46571 matches found
WordPress Newspaper Theme 6.7.1 - Privilege Escalation
The WordPress Newspaper theme is prone to a privilege escalation vulnerability. Solution Update the theme...
WordPress Google Tag Manager plugin <= 1.15 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Cory Buecker and notstoppable in WordPress Google Tag Manager plugin versions <= 1.15. Solution Update the WordPress Google Tag Manager plugin to the latest available version, at least 1.15.1...
WordPress Google Places Reviews plugin <= 1.5.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Krishna Harsha Kondaveeti in WordPress Google Places Reviews plugin versions <= 1.5.2. Solution Fixed in version 2.0.0, but the plugin has been closed as of April 8, 2022 and is not available for download. This closure is temporary,...
WordPress Gutenberg plugin <= 14.3.0 - Multiple Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Stored Cross-Site Scripting (XSS) vulnerabilities via the Search, Feature Image, RSS, and Widget blocks were discovered by Alex Concha (WP Security team) and a third-party audit in the WordPress Gutenberg plugin versions <= 14.3.1. Solution Update the WordPress Gutenberg plugin to the latest...
WordPress 3.7-4.9 - newbloguser Key Bypass
In wp-admin/user-new.php the newbloguser key is set to a string that can be derived from the user ID, which allows an attacker to bypass intended access restrictions by supplying this string. Solution Update WordPress to 4.9.1...
WordPress Slider Revolution plugin <= 6.7.36 - Authenticated (Contributor+) Arbitrary File Read via 'used_svg' and 'used_images' vulnerability
Authenticated (Contributor+) Arbitrary File Read via 'used_svg' and 'used_images' vulnerability discovered by stealthcopter in WordPress Slider Revolution plugin versions <= 6.7.36...
WordPress Use Any Font plugin <= 6.1.7 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by Rasi Afeef (Patchstack Alliance) in WordPress Use Any Font plugin versions <= 6.1.7. Solution Update the WordPress Use Any Font plugin to the latest available version, at least 6.1.8...
WordPress WooCommerce plugin <= 5.5.0 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered in WordPress WooCommerce plugin versions <= 5.5.0. Solution Update the WordPress WooCommerce plugin to the latest available version, at least 5.5.1...
WordPress DeepL Pro API translation Plugin <= 2.4.1.1 is vulnerable to Cross Site Request Forgery (CSRF)
Software: DeepL Pro API translation; Type: Plugin; Vulnerable versions: <= 2.4.1.1; Fixed in: 2.4.1.2; OWASP Top 10: A5: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2023-46620; Patch priority: Low; CVSS severity: Low (4.3); PSID: 93ab7131fcdf; Credits: thien...
WordPress Ninja Forms File Uploads Extension premium plugin <= 3.3.0 - Unauthenticated Arbitrary File Upload vulnerability
Unauthenticated Arbitrary File Upload vulnerability discovered by Muhammad Zeeshan (Xib3rR4dAr) in WordPress Ninja Forms File Uploads Extension premium plugin versions <= 3.3.0. Solution Update the WordPress Ninja Forms File Uploads Extension premium plugin to the latest available version, at least...
WordPress KingComposer plugin <= 2.9.6 - Open Redirect vulnerability
Open Redirect vulnerability discovered by Krzysztof Zając in WordPress KingComposer plugin versions <= 2.9.6. Solution Deactivate and delete. This plugin has been closed as of February 2, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Redux Framework plugin <= 4.2.11 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered by Ram Gall (WordFence) in WordPress Redux Framework plugin versions <= 4.2.11. Solution Update the WordPress Redux Framework plugin to the latest available version, at least 4.2.13...
WordPress Site Import Plugin 1.0.1 - Local and Remote File Inclusion
The Site Import plugin is prone to local and remote file inclusion. Solution Upgrade the plugin...
WordPress is vulnerable to Cross Site Scripting (XSS)
Software: WordPress; Type: WordPress Core; Vulnerable versions: < 6.5.5; Fixed in: 6.5.5; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-31111; Patch priority: Low; CVSS severity: Low (6.5); PSID: 41d6eebb2ef0; Credits: Rafie Muhammad (Patchstack); Required...
WordPress WP SVG Icons plugin <= 3.2.3 - Authenticated Remote Code Execution (RCE) vulnerability
Authenticated Remote Code Execution (RCE) vulnerability discovered by qerogram in WordPress WP SVG Icons plugin versions <= 3.2.3. Solution Deactivate and delete. This plugin has been closed as of April 18, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Flo Launch plugin <= 2.4 - Missing Authentication Allows Full Site Takeover vulnerability
Missing Authentication Allows Full Site Takeover vulnerability discovered by Daniel Ruf in WordPress Flo Launch plugin versions <= 2.4. Solution Update the WordPress Flo Launch plugin to the latest available version, at least 2.4.1...
WordPress J Cart Upsell and Cross-sell for WooCommerce plugin < 2.0.1 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress J Cart Upsell and Cross-sell for WooCommerce plugin versions < 2.0.1. Solution Update the WordPress J Cart Upsell and Cross-sell for WooCommerce plugin to the latest available version, at least 2.0.1...
WordPress Bot for Telegram on WooCommerce plugin <= 1.2.6 - Broken Access Control Vulnerability
Broken Access Control vulnerability discovered by ch4r0n in WordPress Bot for Telegram on WooCommerce plugin versions <= 1.2.6...
WordPress Smart Slider 3 plugin <= 3.5.0.8 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Hardik Solanki in WordPress Smart Slider 3 plugin versions <= 3.5.0.8. Solution Update the WordPress Smart Slider 3 plugin to the latest available version, at least 3.5.0.9...
WordPress <=4.9.6 - Arbitrary Code Execution vulnerability
Arbitrary Code Execution vulnerability found by RIPS Technologies (ripstech) in WordPress versions <= 4.9.6. Solution Update WordPress to version 4.9.7, which includes the patch...
WordPress 10to8 Online Appointment Booking System Plugin <= 1.0.9 is vulnerable to Cross Site Scripting (XSS)
Software: 10to8 Online Appointment Booking System; Type: Plugin; Vulnerable versions: <= 1.0.9; Fixed in: 1.1.0; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2023-49173; Patch priority: Low; CVSS severity: Low (6.5); PSID: 11459360bec5; Credits: Ngô Thiên An...
WordPress WooCommerce Order Barcodes Plugin <= 1.6.4 is vulnerable to Cross Site Request Forgery (CSRF)
Software: WooCommerce Order Barcodes; Type: Plugin; Vulnerable versions: <= 1.6.4; Fixed in: 1.6.5; OWASP Top 10: A5: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2023-36511; Patch priority: Low; CVSS severity: Low (4.3); PSID: d44ca18616f1; Credits: Rafie...
WordPress Import any XML or CSV File to WordPress <= 3.6.7 - Authenticated Malicious File Upload vulnerability
Authenticated Malicious File Upload vulnerability discovered by yangkang in WordPress Import any XML or CSV File to WordPress plugin versions <= 3.6.7. Solution Update the WordPress Import any XML or CSV File to WordPress plugin to the latest available version, at least 3.6.8...
WordPress FooBox Image Lightbox plugin < 2.7.17 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress FooBox Image Lightbox plugin versions < 2.7.17. Solution Update the WordPress FooBox Image Lightbox plugin to the latest available version, at least 2.7.17...
WordPress Cforms Plugin 14.7 - Remote Code Execution
The Cforms plugin is prone to a remote code execution vulnerability because the script does not properly check remotely cached files; the attack can also be delivered via a URL. Solution Upgrade the plugin...
WordPress Popup Builder plugin <= 4.0.6 - Local File Inclusion (LFI) leading to Remote Code Execution (RCE)
Local File Inclusion (LFI) leading to Remote Code Execution (RCE) discovered by JrXnm in WordPress Popup Builder plugin versions <= 4.0.6. Solution Update the WordPress Popup Builder plugin to the latest available version, at least 4.0.7...
WordPress CubeWP Forms – All-in-One Form Builder Plugin <= 1.1.1 is vulnerable to Cross Site Scripting (XSS)
Software: CubeWP Forms – All-in-One Form Builder; Type: Plugin; Vulnerable versions: <= 1.1.1; Fixed in: 1.1.2; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-47300; Patch priority: Medium; CVSS severity: Medium (7.1); PSID: 126f1788c7ef; Credits: hunter85...
WordPress WS Form Pro premium plugin <= 1.8.175 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Felipe Restrepo Rodriguez in WordPress WS Form Pro premium plugin versions <= 1.8.175. Solution Update the WordPress WS Form Pro premium plugin to the latest available version, at least 1.8.176...
WordPress Chatbot Support AI Plugin <= 1.0.2 is vulnerable to Cross Site Scripting (XSS)
Software: Chatbot Support AI; Type: Plugin; Vulnerable versions: <= 1.0.2; Fixed in: N/A; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-6722; Patch priority: Low; CVSS severity: Low (5.9); PSID: a3c87b3b7064; Credits: Kieran Burge; Required...
WordPress Team Members Showcase plugin < 4.4.2 - Editor+ Stored XSS vulnerability
Editor+ Stored XSS vulnerability discovered by Krugov Artyom in WordPress Team Members Showcase plugin versions < 4.4.2...
WordPress LiteSpeed Cache plugin <= 4.4.3 - IP Check Bypass to Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
IP Check Bypass to Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Emil Kylander in WordPress LiteSpeed Cache plugin versions <= 4.4.3. Solution Update the WordPress LiteSpeed Cache plugin to the latest available version, at least 4.4.4...
WordPress YITH WooCommerce Wishlist plugin <=2.1.2 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability found by the Sucuri team in WordPress YITH WooCommerce Wishlist plugin versions <= 2.1.2. Solution Update the WordPress YITH WooCommerce Wishlist plugin to the latest available version, at least 2.1.2...
WordPress SEO by Yoast Plugin <= 2.0.1 - Cross Site Scripting
This plugin is prone to a cross-site scripting vulnerability because of misuse of the add_query_arg and remove_query_arg functions. Solution Update the plugin...
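The add_query_arg / remove_query_arg misuse named in the entry above is a general WordPress pattern rather than something specific to this plugin, so here is an added illustration of it (example code written for this page, not the Yoast plugin's code and not from this database). When called without an explicit URL, both functions build on $_SERVER['REQUEST_URI'] and return the result unescaped, so echoing it into an attribute reflects whatever the request URI contained. The block assumes it runs inside WordPress, where add_query_arg() and esc_url() are core functions; the two helper names are hypothetical and exist only for this example.

```php
<?php
// Added illustration of the add_query_arg()/remove_query_arg() XSS pattern.
// Assumes a WordPress context: add_query_arg() and esc_url() are core functions.
// The two helper function names below are hypothetical.

// Vulnerable: with no URL argument, add_query_arg() starts from
// $_SERVER['REQUEST_URI'] and does not escape it. A crafted request URI
// carrying a closing quote and a <script> element is reflected verbatim
// into the href attribute of the link this function returns.
function example_pager_link_vulnerable( $page ) {
    $url = add_query_arg( 'paged', (int) $page );
    return '<a href="' . $url . '">Next</a>';
}

// Fixed: escape the built URL for attribute context before output.
// esc_url() strips characters outside its URL-safe set (quotes and angle
// brackets included) and rejects unsafe protocols, so the same request
// can no longer break out of the attribute.
function example_pager_link_fixed( $page ) {
    $url = esc_url( add_query_arg( 'paged', (int) $page ) );
    return '<a href="' . $url . '">Next</a>';
}

// remove_query_arg() has the same default and needs the same treatment.
// When the result feeds a redirect rather than HTML, escape it with
// esc_url_raw() and send it through wp_safe_redirect() instead of
// writing the raw string into a Location header.
function example_clear_notice_redirect() {
    wp_safe_redirect( esc_url_raw( remove_query_arg( 'msg' ) ) );
    exit;
}
```

The point to check when auditing a plugin is every add_query_arg()/remove_query_arg() call whose return value reaches output or a header without passing through esc_url(), esc_url_raw() or an equivalent escaper; the missing URL argument is what makes the call reflect request input.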
WordPress WordPress Custom Settings Plugin <= 1.0 is vulnerable to Cross Site Scripting (XSS)
Software: WordPress Custom Settings; Type: Plugin; Vulnerable versions: <= 1.0; Fixed in: N/A; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-23806; Patch priority: Low; CVSS severity: Low (5.9); PSID: c898b8c67aa4; Credits: Rio Darmawan...
WordPress Rank Math SEO plugin <= 1.0.95 - Server-Side Request Forgery (SSRF) vulnerability
Server-Side Request Forgery (SSRF) vulnerability discovered by Rafie Muhammad aka Yeraisci (Patchstack Alliance) in the WordPress Rank Math SEO plugin versions <= 1.0.95. Solution Update the WordPress Rank Math SEO plugin to the latest available version, at least 1.0.95.1...
WordPress HC Custom WP-Admin URL plugin <= 1.4 - Unauthenticated Secret URL Disclosure vulnerability
Unauthenticated Secret URL Disclosure vulnerability discovered by Daniel Ruf in WordPress HC Custom WP-Admin URL plugin versions <= 1.4. Solution Deactivate and delete. This plugin has been closed as of May 5, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Xorbin Digital Flash Clock Plugin - Cross Site Scripting
The "widgetUrl" parameter of the WordPress Xorbin Digital Flash Clock plugin is prone to a cross-site scripting vulnerability because the plugin fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the...
WordPress Stop Spam Comments plugin <= 0.2.1.2 - Access Token Bypass vulnerability
Access Token Bypass vulnerability discovered by Daniel Ruf in WordPress Stop Spam Comments plugin versions <= 0.2.1.2. Solution Deactivate and delete. This plugin has been closed as of August 3, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Team Members plugin <= 5.1.0 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by lucy in the WordPress Team Members plugin versions <= 5.1.0. Solution Update the WordPress Team Members plugin to the latest available version, at least 5.1.1...
WordPress Advanced Contact form 7 DB plugin <= 1.8.7 - Persistent Cross-Site Scripting (XSS) vulnerability
Persistent Cross-Site Scripting (XSS) vulnerability discovered by BEE-K in WordPress Advanced Contact form 7 DB plugin versions <= 1.8.7. Solution Update the WordPress Advanced Contact form 7 DB plugin to the latest available version, at least 1.8.8...
WordPress Formcraft3 premium plugin <= 3.8.27 - Unauthenticated Server-Side Request Forgery (SSRF) vulnerability
Unauthenticated Server-Side Request Forgery (SSRF) vulnerability discovered by Brandon James Roldan in WordPress Formcraft3 premium plugin versions <= 3.8.27. Solution Update the WordPress Formcraft3 premium plugin to the latest available version, at least 3.8.28...
WordPress plugin Mail Masta 1.0 - Multiple SQL Injection vulnerabilities
Multiple SQL Injection vulnerabilities found in WordPress Mail Masta plugin version 1.0 (CVE-2017-6095, CVE-2017-6096, CVE-2017-6097, CVE-2017-6098). Solution No information available. We were unable to find this plugin in the WordPress.org plugin repository at the time this database entry was created...
WordPress Parallax Theme - File Upload Arbitrary Code Execution
An arbitrary file upload in "themify-ajax.php" that leads to arbitrary PHP code execution was found in the WordPress Parallax theme. Solution Update the theme...
WordPress Add Comments plugin <= 1.0.1 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by roguethread in WordPress Add Comments plugin versions <= 1.0.1. Solution Deactivate and delete. This plugin has been closed as of November 9, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress WP Statistics plugin <= 13.2.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Taurus Omar in WordPress WP Statistics plugin versions <= 13.2.1. Solution Update the WordPress WP Statistics plugin to the latest available version, at least 13.2.2...
WordPress <= 5.8.2 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Karim El Ouerghemmi and Simon Scannell (SonarSource) in WordPress versions <= 5.8.2. Solution Update WordPress to the latest available version, at least 5.8.3...
WordPress AI Contact Us Form Plugin <= 1.0 is vulnerable to Cross Site Scripting (XSS)
Software: AI Contact Us Form; Type: Plugin; Vulnerable versions: <= 1.0; Fixed in: N/A; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-24386; Patch priority: Low; CVSS severity: Low (5.9); PSID: 673ba1e565e3; Credits: Aswin Balaji; Required...
WordPress Kadence WooCommerce Email Designer plugin <= 1.5.6 - Authenticated PHP Object Injection vulnerability
Authenticated PHP Object Injection vulnerability discovered by Nguyen Duy Quoc Khanh in WordPress Kadence WooCommerce Email Designer plugin versions <= 1.5.6. Solution Update the WordPress Kadence WooCommerce Email Designer plugin to the latest available version, at least 1.5.7...
WordPress YITH WooCommerce Compare plugin <=2.3.14 - Authenticated Settings Change (YITH Plugin Framework <=3.3.8) vulnerability
Authenticated Settings Change (YITH Plugin Framework <= 3.3.8) vulnerability found by Jerome Bruandet in WordPress YITH WooCommerce Compare plugin versions <= 2.3.14. Solution Update the WordPress YITH WooCommerce Compare plugin to the latest available version, at least 2.3.15...
WordPress Blue Memories Plugin <= 1.5 - XSS
A vulnerability in index.php allows attackers to inject arbitrary web script or HTML via the "s" parameter. Solution Update the theme...