WordPress Popup Builder plugin <= 4.1.0 - Cross-Site Request Forgery (CSRF) vulnerability leading to Popup Status Change
Cross-Site Request Forgery (CSRF) vulnerability leading to Popup Status Change discovered by BEE-K (Patchstack) in WordPress Popup Builder plugin versions <= 4.1.0. Solution: Update the WordPress Popup Builder plugin to the latest available version (at least 4.1.1)...
WordPress Database Backup for WordPress plugin <= 2.5.1 - Arbitrary Schedule Settings Update via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Schedule Settings Update via Cross-Site Request Forgery (CSRF) vulnerability discovered by Daniel Ruf in WordPress Database Backup for WordPress plugin versions <= 2.5.1. Solution: Update the WordPress Database Backup for WordPress plugin to the latest available version (at least 2.5.2)...
WordPress KingComposer plugin <= 2.9.6 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress KingComposer plugin versions <= 2.9.6. Solution: No patched version is available. This plugin has been closed as of February 2, 2022 and is not available for download. This closure is temporary, pending a full...
WordPress Premmerce Pinterest for WooCommerce plugin <= 1.2.3 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Premmerce Pinterest for WooCommerce plugin versions <= 1.2.3. Solution: No patched version available...
WordPress All-in-One WP Migration plugin <= 7.14 - Arbitrary Backup Download vulnerability
Arbitrary Backup Download vulnerability found by Kamil Vavra in WordPress All-in-One WP Migration plugin versions <= 7.14. Solution: Update the WordPress All-in-One WP Migration plugin to the latest available version (at least 7.15)...
WordPress Duplicator plugin <= 1.2.32 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found in WordPress Duplicator plugin versions <= 1.2.32. Solution: Update the WordPress Duplicator plugin to the latest available version (at least 1.2.33)...
WordPress VR Calendar plugin < 2.3.1 - Unauthenticated Arbitrary Function Call vulnerability
Unauthenticated Arbitrary Function Call vulnerability discovered by Vinay Varma Mudunuri and Krishna Harsha Kondaveeti in WordPress VR Calendar plugin versions < 2.3.1. Solution: Update the WordPress VR Calendar plugin to the latest available version (at least 2.3.1)...
WordPress GTM4WP plugin <= 1.15.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Muhammad Zeeshan (Xib3rR4dAr) in WordPress GTM4WP plugin versions <= 1.15.1. Solution: Update the WordPress GTM4WP plugin to the latest available version (at least 1.15.2)...
WordPress WPQA premium plugin <= 5.4 - Unauthenticated Private Message Disclosure vulnerability
Unauthenticated Private Message Disclosure vulnerability discovered by Veshraj Ghimire in WordPress WPQA premium plugin versions <= 5.4. Solution: Update the WordPress WPQA premium plugin to the latest available version (at least 5.5)...
WordPress Ad Injection plugin <= 1.2.0.19 - Stored Cross-Site Scripting (XSS) & RCE vulnerabilities
Stored Cross-Site Scripting (XSS) & RCE vulnerabilities discovered by Asif Nawaz Minhas in WordPress Ad Injection plugin versions <= 1.2.0.19. Solution: Deactivate and delete. This plugin has been closed as of March 18, 2022 and is not available for download. This closure is temporary, pending a full...
WordPress Greenshift – animation and page builder blocks plugin < 1.1.4 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Greenshift – animation and page builder blocks plugin versions < 1.1.4. Solution: Update the WordPress Greenshift – animation and page builder blocks plugin to the latest available version (at least 1.1.4)...
WordPress WooCommerce plugin <= 6.2.0 - Path Traversal via Importers vulnerability
Path Traversal via Importers vulnerability discovered in WordPress WooCommerce plugin versions <= 6.2.0. Solution: Update the WordPress WooCommerce plugin to the latest available version (at least 6.2.1)...
WordPress JSmol2WP plugin <= 1.07 - Unauthenticated Cross-Site Scripting (XSS) vulnerability
Unauthenticated Cross-Site Scripting (XSS) vulnerability in WordPress JSmol2WP plugin versions <= 1.07. Solution: 08.01.2019 - we were unable to find a patched version of this plugin. According to the WordPress.org plugin repository, this plugin was closed on January 7, 2019 and is no longer available for...
WordPress Symposium Plugin <= 15.7 - SQL Injection
This vulnerability allows an attacker to execute arbitrary SQL commands via the "size" parameter to getalbumitem.php. Solution: Update the plugin...
WordPress All-in-One Event Calendar Plugin 1.4 - "msg" Parameter XSS
The "msg" parameter of WordPress All-in-One Event Calendar plugin's /wp-content/plugins/all-in-one-event-calendar/app/view/savesuccessful.php is prone to a cross-site scripting vulnerability: it fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser ...
WordPress Relocate Upload Plugin 0.14 - Remote File Inclusion
The Relocate Upload plugin is prone to a remote file inclusion vulnerability. It allows an attacker to include a remote file and gain access to the server. Solution: Upgrade the plugin...
NPM: n8n: Wrong OAuth Scope On Evaluations Test Run Creation Endpoint
NPM: n8n: Wrong OAuth Scope On Evaluations Test Run Creation Endpoint vulnerability discovered by ? in WordPress Npm n8n versions 1.123.55...
WordPress is vulnerable to Path Traversal
Software: WordPress; Type: WordPress Core; Vulnerable versions: 6.5.5; Fixed in: 6.5.5; OWASP Top 10: A1: Broken Access Control; Classification: Path Traversal; CVE: CVE-2024-32111; Patch priority: Low; CVSS severity: Low (5); Developer: Claim ownership; PSID: f2c038f99720; Credits: Rafie Muhammad (Patchstack); Required...
WordPress Enable SVG, WebP & ICO Upload plugin <= 1.0.3 - Authenticated Arbitrary File Upload vulnerability
Authenticated Arbitrary File Upload vulnerability discovered by Kim Jong Min aka Universe (Patchstack Alliance) in WordPress Enable SVG, WebP & ICO Upload plugin versions <= 1.0.3. Solution: No patched version available...
WordPress Yoo Slider plugin <= 2.0.0 - Cross-Site Request Forgery (CSRF) vulnerability leading to Slider Creation / Modification
Cross-Site Request Forgery (CSRF) vulnerability leading to Slider Creation / Modification discovered by Ex.Mi (Patchstack) in WordPress Yoo Slider plugin versions <= 2.0.0. Solution: Update the WordPress Yoo Slider plugin to the latest available version (at least 2.1.0)...
WordPress Salon booking system plugin <= 7.6.1 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered by Huli (Cymetrics) in WordPress Salon booking system plugin versions <= 7.6.1. Solution: Update the WordPress Salon booking system plugin to the latest available version (at least 7.6.3)...
WordPress Divi premium theme <= 4.5.2 - Authenticated Arbitrary File Upload vulnerability
Authenticated Arbitrary File Upload vulnerability discovered by WordFence in WordPress Divi premium theme versions <= 4.5.2. Solution: Update the WordPress Divi premium theme to the latest available version (at least 4.5.3)...
WordPress Euclid Theme 1.x.x - CSRF
The WordPress Euclid theme is prone to a cross-site request forgery vulnerability. It allows an attacker to gain unauthorized access to the affected application by performing certain actions in the context of an authorized user's session. Solution: Upgrade the theme...
WordPress Image and Video Lightbox, Image PopUp Plugin <= 2.1.5 is vulnerable to Cross Site Scripting (XSS)
Software: Image and Video Lightbox, Image PopUp; Type: Plugin; Vulnerable versions: <= 2.1.5; Fixed in: 2.1.6; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-24004; Patch priority: Low; CVSS severity: Low (5.9); Developer: Claim ownership; PSID: 4d9c16d4d9c1; Credits:...
WordPress WP Contact Slider plugin <= 2.4.7 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas in WordPress WP Contact Slider plugin versions <= 2.4.7. Solution: Update the WordPress WP Contact Slider plugin to the latest available version (at least 2.4.8)...
WordPress Shortcodes Ultimate plugin <= 5.12.0 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to Preset Settings Change discovered by Dave Jong (Patchstack) in WordPress Shortcodes Ultimate plugin versions <= 5.12.0. Solution: Update the WordPress Shortcodes Ultimate plugin to the latest available version (at least 5.12.1)...
WordPress Gallery PhotoBlocks plugin <= 1.2.7 - Cross-Site Request Forgery (CSRF) vulnerabilities
Cross-Site Request Forgery (CSRF) vulnerabilities leading to Gallery Delete / Copy discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Gallery PhotoBlocks plugin versions <= 1.2.7. Solution: Deactivate and delete. This plugin has been closed as of August 10, 2022 and is not available for...
WordPress Advanced Custom Fields plugin <= 5.12.2 - Unauthenticated File Upload vulnerability
Unauthenticated File Upload vulnerability discovered by James Golovich in WordPress Advanced Custom Fields plugin versions <= 5.12.2. Solution: Update the WordPress Advanced Custom Fields plugin to the latest available version (at least 5.12.3)...
WordPress Vision Interactive plugin < 1.5.2 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by WPScanTeam in WordPress Vision Interactive plugin versions < 1.5.2. Solution: Update the WordPress Vision Interactive plugin to the latest available version (at least 1.5.2)...
WordPress <= 4.4.1 - CSRF
WordPress before 4.5 is prone to a cross-site request forgery (CSRF) vulnerability. Through the wp_ajax_wp_compression_test function in the wp-admin/includes/ajax-actions.php file, attackers can hijack the authentication of administrators when they change the script compression option. Solution: Update WordPress ...
WordPress <= 4.2.2 - XSS
WordPress 4.2.2 is prone to a cross-site scripting vulnerability that allows an authenticated user to bypass intended access restrictions and create drafts by leveraging the Subscriber role. It also allows injection of web script or HTML by leveraging the Author role to place a crafted shortcode...
WordPress White Label CMS Plugin <= 1.5.0 - CSRF
Because of this vulnerability in wlcms-plugin.php, attackers can hijack the authentication of administrators for requests that modify the developer name via the wlcms_o_developer_name parameter in a save action to wp-admin/admin.php. Solution: Update the plugin...
WordPress JetEngine <= 3.7.0 - Remote Code Execution (RCE) Vulnerability
Remote Code Execution (RCE) vulnerability discovered by stealthcopter in WordPress Plugin JetEngine versions <= 3.7.0...
WordPress Really Simple SSL Plugin 9.0.0-9.1.1.1 is vulnerable to Broken Authentication
Software: Really Simple SSL; Type: Plugin; Vulnerable versions: 9.0.0-9.1.1.1; Fixed in: 9.1.2; OWASP Top 10: A1: Broken Access Control; Classification: Broken Authentication; CVE: CVE-2024-10924; Patch priority: High; CVSS severity: High (9.8); Developer: Claim ownership; PSID: 8effdc8642db; Credits: István Márton...
WordPress Slider Revolution Plugin <= 6.7.18 is vulnerable to Cross Site Scripting (XSS)
Software: Slider Revolution; Type: Plugin; Vulnerable versions: <= 6.7.18; Fixed in: 6.7.19; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-8107; Patch priority: Low; CVSS severity: Low (5.9); Developer: ThemePunch; PSID: 36b1d1650d8f; Credits: wesley (wcraft); Required...
WordPress Brozzme Scroll Top Plugin <= 1.8.5 is vulnerable to Cross Site Scripting (XSS)
Software: Brozzme Scroll Top; Type: Plugin; Vulnerable versions: <= 1.8.5; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-34426; Patch priority: Low; CVSS severity: Low (5.9); Developer: Claim ownership; PSID: 40ba77316890; Credits: Cronus; Required privilege: Administrat...
WordPress Transposh WordPress Translation plugin <= 1.0.8.1 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered by Julien Ahrens in WordPress Transposh WordPress Translation plugin versions <= 1.0.8.1. Solution: Deactivate and delete. This plugin has been closed as of February 7, 2022 and is not available for download. Reason: Security Issue...
WordPress ToolBar to Share plugin <= 2.0 - Cross-Site Request Forgery (CSRF) vulnerability to Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS) discovered by Sho Sakata (Cryptography Laboratory at Tokyo Denki University) in WordPress ToolBar to Share plugin versions <= 2.0. Solution: Deactivate and delete. This plugin has been closed as of May 31, 2022 and is n...
WordPress <= 5.9.1 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Ben Bidner in WordPress versions <= 5.9.1. Solution: Update WordPress to the latest available version (at least 5.9.2)...
WordPress File Upload plugin <= 4.16.2 - Contributor+ Path Traversal vulnerability leading to Remote Code Execution (RCE)
Contributor+ Path Traversal vulnerability leading to Remote Code Execution (RCE) discovered by apple502j in WordPress File Upload plugin versions <= 4.16.2. Solution: Update the WordPress File Upload plugin to the latest available version (at least 4.16.3)...
WordPress Paid Memberships Pro <= 2.6.6 - Unauthenticated Blind SQL Injection (SQLi) vulnerability
Unauthenticated Blind SQL Injection (SQLi) vulnerability discovered by Krzysztof Zając in WordPress Paid Memberships Pro versions <= 2.6.6. Solution: Update the WordPress Paid Memberships Pro plugin to the latest available version (at least 2.6.7)...
WordPress NEX-Forms – Ultimate Form Builder plugin <= 8.1 - Multiple Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Stored Cross-Site Scripting (XSS) vulnerabilities were discovered by Shivam Rai in WordPress NEX-Forms – Ultimate Form Builder plugin versions <= 8.1. Solution: Deactivate and delete. This plugin has been closed as of October 4, 2021 and is not available for download. This closure is...
WordPress Perfect Survey plugin <= 1.5.0 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by apple502j in WordPress Perfect Survey plugin versions <= 1.5.0. Solution: The vulnerability was fixed in version 1.5.2, but the plugin was closed due to other security issues. This plugin has been closed as of October 5, 2021 and is not available for...
WordPress WOOCS – WooCommerce Currency Switcher plugin <= 1.3.6.2 - Local File Inclusion (LFI) vulnerability leading to Remote Code Execution (RCE)
Local File Inclusion (LFI) vulnerability leading to Remote Code Execution (RCE) discovered by Marc Montpas (Automattic) in WordPress WOOCS – WooCommerce Currency Switcher plugin versions <= 1.3.6.2. Solution: Update the WordPress WOOCS – WooCommerce Currency Switcher plugin to the latest available versio...
WordPress <= 5.5.1 - Cross-Site Scripting (XSS) via Global Variables vulnerability
Cross-Site Scripting (XSS) via Global Variables vulnerability found by Marc Montas in WordPress versions <= 5.5.1. Solution: Update WordPress to the latest available version (at least 5.5.2)...
WordPress Simple Backup Plugin 2.7.11 - Multiple Vulnerabilities
The Simple Backup plugin is prone to multiple vulnerabilities, such as arbitrary file deletion and arbitrary file download. Because of these issues, an attacker can download files from the web server and delete arbitrary files without any authentication or permission. Solution: Update the...
WordPress WPML Plugin <= 3.1.9.1 - Multiple Vulnerabilities
WPML is prone to SQL injection, page or post menu deletion, and reflected cross-site scripting vulnerabilities. Solution: Update the plugin...
WordPress GutenKit Plugin <= 2.1.0 is vulnerable to Arbitrary File Upload
Software: GutenKit; Type: Plugin; Vulnerable versions: <= 2.1.0; Fixed in: 2.1.1; OWASP Top 10: A1: Injection; Classification: Arbitrary File Upload; CVE: CVE-2024-9234; Patch priority: High; CVSS severity: High (10); Developer: Claim ownership; PSID: 084e0f3075d0; Credits: Sean Murphy; Required privilege: Unauthenticated...
WordPress Contact Form to Any API Plugin <= 1.2.2 is vulnerable to Cross Site Scripting (XSS)
Software: Contact Form to Any API; Type: Plugin; Vulnerable versions: <= 1.2.2; Fixed in: N/A; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-7617; Patch priority: Medium; CVSS severity: Medium (7.1); Developer: Claim ownership; PSID: 8a05dbbe144d; Credits: Jorgson...
WordPress BuddyForms Plugin <= 2.8.8 is vulnerable to Arbitrary File Download
Software: BuddyForms; Type: Plugin; Vulnerable versions: <= 2.8.8; Fixed in: 2.8.9; OWASP Top 10: A4: Insecure Design; Classification: Arbitrary File Download; CVE: CVE-2024-32830; Patch priority: High; CVSS severity: High (8.6); Developer: Claim ownership; PSID: df4ae0005bef; Credits: Yudistira Arya; Required privilege...