WordPress Ripe HD FLV Player Plugin - SQL Injection
The WordPress Ripe HD FLV Player plugin is prone to an SQL injection vulnerability. It allows an attacker to access the database, retrieve usernames and passwords, and disclose the full installation path. Solution Update the plugin...
WordPress <= 3.5.0 - Multiple Cross Site Scripting
These vulnerabilities allow attackers to inject arbitrary web script or HTML. Solution Update WordPress...
WordPress Adminimize Plugin <= 1.7.21 - Multiple XSS
These vulnerabilities allow attackers to inject arbitrary web script or HTML. Solution Update the plugin...
WordPress Featurific For WordPress Plugin 1.6.2 - Cross Site Scripting
The WordPress Featurific For WordPress plugin's "snum" parameter is prone to a cross-site scripting vulnerability because the plugin fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker c...
WordPress Jetpack Plugin - SQL Injection
The Jetpack plugin is prone to an SQL injection. This vulnerability allows an attacker to modify data, alter the queries sent to the application's SQL database, compromise the application and its access controls, or exploit latent vulnerabilities in the underlying database. Solution Update the plugin...
WordPress Classipress Theme <= 3.1.4 - Stored XSS
The Classipress theme is prone to a stored cross-site scripting vulnerability because it fails to sanitize the POST parameters 'facebookid' and 'twitterid' on a registered user's profile page. It allows an attacker to inject JavaScript code. Solution Update the theme...
WordPress Crawl Rate Tracker Plugin <= 2.0.2 - SQL Injection
The Crawl Rate Tracker plugin is prone to an SQL injection. This vulnerability allows an attacker to modify data, alter the queries sent to the application's SQL database, compromise the application and its access controls, or exploit latent vulnerabilities in the underlying database. Solution Upgrade the plugin...
WordPress Global Content Blocks Plugin <= 1.2 - SQL Injection
The WordPress Global Content Blocks plugin is prone to an SQL injection. This vulnerability allows an attacker to modify data, compromise the application and its access controls, or exploit latent vulnerabilities in the underlying database. Solution Upgrade the plugin...
WordPress <= 3.1.2 - Clickjacking Attacks
This WordPress version does not prevent its admin and login pages from being rendered inside a frame in a third-party HTML document, which allows attackers to conduct clickjacking attacks via a crafted web site. Solution Update WordPress...
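The clickjacking entry above comes down to one missing control: a response header that tells browsers not to render the page inside a foreign frame. The following Python check is an added example, not code from this listing or from WordPress; it inspects a response's headers the way a scanner would, and the header sets in SAMPLE_RESPONSES are constructed samples, not captured from any site.

```python
"""Decide whether a page can be framed by a third-party origin (clickjacking).

Added example; the header sets in SAMPLE_RESPONSES are constructed, not captured.
"""
from typing import Mapping, Optional
from urllib.request import Request, urlopen


def frame_ancestors_sources(csp: str) -> Optional[list]:
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def is_frameable_by_third_parties(headers: Mapping[str, str]) -> bool:
    """True when nothing in the response stops a foreign origin from framing it.

    Browsers give CSP frame-ancestors precedence over X-Frame-Options when both
    are present, so it is evaluated first.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    sources = frame_ancestors_sources(lower.get("content-security-policy", ""))
    if sources is not None:
        # 'none', 'self' and explicit host sources confine framing; a wildcard or
        # bare scheme source ('*', 'https:') admits any origin.
        return any(src in ("*", "http:", "https:") for src in sources)

    xfo = lower.get("x-frame-options", "").strip().lower()
    if xfo in ("deny", "sameorigin"):
        return False
    # Missing, misspelled, or the obsolete ALLOW-FROM form (ignored by current
    # browsers, so it gives no protection) all leave the page frameable.
    return True


def check_url(url: str, timeout: float = 10.0) -> bool:
    """Fetch a page (e.g. https://example.com/wp-login.php) and run the check on it."""
    req = Request(url, headers={"User-Agent": "clickjack-check/1.0"})
    with urlopen(req, timeout=timeout) as resp:
        return is_frameable_by_third_parties(dict(resp.headers.items()))


# Constructed header sets illustrating the vulnerable and fixed states.
SAMPLE_RESPONSES = {
    "unprotected": {"Content-Type": "text/html; charset=UTF-8"},
    "xfo_sameorigin": {"Content-Type": "text/html; charset=UTF-8",
                       "X-Frame-Options": "SAMEORIGIN"},
    "csp_self": {"Content-Type": "text/html; charset=UTF-8",
                 "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp_wildcard_overrides_xfo": {"X-Frame-Options": "DENY",
                                   "Content-Security-Policy": "frame-ancestors *"},
    "obsolete_allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def audit_samples() -> dict:
    """Run the check over every constructed sample; maps name -> frameable?"""
    return {name: is_frameable_by_third_parties(h) for name, h in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, frameable in audit_samples().items():
        print(f"{name:30s} {'FRAMEABLE' if frameable else 'protected'}")
```

Point check_url at a site's wp-login.php or wp-admin/ to test a live install; the "csp_wildcard_overrides_xfo" sample is there because a permissive frame-ancestors silently cancels a restrictive X-Frame-Options, a misconfiguration that a header-presence check alone would miss.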
WordPress Register Plus Plugin <= 3.5.1 - Multiple Vulnerabilities
These vulnerabilities allow attackers to obtain sensitive information via a direct request to dashwidget.php or register-plus.php. Solution Update the plugin...
WordPress Embedded Video Plugin <= 4.1 - XSS
This vulnerability in lembedded-video.php allows attackers to inject arbitrary web script or HTML via the "content" parameter to wp-admin/post.php. Solution Update the plugin...
WordPress cache_lastpostdate - Arbitrary Code Execution
WordPress versions prior to 1.5.1.3 are remotely exploitable if register_globals is enabled in the PHP configuration of the web server on which they run. Perl code exists that automatically exploits vulnerable sites, allowing an attacker to attempt arbitrary code execution. Solution Update WordPress...
WordPress <= 2.3.2 - Unauthorized Access Vulnerability
This vulnerability allows attackers to edit the posts of other blog users via unknown vectors. Solution Update WordPress...
WordPress DMSGuestbook Plugin <= 1.8.0 - Directory Traversal
This vulnerability in wp-admin/admin.php allows authenticated users to read arbitrary files. Solution Update the plugin...
WordPress fGallery Plugin <= 2.4.1 - SQL Injection
This vulnerability in fimrss.php allows attackers to execute arbitrary SQL commands via the "album" parameter. Solution Update the plugin...
WordPress <= 2.0.3 - Directory Traversal
This vulnerability in wp-db-backup.php allows attackers to read arbitrary files, delete arbitrary files, and cause a denial of service via the "backup" parameter. Solution Update WordPress...
WordPress <= 2.0.9 - Multiple XSS
These vulnerabilities allow attackers to inject arbitrary web script or HTML. Solution Update WordPress...
WordPress FeedBurner Plugin <= 2.2 - CSRF
This vulnerability allows attackers to change settings and hijack blog feeds via a request to wp-admin/options-general.php. Solution Update the plugin...
WordPress <= 2.2.1 - XSS
This vulnerability in wp-admin/includes/upload.php allows attackers to inject arbitrary web script or HTML via the "style" parameter. Solution Update WordPress...
WordPress Default Theme <= 2.2 - XSS
This vulnerability allows authenticated administrators to inject arbitrary web script or HTML. Solution Update the theme...
WordPress Cordobo Green Park Theme - XSS
This vulnerability allows attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI. Solution Update the theme...
WordPress <= 2.1.1 - Multiple XSS
These vulnerabilities in wp-includes/functions.php allow attackers to inject arbitrary web script or HTML. Solution Update WordPress to the latest available version (at least 2.1.2)...
WordPress <= 2.1.0 - XSS
This vulnerability allows attackers to inject arbitrary web script or HTML via the "file" parameter. Solution Update WordPress to the latest available version (at least 2.1.1)...
WordPress <= 2.0.0 - Cross Site Scripting
This vulnerability allows attackers to inject arbitrary web script or HTML via scriptable attributes such as onfocus and onblur in the "author's website" field. Solution Update WordPress to the latest available version (at least 2.0.1)...
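The entry above describes the classic attribute-context XSS: a profile field that is dropped into an href attribute without escaping lets a value such as `http://x" onfocus="alert(1)" autofocus="` close the attribute and append event handlers. The following Python is an added example, not WordPress code (WordPress itself uses esc_url and esc_attr for this job); it contrasts the vulnerable rendering with a hardened one that allowlists the URL scheme and host and then escapes the attribute, and adds a small detector for on*= handlers in stored values. The payload and URLs are constructed.

```python
"""Attribute-context XSS through an author 'website' field: vulnerable vs hardened.

Added example; the payloads below are constructed.
"""
import html
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hostname with optional port only: no quotes, spaces or other attribute-breaking characters.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")
EVENT_HANDLER_RE = re.compile(r"\son[a-z]+\s*=", re.IGNORECASE)


def render_author_link_vulnerable(name: str, website: str) -> str:
    """Interpolates the stored value straight into markup, as the vulnerable code did."""
    return f'<a href="{website}">{name}</a>'


def sanitize_author_url(website: str) -> str:
    """Return the URL if it is a plain http(s) URL with a well-formed host, else ''."""
    candidate = website.strip()
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return ""
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return ""          # rejects javascript:, data:, vbscript: and scheme-less values
    if not HOST_RE.match(parts.netloc):
        return ""          # rejects 'x" onfocus="alert(1)' style hosts
    return candidate


def render_author_link_safe(name: str, website: str) -> str:
    """Allowlist the URL, then escape both the attribute and the text context."""
    safe_url = sanitize_author_url(website)
    safe_name = html.escape(name, quote=True)
    if not safe_url:
        return safe_name   # emit no link at all rather than a half-trusted one
    return f'<a href="{html.escape(safe_url, quote=True)}">{safe_name}</a>'


def has_inline_event_handler(markup: str) -> bool:
    """Cheap detector for on*= attributes, usable when auditing stored profile values."""
    return EVENT_HANDLER_RE.search(markup) is not None


# Constructed inputs: one attribute-breakout payload, one javascript: URL, one benign URL.
PAYLOAD = 'http://x" onfocus="alert(1)" autofocus="'
JS_URL = "javascript:alert(document.cookie)"
BENIGN = "https://example.com/blog/?q=1&tag=<b>"

if __name__ == "__main__":
    print(render_author_link_vulnerable("Eve", PAYLOAD))   # handlers survive
    print(render_author_link_safe("Eve", PAYLOAD))         # plain text, no link
    print(render_author_link_safe("Eve", JS_URL))
    print(render_author_link_safe("Bob & Co", BENIGN))
```

The host allowlist matters as much as the escaping: escaping alone would neutralise the breakout, but a javascript: URL contains nothing for html.escape to touch, and only the scheme check stops it.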
WordPress <= 1.5.1.2 - Multiple Vulnerabilities #2
These vulnerabilities allow attackers to obtain sensitive information via a direct request to menu-header.php or via a value in the "feed" parameter to wp-atom.php. Solution Update WordPress to the latest available version (at least 1.5.1.3)...
NPM: Flowise has an MCP Security Bypass that Enables RCE
NPM: Flowise has an MCP Security Bypass that Enables RCE vulnerability discovered by ? in WordPress Npm flowise-components versions = 3.1.1...
NPM: vm2 has access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`
NPM: vm2 has access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL` vulnerability discovered by ? in WordPress Npm vm2 versions 3.11.2...
WordPress Betheme theme <= 28.4 - Authenticated (Author+) Arbitrary File Upload to Remote Code Execution vulnerability
Authenticated (Author+) Arbitrary File Upload to Remote Code Execution vulnerability discovered by Wordfence in WordPress Theme Betheme versions <= 28.4...
WordPress Rich Shortcodes for Google Reviews plugin <= 6.8 - Unauthenticated Stored Cross-Site Scripting via Google Review vulnerability
Unauthenticated Stored Cross-Site Scripting via Google Review vulnerability discovered by Kishan Vyas in WordPress Plugin Rich Showcase for Google Reviews versions <= 6.8...
WordPress Attachment Manager plugin <= 2.1.2 - Unauthenticated Arbitrary File Deletion vulnerability
Unauthenticated Arbitrary File Deletion vulnerability discovered by johska in WordPress Plugin Attachment Manager versions <= 2.1.2...
WordPress Content No Cache plugin <= 0.1.4 - Arbitrary Function Call vulnerability
Arbitrary Function Call vulnerability discovered by HLog in WordPress Plugin Content No Cache versions <= 0.1.4...
WordPress Flozen Theme < 1.5.1 is vulnerable to Arbitrary File Upload
Software: Flozen | Type: Theme | Vulnerable versions: < 1.5.1 | Fixed in: 1.5.1 | OWASP Top 10: A3: Injection | Classification: Arbitrary File Upload | CVE: CVE-2025-49071 | Patch priority: High | CVSS severity: High (10) | PSID: b0bba867fa7b | Credits: Phat RiO - BlueRock | Required privilege: Unauthenticat...
WordPress Theme File Duplicator Plugin <= 1.3 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by LVT-tholv2k in WordPress Plugin Theme File Duplicator versions <= 1.3...
WordPress JobSearch Plugin <= 2.6.7 is vulnerable to Privilege Escalation
Software: JobSearch | Type: Plugin | Vulnerable versions: <= 2.6.7 | Fixed in: 2.6.8 | OWASP Top 10: A7: Identification and Authentication Failures | Classification: Privilege Escalation | CVE: CVE-2024-11925 | Patch priority: High | CVSS severity: High (9.8) | PSID: 9f2540380ea8 | Credits: Tonn | Required...
WordPress Video Lessons Manager Plugin <= 1.8.2 is vulnerable to Cross Site Scripting (XSS)
Software: Video Lessons Manager | Type: Plugin | Vulnerable versions: <= 1.8.2 | Fixed in: 1.8.3 | OWASP Top 10: A7: Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: CVE-2024-11202 | Patch priority: Medium | CVSS severity: Medium (7.1) | PSID: de6edf652333 | Credits: Peter...
WordPress ITERAS Plugin <= 1.7.0 is vulnerable to Cross Site Request Forgery (CSRF)
Software: ITERAS | Type: Plugin | Vulnerable versions: <= 1.7.0 | Fixed in: N/A | OWASP Top 10: A1: Broken Access Control | Classification: Cross Site Request Forgery (CSRF) | CVE: CVE-2024-53710 | Patch priority: Low | CVSS severity: Low (7.1) | PSID: fe46f5e0e01b | Credits: SOPROBRO | Required privilege...
WordPress Sky Addons for Elementor Plugin <= 2.6.1 is vulnerable to Sensitive Data Exposure
Software: Sky Addons for Elementor | Type: Plugin | Vulnerable versions: <= 2.6.1 | Fixed in: 2.6.2 | OWASP Top 10: A3: Sensitive Data Exposure | Classification: Sensitive Data Exposure | CVE: CVE-2024-9542 | Patch priority: Low | CVSS severity: Low (4.3) | Developer: Shahidul Islam | PSID: d2ce76706206 | Credits: Nishiv | Required...
WordPress Subaccounts for WooCommerce Plugin <= 1.6.0 is vulnerable to Cross Site Scripting (XSS)
Software: Subaccounts for WooCommerce | Type: Plugin | Vulnerable versions: <= 1.6.0 | Fixed in: N/A | OWASP Top 10: A7: Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: CVE-2024-11370 | Patch priority: Medium | CVSS severity: Medium (7.1) | PSID: e68bad5342df | Credits: vgo0...
WordPress Fancy Gallery Plugin <= 1.6.58 is vulnerable to Cross Site Scripting (XSS)
Software: Fancy Gallery | Type: Plugin | Vulnerable versions: <= 1.6.58 | Fixed in: N/A | OWASP Top 10: A7: Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: CVE-2024-10875 | Patch priority: Medium | CVSS severity: Medium (7.1) | PSID: 3416f5a9cb28 | Credits: Peter Thaleikis...
WordPress WPvivid Backup and Migration Plugin <= 0.9.107 is vulnerable to PHP Object Injection
Software: WPvivid Backup and Migration | Type: Plugin | Vulnerable versions: <= 0.9.107 | Fixed in: 0.9.108 | OWASP Top 10: A1: Injection | Classification: PHP Object Injection | CVE: CVE-2024-10962 | Patch priority: Low | CVSS severity: Low (9.8) | PSID: b2861821d90b | Credits: Webbernaut | Required...
WordPress WP Activity Log Plugin <= 5.2.1 is vulnerable to Cross Site Scripting (XSS)
Software: WP Activity Log | Type: Plugin | Vulnerable versions: <= 5.2.1 | Fixed in: 5.2.2 | OWASP Top 10: A7: Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: CVE-2024-10793 | Patch priority: Medium | CVSS severity: Medium (7.1) | Developer: Melapress | PSID: ad9533377437 | Credits: mikemyers | Required...
WordPress Disable Admin Notices individually Plugin <= 1.3.5 is vulnerable to Cross Site Request Forgery (CSRF)
Software: Disable Admin Notices individually | Type: Plugin | Vulnerable versions: <= 1.3.5 | Fixed in: N/A | OWASP Top 10: A1: Broken Access Control | Classification: Cross Site Request Forgery (CSRF) | CVE: CVE-2024-52420 | Patch priority: Low | CVSS severity: Low (4.3) | PSID: efd85849f48f | Credits...
WordPress User Extra Fields Plugin <= 16.6 is vulnerable to Arbitrary File Deletion
Software: User Extra Fields | Type: Plugin | Vulnerable versions: <= 16.6 | Fixed in: 16.7 | OWASP Top 10: A2: Broken Authentication | Classification: Arbitrary File Deletion | CVE: CVE-2024-11150 | Patch priority: High | CVSS severity: High (9.8) | PSID: 5b9352f46ad9 | Credits: Chloe Chamberland | Require...
WordPress Aqua SVG Sprite Plugin <= 3.0.14 is vulnerable to Cross Site Scripting (XSS)
Software: Aqua SVG Sprite | Type: Plugin | Vulnerable versions: <= 3.0.14 | Fixed in: N/A | OWASP Top 10: A7: Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: CVE-2024-9426 | Patch priority: Low | CVSS severity: Low (6.5) | PSID: 4ffa1c9bb1a6 | Credits: Francesco Carlucci | Requir...
WordPress Razorpay Payment Button Plugin <= 2.4.6 is vulnerable to Cross Site Scripting (XSS)
Software: Razorpay Payment Button | Type: Plugin | Vulnerable versions: <= 2.4.6 | Fixed in: 2.4.7 | OWASP Top 10: A7: Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: CVE-2024-10851 | Patch priority: Medium | CVSS severity: Medium (7.1) | PSID: 88605e5d5760 | Credits: Peter...
WordPress WPLMS Theme <= 4.962 is vulnerable to Path Traversal
Software: WPLMS | Type: Theme | Vulnerable versions: <= 4.962 | Fixed in: 4.963 | OWASP Top 10: A3: Injection | Classification: Path Traversal | CVE: CVE-2024-10470 | Patch priority: High | CVSS severity: High (9.8) | PSID: 63557cc0ea32 | Credits: Foxyyy | Required privilege: Unauthenticated | Published 8...
WordPress Multiple Votes in one page Plugin <= 1.0.4 is vulnerable to Cross Site Scripting (XSS)
Software: Multiple Votes in one page | Type: Plugin | Vulnerable versions: <= 1.0.4 | Fixed in: N/A | OWASP Top 10: A3: Injection | Classification: Cross Site Scripting (XSS) | CVE: CVE-2024-51917 | Patch priority: Low | CVSS severity: Low (6.5) | PSID: 4983d4506f9d | Credits: SOPROBRO | Required privilege...
WordPress Computer Repair Shop Plugin <= 3.8115 is vulnerable to Arbitrary File Upload
Software: Computer Repair Shop | Type: Plugin | Vulnerable versions: <= 3.8115 | Fixed in: 3.8116 | OWASP Top 10: A3: Injection | Classification: Arbitrary File Upload | CVE: CVE-2024-51793 | Patch priority: High | CVSS severity: High (10) | PSID: 4e734860df66 | Credits: stealthcopter | Required privilege...
WordPress Jigoshop – Store Exporter Plugin <= 1.5.8 is vulnerable to Cross Site Scripting (XSS)
Software: Jigoshop – Store Exporter | Type: Plugin | Vulnerable versions: <= 1.5.8 | Fixed in: N/A | OWASP Top 10: A3: Injection | Classification: Cross Site Scripting (XSS) | CVE: CVE-2024-50519 | Patch priority: Medium | CVSS severity: Medium (7.1) | PSID: 721f9b13ca88 | Credits: Zlrqh | Required privilege...
WordPress World Prayer Time Plugin <= 2.0 is vulnerable to Cross Site Request Forgery (CSRF)
Software: World Prayer Time | Type: Plugin | Vulnerable versions: <= 2.0 | Fixed in: N/A | OWASP Top 10: A1: Broken Access Control | Classification: Cross Site Request Forgery (CSRF) | CVE: CVE-2024-50534 | Patch priority: Low | CVSS severity: Low (7.1) | PSID: c482db8f0a37 | Credits: SOPROBRO | Required...