WordPress Akismet Plugin - Multiple Cross Site Scripting Vulnerabilities
WordPress Akismet plugin is prone to multiple cross-site scripting vulnerabilities. It fails to properly clean up user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal cookie-based...
WordPress Zingiri Plugin <= 1.4.3 - Directory Traversal
Because of this vulnerability in forum.php, attackers can read arbitrary files via the "url" parameter to index.php. Solution: Update the plugin...
WordPress All-in-One Event Calendar Plugin 1.4 - Multiple Parameter XSS
WordPress All-in-One Event Calendar plugin's /wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php has multiple parameters prone to cross-site scripting. It fails to properly clean up user-supplied input. An attacker may execute arbitrary script code in the browse...
WordPress <= 0.70 - PHP remote file inclusion
Because of this vulnerability in wp-links/links.all.php, attackers can execute arbitrary PHP code via a URL in the $abspath variable. Solution: Update the plugin...
WordPress Users Plugin <= 1.3 - SQL Injection
Because of this vulnerability in wp-users.php, attackers can execute arbitrary SQL commands via the "uid" parameter to index.php. Solution: Update the plugin...
WordPress Cover WP Theme 1.6.5 - Cross Site Scripting
WordPress Cover WP theme's "s" parameter is prone to a cross-site scripting vulnerability. It fails to properly clean up user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal cookie-base...
WordPress Custom Pages Plugin 0.5.0.1 - Local File Inclusion
This vulnerability can be exploited to include arbitrary files. Solution: Update the plugin...
WordPress Register Plus Plugin <= 3.5.1 - Multiple Vulnerabilities
Because of these vulnerabilities, attackers can obtain sensitive information via a direct request to dashwidget.php and register-plus.php. Solution: Update the plugin...
WordPress Embedded Video Plugin <= 4.1 - XSS
Because of this vulnerability in lembedded-video.php, attackers can inject arbitrary web script or HTML via the "content" parameter to wp-admin/post.php. Solution: Update the plugin...
WordPress NextGEN Gallery Plugin <= 1.5.1 - XSS Vulnerability
The NextGEN Gallery plugin is prone to a cross-site scripting vulnerability. It is a very popular plugin for the WordPress content management system, which is commonly used as a blogging platform. The vulnerability involves the "mode" parameter of the xml/media-rss.php script, and it results in...
WordPress MU <= 2.7 - 'HOST' HTTP Header XSS Vulnerability
WordPress MU prior to version 2.7 fails to sanitize the Host header correctly in the choose_primary_blog function and can be exploited. Sites running in a virtual hosting setup are not affected as long as they are not the default virtual host. Solution: Upgrade WordPress...
WordPress DMSGuestbook Plugin <= 1.8.0 - Multiple XSS vulnerabilities
Because of these vulnerabilities, attackers can inject arbitrary web script or HTML. Solution: Update the plugin...
WordPress FeedBurner Plugin <= 2.2 - CSRF
Because of this vulnerability, attackers can change settings and hijack blog feeds via a request to wp-admin/options-general.php. Solution: Update the plugin...
WordPress <= 2.2.1 - XSS
Because of this vulnerability in wp-admin/includes/upload.php, attackers can inject arbitrary web script or HTML via the "style" parameter. Solution: Update WordPress...
WordPress Cordobo Green Park Theme - XSS
Because of this vulnerability, attackers can inject arbitrary web script or HTML via the PHP_SELF portion of a URI. Solution: Update the theme...
WordPress <= 2.1 - SQL Injection
Because of this vulnerability in wp-admin/admin-ajax.php, attackers can execute arbitrary SQL commands via the "cookie" parameter. Solution: Update WordPress...
WordPress <= 2.1.2 - Security BYPASS
Authenticated users with the contributor role can bypass intended access restrictions and invoke the publish_posts functionality. Solution: Update WordPress to the latest available version, at least 2.1.3...
WordPress Article Management Plugin <= 3.40 - SQL Injection
Because of this vulnerability, attackers can execute arbitrary SQL commands via the "wcHeadlines" parameter. Solution: Update the WordPress Article Management plugin to the latest available version, at least 3.41...
WordPress <= 2.0.2 - Direct Static Code Injection
Because of this vulnerability, attackers can execute arbitrary commands by inserting a carriage return followed by PHP code when updating a profile; the input is appended into files after a special comment sequence. Solution: Update WordPress to the latest available version, at least 2.0.3...
WordPress <= 1.5.1.2 - Multiple XSS vulnerabilities
Because of these vulnerabilities in post.php, attackers can inject arbitrary web script or HTML via the "p" or "comment" parameter. Solution: Update WordPress to the latest available version, at least 1.5.1.3...
NPM: Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAccess, enabling arbitrary file read and full-response SSRF in the delivered message
NPM: Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAccess, enabling arbitrary file read and full-response SSRF in the delivered message vulnerability discovered by ? in WordPress Npm nodemailer versions = 9.0.0...
WordPress Montonio for WooCommerce plugin <= 10.1.2 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Niv Kochan in WordPress Plugin Montonio for WooCommerce versions <= 10.1.2...
WordPress MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin <= 10.1.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure And Plugin Integration Reset vulnerability
Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure And Plugin Integration Reset vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Google Analytics by Monster Insights versions <= 10.1.2...
WordPress ilGhera Support System for WooCommerce plugin <= 1.3.0 - Missing Authorization to Unauthenticated Sensitive Information Exposure vulnerability
Missing Authorization to Unauthenticated Sensitive Information Exposure vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Woocommerce Support System versions <= 1.3.0...
WordPress Royal MCP plugin <= 1.4.2 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Alexis Lafontaine in WordPress Plugin Royal MCP versions <= 1.4.2...
WordPress WP JobHunt plugin <= 7.7 - Authenticated (Candidate+) Insecure Direct Object Reference vulnerability
Authenticated (Candidate+) Insecure Direct Object Reference vulnerability discovered by meghnine islem - CYBEARS in WordPress Plugin WP JobHunt versions <= 7.7...
WordPress Rich Shortcodes for Google Reviews plugin <= 6.8 - Unauthenticated Stored Cross-Site Scripting via Google Review vulnerability
Unauthenticated Stored Cross-Site Scripting via Google Review vulnerability discovered by Kishan Vyas in WordPress Plugin Rich Showcase for Google Reviews versions <= 6.8...
WordPress WP Directory Kit plugin <= 1.4.4 - Authentication Bypass to Privilege Escalation via Account Takeover vulnerability
Authentication Bypass to Privilege Escalation via Account Takeover vulnerability discovered by Ryan Kozak in WordPress Plugin WP Directory Kit versions 1.4.0-1.4.4...
WordPress Appy Pie Connect for WooCommerce plugin <= 1.1.2 - Missing Authorization to Unauthenticated Privilege Escalation via reset_user_password vulnerability
Missing Authorization to Unauthenticated Privilege Escalation via reset_user_password vulnerability discovered by johska in WordPress Plugin Appy Pie Connect for WooCommerce versions <= 1.1.2...
WordPress User Notes plugin <= 1.0.2 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nabil Irawan in WordPress Plugin User Notes versions <= 1.0.2...
WordPress Attachment Manager plugin <= 2.1.2 - Unauthenticated Arbitrary File Deletion vulnerability
Unauthenticated Arbitrary File Deletion vulnerability discovered by johska in WordPress Plugin Attachment Manager versions <= 2.1.2...
WordPress Content No Cache plugin <= 0.1.4 - Arbitrary Function Call vulnerability
Arbitrary Function Call vulnerability discovered by HLog in WordPress Plugin Content No Cache versions <= 0.1.4...
WordPress Popup Maker plugin <= 1.20.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via popupID Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via popupID Parameter vulnerability discovered by Asaf Mozes in WordPress Plugin Popup Maker versions <= 1.20.4...
WordPress Simple Side Tab Plugin <= 2.1.14 is vulnerable to Cross Site Scripting (XSS)
Software: Simple Side Tab; Type: Plugin; Vulnerable versions: <= 2.1.14; Fixed in: 2.2.0; OWASP Top 10: A7 Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-10551; Patch priority: Low; CVSS severity: Low (5.9); PSID: 2f20e42d5a25; Credits: Krugov Artyom; Required...
WordPress Sp*tify Play Button for WordPress Plugin <= 2.11 is vulnerable to Cross Site Scripting (XSS)
Software: Sptify Play Button for WordPress; Type: Plugin; Vulnerable versions: <= 2.11; Fixed in: 2.12; OWASP Top 10: A7 Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-11192; Patch priority: Low; CVSS severity: Low (6.5); PSID: dfa0a0c11673; Credits: Peter...
WordPress Activity Log Plugin <= 2.11.1 is vulnerable to Cross Site Scripting (XSS)
Software: Activity Log; Type: Plugin; Vulnerable versions: <= 2.11.1; Fixed in: 2.11.2; OWASP Top 10: A7 Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-10788; Patch priority: Medium; CVSS severity: Medium (7.1); Developer: Elementor; PSID: 657fbb862f42; Credits: mikemyers; Required...
WordPress Geolocator Plugin <= 1.1 is vulnerable to PHP Object Injection
Software: Geolocator; Type: Plugin; Vulnerable versions: <= 1.1; Fixed in: N/A; OWASP Top 10: A3 Injection; Classification: PHP Object Injection; CVE: CVE-2024-52443; Patch priority: High; CVSS severity: High (9.8); PSID: 70b8a65b2fb3; Credits: LVT-tholv2k; Required privilege: Unauthenticated...
WordPress Fancy Gallery Plugin <= 1.6.58 is vulnerable to Cross Site Scripting (XSS)
Software: Fancy Gallery; Type: Plugin; Vulnerable versions: <= 1.6.58; Fixed in: N/A; OWASP Top 10: A7 Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-10875; Patch priority: Medium; CVSS severity: Medium (7.1); PSID: 3416f5a9cb28; Credits: Peter Thaleikis...
WordPress User Extra Fields Plugin <= 16.6 is vulnerable to Arbitrary File Deletion
Software: User Extra Fields; Type: Plugin; Vulnerable versions: <= 16.6; Fixed in: 16.7; OWASP Top 10: A2 Broken Authentication; Classification: Arbitrary File Deletion; CVE: CVE-2024-11150; Patch priority: High; CVSS severity: High (9.8); PSID: 5b9352f46ad9; Credits: Chloe Chamberland; Require...
WordPress Aqua SVG Sprite Plugin <= 3.0.14 is vulnerable to Cross Site Scripting (XSS)
Software: Aqua SVG Sprite; Type: Plugin; Vulnerable versions: <= 3.0.14; Fixed in: N/A; OWASP Top 10: A7 Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-9426; Patch priority: Low; CVSS severity: Low (6.5); PSID: 4ffa1c9bb1a6; Credits: Francesco Carlucci; Requir...
WordPress CYAN Backup Plugin <= 2.5.3 is vulnerable to Arbitrary File Download
Software: CYAN Backup; Type: Plugin; Vulnerable versions: <= 2.5.3; Fixed in: 2.5.4; OWASP Top 10: A1 Broken Access Control; Classification: Arbitrary File Download; CVE: CVE-2024-52390; Patch priority: Low; CVSS severity: Low (4.9); PSID: b0f12165e19f; Credits: Junsu Yeo; Required privilege...
WordPress Multiple Votes in one page Plugin <= 1.0.4 is vulnerable to Cross Site Scripting (XSS)
Software: Multiple Votes in one page; Type: Plugin; Vulnerable versions: <= 1.0.4; Fixed in: N/A; OWASP Top 10: A3 Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-51917; Patch priority: Low; CVSS severity: Low (6.5); PSID: 4983d4506f9d; Credits: SOPROBRO; Required privilege...
WordPress Table of Contents Plus Plugin <= 2411 is vulnerable to Cross Site Scripting (XSS)
Software: Table of Contents Plus; Type: Plugin; Vulnerable versions: <= 2411; Fixed in: N/A; OWASP Top 10: A7 Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-5578; Patch priority: Low; CVSS severity: Low (6.5); PSID: 487fd7341438; Credits: Dmitrii Ignatyev...
WordPress WooCommerce Social Login Plugin <= 2.7.7 is vulnerable to Broken Authentication
Software: WooCommerce Social Login; Type: Plugin; Vulnerable versions: <= 2.7.7; Fixed in: 2.7.8; OWASP Top 10: A7 Identification and Authentication Failures; Classification: Broken Authentication; CVE: CVE-2024-10114; Patch priority: High; CVSS severity: High (8.1); PSID: 36095483e627; Credi...
WordPress Jigoshop – Store Exporter Plugin <= 1.5.8 is vulnerable to Cross Site Scripting (XSS)
Software: Jigoshop – Store Exporter; Type: Plugin; Vulnerable versions: <= 1.5.8; Fixed in: N/A; OWASP Top 10: A3 Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-50519; Patch priority: Medium; CVSS severity: Medium (7.1); PSID: 721f9b13ca88; Credits: Zlrqh; Required privilege...
WordPress MaanStore API Plugin <= 1.0.1 is vulnerable to Broken Authentication
Software: MaanStore API; Type: Plugin; Vulnerable versions: <= 1.0.1; Fixed in: N/A; OWASP Top 10: A7 Identification and Authentication Failures; Classification: Broken Authentication; CVE: CVE-2024-50487; Patch priority: High; CVSS severity: High (9.8); PSID: 80e67caa15fa; Credits...
WordPress WP Query Console Plugin <= 1.0 is vulnerable to Remote Code Execution (RCE)
Software: WP Query Console; Type: Plugin; Vulnerable versions: <= 1.0; Fixed in: N/A; OWASP Top 10: A3 Injection; Classification: Remote Code Execution (RCE); CVE: CVE-2024-50498; Patch priority: High; CVSS severity: High (10); PSID: af5ddac5f157; Credits: stealthcopter; Required privilege...
WordPress Time Clock Pro Plugin <= 1.1.4 is vulnerable to Remote Code Execution (RCE)
Software: Time Clock Pro; Type: Plugin; Vulnerable versions: <= 1.1.4; Fixed in: 1.1.5; OWASP Top 10: A1 Injection; Classification: Remote Code Execution (RCE); CVE: CVE-2024-9593; Patch priority: High; CVSS severity: High (8.3); PSID: 9837dd0a77ff; Credits: István Márton; Required privilege...
WordPress GiveWP Plugin <= 3.16.3 is vulnerable to PHP Object Injection
Software: GiveWP; Type: Plugin; Vulnerable versions: <= 3.16.3; Fixed in: 3.16.4; OWASP Top 10: A1 Injection; Classification: PHP Object Injection; CVE: CVE-2024-9634; Patch priority: High; CVSS severity: High (10); Developer: Liquid Web / StellarWP; PSID: a33794a83e6f; Credits: lefab; Required privilege: Unauthenticated...
WordPress Movie Database Plugin <= 1.0.11 is vulnerable to Cross Site Scripting (XSS)
Software: Movie Database; Type: Plugin; Vulnerable versions: <= 1.0.11; Fixed in: N/A; OWASP Top 10: A3 Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-43300; Patch priority: Low; CVSS severity: Low (5.9); PSID: d8991f93ba12; Credits: FX; Required privilege: Administrator...