6: Security Misconfiguration; Classification: Arbitrary File Upload; CVE: CVE-2022-0316; Patch priority: High; CVSS severity: High (10); PSID: 8b3d84068dc9; Credits: Joshua Small; Required privilege...
WordPress Community Events plugin <= 1.4.8 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Hoang Van Hiep (sk4rl1ghT) in the WordPress Community Events plugin versions <= 1.4.8. Solution: Update the WordPress Community Events plugin to the latest available version (at least 1.4.9)...
WordPress All In One WP Security plugin <= 5.1.0 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Rafie Muhammad (Patchstack) in the WordPress All In One WP Security plugin versions <= 5.1.0. Solution: Update the WordPress All In One WP Security & Firewall plugin to the latest available version (at least 5.1.1)...
WordPress Betheme premium theme <= 26.6.1 - Broken Access Control vulnerability
Broken Access Control vulnerability leading to post/page status change to draft or published, discovered by Dave Jong (Patchstack) in the WordPress Betheme premium theme versions <= 26.6.1. Solution: Update the WordPress Betheme theme to the latest available version (at least 26.6.3)...
WordPress Appointment Booking Calendar plugin <= 1.3.69 - Missing Authorization vulnerability
Missing Authorization vulnerability leading to feedback submission, discovered by Lana Codes (Patchstack Alliance) in the WordPress Appointment Booking Calendar plugin versions <= 1.3.69. Solution: Update the WordPress Appointment Booking Calendar plugin to the latest available version (at least 1.3.70)...
WordPress Ask Me premium theme < 6.8.7 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to post deletion, discovered by Srijan Adhikari in the WordPress Ask Me premium theme versions < 6.8.7. Solution: Update the WordPress Ask Me theme to the latest available version (at least 6.8.7)...
WordPress tagDiv Composer plugin < 3.5 - Unauthenticated Account Takeover vulnerability
Unauthenticated Account Takeover vulnerability discovered by Truoc Phan (Techlab Corporation) in the WordPress tagDiv Composer plugin versions < 3.5. Solution: Update the WordPress tagDiv Composer plugin to the latest available version (at least 3.5)...
WordPress 3com – Asesor de Cookies plugin <= 3.4.3 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by ptsfence (Patchstack Alliance) in the WordPress 3com – Asesor de Cookies plugin versions <= 3.4.3. Solution: No patched version is available. No reply from the vendor...
WordPress HREFLANG Tags Lite plugin <= 2.0.0 - Unauthenticated Plugin Data Reset vulnerability
Unauthenticated Plugin Data Reset vulnerability discovered by Rasi Afeef (Patchstack Alliance) in the WordPress HREFLANG Tags Lite plugin versions <= 2.0.0. Solution: No patched version is available. No reply from the vendor...
WordPress wpForo Forum plugin <= 2.0.5 - Insecure direct object references (IDOR) vulnerability
Insecure Direct Object References (IDOR) vulnerability that allows subscriber+ users to mark any forum post as Solved/Unsolved, discovered by Dhakal Ananda (Patchstack Alliance) in the WordPress wpForo Forum plugin versions <= 2.0.5. Solution: Update the WordPress wpForo Forum plugin to the latest...
WordPress SEO Redirection plugin <= 8.9 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to deletion of 404 errors and redirection history, discovered by Muhammad Daffa (Patchstack Alliance) in the WordPress SEO Redirection plugin versions <= 8.9. Solution: Update the WordPress SEO Redirection plugin to the latest available version...
WordPress Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.3 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to plugin settings change, discovered by Muhammad Daffa (Patchstack Alliance) in the WordPress Advanced Dynamic Pricing for WooCommerce plugin versions <= 4.1.3. Solution: Update the WordPress Advanced Dynamic Pricing for WooCommerce plugin to the lates...
WordPress Read more By Adam plugin <= 1.1.8 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by ptsfence (Patchstack Alliance) in the WordPress Read more By Adam plugin versions <= 1.1.8. Solution: No patched version is available. No reply from the vendor...
WordPress WP Taxonomy Import plugin <= 1.0.4 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by kaikaix in the WordPress WP Taxonomy Import plugin versions <= 1.0.4. Solution: Deactivate and delete. This plugin has been closed as of August 5, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Uploading SVG, WEBP and ICO files plugin <= 1.0.1 - Authenticated Arbitrary File Upload vulnerability
Authenticated Arbitrary File Upload vulnerability discovered by Universe (Patchstack Alliance) in the WordPress Uploading SVG, WEBP and ICO files plugin versions <= 1.0.1. Solution: No patched version is available. Ignored by the vendor...
WordPress Duplicator plugin <= 1.4.6 - Unauthenticated Backup Download vulnerability
Unauthenticated Backup Download vulnerability discovered by Ihsan Sencan in the WordPress Duplicator plugin versions <= 1.4.6. Solution: Update the WordPress Duplicator plugin to the latest available version (at least 1.4.7)...
WordPress WooCommerce PDF Invoices & Packing Slips plugin <= 3.0.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in the WordPress WooCommerce PDF Invoices & Packing Slips plugin versions <= 3.0.0. Solution: Update the WordPress WooCommerce PDF Invoices & Packing Slips plugin to the latest available version (at least 3.0.1)...
WordPress ActiveDEMAND plugin <= 0.2.27 - Broken Authentication vulnerability
Broken Authentication vulnerability leading to unauthenticated post update/create/delete, discovered by Tien Nguyen Anh (Patchstack Alliance) in the WordPress ActiveDEMAND plugin versions <= 0.2.27. Solution: Update the WordPress ActiveDEMAND plugin to the latest available version (at least 0.2.28)...
WordPress WP Hotel Booking plugin <= 1.10.5 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in the WordPress WP Hotel Booking plugin versions <= 1.10.5. Solution: Update the WordPress WP Hotel Booking plugin to the latest available version (at least 1.10.6)...
WordPress Shortcode Addons plugin <= 3.1.2 - Authenticated WordPress Options Change vulnerability
Authenticated WordPress Options Change vulnerability discovered by m0ze (Patchstack) in the WordPress Shortcode Addons plugin versions <= 3.1.2. Solution: Update the WordPress Shortcode Addons plugin to the latest available version (at least 3.2.0)...
WordPress Transposh WordPress Translation plugin <= 1.0.8.1 - Unauthorized Settings Change vulnerability
Unauthorized Settings Change vulnerability discovered by Julien Ahrens in the WordPress Transposh WordPress Translation plugin versions <= 1.0.8.1. Solution: Deactivate and delete. This plugin has been closed as of February 7, 2022 and is not available for download. Reason: Security Issue...
WordPress TranslatePress plugin <= 2.3.2 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Elias Hohl in the WordPress TranslatePress plugin versions <= 2.3.2. Solution: Update the WordPress TranslatePress plugin to the latest available version (at least 2.3.3)...
WordPress Testimonials plugin <= 3.0.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in the WordPress Testimonials plugin versions <= 3.0.1. Solution: No patched version is available. No way to contact the vendor...
WordPress E Unlocked - Student Result plugin <= 1.0.4 - Arbitrary File Upload via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary File Upload via Cross-Site Request Forgery (CSRF) vulnerability discovered by Raad Haddad in the WordPress E Unlocked - Student Result plugin versions <= 1.0.4. Solution: Deactivate and delete. This plugin has been closed as of July 11, 2022 and is not available for download. This closure is...
WordPress Inspiro Pro premium theme < 7.2.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Fortune Sam Okon in the WordPress Inspiro Pro premium theme versions < 7.2.3. Solution: Update the WordPress Inspiro premium theme to the latest available version (at least 7.2.3)...
WordPress Yellow Yard Searchbar plugin <= 2.7.27 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Victor Pasman in the WordPress Yellow Yard Searchbar plugin versions <= 2.7.27. Solution: No patched version available...
WordPress Download Manager plugin <= 3.2.43 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by ZhongFu Su (aka JrXnm, WuHan University) in the WordPress Download Manager plugin versions <= 3.2.43. Solution: Update the WordPress Download Manager plugin to the latest available version (at least 3.2.44)...