WordPress Simple Ads Manager Plugin - Information Disclosure
The Simple Ads Manager plugin is prone to an information disclosure vulnerability via "simple-ads-manager/sam-ajax-admin.php". This vulnerability allows an attacker to obtain sensitive information, which may lead to further attacks. Solution Upgrade the plugin...
WordPress <= 4.2.3 - SQL Injection
Because of this vulnerability, an attacker can execute arbitrary SQL commands via a comment that is mishandled after retrieval from the trash. Solution Update WordPress...
WordPress Survey and Poll Plugin 1.1 - Blind SQL Injection
The Survey and Poll plugin is prone to a blind SQL injection vulnerability. This vulnerability allows an attacker to modify data, alter queries to the application's SQL database, compromise application access, or exploit hidden vulnerabilities in the underlying database. Solution Upgrade the plugin...
WordPress Welcart e-Commerce Plugin <= 1.3.12 - Multiple XSS
Because of these vulnerabilities, attackers can inject arbitrary web script or HTML in an adddeliverymethod action to wp-admin/admin-ajax.php via 4 parameters: "name", "intl", "nocod", or "time". Solution Update the plugin...
WordPress Shareaholic Plugin <= 7.6.0 - XSS
This vulnerability is in admin.php. It allows authenticated users to inject arbitrary web script or HTML via the "locationid" parameter that is in a shareaholicaddlocation action to wp-admin/admin-ajax.php. Solution Update the plugin...
WordPress Symposium Plugin <= 14.10 - Multiple XSS
Because of these vulnerabilities, the attackers can inject arbitrary web script or HTML via the 4 parameters: "composetext" in a sendMail action to ajax/mailfunctions.php, "text" in an addComment action to ajax/profilefunctions.php, "comment" in an addcomment action to ajax/loungefunctions.php, o...
WordPress Creative Contact Form Plugin - Shell Upload
The Creative Contact Form plugin is prone to a shell upload vulnerability: with default settings, an administrator or author can upload a shell script. Solution Upgrade the plugin...
WordPress Pods Plugin <= 2.4 - Multiple CSRF
Because of these vulnerabilities, the attackers can hijack the authentication of administrators for requests that conduct cross-site scripting attacks via the "toggled" parameter in the pods-components page to wp-admin/admin.php, reset pod settings and data via the "podsreset" parameter in the...
WordPress Email Marketing and Newsletters Plugin <= 1.97 - Multiple XSS
Because of these vulnerabilities, the attackers can inject arbitrary web script or HTML via the "FormID" or "AdministratorID" parameters. Solution Update the plugin...
WordPress MailPoet Newsletters Plugin <= 2.6.10 - CSRF
Because of this vulnerability, the attackers can hijack the authentication of arbitrary users. Solution Update the plugin...
WordPress GD Star Rating Plugin <= 19.22 - SQL Injection
Because of this vulnerability, administrators can execute arbitrary SQL commands via the "s" parameter in the gd-star-rating-stats page to wp-admin/admin.php. Solution Update the plugin...
WordPress <= 3.3.2 - Information Disclosure
Because of this vulnerability, authenticated users can obtain sensitive information by visiting a draft. Solution Update the plugin...
WordPress Newsletter Manager Plugin <= 1.0.2 - Multiple CSRF and XSS
Because of these vulnerabilities, the attackers can hijack the authentication of administrators for requests that conduct script insertion attacks or change an email address. Solution Update the plugin...
WordPress Firefox Adsense Plugin <= 3.0 - CSRF and XSS
Because of this vulnerability in askapache-firefox-adsense.php, the attackers can hijack the authentication of administrators for requests that conduct cross-site scripting attacks. Solution Update the plugin...
WordPress <= 3.6.0 - Cross Site Scripting #1
Because of this vulnerability, remote authenticated users can conduct cross-site scripting attacks. Solution Update WordPress...
WordPress NextGEN Gallery - Arbitrary File Upload
NextGEN Gallery plugin is prone to an arbitrary file upload vulnerability. It allows an attacker to upload arbitrary files to the affected computer. Solution Update the plugin...
WordPress <= 3.6.0 - Arbitrary Code Execution
Unsafe PHP unserialization in wp-includes/functions.php could cause arbitrary code execution. Solution Update the plugin...
WordPress Related Posts Plugin <= 2.6.1 - CSRF
Because of this vulnerability, the attackers can hijack the authentication of users for requests that change settings via unspecified vectors. Solution Update the plugin...
WordPress qTranslate Plugin <= 2.5.34 - CSRF
Because of this vulnerability, the attackers can hijack the authentication of administrators for requests that change plugin settings via unspecified vectors. Solution Update the plugin...
WordPress BackupBuddy Plugin <= 2.2.4 - Sensitive Data Exposure #3
This vulnerability is in importbuddy.php. It allows attackers to obtain sensitive information, or to overwrite or delete files. Solution Update the plugin...
WordPress BackupBuddy Plugin <= 2.2.4 - Sensitive Data Exposure #1
This vulnerability is in importbuddy.php. It allows attackers to bypass authentication via a crafted integer in the "step" parameter. Solution Update the plugin...
WordPress <= 3.5.1 - Privilege Escalation
Because of this vulnerability, authenticated users can bypass intended restrictions on publishing and authorship reassignment via unspecified vectors. Solution Update the plugin...
WordPress <= 1.5.4 - Cross Site Scripting
Because of this vulnerability, the attackers can inject arbitrary web script or HTML via the "id" parameter. Solution Update the plugin...
WordPress Count Per Day Plugin <= 3.1 - Multiple XSS
Because of these vulnerabilities in userperspan.php, the attackers can inject arbitrary web script or HTML via 3 parameters: "page", "datemax" or "datemin". Solution Update the plugin...
WordPress Pixiv Custom Theme 2.1.5 - Cross Site Scripting
The WordPress Pixiv Custom theme's "cpage" parameter is prone to a cross-site scripting vulnerability because the theme fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal...
WordPress Processing Embed Plugin 0.5 - Cross-Site Scripting Vulnerability
The Processing Embed plugin's "pluginurl" parameter is prone to a cross-site scripting vulnerability because the plugin fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal...
WordPress Lytebox Plugin 1.3 - Local File Inclusion
WP-Lytebox fails to properly sanitize user-supplied input, which allows an attacker to include a file. An attacker can view files and execute scripts. Solution Upgrade to version 1.3.1 or later...
WordPress Spreadsheet Plugin <= 0.6 - SQL Injection
Because of this vulnerability in ssload.php, attackers can execute arbitrary SQL commands via the "ssid" parameter. Solution Update the plugin...
WordPress Sniplets Plugin <= 1.2.2 - Eval Injection
Because of this vulnerability in modules/execute.php, the attackers can execute arbitrary PHP code via the "text" parameter. Solution Update the plugin...
WordPress Pool Theme <= 1.0.7 - XSS
Because of this vulnerability in index.php, the attackers can inject arbitrary web script or HTML via the PATHINFO. Solution Update the theme...
WordPress <= 2.0.5 - XSS
Because of this vulnerability, the attackers can inject arbitrary web script or HTML. Solution Update WordPress...
WordPress <= 2.0.1 - Multiple XSS
Because of these vulnerabilities, attackers can inject arbitrary web script or HTML via the name, website, and comment parameters. Solution Update WordPress to the latest available version, at least 2.0.2...
WordPress Gravity Forms plugin <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by tadokun in WordPress Plugin Gravity Forms versions <= 2.10.0...
WordPress WP FOFT Loader plugin <= 2.1.39 - Authenticated (Author+) Arbitrary File Upload vulnerability
Authenticated (Author+) Arbitrary File Upload vulnerability discovered by Williwollo CybrX in WordPress Plugin WP FOFT Loader versions <= 2.1.39...
WordPress Blocksy Companion plugin <= 2.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via blocksy_newsletter_subscribe Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via blocksy_newsletter_subscribe Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Blocksy Companion versions <= 2.1.10...
WordPress Videopack plugin <= 4.10.3 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by 63n0 in WordPress Plugin Videopack versions <= 4.10.3...
WordPress MagOne Theme <= 8.5 is vulnerable to Cross Site Scripting (XSS)
Software: MagOne; Type: Theme; Vulnerable versions: <= 8.5; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2025-39488; Patch priority: Medium; CVSS severity: Medium (7.1); PSID: 150089f804cf; Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunit...
WordPress User Registration & Membership Pro plugin < 5.1.3 - Authentication Bypass vulnerability
Authentication Bypass vulnerability discovered by wesley wcraft in WordPress Plugin User Registration & Membership Pro versions < 5.1.3...
WordPress WP Mailster Plugin <= 1.8.16.0 is vulnerable to Cross Site Scripting (XSS)
Software: WP Mailster; Type: Plugin; Vulnerable versions: <= 1.8.16.0; Fixed in: 1.8.17.0; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-53737; Patch priority: Low; CVSS severity: Low (6.5); Developer: WP Mailster; PSID: 83aa8c3ff329; Credits: Lam Que Chi; Required privilege: Contribut...
WordPress WordPress Announcement & Notification Banner Plugin – Bulletin Plugin <= 3.11.7 is vulnerable to Cross Site Scripting (XSS)
Software: WordPress Announcement & Notification Banner Plugin – Bulletin; Type: Plugin; Vulnerable versions: <= 3.11.7; Fixed in: N/A; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-10682; Patch priority: Medium; CVSS severity: Medium (7.1)...
WordPress Charitable Plugin <= 1.8.3 is vulnerable to Cross Site Scripting (XSS)
Software: Charitable; Type: Plugin; Vulnerable versions: <= 1.8.3; Fixed in: 1.8.3.1; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-10876; Patch priority: Medium; CVSS severity: Medium (7.1); PSID: 2a28f1e125bc; Credits: Peter Thaleikis...
WordPress Postify: Post Layout For Elementor Plugin <= 1.0.1 is vulnerable to Cross Site Scripting (XSS)
Software: Postify: Post Layout For Elementor; Type: Plugin; Vulnerable versions: <= 1.0.1; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-51893; Patch priority: Low; CVSS severity: Low (6.5); PSID: 9a15834c2f21; Credits: Gab; Required privileg...
WordPress Safe SVG Plugin < 2.2.6 is vulnerable to Cross Site Scripting (XSS)
Software: Safe SVG; Type: Plugin; Vulnerable versions: < 2.2.6; Fixed in: 2.2.6; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-8378; Patch priority: Low; CVSS severity: Low (5.9); PSID: 6a85e49dfeba; Credits: Alexander Concha; Required privilege: Author...
WordPress MapPress Maps for WordPress Plugin <= 2.94.1 is vulnerable to Cross Site Scripting (XSS)
Software: MapPress Maps for WordPress; Type: Plugin; Vulnerable versions: <= 2.94.1; Fixed in: 2.94.2; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-10715; Patch priority: Low; CVSS severity: Low (6.5); PSID: e896b2089ac1; Credits: Akbar...
WordPress Wp Social Plugin <= 3.0.7 is vulnerable to Broken Authentication
Software: Wp Social; Type: Plugin; Vulnerable versions: <= 3.0.7; Fixed in: 3.0.8; OWASP Top 10: A2: Broken Authentication; Classification: Broken Authentication; CVE: CVE-2024-9501; Patch priority: High; CVSS severity: High (9.8); Developer: Wpmet; PSID: 239b8bacd5e7; Credits: wesley wcraft; Required privilege...
WordPress Advanced Sermons Plugin <= 3.4 is vulnerable to Cross Site Scripting (XSS)
Software: Advanced Sermons; Type: Plugin; Vulnerable versions: <= 3.4; Fixed in: 3.5; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-50458; Patch priority: Low; CVSS severity: Low (6.5); PSID: 0e069038bb43; Credits: SOPROBRO; Required privilege: Contributor...
WordPress Button contact VR Plugin <= 4.7.9.1 is vulnerable to Cross Site Scripting (XSS)
Software: Button contact VR; Type: Plugin; Vulnerable versions: <= 4.7.9.1; Fixed in: 4.7.10; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-50414; Patch priority: Low; CVSS severity: Low (5.9); PSID: 8a3582798f30; Credits: UKO; Required privilege...
WordPress WordPress File Upload Plugin <= 4.24.11 is vulnerable to Path Traversal
Software: WordPress File Upload; Type: Plugin; Vulnerable versions: <= 4.24.11; Fixed in: 4.24.12; OWASP Top 10: A1: Broken Access Control; Classification: Path Traversal; CVE: CVE-2024-9047; Patch priority: High; CVSS severity: High (9.8); PSID: 5fa6436aa19c; Credits: Arkadiusz Hydzik; Required...
WordPress WP-Advanced-Search Plugin < 3.3.9.2 is vulnerable to SQL Injection
Software: WP-Advanced-Search; Type: Plugin; Vulnerable versions: < 3.3.9.2; Fixed in: 3.3.9.2; OWASP Top 10: A1: Injection; Classification: SQL Injection; CVE: CVE-2024-9796; Patch priority: High; CVSS severity: High (9.3); PSID: 872f69a2765a; Credits: Wojciech Jezowski; Required privilege...
WordPress Survey Maker Plugin <= 4.9.5 is vulnerable to Cross Site Scripting (XSS)
Software: Survey Maker; Type: Plugin; Vulnerable versions: <= 4.9.5; Fixed in: 4.9.6; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-8488; Patch priority: Low; CVSS severity: Low (5.9); PSID: 7656cef316d3; Credits: Jonas Benjamin Friedli...