WordPress Transposh WordPress Translation plugin <= 1.0.8.1 - Authorization Bypass vulnerability
Authorization Bypass vulnerability discovered by Julien Ahrens in WordPress Transposh WordPress Translation plugin versions <= 1.0.8.1. Solution: No patched version is available. This plugin has been closed as of February 7, 2022 and is not available for download. Reason: Security Issue...
WordPress MaxButtons plugin <= 9.2 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Muhammad Daffa (Patchstack Alliance) in WordPress MaxButtons plugin versions <= 9.2. Solution: Update the WordPress MaxButtons plugin to the latest available version (at least 9.3)...
WordPress weForms plugin <= 1.6.13 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Tri Wanda Septian in WordPress weForms plugin versions <= 1.6.13. Solution: Update the WordPress weForms plugin to the latest available version (at least 1.6.14)...
WordPress ClickerVolt – Affiliate Links & Click Tracking for Performance Marketers plugin <= 1.169 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress ClickerVolt – Affiliate Links & Click Tracking for Performance Marketers plugin versions <= 1.169. Solution: No patched version available...
WordPress Float menu plugin <= 4.3 - Arbitrary Menu Deletion via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Menu Deletion via Cross-Site Request Forgery (CSRF) vulnerability discovered by Krzysztof Zając in WordPress Float menu plugin versions <= 4.3. Solution: Update the WordPress Float menu plugin to the latest available version (at least 4.3.1)...
WordPress Ad Inserter Pro premium plugin <= 2.7.8 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Ad Inserter Pro premium plugin versions <= 2.7.8. Solution: Update the WordPress Ad Inserter Pro premium plugin to the latest available version (at least 2.7.10)...
WordPress Check & Log Email plugin <= 1.0.2 - Multiple SQL Injection (SQLi) vulnerabilities
Multiple SQL Injection (SQLi) vulnerabilities were discovered by bl4derunner in WordPress Check & Log Email plugin versions <= 1.0.2. Solution: Update the WordPress Check & Log Email plugin to the latest available version (at least 1.0.3)...
WordPress <= 5.5.1 - Unauthenticated Denial-of-Service (DoS) Attack to Remote Code Execution (RCE) vulnerability
Unauthenticated Denial-of-Service (DoS) Attack to Remote Code Execution (RCE) vulnerability found by Omar Ganiev in WordPress versions <= 5.5.1. Solution: Update WordPress to the latest available version (at least 5.5.2)...
WordPress Bridge theme <=11.1 - DOM Cross-Site Scripting (XSS) vulnerability
WordPress Bridge theme 11.1 and earlier versions are vulnerable to a DOM Cross-Site Scripting (XSS) vulnerability. Solution: Update the WordPress Bridge theme to the latest available version (at least 11.2)...
WordPress Photo Gallery plugin <= 1.2.100 - SQL Injection
Because of this vulnerability, authenticated users can execute arbitrary SQL commands via the "asc_or_desc" parameter in the galleries_bwg page to wp-admin/admin.php. Solution: Upgrade the plugin...
WordPress WP Flipclock plugin <= 1.9.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by theviper17 in WordPress Plugin WP Flipclock versions <= 1.9.1...
WordPress Widget Options Plugin <= 4.0.7 is vulnerable to Remote Code Execution (RCE)
Software: Widget Options. Type: Plugin. Vulnerable versions: <= 4.0.7. Fixed in: 4.0.8. OWASP Top 10: A1: Injection. Classification: Remote Code Execution (RCE). CVE: CVE-2024-8672. Patch priority: High. CVSS severity: High (9.9). PSID: 44c40aa090ca. Credits: Webbernaut. Required privilege: ...
WordPress Betheme premium theme <= 26.6.1 - Broken Access Control vulnerability
Broken Access Control vulnerability leading to a settings change in the plugin specific to this theme, discovered by Dave Jong (Patchstack) in the WordPress Betheme premium theme versions <= 26.6.1. Solution: Update the WordPress Betheme theme to the latest available version (at least 26.6.3)...
WordPress Comments – wpDiscuz plugin 7.4.2 - Insecure Direct Object References (IDOR) vulnerability
Insecure Direct Object References (IDOR) vulnerability discovered by Dhakal Ananda in WordPress Comments – wpDiscuz plugin versions 7.4.2. Solution: Update the WordPress wpDiscuz plugin to the latest available version (at least 7.5)...
WordPress core <= 6.0.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability via SQL Injection (SQLi) in the Media Library discovered by Ben Bidner (WordPress security team) and Marc Montpas (Automattic) in WordPress core versions <= 6.0.2. Solution: Update WordPress to the latest available version (at least 6.0.3)...
WordPress Backup Buddy plugin 8.5.8.0 - 8.7.4.1 - Unauthenticated Path Traversal / Arbitrary File Download vulnerability
Unauthenticated Path Traversal / Arbitrary File Download vulnerability discovered by Lew Ayotte & Timothy Jacobs in WordPress Backup Buddy plugin versions 8.5.8.0 - 8.7.4.1. Solution: Update the WordPress BackupBuddy plugin to the latest available version (at least 8.7.5.0)...
WordPress AS – Create Pinterest Pinboard Pages plugin <= 1.0 - Authenticated plugin settings change leading to Stored Cross-Site Scripting (XSS) vulnerability
Authenticated plugin settings change leading to Stored Cross-Site Scripting (XSS) vulnerability discovered by ptsfence in WordPress AS – Create Pinterest Pinboard Pages plugin versions <= 1.0. Solution: No fix is available...
WordPress WP-UserOnline plugin <= 2.87.6 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Steffin Stanly in WordPress WP-UserOnline plugin versions <= 2.87.6. Solution: Update the WordPress User Online plugin to the latest available version (at least 2.88.0)...
WordPress Ninja Forms plugin <= 3.6.10 - Unauthenticated PHP Object Injection vulnerability
Unauthenticated PHP Object Injection vulnerability discovered in WordPress Ninja Forms plugin versions <= 3.6.10. Solution: Update the WordPress Ninja Forms plugin to the latest available version (at least 3.6.11)...
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.5.3 - Arbitrary File Upload leading to RCE
Arbitrary File Upload leading to RCE discovered by Huli (Cymetrics) in WordPress VikBooking Hotel Booking Engine & PMS plugin versions <= 1.5.3. Solution: Update the WordPress VikBooking Hotel Booking Engine & PMS plugin to the latest available version (at least 1.5.4)...
WordPress Amelia plugin <= 1.0.48 - Arbitrary Appointments Status Update vulnerability
Arbitrary Appointments Status Update vulnerability discovered by Huli from Cymetrics in WordPress Amelia plugin versions <= 1.0.48. Solution: Update the WordPress Amelia plugin to the latest available version (at least 1.0.49)...
WordPress Infographic Maker – iList plugin <= 4.3.7 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress Infographic Maker – iList plugin versions <= 4.3.7. Solution: Update the WordPress Infographic Maker – iList plugin to the latest available version (at least 4.3.8)...
WordPress BulletProof Security plugin <= 5.1 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered by Vincent Rakotomanga in WordPress BulletProof Security plugin versions <= 5.1. Solution: Update the WordPress BulletProof Security plugin to the latest available version (at least 5.2)...
WordPress <=4.7.4 - Host Header Injection in Password Reset
The issue with SERVER_NAME and the PHP mail function allows an attacker to trick WordPress into sending the password reset mail for a crafted wp-login.php?action=lostpassword request to the attacker's SMTP server. Solution: Update WordPress to the latest possible version (at least 4.7.5)...
WordPress WP ViperGB Plugin <= 1.3.10 - Multiple CSRF and XSS
Because of these cross-site request forgery vulnerabilities, attackers can hijack the authentication of administrators for requests. In that way they can change plugin settings via unspecified vectors or conduct cross-site scripting attacks. Solution: Update the plugin...
WordPress <= 3.5.0 - SSRF
Because of the XML-RPC API, attackers can send HTTP requests to intranet servers. They can also conduct port-scanning attacks by specifying a crafted source URL for a pingback. Solution: Update WordPress...
WordPress <= 3.3.1 - Multiple Vulnerabilities
WordPress version 3.3.1 is prone to PHP code execution and persistent cross-site scripting vulnerabilities via the "setup-config.php" page. Attackers can host their own MySQL database server and then successfully complete the WordPress installation without having any valid credentials on the targ...
WordPress Magical Addons For Elementor plugin <= 1.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Attributes vulnerability discovered by zer0gh0st in WordPress Plugin Magical Addons For Elementor versions <= 1.3.8...
WordPress Everest Forms (Pro) plugin <= 1.9.4 - Unauthenticated Path Traversal to Arbitrary File Deletion vulnerability
Unauthenticated Path Traversal to Arbitrary File Deletion vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Everest Forms (Pro) versions <= 1.9.4...
WordPress SearchWP premium plugin <= 4.2.5 - Broken Authentication vulnerability
Broken Authentication vulnerability via Nonce Token Leakage Leading to Plugin Settings Change discovered by Dave Jong (Patchstack) in the WordPress SearchWP premium plugin versions <= 4.2.5. Solution: Update the WordPress SearchWP plugin to the latest available version (at least 4.2.6)...
WordPress Page View Count plugin <= 2.5.5 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to plugin settings reset was discovered by Mika (Patchstack Alliance) in the WordPress Page View Count plugin versions <= 2.5.5. Solution: Update the WordPress Page View Count plugin to the latest available version (at least 2.5.6)...
WordPress All-in-One WP Migration plugin <= 7.62 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Team ISH Tecnologia in WordPress All-in-One WP Migration plugin versions <= 7.62. Solution: Update the WordPress All-in-One WP Migration plugin to the latest available version (at least 7.63)...
WordPress Uploading SVG, WEBP and ICO files plugin <= 1.0.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability via malicious SVG file upload discovered by Universe (Patchstack Alliance) in WordPress Uploading SVG, WEBP and ICO files plugin versions <= 1.0.1. Solution: No patched version available...
WordPress String Locator plugin <= 2.5.0 - Authenticated PHAR Deserialization vulnerability
Authenticated PHAR Deserialization vulnerability discovered by Rasoul Jahanshahi in WordPress String Locator plugin versions <= 2.5.0. Solution: Update the WordPress String Locator plugin to the latest available version (at least 2.6.0)...
WordPress WP Meta SEO plugin <= 4.4.8 - Social Settings Update via Cross-Site Request Forgery (CSRF) vulnerability
Social Settings Update via Cross-Site Request Forgery (CSRF) vulnerability discovered by Rafie Muhammad (aka Yeraisci, Patchstack Alliance) in WordPress WP Meta SEO plugin versions <= 4.4.8. Solution: Update the WordPress WP Meta SEO plugin to the latest available version (at least 4.4.9)...
WordPress Opal Hotel Room Booking plugin <= 1.2.7 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Opal Hotel Room Booking plugin versions <= 1.2.7. Solution: Deactivate and delete. No reply from the vendor...
WordPress EXMAGE plugin <= 1.0.6 - Blind Server-Side Request Forgery (SSRF) vulnerability
Blind Server-Side Request Forgery (SSRF) vulnerability discovered by Luan Pedersini in WordPress EXMAGE plugin versions <= 1.0.6. Solution: Update the WordPress EXMAGE plugin to the latest available version (at least 1.0.7)...
WordPress Pricing Table Plugin plugin <= 3.6 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress Pricing Table Plugin plugin versions <= 3.6. Solution: Update the WordPress Pricing Table Plugin plugin to the latest available version (at least 3.6.1)...
WordPress OSMapper plugin <= 2.1.5 - Unauthenticated Arbitrary Post Deletion vulnerability
Unauthenticated Arbitrary Post Deletion vulnerability discovered by dc11 in WordPress OSMapper plugin versions <= 2.1.5. Solution: Deactivate and delete. This plugin has been closed as of February 15, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress WP Statistics plugin <= 13.1.5 - Unauthenticated Blind SQL Injection (SQLi) vulnerability
Unauthenticated Blind SQL Injection (SQLi) vulnerability via the current_page_type parameter discovered by Muhammad Zeeshan (Xib3rR4dAr) in WordPress WP Statistics plugin versions <= 13.1.5. Solution: Update the WordPress WP Statistics plugin to the latest available version (at least 13.1.6)...
WordPress WP Time Slots Booking Form plugin <= 1.1.62 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Rubina Shaikh in WordPress WP Time Slots Booking Form plugin versions <= 1.1.62. Solution: Update the WordPress WP Time Slots Booking Form plugin to the latest available version (at least 1.1.63)...
WordPress All in One SEO plugin <= 4.1.5.2 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Marc Montpas in WordPress All in One SEO plugin versions <= 4.1.5.2. Solution: Update the WordPress All in One SEO plugin to the latest available version (at least 4.1.5.3)...
WordPress Survey Maker plugin <= 2.0.6 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien in WordPress Survey Maker plugin versions <= 2.0.6. Solution: Update the WordPress Survey Maker plugin to the latest available version (at least 2.0.7)...
WordPress Astra Pro premium plugin <= 3.5.1 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by Ngoc Nguyen in WordPress Astra Pro premium plugin versions <= 3.5.1. Solution: Update the WordPress Astra Pro premium plugin to the latest available version (at least 3.5.2)...
WordPress Jetpack plugin <= 9.7.1 - Attached Image Comment Leak For Non-Published Post And Pages in Carousel Feature
Page/Post attachment comment leak for non-published posts and pages in the Carousel feature discovered by nguyenhgvcs in WordPress Jetpack plugin versions <= 9.7.1. Solution: Update the WordPress Jetpack plugin to the latest available version (at least 9.8)...
WordPress Visual Composer Plugin <= 4.7.3 - Cross Site Scripting
This WordPress plugin is prone to a cross-site scripting (XSS) vulnerability that allows remote attackers to inject arbitrary script or HTML. Solution: Update the plugin...
WordPress WooCommerce Plugin <= 2.3.5 - SQL Injection
Because of this vulnerability, remote authenticated users can execute arbitrary SQL commands. Solution: Update the plugin...
WordPress <=4.0.1 - Denial of Service Attacks
WordPress 4.0.1 is prone to a denial of service vulnerability that allows an attacker to send specially crafted requests. These requests result in CPU and memory exhaustion, making the site unavailable. Solution: Update WordPress...
WordPress Booking Calendar Plugin - SQL Injection
The "bookingformid" parameter of this WordPress Booking Calendar plugin is prone to SQL injection. This vulnerability allows an attacker to modify data, compromise access to the application, or exploit hidden vulnerabilities in the underlying database. Solution: Update the plugin...
WordPress CommentLuv Plugin - Cross Site Scripting
WordPress CommentLuv plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal cookie-based...