WordPress Simple Download Monitor plugin <= 3.8.8 - Unauthenticated Cross-Site Scripting (XSS) vulnerability
Unauthenticated Cross-Site Scripting (XSS) vulnerability found by Gen Sato (Mitsui Bussan Secure Directions) in WordPress Simple Download Monitor plugin versions <= 3.8.8. Solution: Update the WordPress Simple Download Monitor plugin to the latest available version, at least 3.8.9...
WordPress Discount Rules for WooCommerce plugin <= 2.2.0 - Multiple Authorization Bypass vulnerabilities
Multiple Authorization Bypass vulnerabilities found by Wordfence in WordPress Discount Rules for WooCommerce plugin versions <= 2.2.0. Solution: Update the WordPress Discount Rules for WooCommerce plugin to the latest available version, at least 2.2.1...
WordPress WP Hotel Booking plugin <= 1.10.1 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found by Jerome Bruandet (NinTechNet) in WordPress WP Hotel Booking plugin versions <= 1.10.1. Solution: Update the WordPress WP Hotel Booking plugin to the latest available version, at least 1.10.2...
WordPress Coming Soon Page, Under Construction & Maintenance Mode by SeedProd plugin <= 5.1.0 - Persistent Cross-Site Scripting (XSS) vulnerability
Persistent Cross-Site Scripting (XSS) vulnerability found by Jinson Varghese Behanan in WordPress Coming Soon Page, Under Construction & Maintenance Mode by SeedProd plugin versions <= 5.1.0. Solution: Update the WordPress Coming Soon Page, Under Construction & Maintenance Mode by SeedProd plugin to...
WordPress Wp-Pro-Quiz plugin <= 0.37 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by HoanHP in WordPress Wp-Pro-Quiz plugin versions <= 0.37. Solution: This plugin has been closed as of June 17, 2020 and is not available for download. Reason: Security Issue...
WordPress Accordion plugin <= 2.2.8 - Unprotected AJAX Action leading to Stored/Reflected Cross-Site Scripting (XSS) vulnerability
Unprotected AJAX Action leading to Stored/Reflected Cross-Site Scripting (XSS) vulnerability discovered by Wordfence in WordPress Accordion plugin versions <= 2.2.8. Solution: Update the WordPress Accordion plugin to the latest available version, at least 2.2.9...
WordPress Media Library Assistant plugin <= 2.81 - Unauthenticated Limited Local File Inclusion (LFI) vulnerability
Unauthenticated Limited Local File Inclusion (LFI) vulnerability discovered by Daniel Monzón (stark0de) in WordPress Media Library Assistant plugin versions <= 2.81. Solution: Update the WordPress Media Library Assistant plugin to the latest available version, at least 2.82...
WordPress Appointment Booking Calendar <= 1.3.34 - CSV Injection vulnerability
CSV Injection vulnerability discovered by Daniel Monzón in WordPress Appointment Booking Calendar plugin versions <= 1.3.34. Solution: Update the WordPress Appointment Booking Calendar plugin to the latest available version, at least 1.3.35...
WordPress Hero Maps Premium plugin <= 2.2.1 - Unauthenticated Cross-Site Scripting (XSS) vulnerability
Unauthenticated Cross-Site Scripting (XSS) vulnerability discovered by Hooper Labs in WordPress Hero Maps Premium plugin versions <= 2.2.1. Solution: Update the WordPress Hero Maps Premium plugin to the latest available version, at least 2.2.3...
WordPress Form Maker by 10Web plugin <= 1.13.2 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability found by Daniele Scanu in WordPress Form Maker by 10Web plugin versions <= 1.13.20. Solution: Update the WordPress Form Maker by 10Web plugin to the latest available version, at least 1.13.3...
WordPress iThemes Security plugin <= 7.0.2 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability found by Çlirim Emini in WordPress iThemes Security plugin versions <= 7.0.2. Solution: Update the WordPress iThemes Security plugin to the latest available version, at least 7.0.3...
WordPress Woo Checkout for Digital Goods plugin <= 2.1 - Cross-site request forgery (CSRF) vulnerability
Cross-site request forgery (CSRF) vulnerability found by ThreatPress Research Team in WordPress Woo Checkout for Digital Goods plugin versions <= 2.1. Solution: Update the WordPress Woo Checkout for Digital Goods plugin to the latest available version, at least 2.2...
WordPress Import any XML or CSV File to WordPress plugin <=3.4.6 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found by Yuji Tounai in WordPress Import any XML or CSV File to WordPress plugin versions <= 3.4.6. Solution: Update the WordPress Import any XML or CSV File to WordPress plugin to the latest available version, at least 3.4.7...
WordPress Participants Database plugin <=1.7.5.9 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found by Benjamin Lim in WordPress Participants Database plugin version 1.7.5.9 and earlier versions. Data from the plugin's text input field is passed on without escaping HTML special characters, which allows an attacker to insert JavaScript. Solution: Update the...
WordPress Popup Maker plugin <=1.6.4 - Authenticated Cross-Site Scripting (XSS) vulnerability
Authenticated Cross-Site Scripting (XSS) vulnerability in WordPress Popup Maker plugin 1.6.4 and earlier versions allows an attacker to inject arbitrary web script or HTML. Solution: Update the WordPress Popup Maker plugin to the latest available version, at least 1.6.5...
WordPress <= 4.5.2 - XSS #2
WordPress 4.5.2 and previous versions are prone to a cross-site scripting vulnerability in the columntitle function in wp-admin/includes/class-wp-media-list-table.php. It allows an attacker to inject arbitrary web script or HTML via a crafted attachment name. Related:...
WordPress Double Opt-In for Download Plugin 2.0.9 - SQL Injection
The WordPress Double Opt-In for Download plugin is prone to SQL injection. This vulnerability allows an attacker to modify data, compromise access to the application, or exploit hidden vulnerabilities in the underlying database. Solution: Update the plugin...
WordPress Pondol Form to Mail Plugin <= 1.1 - Cross Site Scripting (XSS)
The variable itemid appears to send unsanitized data back to the user's browser. The vulnerable file is pondol-formmail/pages/admin-mail-info.php. Solution: Update the plugin...
WordPress WHIZZ Plugin <= 1.0.7 - Cross Site Scripting
An unauthenticated reflected cross-site scripting vulnerability exists in the PHP file ./whizz/plugins/delete-plugin.php (line 7). Solution: Update the plugin...
WordPress Admin Font Editor Plugin <= 1.8 - Cross Site Scripting
This vulnerability allows attackers to inject arbitrary JavaScript or HTML code. Solution: Update the plugin...
WordPress <= 4.4.1 - XSS
WordPress before 4.4.1 is prone to a cross-site scripting (XSS) vulnerability. It allows remote attackers to inject arbitrary script or HTML in the network settings page. Solution: Update WordPress to 4.5...
WordPress Ajax Random Post Plugin <= 2.00 - Cross Site Scripting (XSS)
This vulnerability allows attackers to inject arbitrary web script or HTML. Solution: Update the plugin...
WordPress <= 4.3.0 - XSS
This vulnerability is in the user list table in WordPress. It allows an authenticated user to inject HTML or arbitrary web script via a crafted e-mail address. Solution: Update the plugin...
WordPress YouTube Embed Plugin <= 3.3.2 - XSS
The vulnerability exists in includes/options-profiles.php. It allows a remote administrator to inject arbitrary web script or HTML via the Profile name field. Solution: Update the plugin...
WordPress StageShow Plugin <= 5.0.8 - Open redirect
This vulnerability is in the "Redirect" function in stageshowredirect.php. Via the "url" parameter, it allows an attacker to redirect users to arbitrary web sites and conduct phishing attacks. Solution: Update the plugin...
WordPress Users Ultra Plugin <= 1.5.15 - Multiple SQL Injection
Multiple SQL injection vulnerabilities allow attackers to execute arbitrary SQL commands via two parameters, "datatarget" and "datavote", in a ratingvote (wpajaxnoprivratingvote) action to wp-admin/admin-ajax.php. Solution: Update the plugin...
WordPress RevSlider - File Upload and Execute
This vulnerability allows an attacker to upload arbitrary PHP code and execute it remotely. Solution: Update the plugin...
WordPress Simple Ads Manager Plugin - Information Disclosure
The Simple Ads Manager plugin is prone to an information disclosure vulnerability via "simple-ads-manager/sam-ajax-admin.php". It allows an attacker to obtain sensitive information, which may lead to further attacks. Solution: Upgrade the plugin...
WordPress Simple Ads Manager Plugin <= 2.5.95 - Unrestricted File Upload
This vulnerability exists in sam-ajax-admin.php. It allows an attacker to execute arbitrary code by uploading a file with an executable extension and then accessing it via a direct request to the file in the directory specified by the "path" parameter. Solution: Update the plugin...
WordPress WPML Plugin <= 3.1.8 - XSS
This vulnerability allows an attacker to inject arbitrary web script or HTML via the "target" parameter in a reminderpopup action to the default URI. Solution: Update the plugin...
WordPress Ninja Forms Plugin <= 2.8.8 - Multiple XSS
These vulnerabilities allow attackers to inject arbitrary web script or HTML via the "ninjaformsfield1" parameter in a ninjaformsajaxsubmit action to wp-admin/admin-ajax.php. In addition, multiple cross-site scripting vulnerabilities allow administrators to inject arbitrary web script or...
WordPress DesignFolio Plus Theme 1.2 - Arbitrary File Upload
The WordPress DesignFolio Plus theme is prone to an arbitrary file upload vulnerability. It allows an attacker to upload arbitrary files to the affected computer. Solution: Update the theme...
WordPress FancyBox Plugin 3.0.2 - Stored XSS
The FancyBox plugin is prone to a stored XSS vulnerability that allows an attacker to steal cookies or gain privileged access to the affected site. Solution: Upgrade the plugin...
WordPress Survey and Poll Plugin 1.1 - Blind SQL Injection
The Survey and Poll plugin is prone to blind SQL injection. This vulnerability allows an attacker to modify data, alter queries to the application's SQL database, compromise access to the application, or exploit hidden vulnerabilities in the underlying database. Solution: Upgrade the plugin...
WordPress Photo Gallery Plugin <= 1.2.7 - SQL Injection
This vulnerability allows attackers to execute arbitrary SQL commands via the "orderby" parameter in a GalleryBox action to wp-admin/admin-ajax.php. Solution: Update the plugin...
WordPress SimpleFlickr Plugin <= 3.0.3 - Multiple CSRF and XSS
These cross-site request forgery vulnerabilities allow attackers to hijack the authentication of administrators for requests, and in that way to change plugin settings via unspecified vectors or conduct cross-site scripting attacks. Solution: This plugin is closed...
WordPress Shareaholic Plugin <= 7.6.0 - XSS
This vulnerability is in admin.php. It allows authenticated users to inject arbitrary web script or HTML via the "locationid" parameter in a shareaholicaddlocation action to wp-admin/admin-ajax.php. Solution: Update the plugin...
WordPress CM Download Manager Plugin 2.0.0 - Code Injection
A code injection vulnerability was found in the software and confirmed as an anonymous user. It allows an attacker to gain full control of the application and use all operating system functions. Solution: Update to version 2.0.4...
WordPress <= 4.0.0 - XSS #2
This vulnerability in the "Press This" function allows attackers to inject arbitrary web script or HTML via unspecified vectors. Related records: http://db.threatpress.com/vulnerability/wordpress/wordpress-4-0-0-xss http://db.threatpress.com/vulnerability/wordpress/wordpress-4-0-0-xss-3...
WordPress Symposium Plugin <= 14.10 - Multiple XSS
These vulnerabilities allow attackers to inject arbitrary web script or HTML via four parameters: "composetext" in a sendMail action to ajax/mailfunctions.php, "text" in an addComment action to ajax/profilefunctions.php, "comment" in an addcomment action to ajax/loungefunctions.php, o...
WordPress All Video Gallery Plugin <= 1.2 - SQL Injection
This vulnerability allows authenticated administrators to execute arbitrary SQL commands via the "id" parameter. Solution: Update the plugin...
WordPress Bib2html Plugin <= 0.9.3 - XSS
This vulnerability allows attackers to inject arbitrary web script or HTML. Solution: Update the plugin...
WordPress MailPoet Newsletters Plugin <= 2.6.10 - CSRF
This vulnerability allows attackers to hijack the authentication of arbitrary users. Solution: Update the plugin...
WordPress Twitget Plugin 3.3.1 - Multiple Vulnerabilities
The WordPress Twitget plugin is prone to multiple vulnerabilities, including CSRF and XSS. When a logged-in administrator visits a specially crafted page, plugin options can be updated without their consent, and some of those options are output unescaped into the form, resulting in cross-site scripting. Soluti...
WordPress WP Forum Server Plugin <= 1.7.3 - SQL Injection
This vulnerability in fs-admin/fs-admin.php allows attackers to execute arbitrary SQL commands via the "groupid" parameter in an editgroup action. Solution: Update the plugin...
WordPress Newsletter Manager Plugin <= 1.0.2 - Multiple CSRF and XSS
These vulnerabilities allow attackers to hijack the authentication of administrators for requests that conduct script insertion attacks or change an email address. Solution: Update the plugin...
WordPress Lazy SEO Plugin 1.1.9 - Shell Upload
The Lazy SEO plugin is prone to a shell upload vulnerability: with the default settings, an administrator or author can upload a shell script. Solution: Update the plugin...
WordPress <= 3.6.0 - Arbitrary Code Execution
Unsafe PHP unserialization in wp-includes/functions.php could lead to arbitrary code execution. Solution: Update the plugin...
WordPress <= 3.5.1 - Full Path Disclosure
This vulnerability allows attackers to obtain sensitive information via an invalid upload request. Solution: Update the plugin...