WordPress JetBlog Plugin <= 2.3.5 is vulnerable to Broken Access Control
Software JetBlog Type Plugin Vulnerable versions <= 2.3.5 Fixed in 2.3.5.1 OWASP Top 10 A1: Broken Access Control Classification Broken Access Control CVE CVE-2023-48760 Patch priority Medium CVSS severity Medium 8.2 Developer Crocoblock PSID 41e8fbc9018f Credits Rafie Muhammad Patchstack Required...
WordPress Transposh WordPress Translation plugin <= 1.0.8.1 - Authorization Bypass vulnerability
Authorization Bypass vulnerability discovered by Julien Ahrens in WordPress Transposh WordPress Translation plugin versions <= 1.0.8.1. Solution No patched version is available. This plugin has been closed as of February 7, 2022 and is not available for download. Reason: Security Issue...
WordPress WC Marketplace Plugin <= 3.8.11.8 - Unauthorized AJAX Calls Vulnerability
Unauthorized AJAX Calls vulnerability discovered by ptsfence in WordPress WC Marketplace plugin versions <= 3.8.11.8. Solution Update the WordPress WC Marketplace plugin to the latest available version at least 3.8.12...
WordPress Request a Quote plugin <= 2.3.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by Benachi in WordPress Request a Quote plugin versions <= 2.3.7. Solution Deactivate and delete. This plugin has been closed as of June 21, 2022 and is not available for download. This closure is temporary, pending a full revi...
WordPress PowerPack Lite for Beaver Builder plugin <= 1.2.9.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting XSS vulnerability discovered by Krzysztof Zając in WordPress PowerPack Lite for Beaver Builder plugin versions <= 1.2.9.2. Solution Update the WordPress PowerPack Lite for Beaver Builder plugin to the latest available version at least 1.2.9.3...
WordPress RegistrationMagic plugin <= 5.0.1.5 - SQL Injection (SQLi) vulnerability
SQL Injection SQLi vulnerability discovered by JrXnm in WordPress RegistrationMagic plugin versions <= 5.0.1.5. Solution Update the WordPress RegistrationMagic plugin to the latest available version at least 5.0.1.6...
WordPress Age Gate plugin <= 2.16.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by Martin Vierula Trustwave in WordPress Age Gate plugin versions <= 2.16.3. Solution Update the WordPress Age Gate plugin to the latest available version at least 2.16.4...
WordPress Ignition premium theme <= 1.59 - Unauthenticated Arbitrary File Upload and Option Deletion
Unauthenticated Arbitrary File Upload and Option Deletion discovered by Wordfence in WordPress Ignition premium theme versions <= 1.59. Solution Update the WordPress Ignition premium theme to the latest available version at least 2.0.0...
WordPress All In One WP Security Plugin 3.8.2 - SQL Injection
The WordPress All In One WP Security plugin is prone to SQL injection. This vulnerability allows an attacker to modify data, compromise access to the application, or exploit further weaknesses in the underlying database. Solution Update the plugin...
WordPress Portable phpMyAdmin Plugin - Authentication Bypass
The Portable phpMyAdmin plugin is prone to an authentication bypass vulnerability that allows an attacker to gain access to sensitive information. Solution Upgrade to version 1.3.1...
WordPress Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin <= 2.0.8 - SQL Injection vulnerability
SQL Injection vulnerability discovered by daroo in WordPress Plugin Unlimited Elements For Elementor Free Widgets, Addons, Templates versions <= 2.0.8...
WordPress Category Ajax Filter Plugin <= 2.8.2 is vulnerable to Local File Inclusion
Software Category Ajax Filter Type Plugin Vulnerable versions <= 2.8.2 Fixed in 2.8.3 OWASP Top 10 A1: Injection Classification Local File Inclusion CVE CVE-2024-10871 Patch priority High CVSS severity High 8.1 Developer Claim ownership PSID 41b4026eef43 Credits Le Ngoc Anh Required privilege...
WordPress Fast Flow Plugin <= 1.2.12 - Authenticated Stored Cross-Site Scripting
Authenticated Stored Cross-Site Scripting vulnerability discovered by Hardik Rathod in Fast Flow plugin versions <= 1.2.12. Solution Update the WordPress Fast Flow plugin to the latest available version at least 1.2.13...
WordPress WPCargo Track & Trace plugin <= 6.9.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by Raul in WordPress WPCargo Track & Trace plugin versions <= 6.9.4. Solution Update the WordPress WPCargo Track & Trace plugin to the latest available version at least 6.9.5...
WordPress wpDataTables plugin <= 2.1.27 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting XSS vulnerability discovered by Muhammad Daffa Patchstack Alliance in WordPress wpDataTables plugin versions <= 2.1.27. Solution Update the WordPress wpDataTables plugin to the latest available version at least 2.1.28...
WordPress Float menu plugin <= 4.3 - Arbitrary Menu Deletion via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Menu Deletion via Cross-Site Request Forgery CSRF vulnerability discovered by Krzysztof Zając in WordPress Float menu plugin versions <= 4.3. Solution Update the WordPress Float menu plugin to the latest available version at least 4.3.1...
WordPress Contact Form 7 plugin <= 5.3.1 - Unrestricted File Upload vulnerability
Unrestricted File Upload vulnerability found by Jinson Varghese Behanan in WordPress Contact Form 7 plugin versions <= 5.3.1. Solution Update the WordPress Contact Form 7 plugin to the latest available version at least 5.3.2...
WordPress WP e-Commerce Shop Styling plugin <= 2.9.1 - Unauthenticated Local File Inclusion (LFI) vulnerability
Unauthenticated Local File Inclusion LFI vulnerability discovered by Random Robbie in WordPress WP e-Commerce Shop Styling plugin versions <= 2.9.1. Solution Plugin closed. Deactivate and delete...
WordPress 3.9-5.1 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting XSS vulnerability found by Simon Scannell in WordPress versions 3.9-5.1. Solution Update WordPress to the latest available version at least 5.1.1...
WordPress Bridge theme <=11.1 - DOM Cross-Site Scripting (XSS) vulnerability
WordPress Bridge theme versions 11.1 and earlier are vulnerable to DOM-based Cross-Site Scripting XSS. Solution Update the WordPress Bridge theme to the latest available version at least 11.2...
WordPress Photo Gallery plugin <= 1.2.100 - SQL Injection
Because of this vulnerability, authenticated users can execute arbitrary SQL commands via the "asc_or_desc" parameter of the galleries_bwg page in wp-admin/admin.php. Solution Upgrade the plugin...
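A sort-direction parameter like the one named above is a classic ORDER BY injection: placeholders in a prepared statement can only carry values, not SQL keywords or identifiers, so the direction string is often concatenated verbatim. The following is an added illustration of that pattern beside an allow-listed version; it is not the Photo Gallery plugin's own code, and the function names, table name and the constructed hostile value are hypothetical.

```php
<?php
// Added illustration, not the Photo Gallery plugin's code: a sort column and
// direction taken from the request and spliced into ORDER BY, next to a
// hardened variant. All names here are hypothetical.

// Vulnerable: the direction (and column) are concatenated as-is, because a
// prepared-statement placeholder cannot stand in for an SQL keyword.
function build_gallery_query_vulnerable(string $order_by, string $asc_or_desc): string
{
    return "SELECT id, name FROM wp_bwg_gallery ORDER BY $order_by $asc_or_desc";
}

// Hardened: the column is mapped through an allow-list of real column names
// and the direction is reduced to exactly ASC or DESC; anything else falls
// back to a safe default and never reaches the SQL string.
function build_gallery_query_safe(string $order_by, string $asc_or_desc): string
{
    $columns   = ['id' => 'id', 'name' => 'name', 'order' => 'sort_order'];
    $column    = $columns[strtolower($order_by)] ?? 'id';
    $direction = strtoupper($asc_or_desc) === 'DESC' ? 'DESC' : 'ASC';

    return "SELECT id, name FROM wp_bwg_gallery ORDER BY $column $direction";
}

// Constructed request value: a valid direction followed by an injected
// expression, the shape a blind probe of this parameter would take.
$hostile = 'ASC, (SELECT SLEEP(5))';

// The vulnerable builder passes the whole string through to MySQL; the
// hardened builder keeps only the "ASC" it recognises.
echo build_gallery_query_vulnerable('id', $hostile), PHP_EOL;
echo build_gallery_query_safe('id', $hostile), PHP_EOL;
```

Inside WordPress the same split applies: `$wpdb->prepare()` protects values, while ORDER BY clauses need an allow-list like the one above or the core `sanitize_sql_orderby()` helper, which rejects anything that is not `column ASC|DESC` pairs.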
WordPress Everest Forms (Pro) plugin <= 1.9.4 - Unauthenticated Path Traversal to Arbitrary File Deletion vulnerability
Unauthenticated Path Traversal to Arbitrary File Deletion vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Everest Forms Pro versions <= 1.9.4...
WordPress WP Flipclock plugin <= 1.9.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by theviper17 in WordPress Plugin WP Flipclock versions <= 1.9.1...
WordPress Widget Options Plugin <= 4.0.7 is vulnerable to Remote Code Execution (RCE)
Software Widget Options Type Plugin Vulnerable versions <= 4.0.7 Fixed in 4.0.8 OWASP Top 10 A1: Injection Classification Remote Code Execution RCE CVE CVE-2024-8672 Patch priority High CVSS severity High 9.9 Developer Claim ownership PSID 44c40aa090ca Credits Webbernaut Required privilege...
WordPress W3 Total Cache Plugin <= 2.7.5 is vulnerable to Sensitive Data Exposure
Software W3 Total Cache Type Plugin Vulnerable versions <= 2.7.5 Fixed in 2.7.6 OWASP Top 10 A3: Sensitive Data Exposure Classification Sensitive Data Exposure CVE CVE-2023-5359 Patch priority Low CVSS severity Low 3.7 Developer Claim ownership PSID 553a33ae4238 Credits Ivan Kuzymchak Required...
WordPress WP Pocket URLs Plugin <= 1.0.2 is vulnerable to Cross Site Scripting (XSS)
Software WP Pocket URLs Type Plugin Vulnerable versions <= 1.0.2 Fixed in 1.0.3 OWASP Top 10 A3: Injection Classification Cross Site Scripting XSS CVE CVE-2023-49176 Patch priority Medium CVSS severity Medium 7.1 Developer Claim ownership PSID 380f014ea38f Credits SeungYongLee Required privilege...
WordPress core <= 6.0.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting XSS vulnerability via SQL Injection SQLi in the Media Library discovered by Ben Bidner WordPress security team and Marc Montpas Automattic in WordPress core versions <= 6.0.2. Solution Update WordPress to the latest available version at least 6.0.3...
WordPress Backup Buddy plugin 8.5.8.0 - 8.7.4.1 - Unauthenticated Path Traversal / Arbitrary File Download vulnerability
Unauthenticated Path Traversal / Arbitrary File Download vulnerability discovered by Lew Ayotte & Timothy Jacobs in WordPress Backup Buddy plugin versions 8.5.8.0 - 8.7.4.1. Solution Update the WordPress BackupBuddy plugin to the latest available version at least 8.7.5.0...
WordPress Download Manager Plugin <= 3.2.49 - Authenticated PHAR Deserialization vulnerability
Authenticated PHAR Deserialization vulnerability discovered by Rasoul Jahanshahi in Download Manager plugin versions <= 3.2.49. Solution Update the WordPress Download Manager plugin to the latest available version at least 3.2.50...
WordPress weForms plugin <= 1.6.13 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by Tri Wanda Septian in WordPress weForms plugin versions <= 1.6.13. Solution Update the WordPress weForms plugin to the latest available version at least 1.6.14...
WordPress Ninja Forms plugin <= 3.6.10 - Unauthenticated PHP Object Injection vulnerability
Unauthenticated PHP Object Injection vulnerability discovered in WordPress Ninja Forms plugin versions <= 3.6.10. Solution Update the WordPress Ninja Forms plugin to the latest available version at least 3.6.11...
WordPress WPQA - Builder forms Addon plugin < 5.2 - Arbitrary Profile Picture Deletion via IDOR vulnerability
Arbitrary Profile Picture Deletion via IDOR vulnerability discovered by Binit Ghimire in WordPress WPQA - Builder forms Addon plugin versions < 5.2. Solution Update the WordPress WPQA - Builder forms Addon plugin to the latest available version at least 5.2...
WordPress Pricing Table Plugin plugin <= 3.6 - Authenticated SQL Injection (SQLi) vulnerability
SQL Injection SQLi vulnerability discovered by cydave in WordPress Pricing Table Plugin plugin versions <= 3.6. Solution Update the WordPress Pricing Table Plugin plugin to the latest available version at least 3.6.1...
WordPress ClickerVolt – Affiliate Links & Click Tracking for Performance Marketers plugin <= 1.169 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress ClickerVolt – Affiliate Links & Click Tracking for Performance Marketers plugin versions <= 1.169. Solution No patched version available...
WordPress Check & Log Email plugin <= 1.0.2 - Multiple SQL Injection (SQLi) vulnerabilities
Multiple SQL Injection SQLi vulnerabilities were discovered by bl4derunner in WordPress Check & Log Email plugin versions <= 1.0.2. Solution Update the WordPress Check & Log Email plugin to the latest available version at least 1.0.3...
WordPress <= 5.5.1 - Unauthenticated Denial-of-Service (DoS) Attack to Remote Code Execution (RCE) vulnerability
Unauthenticated Denial-of-Service DoS Attack to Remote Code Execution RCE vulnerability found by Omar Ganiev in WordPress versions <= 5.5.1. Solution Update WordPress to the latest available version at least 5.5.2...
WordPress <=4.7.4 - Host Header Injection in Password Reset
Because the headers passed to the PHP mail function are built from SERVER_NAME, an attacker who sends a crafted wp-login.php?action=lostpassword request with a spoofed Host header can trick WordPress into directing the password reset mail to the attacker's SMTP server. Solution Update WordPress to the latest possible version at least 4.7.5...
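The mechanism behind that entry is a sender address derived from a request-controlled server variable: on a web server that fills SERVER_NAME from the Host header (Apache with UseCanonicalName Off, for instance), the From and Return-Path domain of the reset mail ends up under the attacker's control, so bounces and auto-replies carrying the reset link go to the attacker's mail server. The block below is an added illustration, not WordPress core code: it shows the vulnerable derivation beside a variant that takes the host from operator configuration. The function names, the constant and the spoofed value are hypothetical.

```php
<?php
// Added illustration, not WordPress core code: a mail "From" address built
// from $_SERVER['SERVER_NAME'] versus one built from configured site data.
// Names and values below are hypothetical.

// Constructed request: this is what SERVER_NAME looks like after a request
// with "Host: attacker.example" on a server that does not canonicalise it.
$_SERVER['SERVER_NAME'] = 'attacker.example';

// Vulnerable: the sender domain is whatever the client put in Host, so the
// Return-Path (where bounces go) belongs to the attacker.
function reset_mail_headers_vulnerable(): array
{
    $sitename = strtolower($_SERVER['SERVER_NAME']);
    if (substr($sitename, 0, 4) === 'www.') {
        $sitename = substr($sitename, 4);
    }
    $from = 'wordpress@' . $sitename;

    return ['From' => "WordPress <$from>", 'Return-Path' => $from];
}

// Hardened: the sender domain comes from a value the operator controls. The
// constant stands in for the configured site URL; the request never
// influences it.
const CONFIGURED_SITE_URL = 'https://blog.example.org';

function reset_mail_headers_safe(): array
{
    $host = strtolower((string) parse_url(CONFIGURED_SITE_URL, PHP_URL_HOST));
    $from = 'wordpress@' . $host;

    return ['From' => "WordPress <$from>", 'Return-Path' => $from];
}

// The first set of headers carries attacker.example; the second carries the
// configured blog.example.org regardless of the spoofed Host header.
print_r(reset_mail_headers_vulnerable());
print_r(reset_mail_headers_safe());
```

In a real deployment the same pinning is done in two places: in WordPress by setting the sender through the `wp_mail_from` and `wp_mail_from_name` filters, and at the web server by setting an explicit ServerName and UseCanonicalName On so SERVER_NAME stops echoing the Host header at all.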
WordPress Visual Composer Plugin <= 4.7.3 - Cross Site Scripting
This WordPress plugin is prone to a cross-site scripting XSS vulnerability. It allows remote attackers to inject arbitrary script or HTML. Solution Update the plugin...
WordPress WooCommerce Plugin <= 2.3.5 - SQL Injection
Because of this vulnerability, remote authenticated users can execute arbitrary SQL commands. Solution Update the plugin...
WordPress <= 3.3.1 - Multiple Vulnerabilities
WordPress version 3.3.1 is prone to PHP code execution and persistent cross-site scripting vulnerabilities via the setup-config.php page. Attackers can host their own MySQL database server and then successfully complete the WordPress installation without having any valid credentials on the targ...
WordPress WP responsive FAQ with category Plugin <= 3.8 is vulnerable to Broken Access Control
Software WP responsive FAQ with category Type Plugin Vulnerable versions <= 3.8 Fixed in 3.9 OWASP Top 10 A1: Broken Access Control Classification Broken Access Control CVE CVE-2023-40200 Patch priority Medium CVSS severity Medium 5.3 Developer Claim ownership PSID 32b8b1fbabbe Credits Abdi Pranat...
WordPress Betheme premium theme <= 26.6.1 - Broken Access Control vulnerability
Broken Access Control vulnerability leading to a settings change in the plugin specific to this theme, discovered by Dave Jong Patchstack in the WordPress Betheme premium theme versions <= 26.6.1. Solution Update the WordPress Betheme theme to the latest available version at least 26.6.3...
WordPress Comments – wpDiscuz plugin 7.4.2 - Insecure Direct Object References (IDOR) vulnerability
Insecure Direct Object References IDOR vulnerability discovered by Dhakal Ananda in WordPress Comments – wpDiscuz plugin versions 7.4.2. Solution Update the WordPress wpDiscuz plugin to the latest available version at least 7.5...
WordPress Page View Count plugin <= 2.5.5 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery CSRF vulnerability leading to plugin settings reset was discovered by Mika Patchstack Alliance in the WordPress Page View Count plugin versions <= 2.5.5. Solution Update the WordPress Page View Count plugin to the latest available version at least 2.5.6...
WordPress All-in-One WP Migration plugin <= 7.62 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability
Unauthenticated Reflected Cross-Site Scripting XSS vulnerability discovered by Team ISH Tecnologia in WordPress All-in-One WP Migration plugin versions <= 7.62. Solution Update the WordPress All-in-One WP Migration plugin to the latest available version at least 7.63...
WordPress AS – Create Pinterest Pinboard Pages plugin <= 1.0 - Authenticated plugin settings change leading to Stored Cross-Site Scripting (XSS) vulnerability
Authenticated plugin settings change leading to Stored Cross-Site Scripting XSS vulnerability discovered by ptsfence in WordPress AS – Create Pinterest Pinboard Pages plugin versions <= 1.0. Solution No fix is available...
WordPress MaxButtons plugin <= 9.2 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery CSRF vulnerabilities were discovered by Muhammad Daffa Patchstack Alliance in WordPress MaxButtons plugin versions <= 9.2. Solution Update the WordPress MaxButtons plugin to the latest available version at least 9.3...
WordPress WP-UserOnline plugin <= 2.87.6 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by Steffin Stanly in WordPress WP-UserOnline plugin versions <= 2.87.6. Solution Update the WordPress WP-UserOnline plugin to the latest available version at least 2.88.0...
WordPress All in One WP Migration plugin <= 7.58 - Directory Traversal to File Deletion on Windows Hosts vulnerability
Directory Traversal to File Deletion on Windows Hosts vulnerability discovered by haidv35 Viettel Cyber Security in WordPress All-in-One WP Migration plugin versions <= 7.58. Solution Update the WordPress All-in-One WP Migration plugin to the latest available version at least 7.59...
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.5.3 - Arbitrary File Upload leading to RCE
Arbitrary File Upload leading to RCE discovered by Huli Cymetrics in WordPress VikBooking Hotel Booking Engine & PMS plugin versions <= 1.5.3. Solution Update the WordPress VikBooking Hotel Booking Engine & PMS plugin to the latest available version at least 1.5.4...