46606 matches found
WordPress LMS by LifterLMS plugin <= 4.21.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Amirmuhammad Vakili in WordPress LMS by LifterLMS plugin versions <= 4.21.0. Solution: Update the WordPress LMS by LifterLMS plugin to the latest available version, at least 4.21.1...
WordPress Select All Categories and Taxonomies, Change Checkbox to Radio Buttons plugin <= 1.3.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by 0xB9 in WordPress Select All Categories and Taxonomies, Change Checkbox to Radio Buttons plugin versions <= 1.3.1. Solution: Update the WordPress Select All Categories and Taxonomies, Change Checkbox to Radio Buttons plugin to the lates...
WordPress Modern WPBakery Page Builder Addons premium plugin <= 3.0.1 - Arbitrary File Upload/Deletion vulnerabilities
Arbitrary File Upload/Deletion vulnerabilities discovered by Robin Goodfellow in WordPress Modern WPBakery Page Builder Addons premium plugin versions <= 3.0.1. Solution: Plugin removed from Envato repository. Deactivate and delete...
WordPress Tutor LMS plugin <= 1.8.7 - Authenticated Local File Inclusion vulnerability
Authenticated Local File Inclusion vulnerability discovered by sasa in WordPress Tutor LMS plugin versions <= 1.8.7. Solution: Update the WordPress Tutor LMS plugin to the latest available version, at least 1.8.8...
WordPress bbPress plugin <= 2.6.4 - Unauthenticated Privilege Escalation vulnerability
Unauthenticated Privilege Escalation vulnerability discovered by Raphael Karger in WordPress bbPress plugin versions <= 2.6.4. Solution: Update the WordPress bbPress plugin to the latest available version, at least 2.6.5...
WordPress Appointment Hour Booking plugin <= 1.1.45 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability found by ivoschyk-cs in WordPress Appointment Hour Booking plugin versions <= 1.1.45. Solution: Update the WordPress Appointment Hour Booking plugin to the latest available version, at least 1.1.46...
WordPress HTML5 Maps plugin <= 1.6.5.6 - Cross-Site Request Forgery CSRF and Cross-Site Scripting (XSS) vulnerabilities
Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) vulnerabilities found by Cryptography Laboratory in WordPress HTML5 Maps plugin versions <= 1.6.5.6. Solution: Update the WordPress HTML5 Maps plugin to the latest available version, at least 1.6.5.7...
WordPress 360 Product Rotation plugin <= 1.4.7 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability found by ImplosionSec in WordPress 360 Product Rotation plugin versions <= 1.4.7. Solution: Update the WordPress 360 Product Rotation plugin to the latest available version, at least 1.4.8...
WordPress Captcha plugin <= 4.4.4 - Backdoored
Backdoor found by the Wordfence team in WordPress Captcha plugin versions 4.3.6–4.4.4. Solution: The WordPress plugin repository team patched the plugin, but you need to decide for yourself whether to keep using this plugin...
WordPress <= 4.9 - Authenticated JavaScript File Upload vulnerability
Authenticated JavaScript File Upload vulnerability found in WordPress versions <= 4.9. Solution: Update WordPress to the latest available version, at least 4.9.1...
WordPress <= 4.7.4 - Insufficient Redirect Validation vulnerability
All WordPress versions from 2.7 to 4.7.4 suffer from insufficient redirect validation in the HTTP class, which leads to SSRF (Server-Side Request Forgery). Solution: Update WordPress core to the latest possible version, at least 4.7.5...
WordPress Pie Register Plugin <= 2.0.18 - Multiple SQL Injection
An SQL injection exists in pie-register/pie-register.php. It allows administrators to execute arbitrary SQL commands via the (1) selectinvitaioncodebulkoption or (2) invidelid parameter in the pie-invitation-codes page to wp-admin/admin.php. Solution: Update the plugin...
WordPress Appointment Booking Calendar Plugin <= 1.1.7 - SQL Injection
This vulnerability allows an attacker to execute arbitrary SQL commands via unspecified vectors related to updating the username. Solution: Update the plugin...
WordPress Symposium Plugin 15.1 - SQL Injection #2
The WP Symposium plugin's "size" parameter is prone to SQL injection via getalbumitem.php. This vulnerability allows an attacker to modify data, compromise access and the application, or exploit hidden vulnerabilities in the underlying database. Related records:...
WordPress Google Analyticator <= 6.4.9.5 - Multiple XSS
These vulnerabilities allow an attacker to inject arbitrary web script or HTML via the (1) gadownloadsprefix, (2) gadownloads, (3) gaadsense, (4) gaadmindisableDimentionIndex or (5) gaoutboundprefix parameter in the google-analyticator page to wp-admin/admin.php. Solution: Update the plugin...
WordPress Modern Tribe Eventbrite Tickets Plugin <= 3.10.1 - XSS
This vulnerability is in the Event Import page. It allows an attacker to inject arbitrary web script or HTML via the "error" parameter to wp-admin/edit.php. Solution: Update the plugin...
WordPress ReFlex Gallery Plugin <= 3.1.3 - Unrestricted File Upload
This vulnerability is in admin/scripts/FileUploader/php.php. It allows an attacker to execute arbitrary PHP code by uploading a file with a PHP extension and then accessing it via a direct request to the file in the uploads/ directory. Solution: Update the plugin...
WordPress Genericons Plugin <= 4.2.1 - XSS
This vulnerability is in example.html and allows an attacker to inject arbitrary web script or HTML via a fragment identifier. Solution: Update the plugin...
WordPress AB Google Map Travel Plugin <= 3.9 - Multiple CSRF
Because of these vulnerabilities, attackers can hijack the authentication of administrators for requests that conduct cross-site scripting attacks via the "lat", "long", "zoom", "mapheight" or "mapwidth" parameters in the abmapoptions page to wp-admin/admin.php. Solution: Update the plugin...
WordPress Web Dorado Spider Event Calendar Plugin 1.4.9 - SQL Injection
The Web Dorado Spider Event Calendar plugin is prone to SQL injection. This vulnerability allows an attacker to modify data, compromise access and the application, or exploit hidden vulnerabilities in the underlying database. Solution: Upgrade the plugin...
WordPress Symposium Plugin 14.10 - SQL Injection
The WordPress Symposium plugin is prone to SQL injection. This vulnerability allows an attacker to modify data, compromise access and the application, or exploit hidden vulnerabilities in the underlying database. Solution: Update to version 14.11...
WordPress WP Google Maps Plugin <= 6.0.26 - Multiple XSS
Because of these vulnerabilities, attackers can inject arbitrary web script or HTML via the "polyid" parameter. Solution: Update the plugin...
WordPress <= 3.9.1 - Unsafe Serialization
wp-includes/class-wp-customize-widgets.php in the widget implementation allows attackers to execute arbitrary code via crafted serialized data. Solution: Update WordPress...
WordPress Video Gallery Plugin 2.5 - Multiple Vulnerabilities
The Video Gallery plugin is prone to multiple vulnerabilities, including SQL injection and XSS. Solution: Upgrade the plugin...
WordPress Login Rebuilder Plugin <= 1.1.9 - CSRF
Because of this vulnerability, attackers can hijack the authentication of arbitrary users. Solution: Update the plugin...
WordPress Landing Pages Plugin <=1.2.3 - SQL Injection
Because of this vulnerability, attackers can execute arbitrary SQL commands via the "post" parameter to index.php. Solution: Update the plugin...
WordPress VideoWhisper Live Streaming Integration Plugin <= 4.25.3 - Multiple XSS
Because of these multiple vulnerabilities in ls/htmlchat.php, attackers can inject arbitrary web script or HTML via the "name" or "message" parameter. Solution: Update the plugin...
WordPress PodPress Plugin - Cross Site Scripting
The WordPress PodPress plugin's "playerID" parameter is prone to a cross-site scripting vulnerability because the plugin fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal...
WordPress YouSayToo Auto-Publishing Plugin 1.0 - Cross Site Scripting
The WordPress YouSayToo Auto-Publishing plugin's "submit" parameter is prone to a cross-site scripting vulnerability because the plugin fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacke...
WordPress <= 3.3.1 - Multiple XSS
Because of these vulnerabilities in wp-admin/setup-config.php, attackers can inject arbitrary web script or HTML. Solution: Update WordPress...
WordPress Hybrid Theme 0.9 - Cross-Site Scripting
The WordPress Hybrid theme's "cpage" parameter is prone to a cross-site scripting vulnerability because the theme fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal...
WordPress <= 2.6.9 - Denial Of Service Attacks
Because of this vulnerability in wp-admin/upgrade.php, attackers can trigger an upgrade of the application and possibly cause a denial of service. Solution: Update WordPress...
WordPress Restaurant & Cafe Addon for Elementor Plugin <= 1.5.9 is vulnerable to Broken Access Control
Software: Restaurant & Cafe Addon for Elementor; Type: Plugin; Vulnerable versions: <= 1.5.9; Fixed in: 1.6.0; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Broken Access Control; CVE: CVE-2024-10780; Patch priority: Low; CVSS severity: Low 4.3; PSID...
WordPress NiceJob Plugin <= 3.7.1 is vulnerable to Cross Site Scripting (XSS)
Software: NiceJob; Type: Plugin; Vulnerable versions: <= 3.7.1; Fixed in: 3.7.2; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-10887; Patch priority: Low; CVSS severity: Low 6.5; PSID: e99b9ef723fc; Credits: Peter Thaleikis; Required...
WordPress Attesa Extra Plugin <= 1.4.2 is vulnerable to Broken Access Control
Software: Attesa Extra; Type: Plugin; Vulnerable versions: <= 1.4.2; Fixed in: 1.4.3; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Broken Access Control; CVE: CVE-2024-10688; Patch priority: Low; CVSS severity: Low 4.3; PSID: 5de7d31066fa; Credits: Francesco...
WordPress Airin Blog Theme <= 1.6.1 is vulnerable to PHP Object Injection
Software: Airin Blog; Type: Theme; Vulnerable versions: <= 1.6.1; Fixed in: 1.6.3; OWASP Top 10: A3: Injection; Classification: PHP Object Injection; CVE: CVE-2024-52413; Patch priority: High; CVSS severity: High 9.8; PSID: 5d3bd1ffdbab; Credits: Mika; Required privilege: Unauthenticated...
WordPress Order Notification for Telegram Plugin <= 1.0.1 is vulnerable to Broken Access Control
Software: Order Notification for Telegram; Type: Plugin; Vulnerable versions: <= 1.0.1; Fixed in: N/A; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2024-9686; Patch priority: Low; CVSS severity: Low 5.3; PSID: c9ae0bfdb3a8; Credits: István Márton...
WordPress Post Grid and Gutenberg Blocks Plugin <= 2.2.93 is vulnerable to Cross Site Scripting (XSS)
Software: Post Grid and Gutenberg Blocks; Type: Plugin; Vulnerable versions: <= 2.2.93; Fixed in: 2.2.94; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-50432; Patch priority: Low; CVSS severity: Low 6.5; PSID: cc84fa172af9; Credits: João Pedro S Alcântar...
WordPress Time Clock Plugin <= 1.2.2 is vulnerable to Remote Code Execution (RCE)
Software: Time Clock; Type: Plugin; Vulnerable versions: <= 1.2.2; Fixed in: 1.2.3; OWASP Top 10: A3: Injection; Classification: Remote Code Execution (RCE); CVE: CVE-2024-9593; Patch priority: High; CVSS severity: High 8.3; PSID: ba1ac64c553d; Credits: István Márton; Required privilege...
WordPress Unlimited Elements For Elementor (Free Widgets, Addons, Templates) Plugin <= 1.5.121 is vulnerable to Remote Code Execution (RCE)
Software: Unlimited Elements For Elementor (Free Widgets, Addons, Templates); Type: Plugin; Vulnerable versions: <= 1.5.121; Fixed in: 1.5.122; OWASP Top 10: A3: Injection; Classification: Remote Code Execution (RCE); CVE: CVE-2024-49271; Patch priority: High; CVSS severity: High 9.1; Developer: Unlimited Elements; PSID...
WordPress myCred Plugin <= 2.7.2 is vulnerable to Cross Site Scripting (XSS)
Software: myCred; Type: Plugin; Vulnerable versions: <= 2.7.2; Fixed in: 2.7.3; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-43353; Patch priority: Low; CVSS severity: Low 6.5; PSID: a2faf75ac250; Credits: LVT-tholv2k; Required privilege: Contributor...
WordPress Email Subscribers & Newsletters Plugin <= 5.7.20 is vulnerable to SQL Injection
Software: Email Subscribers & Newsletters; Type: Plugin; Vulnerable versions: <= 5.7.20; Fixed in: 5.7.21; OWASP Top 10: A1: Injection; Classification: SQL Injection; CVE: CVE-2024-4295; Patch priority: High; CVSS severity: High 9.3; PSID: 50be2b9566fd; Credits: 1337Wannabe; Required privilege...
WordPress Soledad Theme <= 8.4.5 is vulnerable to Broken Access Control
Software: Soledad; Type: Theme; Vulnerable versions: <= 8.4.5; Fixed in: 8.4.6; OWASP Top 10: A1: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2024-31368; Patch priority: High; CVSS severity: High 6.5; PSID: 82c791d66976; Credits: Rafie Muhammad (Patchstack); Required...
WordPress MapPress Maps for WordPress Plugin < 2.88.15 is vulnerable to Cross Site Scripting (XSS)
Software: MapPress Maps for WordPress; Type: Plugin; Vulnerable versions: < 2.88.15; Fixed in: 2.88.15; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-0420; Patch priority: Low; CVSS severity: Low 6.5; PSID: 127ee0002ebf; Credits: Salvatore...
WordPress Calculated Fields Form Plugin <= 1.2.52 is vulnerable to Cross Site Scripting (XSS)
Software: Calculated Fields Form; Type: Plugin; Vulnerable versions: <= 1.2.52; Fixed in: 1.2.53; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-0963; Patch priority: Low; CVSS severity: Low 6.5; PSID: 51ba9c951440; Credits: Richard Telleng...
WordPress Media Library Assistant Plugin <= 3.09 is vulnerable to Remote Code Execution (RCE)
Software: Media Library Assistant; Type: Plugin; Vulnerable versions: <= 3.09; Fixed in: 3.10; OWASP Top 10: A1: Injection; Classification: Remote Code Execution (RCE); CVE: CVE-2023-4634; Patch priority: High; CVSS severity: High 10; PSID: a9f84b644a17; Credits: Pepitoh; Required privilege...
WordPress EmbedPress Plugin <= 3.8.2 is vulnerable to Broken Access Control
Software: EmbedPress; Type: Plugin; Vulnerable versions: <= 3.8.2; Fixed in: 3.8.3; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2023-4282; Patch priority: Low; CVSS severity: Low 5.4; PSID: 9300647917bb; Credits: Lana Codes; Required privilege...
WordPress Online Booking & Scheduling Calendar for WordPress by vcita Plugin <= 4.4.2 is vulnerable to Arbitrary File Upload
Software: Online Booking & Scheduling Calendar for WordPress by vcita; Type: Plugin; Vulnerable versions: <= 4.4.2; Fixed in: N/A; OWASP Top 10: A1: Injection; Classification: Arbitrary File Upload; CVE: CVE-2023-2414; Patch priority: High; CVSS severity: High 9.9; PSID: 69648001908f; Credit...
WordPress fitness-trainer Plugin < 1.4.1 is vulnerable to Privilege Escalation
Software: fitness-trainer; Type: Plugin; Vulnerable versions: < 1.4.1; Fixed in: 1.4.1; OWASP Top 10: A5: Broken Access Control; Classification: Privilege Escalation; CVE: CVE-2020-36666; Patch priority: High; CVSS severity: High 8.8; PSID: 4ffd920db47c; Credits: Omar Badran; Required privilege...
WordPress WPML Multilingual CMS premium plugin <= 4.5.13 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to a status change of a translation job discovered by Dave Jong (Patchstack) in WordPress WPML Multilingual CMS premium plugin versions <= 4.5.13. Solution: Update the WordPress Multilingual CMS plugin to the latest available version, at least 4.5.14...