WordPress WooCommerce Blocks plugin <= 3.7.0 - Guest Account Creation vulnerability
Guest Account Creation vulnerability found in WordPress WooCommerce Blocks plugin versions <= 3.7.0. Solution: Update the WordPress WooCommerce Blocks plugin to the latest available version, at least 3.7.1...
WordPress <= 5.5.1 - Bypass Protected Meta That Could Lead To Arbitrary File Deletion vulnerability
Bypass Protected Meta That Could Lead To Arbitrary File Deletion vulnerability found by Slavco Mihajloski (mslavco) in WordPress versions <= 5.5.1. Solution: Update WordPress to the latest available version, at least 5.5.2...
WordPress Autoptimize plugin <= 2.7.7 - Race Condition leading to Remote Code Execution (RCE) vulnerability
Race Condition leading to Remote Code Execution (RCE) vulnerability discovered by Marcin Węgłowski in WordPress Autoptimize plugin versions <= 2.7.7. Solution: Update the WordPress Autoptimize plugin to the latest available version, at least 2.7.8...
WordPress Advanced Woo Search plugin <= 1.99 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability found in WordPress Advanced Woo Search plugin versions <= 1.99. Solution: Update the WordPress Advanced Woo Search plugin to the latest available version, at least 2.00...
WordPress LifterLMS plugin <= 3.37.14 - Arbitrary File Writing vulnerability
Arbitrary File Writing vulnerability discovered by Omri Herscovici and Sagi Tzadik in WordPress LifterLMS plugin versions <= 3.37.14. Solution: Update the WordPress LifterLMS plugin to the latest available version, at least 3.37.15...
WordPress WP-Client Lite plugin <= 1.1.1 - Unauthenticated Local File Inclusion (LFI) vulnerability
Unauthenticated Local File Inclusion (LFI) vulnerability discovered by Random Robbie in WordPress WP-Client Lite plugin versions <= 1.1.1. Solution: Plugin closed. Deactivate and delete it...
WordPress Envira Photo Gallery plugin <= 1.7.6 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Fortinet in WordPress Envira Photo Gallery plugin versions <= 1.7.6. Solution: Update the WordPress Envira Photo Gallery plugin to the latest available version, at least 1.7.7...
WordPress YITH WooCommerce Bulk Product Editing plugin <= 1.2.14 - Authenticated Settings Change (YITH Plugin Framework <= 3.3.8) vulnerability
Authenticated Settings Change (YITH Plugin Framework <= 3.3.8) vulnerability found by Jerome Bruandet in WordPress YITH WooCommerce Bulk Product Editing plugin versions <= 1.2.14. Solution: Update the WordPress YITH WooCommerce Bulk Product Editing plugin to the latest available version, at least 1.2.15...
WordPress SlickQuiz plugin <= 1.3.7.1 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability found by Julien Ahrens in WordPress SlickQuiz plugin versions <= 1.3.7.1. Solution: 11 September 2019 - we were unable to find a patched version of this plugin...
WordPress LifterLMS plugin <= 3.34.5 - Unauthenticated Options Import vulnerability
Unauthenticated Options Import vulnerability found by Jerome Bruandet (Nintechnet) in WordPress LifterLMS plugin versions <= 3.34.5. Solution: Update the WordPress LifterLMS plugin to the latest available version, at least 3.35.1...
WordPress Search Exclude plugin <= 1.2.2 - Arbitrary Settings Change vulnerability
Arbitrary Settings Change vulnerability found by Jerome Bruandet in WordPress Search Exclude plugin versions <= 1.2.2. Solution: Update the WordPress Search Exclude plugin to the latest available version, at least 1.2.4...
WordPress Social LikeBox & Feed plugin <= 2.8.4 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found in WordPress Social LikeBox & Feed plugin versions <= 2.8.4. Solution: Update the WordPress Social LikeBox & Feed plugin to the latest available version, at least 2.8.5...
WordPress Adaptive Images for WordPress plugin <= 0.6.66 - Arbitrary File Deletion vulnerability
Arbitrary File Deletion vulnerability found by Mark Gruffer in WordPress Adaptive Images for WordPress plugin versions <= 0.6.66. Solution: Update the WordPress Adaptive Images for WordPress plugin to the latest available version, at least 0.6.67...
WordPress Custom CSS Pro plugin <= 1.0.3 - Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) vulnerabilities
Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) vulnerabilities found by Cryptography Laboratory in WordPress Custom CSS Pro plugin versions <= 1.0.3. Solution: Update the WordPress Custom CSS Pro plugin to the latest available version, at least 1.0.4...
WordPress Smart Forms plugin <= 2.5.15 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found by Toshiharu Sugiyama in WordPress Smart Forms plugin versions <= 2.5.15. Solution: Update the WordPress Smart Forms plugin to the latest available version, at least 2.6.16...
WordPress Ninja Forms plugin <= 3.3.19 - Authenticated Open Redirect vulnerability
Authenticated Open Redirect vulnerability found by Muhammad Talha Khan in WordPress Ninja Forms plugin versions <= 3.3.19. Solution: Update the WordPress Ninja Forms plugin to the latest available version, at least 3.3.19.1...
WordPress Ajax BootModal Login plugin <= 1.4.3 - CAPTCHA reuse vulnerability
CAPTCHA reuse vulnerability (the CAPTCHA is required only once per user session, so a single solved challenge can be reused for subsequent login attempts) found by Lydéric Lefebvre and Fabien Haureils in WordPress Ajax BootModal Login plugin versions <= 1.4.3. Solution: 2018.09.01 - we were unable to find a patched version of this plugin...
WordPress Responsive Cookie Consent plugin <= 1.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability found in WordPress Responsive Cookie Consent plugin versions <= 1.7. Solution: Update the WordPress Responsive Cookie Consent plugin to the latest available version, at least 1.8...
WordPress Import any XML or CSV File to WordPress plugin <= 3.4.6 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found by Yuji Tounai in WordPress Import any XML or CSV File to WordPress plugin versions <= 3.4.6. Solution: Update the WordPress Import any XML or CSV File to WordPress plugin to the latest available version, at least 3.4.7...
WordPress flickrRSS plugin <= 5.3.1 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found by AntsKnows in WordPress flickrRSS plugin versions <= 5.3.1. Solution: 2/7/2018 - Plugin last updated four years ago. No patched version is available at the moment...
WordPress Simple Download Monitor plugin <= 3.5.3 - Authenticated Cross-Site Scripting (XSS) vulnerability
Authenticated Cross-Site Scripting (XSS) vulnerability found by wpl0v3r in WordPress Simple Download Monitor plugin versions <= 3.5.3. Vulnerable to Cross-Site Scripting via the "sdmuploadthumbnail" parameter in an edit action to wp-admin/post.php. Solution: Update the WordPress Simple Download Monito...
WordPress GD Rating System plugin 2.3 - Directory Traversal vulnerability (2)
A second Directory Traversal vulnerability found by d4wner in WordPress GD Rating System plugin version 2.3. Directory Traversal via the "panel" parameter of wp-admin/admin.php on the gd-rating-system-information page. Solution: 1/9/2018 - we were unable to find a patched version of this plugin...
WordPress Smart Google Code Inserter plugin <= 3.4 - Unauthenticated Cross-Site Scripting (XSS) vulnerability
Unauthenticated Cross-Site Scripting (XSS) vulnerability found by Benjamin Lim in WordPress Smart Google Code Inserter plugin versions <= 3.4. Solution: Update the WordPress Smart Google Code Inserter plugin to the latest available version, at least 3.5...
WordPress Affiliate Ads for Clickbank Products plugin <= 1.6 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability found by Neorichi in WordPress Affiliate Ads for Clickbank Products plugin versions <= 1.6. The plugin is vulnerable to Cross-Site Scripting via the "bordercolor" parameter of textadsajax.php. Solution: Update the WordPress Affiliate Ads for...
WordPress Ads Pro plugin <= 3.4 - Cross-Site Scripting / SQL Injection
The bsaproid $_GET parameter is vulnerable to SQL injection. Example payload: bsaprostats=1&[email protected]&bsaproid=xx AND 1707=1707. The injected condition is a boolean-based probe: a true condition (1707=1707) leaves the response unchanged, while a false one alters it, which confirms that the parameter reaches the query unescaped. The payload executes when the ad is displayed. Solution: Update the plugin to the latest version...
WordPress Event List plugin <= 0.7.8 - SQL Injection vulnerability
WordPress Event List plugin <= 0.7.8 is vulnerable to SQL injection. The vulnerability allows an authenticated user to execute arbitrary SQL commands via the "id" parameter to wp-admin/admin.php. Solution: The WordPress Event List plugin was removed from the WordPress.org plugin repository; please deactivate the plug...
WordPress Gravity Forms Plugin <= 2.0.6.5 - XSS
This plugin is prone to a cross-site scripting vulnerability that allows attackers to inject arbitrary JavaScript or HTML code. Solution: Update the plugin...
WordPress <= 4.5.2 - BYPASS #3
This vulnerability in WordPress 4.5.2 and earlier allows an attacker to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors. Related records: http://db.threatpress.com/vulnerability/wordpress/wordpress-4-5-2-bypass...
WordPress Double Opt-In for Download Plugin 2.0.9 - SQL Injection
The WordPress Double Opt-In for Download plugin is prone to an SQL injection. The vulnerability allows an attacker to modify data, compromise the application and its access controls, or exploit further weaknesses in the underlying database. Solution: Update the plugin...
WordPress Collne Welcart e-Commerce Plugin <= 1.8.2 - Session Hijacking
The Collne Welcart e-Commerce plugin allows an attacker to obtain access to an account by leveraging knowledge of the e-mail address associated with it (session hijacking). Solution: Update the plugin...
WordPress (bundled MediaElement.js <= 2.20.9) - XSS
This vulnerability in flash/FlashMediaElement.as in MediaElement.js, the media library bundled with WordPress, allows an attacker to inject arbitrary web script or HTML via the query string. The version number refers to MediaElement.js, not to WordPress itself. Solution: Update WordPress...
WordPress Ajax Random Post Plugin <= 2.00 - Cross Site Scripting (XSS)
This vulnerability allows attackers to inject arbitrary web script or HTML. Solution: Update the plugin...
WordPress New Year Firework Plugin <= 1.1.9 - Cross Site Scripting (XSS)
The "text" variable sends unsanitized data back to the user's browser. The vulnerable file is /new-year-firework/firework/index.php. Solution: Update the plugin...
WordPress Support Ticket System Plugin <= 1.2 - SQL Injection
This plugin is prone to an SQL injection vulnerability that allows an attacker to modify data, compromise the application and its access controls, or exploit further weaknesses in the underlying database. Solution: Update the plugin...
WordPress Jetpack Plugin <= 3.7.0 - Information Disclosure
This plugin is prone to an information disclosure vulnerability in certain hosting configurations. Solution: Update the plugin...
WordPress YouTube Embed Plugin <= 3.3.2 - XSS
The vulnerability exists in includes/options-profiles.php. It allows a remote administrator to inject arbitrary web script or HTML via the Profile name field. Solution: Update the plugin...
WordPress Recent Backups Plugin 0.7 - Arbitrary File Download
The Recent Backups plugin is prone to an arbitrary file download vulnerability because "download-file.php" does not verify that the user is logged in. It allows an unauthenticated attacker to download arbitrary files from the web server and obtain potentially sensitive information. Solution: Update the plugin...
WordPress Paypal Currency Converter Basic For WooCommerce Plugin <= 1.3 - Absolute Path Traversal
The vulnerability is in proxy.php, in the Google currency lookup of the Paypal Currency Converter Basic For WooCommerce plugin. It allows an attacker to read arbitrary files by supplying a full pathname in the "requrl" parameter. Solution: Update the plugin...
WordPress NextGEN Gallery Plugin <= 2.0.0 - Directory Traversal
An unauthenticated POST request to a particular URI with a particular parameter lists the contents of arbitrary directories. Solution: Update the plugin...
WordPress WP Photo Album Plus Plugin <= 6.1.2 - Multiple XSS
These vulnerabilities in wppa-ajax-front.php allow attackers to inject arbitrary web script or HTML via the "comemail" or "comname" parameters. Solution: Update the plugin...
WordPress Navis DocumentCloud Plugin <= 0.1.0 - XSS
The vulnerability is in js/window.php. It allows an attacker to inject arbitrary web script or HTML via the "wpbase" parameter. Solution: Update the plugin...
WordPress Marketplace Plugin 2.4.0 - Arbitrary File Download
The Marketplace plugin is prone to an arbitrary file download vulnerability that allows an attacker to download arbitrary files from the web server and obtain potentially sensitive information. Solution: Update the plugin...
WordPress CrossSlide jQuery Plugin <= 2.0.5 - Multiple CSRF
These vulnerabilities allow attackers to hijack the authentication of administrators for requests that change plugin settings, or to conduct cross-site scripting (XSS) attacks, via several parameters ("csjfade", "csjsleep", "csjwidth", "uploadimage", "csjheight") in thisismyurlcsj.ph...
WordPress Google Document Embedder Plugin <= 2.5.18 - XSS
The vulnerability allows an attacker to inject arbitrary web script or HTML via the "profile" parameter on the gde-settings page of wp-admin/options-general.php. Solution: Upgrade the plugin...
WordPress FancyBox Plugin 3.0.2 - Stored XSS
The FancyBox plugin is prone to a stored XSS vulnerability that allows an attacker to steal cookies or gain privileged access to the affected site. Solution: Upgrade the plugin...
WordPress Slimstat Plugin <= 3.9.1 - XSS
The vulnerability is in the Save Filters functionality. It allows attackers to inject arbitrary web script or HTML via the "fsresource" parameter. Solution: Update the plugin...
WordPress mTouch Quiz Plugin <= 3.0.6 - SQL Injection
This vulnerability in question.php allows attackers to execute arbitrary SQL commands via the "quiz" parameter to wp-admin/edit.php. Solution: Update the plugin...
WordPress All Video Gallery Plugin <= 1.2 - SQL Injection
This vulnerability allows authenticated administrators to execute arbitrary SQL commands via the "id" parameter. Solution: Update the plugin...
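Several entries above (Ads Pro, Event List, mTouch Quiz, All Video Gallery) describe the same root cause: a request parameter such as "id" or "quiz" is concatenated into a query. The following is an added example, not code from any of the listed plugins. It shows a hypothetical admin-ajax handler in its vulnerable form next to a hardened one that binds the value with $wpdb->prepare() and gates the request behind a capability check and a nonce; the action name "example_stats", the table "example_ads", and the nonce action are illustrative assumptions.

```php
<?php
// Added example, not from any plugin listed on this page. The handler,
// table and nonce names are hypothetical.

// VULNERABLE: the GET parameter is concatenated straight into SQL. A probe
// such as id=1 AND 1707=1707 (true) versus id=1 AND 1707=1708 (false) changes
// the result, which is exactly the boolean-based test shown in the Ads Pro entry.
function example_stats_vulnerable() {
    global $wpdb;
    $id  = isset( $_GET['id'] ) ? $_GET['id'] : '';
    $sql = "SELECT id, views FROM {$wpdb->prefix}example_ads WHERE id = " . $id;
    return $wpdb->get_row( $sql );
}

// HARDENED: only a capable, nonce-bearing caller reaches the query, and the
// id is cast to an integer and bound as %d, so injected SQL text never reaches
// the database as code.
function example_stats_hardened() {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Dies with a 403 if the _wpnonce for this action is missing or invalid,
    // which also closes the CSRF path seen in several entries above.
    check_ajax_referer( 'example_stats_nonce', '_wpnonce' );

    $id = absint( isset( $_GET['id'] ) ? $_GET['id'] : 0 );
    if ( 0 === $id ) {
        wp_send_json_error( 'bad id', 400 );
    }

    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT id, views FROM {$wpdb->prefix}example_ads WHERE id = %d",
            $id
        )
    );
    wp_send_json_success( $row );
}
add_action( 'wp_ajax_example_stats', 'example_stats_hardened' );
```

Note that the hardened handler is registered on wp_ajax_ only, not wp_ajax_nopriv_, so unauthenticated requests never reach it; the capability and nonce checks then cover the authenticated-but-unprivileged and CSRF cases.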
WordPress Tom M8te Plugin <= 1.5.3 - Local File Inclusion
This vulnerability allows attackers to read arbitrary files via the "file" parameter to tom-download-file.php. Solution: Upgrade the plugin...
WordPress Cross References Plugin <= 1.7 - Local File Inclusion
This vulnerability allows attackers to read arbitrary files by supplying a full pathname in the "rss" parameter to proxy.php. Solution: Update the plugin...
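The arbitrary file download and read entries above (Recent Backups, Paypal Currency Converter, Marketplace, Tom M8te, Cross References) share two defects: the endpoint does not check who is calling, and it passes a caller-supplied path or full pathname to the filesystem. The following is an added example, not code from any of those plugins. It shows a hypothetical download endpoint in its vulnerable form next to a hardened one that requires a logged-in, capable user with a valid nonce and confines the resolved path to a single directory with realpath(); the directory "example-downloads", the action "example_download" and the nonce action are illustrative assumptions.

```php
<?php
// Added example, not from any plugin listed on this page. The endpoint,
// directory and nonce names are hypothetical.

// VULNERABLE: no authentication check, and the "file" parameter is used as-is,
// so ../../wp-config.php or an absolute path like /etc/passwd is readable by anyone.
function example_download_vulnerable() {
    $file = $_GET['file'];
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $file ) . '"' );
    readfile( $file );
    exit;
}

// HARDENED: authenticate and authorise the caller, require a nonce so a
// logged-in victim cannot be driven here cross-site, then canonicalise both the
// base directory and the requested file and refuse anything outside the base.
function example_download_hardened() {
    if ( ! is_user_logged_in() || ! current_user_can( 'read' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Dies if _wpnonce is missing or not valid for this action.
    check_admin_referer( 'example_download', '_wpnonce' );

    $upload    = wp_upload_dir();
    $base_real = realpath( $upload['basedir'] . '/example-downloads' );

    // sanitize_file_name() strips slashes and collapses runs of dots; realpath()
    // then resolves whatever remains (symlinks included) to a canonical path.
    $name   = sanitize_file_name( wp_unslash( isset( $_GET['file'] ) ? $_GET['file'] : '' ) );
    $target = ( '' !== $name && false !== $base_real ) ? realpath( $base_real . '/' . $name ) : false;

    // realpath() returns false for a missing file; the prefix test rejects any
    // file that resolves outside the base directory, including via symlink.
    if ( false === $base_real || false === $target || ! is_file( $target )
        || 0 !== strpos( $target, $base_real . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Invalid file', '', array( 'response' => 400 ) );
    }

    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $target ) . '"' );
    header( 'Content-Length: ' . filesize( $target ) );
    readfile( $target );
    exit;
}
add_action( 'admin_post_example_download', 'example_download_hardened' );
```

The prefix comparison is done on the realpath() output of both sides, not on the raw input, because a string check on the parameter alone is defeated by symlinks and by encodings the filesystem normalises later. Registering on admin_post_ rather than admin_post_nopriv_ keeps unauthenticated callers out before any of the checks run.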