WordPress Parsi Font Plugin <= 4.2.5 - Cross Site Scripting (XSS)
This plugin is prone to a reflected cross site scripting vulnerability. Vulnerable file is /parsi-font/css.php. Solution Update the plugin...
WordPress <= 4.2.1 - XSS
This vulnerability in wp-includes/wp-db.php allows an attacker to inject arbitrary web script or HTML via a long comment: the comment is sanitized in full, but is then stored truncated because of the size limit of the MySQL TEXT data type, so the stored markup no longer matches what the sanitizer checked. Solution Update WordPress...
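The entry above describes a sanitize-then-truncate ordering problem. The following added example (not WordPress core code, and not the actual WordPress sanitizer) reproduces the mechanism with a toy allow-list sanitizer: the sanitized output is well formed, the column truncation cuts it inside an attribute, and the hardened flow rejects over-length input before sanitizing so the sanitizer's output is never cut. The `ex_` functions, the toy sanitizer and the 65535-byte limit (the size of a MySQL TEXT column) are assumptions made for the illustration.

```php
<?php
/**
 * Added example, not WordPress core code. Shows why sanitising before a
 * column-length truncation is unsafe, and the check that closes the gap.
 * The toy allow-list sanitiser, the ex_ names and the 65535-byte limit
 * (MySQL TEXT) are assumptions for illustration; real sanitisers are far larger.
 */

const TEXT_COLUMN_BYTES = 65535;

// Toy sanitiser: keeps <a title="..."> and </a>, escapes everything else.
function ex_sanitize( string $html ): string {
    $out   = '';
    $parts = preg_split( '/(<a\s+title="[^"<>]*">|<\/a>)/i', $html, -1, PREG_SPLIT_DELIM_CAPTURE );
    foreach ( $parts as $i => $part ) {
        // odd indexes are the captured, allowed tags; even indexes are text
        $out .= ( $i % 2 === 1 ) ? $part : htmlspecialchars( $part, ENT_QUOTES, 'UTF-8' );
    }
    return $out;
}

// What a TEXT column does to an oversized value (non-strict SQL mode).
function ex_column_truncate( string $s ): string {
    return substr( $s, 0, TEXT_COLUMN_BYTES );
}

// Invariant the sanitiser guarantees: quotes paired, every <a> closed.
function ex_is_well_formed( string $s ): bool {
    return substr_count( $s, '"' ) % 2 === 0
        && substr_count( $s, '<a ' ) === substr_count( $s, '</a>' );
}

// Vulnerable flow: sanitise first, then let the database truncate.
function ex_store_vulnerable( string $comment ): string {
    return ex_column_truncate( ex_sanitize( $comment ) );
}

// Hardened flow: enforce the column length on the raw input first.
function ex_store_hardened( string $comment ): ?string {
    if ( strlen( $comment ) > TEXT_COLUMN_BYTES ) {
        return null; // rejected; the sanitiser's output is never cut
    }
    return ex_sanitize( $comment );
}

// Constructed payload: a legal <a> whose title attribute pushes the closing
// quote and the closing tag past the column boundary.
$payload = '<a title="x ' . str_repeat( 'A', TEXT_COLUMN_BYTES ) . '">link</a>';

var_dump( ex_is_well_formed( ex_sanitize( $payload ) ) );      // bool(true): sanitiser output is clean
var_dump( ex_is_well_formed( ex_store_vulnerable( $payload ) ) ); // bool(false): open quote after truncation
var_dump( ex_store_hardened( $payload ) );                       // NULL: rejected before sanitising
```

Once the stored value ends inside a quoted attribute, a browser keeps reading the page's own markup as that attribute value until the next matching quote, which is what turns a truncation bug into markup the sanitizer never saw. The check to carry away is ordering: enforce every storage limit on the raw input, then sanitize, and never rely on the database to shorten sanitized output.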
WordPress <= 4.4.1 - Open Redirect
This vulnerability in the wp_validate_redirect function in wp-includes/pluggable.php allows an attacker to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL which triggers incorrect hostname parsing. Solution Update WordPress...
WordPress Pie Register Plugin <= 2.0.18 - XSS
This vulnerability allows an attacker to inject arbitrary web script or HTML via the invitaioncode parameter in a pie-register page to the default URL. Solution Update the plugin...
WordPress Easy2Map Plugin 1.24 - SQL Injection
This WordPress Easy2Map plugin is prone to SQL injection. This vulnerability allows an attacker to read or modify data, compromise the application, or exploit further weaknesses in the underlying database. Solution Update the plugin...
WordPress ZM Ajax Login & Register Plugin 1.0.9 - Local File Inclusion
Because of this vulnerability, an attacker can include a local file named in the "template" POST parameter by calling the wp_ajax_nopriv_load_template action, which performs no validation on the value. Solution Update the plugin...
WordPress Free Counter Plugin 1.1 - Stored XSS
This vulnerability is reachable through the wp_ajax_nopriv_check_stat action, so any visitor, authenticated or not, can perform a stored XSS attack. Solution Upgrade the plugin...
WordPress Simple Ads Manager Plugin <= 2.7.96 - Multiple SQL Injection
Because of these vulnerabilities, attackers can execute arbitrary SQL commands via the "cstr" parameter in a load_posts action to sam-ajax-admin.php, the "hits" parameter in a sam_hits action to sam-ajax.php, the "searchTerm" parameter in a load_combo_data action to sam-ajax-admin.php or the "editor"...
WordPress WPML Plugin <= 3.1.8 - SQL Injection #2
Because of this vulnerability, attackers can execute arbitrary SQL commands via the "lang" parameter in the HTTP Referer header in a wp-link-ajax action to comments/feed. Related records:...
WordPress Welcart e-Commerce Plugin <= 1.3.12 - Multiple XSS
Because of these vulnerabilities, attackers can inject arbitrary web script or HTML in an add_delivery_method action to wp-admin/admin-ajax.php via the "name", "intl", "nocod" or "time" parameters. Solution Update the plugin...
WordPress WhyDoWork AdSense Plugin <= 1.2 - CSRF
Because of this vulnerability, attackers can hijack the authentication of administrators for arbitrary requests. Solution Update the plugin...
WordPress <= 4.0.0 - CSRF
Because of this vulnerability in wp-login.php, attackers can hijack the authentication of arbitrary users for requests that reset passwords. Solution Update WordPress...
WordPress <= 4.0.0 - Multiple Vulnerabilities #1
There are multiple vulnerabilities in WordPress wp-login.php: cross-site scripting, denial of service, an unsafe hash comparison, SSRF and CSRF. Because of these vulnerabilities, attackers can reset passwords by leveraging access to an e-mail account that received a password-reset message...
WordPress Creative Contact Form Plugin - Shell Upload
This Creative Contact Form plugin is prone to a shell upload vulnerability: under the default settings, an administrator or author can upload a shell script. Solution Upgrade the plugin...
WordPress Pods Plugin <= 2.4 - Multiple CSRF
Because of these vulnerabilities, attackers can hijack the authentication of administrators for requests that conduct cross-site scripting attacks via the "toggled" parameter in the pods-components page to wp-admin/admin.php, reset pod settings and data via the "pods_reset" parameter in the...
WordPress Wordfence Security Plugin <= 5.1.3 - XSS
Because of this vulnerability, attackers can inject arbitrary web script or HTML via the "whoisval" parameter on the WordfenceWhois page to wp-admin/admin.php. Solution Update the plugin...
WordPress Pay Per Media Player Plugin <= 1.24 - Multiple XSS
Because of these vulnerabilities in payper/payper.php, attackers can inject arbitrary web script or HTML. Solution Update the plugin...
WordPress <= 3.0.5
Because of this vulnerability, remote authenticated users can perform publish actions by leveraging the Contributor role. Solution Update WordPress...
WordPress <= 3.0.1 - BYPASS
wp-includes/capabilities.php does not require the Super Admin role for the delete_users capability, which allows remote authenticated administrators to bypass intended access restrictions via a delete action. Solution Update WordPress...
WordPress Firefox Adsense Plugin <= 3.0 - CSRF and XSS
Because of this vulnerability in askapache-firefox-adsense.php, attackers can hijack the authentication of administrators for requests that conduct cross-site scripting attacks. Solution Update the plugin...
WordPress qTranslate Plugin <= 2.5.34 - CSRF
Because of this vulnerability, attackers can hijack the authentication of administrators for requests that change plugin settings via unspecified vectors. Solution Update the plugin...
WordPress BackupBuddy Plugin <= 2.2.4 - Sensitive Data Exposure #3
This vulnerability in importbuddy.php allows attackers to obtain sensitive information, or to overwrite or delete files. Solution Update the plugin...
WordPress Welcart Plugin <= 1.2.1 - CSRF
Because of this vulnerability, attackers can hijack the authentication of arbitrary users for requests that complete a purchase. Solution Update the plugin...
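Several entries above share one root cause: an admin-ajax.php handler that is registered for anonymous callers (the ZM Ajax Login & Register local file inclusion), builds SQL from request parameters (Simple Ads Manager, WPML), or performs a privileged change without a nonce or capability check (WhyDoWork AdSense, Pods, qTranslate, Welcart CSRF). The following added example is not code from any of those plugins; it contrasts a handler carrying those defects with a hardened version. The `ex_` hook and function names, the "template" and "cstr" parameters, the `ex_ads` table and the `manage_options` capability are assumptions chosen for the illustration; the WordPress API calls (`add_action`, `check_ajax_referer`, `current_user_can`, `sanitize_key`, `$wpdb->prepare`, `wp_send_json_*`) are real core functions.

```php
<?php
/**
 * Added example, not code from any plugin listed on this page.
 * Vulnerable vs hardened admin-ajax.php handler. Hook names, the
 * "template"/"cstr" parameters, the ex_ads table and the capability
 * name are assumptions for illustration.
 */

// ---- Vulnerable pattern: anonymous access (nopriv), no nonce, no
//      capability check, include() of a caller-chosen path, string-built SQL.
add_action( 'wp_ajax_nopriv_ex_load_template', 'ex_load_template_vulnerable' );
function ex_load_template_vulnerable() {
    global $wpdb;
    $template = $_POST['template'];                                   // unvalidated
    include plugin_dir_path( __FILE__ ) . 'templates/' . $template;   // local file inclusion
    $cstr = $_POST['cstr'];
    $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}ex_ads WHERE cat = '$cstr'" ); // SQL injection
    wp_die();
}

// ---- Hardened pattern: logged-in hook only, nonce, capability, allow-list, prepared SQL.
add_action( 'wp_ajax_ex_load_template', 'ex_load_template_hardened' );
function ex_load_template_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this exact action.
    check_ajax_referer( 'ex_load_template', 'nonce' );

    // 2. Authorisation: a valid login session is not enough; check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Path traversal / LFI: map a key onto a fixed allow-list, never onto a path.
    $allowed = array( 'list' => 'list.php', 'grid' => 'grid.php' );
    $key     = isset( $_POST['template'] ) ? sanitize_key( wp_unslash( $_POST['template'] ) ) : '';
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_send_json_error( 'unknown template', 400 );
    }
    $file = plugin_dir_path( __FILE__ ) . 'templates/' . $allowed[ $key ];

    // 4. SQL injection: bind the value with $wpdb->prepare instead of interpolating it.
    global $wpdb;
    $cstr = isset( $_POST['cstr'] ) ? sanitize_text_field( wp_unslash( $_POST['cstr'] ) ) : '';
    $rows = $wpdb->get_results(
        $wpdb->prepare( "SELECT id, title FROM {$wpdb->prefix}ex_ads WHERE cat = %s", $cstr )
    );

    ob_start();
    include $file;            // the template reads $rows
    wp_send_json_success( array( 'html' => ob_get_clean() ) );
}

// The nonce the hardened handler expects is issued to the admin page's script, e.g.:
//   wp_localize_script( 'ex-admin', 'exAjax',
//       array( 'nonce' => wp_create_nonce( 'ex_load_template' ) ) );
```

The `wp_ajax_nopriv_` prefix exists only for handlers that genuinely must serve anonymous visitors; anything that writes data, reads privileged data or includes files belongs on the `wp_ajax_` hook with a nonce and a capability check. When reviewing a plugin, a quick check is to grep for `wp_ajax_nopriv_` and for `$_POST`/`$_GET` values that reach `include`, `require` or an unprepared `$wpdb` query.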
WordPress Quick Post Widget Plugin <= 1.9.1 - Multiple XSS
Because of these vulnerabilities, the attackers can inject arbitrary web script or HTML. Solution Update the plugin...
WordPress Adminimize Plugin 1.7.21 - Cross Site Scripting
WordPress Adminimize plugin's "page" parameter is prone to a cross-site scripting vulnerability because the plugin fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal...
WordPress Pixiv Custom Theme 2.1.5 - Cross Site Scripting
WordPress Pixiv Custom theme's "cpage" parameter is prone to a cross-site scripting vulnerability because the theme fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal...
WordPress <= 2.3.1 - Cookie Authentication Vulnerability
Because of this vulnerability, attackers can bypass authentication by obtaining the MD5 password hash from the user database and generating the authentication cookie from that hash. Solution Update WordPress...
WordPress Blix Theme <= 0.9.1 - XSS
Because of this vulnerability in index.php, attackers can inject arbitrary web script or HTML via PATH_INFO. Solution Update the theme...
WordPress <= 2.0.10 - XSS
Because of this vulnerability in wp-includes/general-template.php, attackers can inject arbitrary web script or HTML via the "year" parameter in the wp_title function. Solution Update WordPress to the latest available version (at least 2.0.11)...
WordPress <= 2.1.1 - Multiple Vulnerabilities
Attackers can execute arbitrary commands via an eval injection vulnerability in the "ix" parameter to wp-includes/feed.php. There is also a command execution backdoor in this release. Solution Update WordPress to the latest available version (at least 2.1.2)...
WordPress <=1.2 - Multiple Cross-Site Scripting (XSS) vulnerabilities
Because of these vulnerabilities, attackers can inject arbitrary web script or HTML. Solution Update WordPress to the latest possible version...
WordPress Sunshine Photo Cart plugin <= 3.6.7 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Dave Jong (Patchstack) in WordPress Plugin Sunshine Photo Cart versions <= 3.6.7...
WordPress WP to LinkedIn Auto Publish plugin <= 1.9.8 - Reflected Cross-Site Scripting via PostMessage vulnerability
Reflected Cross-Site Scripting via PostMessage vulnerability discovered by Nicolai Hellesnes (nico) in WordPress Plugin WP to LinkedIn Auto Publish versions <= 1.9.8...
WordPress MagOne Theme <= 8.5 is vulnerable to Cross Site Scripting (XSS)
Software: MagOne | Type: Theme | Vulnerable versions: <= 8.5 | Fixed in: N/A | OWASP Top 10: A3: Injection | Classification: Cross Site Scripting (XSS) | CVE: CVE-2025-39488 | Patch priority: Medium | CVSS severity: Medium (7.1) | PSID: 150089f804cf | Credits: Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunit...
WordPress Spam protection, AntiSpam, FireWall by CleanTalk Plugin <= 6.44 is vulnerable to Broken Authentication
Software: Spam protection, AntiSpam, FireWall by CleanTalk | Type: Plugin | Vulnerable versions: <= 6.44 | Fixed in: 6.45 | OWASP Top 10: A1: Broken Access Control | Classification: Broken Authentication | CVE: CVE-2024-10781 | Patch priority: High | CVSS severity: High (8.1) | PSID: 0bd21f35fe5e...
WordPress CM Pop-Up banners Plugin 1.7.5 is vulnerable to Cross Site Scripting (XSS)
Software: CM Pop-Up banners | Type: Plugin | Vulnerable versions: 1.7.5 | Fixed in: 1.7.6 | OWASP Top 10: A7: Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: CVE-2024-11202 | Patch priority: Medium | CVSS severity: Medium (7.1) | PSID: f58e5244f29c | Credits: Peter Thaleikis...
WordPress NextGEN Gallery Plugin < 3.59.5 is vulnerable to Cross Site Scripting (XSS)
Software: NextGEN Gallery | Type: Plugin | Vulnerable versions: < 3.59.5 | Fixed in: 3.59.5 | OWASP Top 10: A7: Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: CVE-2024-6393 | Patch priority: Low | CVSS severity: Low (5.9) | PSID: 0e6857ff3928 | Credits: WPscan | Required privileg...
WordPress WordPress Announcement & Notification Banner Plugin – Bulletin Plugin <= 3.11.7 is vulnerable to Cross Site Scripting (XSS)
Software: WordPress Announcement & Notification Banner Plugin – Bulletin | Type: Plugin | Vulnerable versions: <= 3.11.7 | Fixed in: N/A | OWASP Top 10: A7: Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: CVE-2024-10682 | Patch priority: Medium | CVSS severity: Medium (7.1)...
WordPress Backup and Staging by WP Time Capsule Plugin <= 1.22.21 is vulnerable to Arbitrary File Upload
Software: Backup and Staging by WP Time Capsule | Type: Plugin | Vulnerable versions: <= 1.22.21 | Fixed in: 1.22.22 | OWASP Top 10: A1: Injection | Classification: Arbitrary File Upload | CVE: CVE-2024-8856 | Patch priority: High | CVSS severity: High (10) | PSID: 3a293a6ce154 | Credits: Rein Daelman...
WordPress Automation By Autonami Plugin < 3.3.0 is vulnerable to SQL Injection
Software: Automation By Autonami | Type: Plugin | Vulnerable versions: < 3.3.0 | Fixed in: 3.3.0 | OWASP Top 10: A1: Injection | Classification: SQL Injection | CVE: CVE-2024-9186 | Patch priority: High | CVSS severity: High (9.3) | PSID: 0bc9c96e6168 | Credits: y4ng0615 | Required privilege: Unauthenticated...
WordPress Postify: Post Layout For Elementor Plugin <= 1.0.1 is vulnerable to Cross Site Scripting (XSS)
Software: Postify: Post Layout For Elementor | Type: Plugin | Vulnerable versions: <= 1.0.1 | Fixed in: N/A | OWASP Top 10: A3: Injection | Classification: Cross Site Scripting (XSS) | CVE: CVE-2024-51893 | Patch priority: Low | CVSS severity: Low (6.5) | PSID: 9a15834c2f21 | Credits: Gab | Required privileg...
WordPress Property Lot Management System Plugin <= 4.2.38 is vulnerable to Arbitrary File Upload
Software: Property Lot Management System | Type: Plugin | Vulnerable versions: <= 4.2.38 | Fixed in: N/A | OWASP Top 10: A3: Injection | Classification: Arbitrary File Upload | CVE: CVE-2024-49331 | Patch priority: Medium | CVSS severity: Medium (9.9) | PSID: 5524e01a8194 | Credits: CTRL Chance | Required...
WordPress Hunk Companion Plugin <= 1.8.4 is vulnerable to Broken Access Control
Software: Hunk Companion | Type: Plugin | Vulnerable versions: <= 1.8.4 | Fixed in: 1.8.5 | OWASP Top 10: A5: Broken Access Control | Classification: Broken Access Control | CVE: CVE-2024-9707 | Patch priority: High | CVSS severity: High (7.5) | PSID: 20cecbb53904 | Credits: Sean Murphy | Required privileg...
WordPress WP-Advanced-Search Plugin < 3.3.9.2 is vulnerable to SQL Injection
Software: WP-Advanced-Search | Type: Plugin | Vulnerable versions: < 3.3.9.2 | Fixed in: 3.3.9.2 | OWASP Top 10: A1: Injection | Classification: SQL Injection | CVE: CVE-2024-9796 | Patch priority: High | CVSS severity: High (9.3) | PSID: 872f69a2765a | Credits: Wojciech Jezowski | Required privilege...
WordPress ACF Images Search And Insert Plugin <= 1.1.4 is vulnerable to Arbitrary File Upload
Software: ACF Images Search And Insert | Type: Plugin | Vulnerable versions: <= 1.1.4 | Fixed in: N/A | OWASP Top 10: A3: Injection | Classification: Arbitrary File Upload | CVE: CVE-2024-48035 | Patch priority: Medium | CVSS severity: Medium (9.9) | PSID: a12f4662ed6d | Credits: stealthcopter | Required...
WordPress Themify Builder Plugin <= 7.6.2 is vulnerable to Cross Site Scripting (XSS)
Software: Themify Builder | Type: Plugin | Vulnerable versions: <= 7.6.2 | Fixed in: 7.6.3 | OWASP Top 10: A7: Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: CVE-2024-9385 | Patch priority: Medium | CVSS severity: Medium (7.1) | PSID: 2ab445f01cba | Credits: Colin Xu | Required...
WordPress Hash Form Plugin <= 1.1.9 is vulnerable to Arbitrary File Upload
Software: Hash Form | Type: Plugin | Vulnerable versions: <= 1.1.9 | Fixed in: 1.2.0 | OWASP Top 10: A1: Injection | Classification: Arbitrary File Upload | CVE: CVE-2024-9417 | Patch priority: High | CVSS severity: High (6.1) | PSID: 599a3ecad6e0 | Credits: Rein Daelman (trein) | Required privilege...
WordPress TinyPNG Plugin <= 3.4.3 is vulnerable to Cross Site Request Forgery (CSRF)
Software: TinyPNG | Type: Plugin | Vulnerable versions: <= 3.4.3 | Fixed in: 3.4.4 | OWASP Top 10: A1: Broken Access Control | Classification: Cross Site Request Forgery (CSRF) | CVE: CVE-2024-47635 | Patch priority: Low | CVSS severity: Low (5.4) | PSID: 9470f9a7ceb0 | Credits: Rafie Muhammad (Patchstack)...
WordPress Uncanny Groups for LearnDash Plugin <= 6.1.0.1 is vulnerable to Broken Access Control
Software: Uncanny Groups for LearnDash | Type: Plugin | Vulnerable versions: <= 6.1.0.1 | Fixed in: 6.1.1 | OWASP Top 10: A5: Broken Access Control | Classification: Broken Access Control | CVE: CVE-2024-8350 | Patch priority: Low | CVSS severity: Low (2.7) | PSID: d89e217025ab | Credits: Karl Emil Nikka...
WordPress WP Hardening Plugin <= 1.2.6 is vulnerable to Bypass Vulnerability
Software: WP Hardening | Type: Plugin | Vulnerable versions: <= 1.2.6 | Fixed in: 1.2.7 | OWASP Top 10: A4: Insecure Design | Classification: Bypass Vulnerability | CVE: CVE-2024-6641 | Patch priority: Low | CVSS severity: Low (5.3) | PSID: 5e3f8dc1dce6 | Credits: Felipe Caon | Required privilege...