WordPress <= 4.0.0 - XSS #2
This vulnerability in the "Press This" function lets attackers inject arbitrary web script or HTML via unspecified vectors. Related records: http://db.threatpress.com/vulnerability/wordpress/wordpress-4-0-0-xss http://db.threatpress.com/vulnerability/wordpress/wordpress-4-0-0-xss-3...
WordPress <= 4.0.0 - SSRF
wp-includes/http.php in WordPress allows attackers to conduct server-side request forgery (SSRF) attacks by referring to a 127.0.0.0/8 resource. Solution: Update WordPress...
WordPress Paid Memberships Pro Plugin 1.7.14 - Directory Traversal
This vulnerability in services/getfile.php allows attackers to read arbitrary files via the QUERY_STRING in a getfile action to wp-admin/admin-ajax.php. Solution: Update the plugin...
WordPress Spider Video Player Plugin <= 1.5.1 - XSS
This vulnerability lets attackers inject arbitrary web script or HTML via unspecified vectors. Solution: Update the plugin...
WordPress Bib2html Plugin <= 0.9.3 - XSS
This vulnerability lets attackers inject arbitrary web script or HTML. Solution: Update the plugin...
WordPress Twitget Plugin 3.3.1 - Multiple Vulnerabilities
The WordPress Twitget plugin is prone to multiple vulnerabilities, including CSRF and XSS. The attack works when a logged-in administrator visits a specially crafted page: plugin options can then be updated without their consent, and some of those options are output unescaped into the settings form, resulting in cross-site scripting. Soluti...
WordPress WP Forum Server Plugin <= 1.7.3 - SQL Injection
This vulnerability in fs-admin/fs-admin.php lets attackers execute arbitrary SQL commands via the "groupid" parameter in an editgroup action. Solution: Update the plugin...
WordPress WP125 Plugin <= 1.4.9 - CSRF
This vulnerability in adminmenus.php lets attackers hijack the authentication of administrators for requests that add or edit an ad, via unspecified vectors. Solution: Update the plugin...
WordPress Smart Flv Plugin - Multiple Cross Site Scripting Vulnerabilities
The Smart Flv plugin is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. This allows an attacker to execute arbitrary script code in the browser of a user in the context of the affected site. Other attacks are also possible. Solution...
WordPress <= 3.5.1 - Full Path Disclosure
This vulnerability lets attackers obtain sensitive information via an invalid upload request. Solution: Update the plugin...
WordPress ZeroClipboard Plugin <= 1.0.7 - XSS
This vulnerability lets attackers inject arbitrary web script or HTML via the "id" parameter. Solution: Update the plugin...
WordPress Responsive Logo Slideshow Plugin - XSS
This vulnerability lets attackers inject arbitrary web script or HTML via the "URL and Image" field. Solution: Update the plugin...
WordPress Kish Guest Posting Plugin <= 1.2 - Unrestricted File Upload
This vulnerability in uploadify/scripts/uploadify.php lets attackers execute arbitrary code by uploading a file with a double extension and then accessing it via a direct request to the file in the directory specified by the "folder" parameter. Solution: Update the plugin...
WordPress Download Monitor Plugin - Cross Site Scripting
The WordPress Download Monitor plugin's "dlsearch" parameter is prone to a cross-site scripting vulnerability because the plugin fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can...
WordPress <= 3.4.1 - Multiple vulnerabilities
Multiple vulnerabilities exist in wp-admin/plugins.php, allowing remote authenticated users to make unintended plugin changes by leveraging the Administrator role. Solution: Update WordPress...
WordPress BulletProof Security Plugin <= .47.0 - XSS
This vulnerability lets attackers inject arbitrary web script or HTML via the HTTP_ACCEPT_ENCODING header. Solution: Update the plugin...
WordPress WassUp Plugin <= 1.8.3.0 - XSS
This vulnerability in wassup.php lets attackers inject arbitrary web script or HTML via the User-Agent HTTP header. Solution: Update the plugin...
WordPress s2Member Pro Plugin
This vulnerability lets attackers inject arbitrary web script or HTML via the "s2member_pro_authnet_checkout[coupon]" parameter. Solution: Update the plugin...
WordPress Adminimize Plugin 1.7.21 - Cross Site Scripting
The WordPress Adminimize plugin's "page" parameter is prone to a cross-site scripting vulnerability because the plugin fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal...
WordPress Lanoba Social Plugin 1.0 - Cross Site Scripting
The WordPress Lanoba Social plugin's "action" parameter is prone to a cross-site scripting vulnerability because the plugin fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal...
WordPress Flexible Custom Post Type Plugin - Cross Site Scripting
The Flexible Custom Post Type plugin's "id" parameter is prone to a cross-site scripting vulnerability because the plugin fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal...
WordPress Symposium Plugin <= 11.12.07 - XSS
This vulnerability in uploadify/getprofileavatar.php lets attackers inject arbitrary web script or HTML via the "uid" parameter. Solution: Update the plugin...
WordPress FireStats Plugin <= 1.6.1 - Remote File Inclusion
This vulnerability in firestats-wordpress.php lets attackers execute arbitrary PHP code via a URL in the "fs_javascript" parameter. Solution: Update the plugin...
WordPress WP Forum Server Plugin <= 1.7.4 - SQL Injection
This vulnerability lets attackers execute arbitrary SQL commands via the "user" parameter in a showprofile action to the default URI. Solution: Update the plugin...
WordPress Math Comment Spam Protection Plugin <= 2.1 - XSS
These vulnerabilities let attackers inject arbitrary web script or HTML. Solution: Update the plugin...
WordPress <= 2.3.1 - SQL Injection
This vulnerability lets attackers execute arbitrary SQL commands via the "s" parameter. Solution: Update WordPress...
WordPress <= 2.3.1 - Cookie Authentication Vulnerability
This vulnerability lets attackers bypass authentication by obtaining the MD5 password hash from the user database and then generating the authentication cookie from that hash. Solution: Update WordPress...
WordPress <= 2.3 - XSS
This vulnerability in wp-admin/edit-post-rows.php lets attackers inject arbitrary web script or HTML via the "posts_columns" array parameter. Solution: Update WordPress...
WordPress Blix Theme <= 0.9.1 - XSS
This vulnerability in index.php lets attackers inject arbitrary web script or HTML via the PATH_INFO. Solution: Update the theme...
WordPress <= 2.2.1 - Multiple XSS
These vulnerabilities let authenticated administrators inject arbitrary web script or HTML. Solution: Update WordPress...
WordPress <= 2.0.10 - XSS
This vulnerability in wp-includes/general-template.php lets attackers inject arbitrary web script or HTML via the "year" parameter in the wp_title function. Solution: Update WordPress to the latest available version, at least 2.0.11...
WordPress Admin Panel Plugin <= 2.1.1 - CSRF
This vulnerability lets attackers perform privileged actions as administrators, as demonstrated using the delete action in wp-admin/post.php. Solution: Update the WordPress Admin Panel plugin to the latest version, at least 2.1.2...
WordPress <=1.5 - SQL injection vulnerability
This vulnerability lets attackers obtain sensitive information. Solution: Update WordPress to the latest available version...
WordPress WP Google Review Slider plugin <= 18.0 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by hhhai in WordPress Plugin WP Google Review Slider versions <= 18.0...
NPM: Flowise has an MCP Security Bypass that Enables RCE
NPM: Flowise has an MCP Security Bypass that Enables RCE vulnerability discovered by ? in WordPress Npm flowise-components versions = 3.1.1...
NPM: vm2 has access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`
NPM: vm2 has access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL` vulnerability discovered by ? in WordPress Npm vm2 versions 3.11.2...
WordPress Betheme theme <= 28.4 - Authenticated (Author+) Arbitrary File Upload to Remote Code Execution vulnerability
Authenticated (Author+) Arbitrary File Upload to Remote Code Execution vulnerability discovered by Wordfence in WordPress Theme Betheme versions <= 28.4...
WordPress Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel plugin <= 2.7.10 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin Carousel, Slider, Gallery by WP Carousel versions <= 2.7.10...
WordPress Brookside theme <= 1.4 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) in WordPress Theme Brookside versions <= 1.4...
WordPress Request a Quote plugin <= 2.5.3 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Request a Quote versions <= 2.5.3...
WordPress WP Job Portal plugin <= 2.4.0 - Authenticated (Subscriber+) Arbitrary File Read vulnerability
Authenticated (Subscriber+) Arbitrary File Read vulnerability discovered by Long Nguyen in WordPress Plugin WP Job Portal versions <= 2.4.0...
WordPress Doctreat theme <= 1.6.7 - Content Injection vulnerability
Content Injection vulnerability discovered by Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) in WordPress Theme Doctreat versions <= 1.6.7...
WordPress Universal Video Player - Addon for WPBakery Page Builder <= 3.2.1 - Cross Site Scripting (XSS) Vulnerability
WordPress Universal Video Player - Addon for WPBakery Page Builder <= 3.2.1 - Cross Site Scripting (XSS) Vulnerability discovered by 0xd4rk5id3 in WordPress Plugin Universal Video Player - Addon for WPBakery Page Builder versions <= 3.2.1...
WordPress Motors Theme <= 5.6.67 is vulnerable to Privilege Escalation
Software: Motors; Type: Theme; Vulnerable versions: <= 5.6.67; Fixed in: 5.6.68; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Privilege Escalation; CVE: CVE-2025-4322; Patch priority: High; CVSS severity: High (9.8); PSID: f2c68f043bd9; Credits: Foxyyy; Required...
WordPress HTML Forms plugin <= 1.5.2 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by muhammad yudha in WordPress Plugin HTML Forms versions <= 1.5.2...
WordPress Video Lessons Manager Plugin <= 1.8.2 is vulnerable to Cross Site Scripting (XSS)
Software: Video Lessons Manager; Type: Plugin; Vulnerable versions: <= 1.8.2; Fixed in: 1.8.3; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-11202; Patch priority: Medium; CVSS severity: Medium (7.1); PSID: de6edf652333; Credits: Peter...
WordPress Jeg Elementor Kit Plugin <= 2.6.9 is vulnerable to Sensitive Data Exposure
Software: Jeg Elementor Kit; Type: Plugin; Vulnerable versions: <= 2.6.9; Fixed in: 2.6.10; OWASP Top 10: A3: Sensitive Data Exposure; Classification: Sensitive Data Exposure; CVE: CVE-2024-8899; Patch priority: Low; CVSS severity: Low (4.3); PSID: a83345ae77b9; Credits: Ankit Patel; Required...
WordPress Parsi Date Plugin <= 5.1.1 is vulnerable to Cross Site Scripting (XSS)
Software: Parsi Date; Type: Plugin; Vulnerable versions: <= 5.1.1; Fixed in: 5.1.2; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-11032; Patch priority: Medium; CVSS severity: Medium (7.1); PSID: be0cd10da0f9; Credits: vgo0; Required privileg...
WordPress Tutor LMS Plugin <= 2.7.6 is vulnerable to SQL Injection
Software: Tutor LMS; Type: Plugin; Vulnerable versions: <= 2.7.6; Fixed in: 2.7.7; OWASP Top 10: A1: Injection; Classification: SQL Injection; CVE: CVE-2024-10400; Patch priority: High; CVSS severity: High (9.3); PSID: d0515de5a39b; Credits: mikemyers; Required privilege: Unauthenticated; Publishe...
WordPress The Novel Design Store Directory Plugin <= 4.3.0 is vulnerable to Arbitrary File Upload
Software: The Novel Design Store Directory; Type: Plugin; Vulnerable versions: <= 4.3.0; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Arbitrary File Upload; CVE: CVE-2024-51788; Patch priority: High; CVSS severity: High (10); PSID: 7c858add083e; Credits: stealthcopter; Required...