WordPress XCloner Standalone Plugin <= 3.5 - Multiple CSRF
Because of these multiple vulnerabilities, the attackers can hijack the authentication of administrators for requests that change the administrator password via the config task to index2.php. Solution Update the plugin...
WordPress <= 3.0.1
wp-includes/comment.php does not properly whitelist trackbacks and pingbacks in the blogroll, which allows attackers to bypass intended spam restrictions via a crafted URL, as demonstrated by a URL that triggers a substring match. Solution Update WordPress...
WordPress WP Cron Dashboard Plugin <= 1.1.5 - XSS
Because of this vulnerability, the attackers can inject arbitrary web script or HTML via the "procname" parameter to wp-admin/tools.php. Solution Update the plugin...
WordPress <= 3.8.1 - Privilege Escalation
Because of this vulnerability, authenticated users can publish posts. Solution Update the plugin...
WordPress BackupBuddy Plugin <= 2.2.25 - Sensitive Data Exposure
This vulnerability is in importbuddy.php. It allows remote attackers to obtain configuration information via a step 0 phpinfo action. Solution Update the plugin...
WordPress User Photo Plugin <= 0.9.5.1 - XSS
Because of this vulnerability in user-photo.php, attackers can inject arbitrary web script or HTML via the PATHINFO to wp-admin/options-general.php. Solution Update the plugin...
WordPress <= 0.7 - SQL injection
Because of this vulnerability in log.header.php, the attackers can execute arbitrary SQL commands via the posts variable. Solution Update the plugin...
WordPress WP-Syntax Plugin <= 0.9.1 - Remote Command Execution
In general, the WP-Syntax plugin is the most popular WordPress plugin for clean syntax highlighting of source code embedded in pages or posts. It uses a library called GeShi, which implements the syntax highlighting for each language and renders it as HTML. The vulnerability ...
WordPress <= 2.8.0 - Multiple Existing/Non-Existing Username Enumeration Weaknesses
Because of this vulnerability, the attackers can enumerate valid usernames. Solution Update WordPress...
WordPress WP Comment Remix Plugin <= 1.4.3 - SQL Injection
Because of this vulnerability in ajaxcomments.php, the attackers can execute arbitrary SQL commands via the "p" parameter. Solution Update the plugin...
WordPress - Cross Site Scripting
This vulnerability is in sidebar.php. It allows the attackers to inject arbitrary web script or HTML via the query string. Solution Update WordPress...
WordPress <= 2.0.5 - Dictionary & Bruteforce attack
In WordPress 2.0.5 and earlier versions, the login error message differs depending on whether a user exists, which allows attackers to obtain sensitive information. Solution Update WordPress to the latest available version, at least 2.0.6...
WordPress <= 1.2 - Remote Code Execution
Because of this vulnerability in the httpsrequest function in Snoopy, attackers can execute arbitrary commands via shell metacharacters in an HTTPS URL to an SSL-protected web page, which is not properly handled by the fetch function. Solution Update WordPress to the latest available versi...
WordPress <= 1.3.0 - Eval Injection
Because of this vulnerability in PEAR XMLRPC, attackers can execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement. Solution Update WordPress to the latest available version, at least 1.4...
WordPress Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin <= 5.0.4 - Authenticated (Custom+) Stored Cross-Site Scripting vulnerability
Authenticated (Custom+) Stored Cross-Site Scripting vulnerability discovered by hackthesoul - TossBank in WordPress Plugin Dokan versions <= 5.0.4...
WordPress Sunshine Photo Cart plugin <= 3.6.7 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Dave Jong (Patchstack) in WordPress Plugin Sunshine Photo Cart versions <= 3.6.7...
WordPress Multilingual CMS Plugin <= 4.6.12 is vulnerable to Remote Code Execution (RCE)
Software: Multilingual CMS; Type: Plugin; Vulnerable versions: <= 4.6.12; Fixed in: 4.6.13; OWASP Top 10: A1: Injection; Classification: Remote Code Execution (RCE); CVE: CVE-2024-6386; Patch priority: Medium; CVSS severity: Medium 9.9; PSID: 31c994cd7315; Credits: stealthcopter; Required...
WordPress LearnPress Plugin <= 4.2.6.8.1 is vulnerable to Broken Access Control
Software: LearnPress; Type: Plugin; Vulnerable versions: <= 4.2.6.8.1; Fixed in: 4.2.6.8.2; OWASP Top 10: A1: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2024-6099; Patch priority: Low; CVSS severity: Low 5.3; PSID: b7595fc9b77e; Credits: shaman0x01; Required privile...
WordPress Slider Revolution Plugin <= 6.7.7 is vulnerable to Cross Site Scripting (XSS)
Software: Slider Revolution; Type: Plugin; Vulnerable versions: <= 6.7.7; Fixed in: 6.7.8; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-4092; Patch priority: Low; CVSS severity: Low 6.5; Developer: ThemePunch; PSID: 82a59957f3ec; Credits: wesley (wcraft); Required...
WordPress Ultimate Member Plugin 2.1.3-2.8.2 is vulnerable to SQL Injection
Software: Ultimate Member; Type: Plugin; Vulnerable versions: 2.1.3-2.8.2; Fixed in: 2.8.3; OWASP Top 10: A3: Injection; Classification: SQL Injection; CVE: CVE-2024-1071; Patch priority: High; CVSS severity: High 9.3; PSID: d52d7ae096c8; Credits: Christiaan Swiers; Required privilege...
WordPress BuddyBoss Theme Theme <= 2.4.60 is vulnerable to Settings Change
Software: BuddyBoss Theme; Type: Theme; Vulnerable versions: <= 2.4.60; Fixed in: 2.4.61; OWASP Top 10: A1: Broken Access Control; Classification: Settings Change; CVE: CVE-2023-51477; Patch priority: High; CVSS severity: High 9.8; PSID: 91b38329ee46; Credits: Dave Jong (Patchstack); Required...
WordPress ChatBot Plugin <= 4.8.9 is vulnerable to Arbitrary File Deletion
Software: ChatBot; Type: Plugin; Vulnerable versions: <= 4.8.9; Fixed in: 4.9.1; OWASP Top 10: A4: Insecure Design; Classification: Arbitrary File Deletion; CVE: CVE-2023-5212; Patch priority: High; CVSS severity: High 9.6; PSID: cac6c246df55; Credits: Marco Wotschka, Chloe Chamberland; Require...
WordPress Post grid and filter ultimate Plugin <= 1.5.2 is vulnerable to Broken Access Control
Software: Post grid and filter ultimate; Type: Plugin; Vulnerable versions: <= 1.5.2; Fixed in: 1.5.3; OWASP Top 10: A1: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2023-40200; Patch priority: Low; CVSS severity: Low 5.3; PSID: e3f31b8b5385; Credits: Abdi Pranata...
WordPress Cream Magazine Theme <= 2.1.4 is vulnerable to Cross Site Scripting (XSS)
Software: Cream Magazine; Type: Theme; Vulnerable versions: <= 2.1.4; Fixed in: 2.1.5; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-28687; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: 7a491754a1a0; Credits: László Radnai...
WordPress WooCommerce Payments Plugin <= 5.6.1 is vulnerable to Privilege Escalation
Software: WooCommerce Payments; Type: Plugin; Vulnerable versions: <= 5.6.1; Fixed in: 5.6.2; OWASP Top 10: A2: Broken Authentication; Classification: Privilege Escalation; CVE: CVE-2023-28121; Patch priority: High; CVSS severity: High 9.8; PSID: af825d1466e0; Credits: Michael Mazzolini...
WordPress Sales Report for WooCommerce Plugin <= 3.5.7.6 is vulnerable to Broken Access Control
Software: Sales Report for WooCommerce; Type: Plugin; Vulnerable versions: <= 3.5.7.6; Fixed in: 3.5.7.7; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2022-45813; Patch priority: Low; CVSS severity: Low 5.4; PSID: 203694b99e41; Credits: István Márto...
WordPress Watu Quiz Plugin < 3.3.8.3 is vulnerable to Cross Site Scripting (XSS)
Software: Watu Quiz; Type: Plugin; Vulnerable versions: < 3.3.8.3; Fixed in: 3.3.8.3; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-0429; Patch priority: Low; CVSS severity: Low 5.9; PSID: 5337ca5b2dc2; Credits: Felipe Restrepo Rodriguez...
WordPress Image Map Pro premium plugin <= 5.5.0 - Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) discovered by Dave Jong (Patchstack) in the WordPress Image Map Pro premium plugin versions <= 5.5.0. Solution No patched version is available. No reply from the vendor for a long time...
WordPress All In One WP Security plugin <= 5.1.0 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Rafie Muhammad (Patchstack) in the WordPress All In One WP Security plugin versions <= 5.1.0. Solution Update the WordPress All In One WP Security & Firewall plugin to the latest available version, at least 5.1.1...
WordPress WP Stripe Checkout plugin <= 1.2.2.20 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Lana Codes in WordPress WP Stripe Checkout plugin versions <= 1.2.2.20. Solution Update the WordPress WP Stripe Checkout plugin to the latest available version, at least 1.2.2.21...
WordPress BeCustom premium plugin <= 1.0.5.2 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to plugin settings change discovered by Julien Ahrens (RCE Security) in the WordPress BeCustom premium plugin versions <= 1.0.5.2. Solution Update the WordPress BeCustom plugin to the latest available version, at least 1.0.5.3...
WordPress Seed Social plugin <= 2.0.3 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by zhangyunpei in the WordPress Seed Social plugin versions <= 2.0.3. Solution Update the WordPress Seed Social plugin to the latest available version, at least 2.0.4...
WordPress REST API Authentication plugin <= 2.4.0 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to plugin settings change discovered by Lana Codes (Patchstack Alliance) in WordPress REST API Authentication plugin versions <= 2.4.0. Solution Update the WordPress REST API Authentication plugin to the latest available version, at leas...
WordPress OWM Weather plugin <= 5.6.8 - Auth. SQL Injection (SQLi) vulnerability
Auth. SQL Injection (SQLi) vulnerability discovered by Kunal Sharma (University of Kaiserslautern) and Daniel Krohmer (Fraunhofer IESE) in the WordPress OWM Weather plugin versions <= 5.6.8. Solution Update the WordPress OWM Weather plugin to the latest available version, at least 5.6.9...
WordPress Event Monster plugin <= 1.2.0 - Auth. SQL Injection (SQLi) vulnerability
Auth. SQL Injection (SQLi) vulnerability discovered by Thura Moe Myint in the WordPress Event Monster plugin versions <= 1.2.0. Solution Update the WordPress Event Management Tickets Booking plugin to the latest available version, at least 1.2.1...
WordPress Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to Plugin Settings Import was discovered by Muhammad Daffa (Patchstack Alliance) in WordPress Advanced Dynamic Pricing for WooCommerce plugin versions <= 4.1.5. Solution Update the WordPress Advanced Dynamic Pricing for WooCommerce plugin to the...
WordPress Ultimate Member plugin <= 2.5.0 - Auth. Remote Code Execution vulnerability
Auth. Remote Code Execution vulnerability discovered by Ruijie Li in WordPress Ultimate Member plugin versions <= 2.5.0. Solution Update the WordPress Ultimate Member plugin to the latest available version, at least 2.5.1...
WordPress BuddyForms plugin <= 2.7.2 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in the WordPress BuddyForms plugin versions <= 2.7.2. Solution No patched version is available...
WordPress Mantenimiento web plugin <= 0.13 - Auth. Cross-Site Scripting (XSS) vulnerability
Auth. Cross-Site Scripting (XSS) vulnerability discovered by Mika (Patchstack Alliance) in the WordPress Mantenimiento web plugin versions <= 0.13. Solution Update the WordPress Mantenimiento web plugin to the latest available version, at least 0.14...
WordPress Customer Reviews for WooCommerce plugin <= 5.3.5 - Authenticated Broken Access Control vulnerability
Authenticated Broken Access Control vulnerability leading to review export discovered by Muhammad Daffa (Patchstack Alliance) in WordPress Customer Reviews for WooCommerce plugin versions <= 5.3.5. Solution Update the WordPress Customer Reviews for WooCommerce plugin to the latest available version ...
WordPress Culture Object plugin <= 4.0.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by ptsfence (Patchstack Alliance) in WordPress Culture Object plugin versions <= 4.0.1. Solution Update the WordPress Culture Object plugin to the latest available version, at least 4.1.1...
WordPress Login Block IPs plugin <= 1.0.0 - Arbitrary Setting Update via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Setting Update via Cross-Site Request Forgery (CSRF) vulnerability discovered by Daniel Ruf in WordPress Login Block IPs plugin versions <= 1.0.0. Solution Deactivate and delete. This plugin has been closed as of September 5, 2022 and is not available for download. This closure is temporar...
WordPress Blossom Recipe Maker plugin <= 1.0.7 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities were discovered by Ngo Van Thien (Patchstack Alliance) in the WordPress Blossom Recipe Maker plugin versions <= 1.0.7. Solution Deactivate and delete. No reply from the vendor...
WordPress WP-UserOnline plugin <= 2.88.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Juampa Rodríguez in WordPress WP-UserOnline plugin versions <= 2.88.0. Solution Update the WordPress User Online plugin to the latest available version, at least 2.88.1...
WordPress Ajax Load More plugin <= 5.5.3 - Authenticated Arbitrary File Read vulnerability
Authenticated Arbitrary File Read vulnerability discovered by Muhammad Zeeshan (Xib3rR4dAr) in WordPress Ajax Load More plugin versions <= 5.5.3. Solution Update the WordPress Ajax Load More plugin to the latest available version, at least 5.5.4...
WordPress Uploading SVG, WEBP and ICO files plugin <= 1.0.1 - Authenticated Arbitrary File Upload vulnerability
Authenticated Arbitrary File Upload vulnerability discovered by Universe (Patchstack Alliance) in WordPress Uploading SVG, WEBP and ICO files plugin versions <= 1.0.1. Solution No patched version is available. Ignored by the vendor...
WordPress Download Manager plugin <= 3.2.48 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to template status change discovered by Muhammad Daffa (Patchstack Alliance) in WordPress Download Manager plugin versions <= 3.2.48. Solution Update the WordPress Download Manager plugin to the latest available version, at least 3.2.49...
WordPress MailerLite – Signup forms (official) plugin <= 1.5.7 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to API key change discovered by Muhammad Daffa (Patchstack Alliance) in WordPress MailerLite – Signup forms (official) plugin versions <= 1.5.7. Solution Update the WordPress MailerLite – Signup forms plugin to the latest available version at least...
WordPress Download Manager plugin <= 3.2.49 - Bypass IP Address Blocking Restriction vulnerability
Bypass IP Address Blocking Restriction vulnerability discovered by Raad Haddad in WordPress Download Manager plugin versions <= 3.2.49. Solution Update the WordPress Download Manager plugin to the latest available version, at least 3.2.50...
WordPress Inspiro Pro premium theme < 7.2.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Fortune Sam Okon in WordPress Inspiro Pro premium theme versions < 7.2.3. Solution Update the WordPress Inspiro premium theme to the latest available version, at least 7.2.3...