WordPress <= 2.0.4 - Multiple Directory Traversal
Because of these vulnerabilities in plugins/wp-db-backup.php, authenticated users can read or overwrite arbitrary files via directory traversal sequences. Solution: Update the plugin...
WordPress <= 1.5.1.2 - Multiple Vulnerabilities #1
Because of these vulnerabilities in wp-login.php, attackers can change the content of the forgotten-password e-mail message via the message variable, which is not initialized before use. Solution: Update WordPress to the latest available version, at least 1.5.1.3...
WordPress <= 1.5.1.2 - Multiple XSS vulnerabilities
Because of these vulnerabilities in post.php, attackers can inject arbitrary web script or HTML via the "p" or "comment" parameter. Solution: Update WordPress to the latest available version, at least 1.5.1.3...
WordPress <=1.5.1 - SQL injection
Because of this vulnerability, attackers can execute arbitrary SQL commands via the $catID variable. Solution: Update WordPress to the latest available version, at least 1.5.2...
WordPress WP CarDealer plugin <= 1.2.16 - Unauthenticated Privilege Escalation vulnerability
Unauthenticated Privilege Escalation vulnerability discovered by Foxyyy in WordPress Plugin WP CarDealer versions <= 1.2.16...
WordPress All-in-One Video Gallery plugin <= 4.5.7 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by kr0d in WordPress Plugin All-in-One Video Gallery versions <= 4.5.7...
WordPress Time Sheets plugin <= 2.1.3 - Use of Known Vulnerable Component vulnerability
Use of Known Vulnerable Component vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Time Sheets versions <= 2.1.3...
WordPress Appy Pie Connect for WooCommerce plugin <= 1.1.2 - Missing Authorization to Unauthenticated Privilege Escalation via reset_user_password vulnerability
Missing Authorization to Unauthenticated Privilege Escalation via reset_user_password vulnerability discovered by johska in WordPress Plugin Appy Pie Connect for WooCommerce versions <= 1.1.2...
WordPress Nasa Core plugin < 6.4.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Nasa Core versions < 6.4.1...
WordPress SureTriggers <= 1.0.82 - Privilege Escalation Vulnerability
Privilege Escalation Vulnerability discovered by Denver Jackson Patchstack Alliance in WordPress Plugin OttoKit versions <= 1.0.82...
WordPress Contest Gallery Plugin <= 24.0.7 is vulnerable to Privilege Escalation
Software: Contest Gallery; Type: Plugin; Vulnerable versions: <= 24.0.7; Fixed in: 24.0.8; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Privilege Escalation; CVE: CVE-2024-11103; Patch priority: High; CVSS severity: High 9.8; Developer: Wasiliy Strecker; PSID: 917060960355; Credits...
WordPress Paid Member Subscriptions Plugin <= 2.13.0 is vulnerable to Arbitrary Code Execution
Software: Paid Member Subscriptions; Type: Plugin; Vulnerable versions: <= 2.13.0; Fixed in: 2.13.1; OWASP Top 10: A3: Injection; Classification: Arbitrary Code Execution; CVE: CVE-2024-10261; Patch priority: High; CVSS severity: High 7.3; Developer: Claim ownership; PSID: da8c77c26afb; Credits: Arkadiusz Hydzik; Require...
WordPress Otter - Gutenberg Block Plugin <= 3.0.6 is vulnerable to Path Traversal
Software: Otter - Gutenberg Block; Type: Plugin; Vulnerable versions: <= 3.0.6; Fixed in: 3.0.7; OWASP Top 10: A4: Insecure Design; Classification: Path Traversal; CVE: CVE-2024-11219; Patch priority: Low; CVSS severity: Low 5.3; Developer: Claim ownership; PSID: 16f94f193561; Credits: mikemyers; Required privilege...
WordPress InPost Gallery Plugin <= 2.1.4.2 is vulnerable to Arbitrary Code Execution
Software: InPost Gallery; Type: Plugin; Vulnerable versions: <= 2.1.4.2; Fixed in: 2.1.4.3; OWASP Top 10: A3: Injection; Classification: Arbitrary Code Execution; CVE: CVE-2024-11002; Patch priority: High; CVSS severity: High 6.3; Developer: Claim ownership; PSID: 33afec67c5eb; Credits: Arkadiusz Hydzik; Required privile...
WordPress Activity Log Plugin <= 2.11.1 is vulnerable to Cross Site Scripting (XSS)
Software: Activity Log; Type: Plugin; Vulnerable versions: <= 2.11.1; Fixed in: 2.11.2; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-10788; Patch priority: Medium; CVSS severity: Medium 7.1; Developer: Elementor; PSID: 657fbb862f42; Credits: mikemyers; Required...
WordPress F4 Improvements Plugin <= 1.9.0 is vulnerable to Cross Site Scripting (XSS)
Software: F4 Improvements; Type: Plugin; Vulnerable versions: <= 1.9.0; Fixed in: N/A; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-9442; Patch priority: Low; CVSS severity: Low 6.5; Developer: Claim ownership; PSID: 375a420bcdeb; Credits: Francesco Carlucci; Require...
WordPress Sirv plugin <= 7.3.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary Option Deletion vulnerability
Missing Authorization to Authenticated (Contributor+) Arbitrary Option Deletion vulnerability discovered by Arkadiusz Hydzik in WordPress Plugin Sirv versions <= 7.3.0...
WordPress Geolocator Plugin <= 1.1 is vulnerable to PHP Object Injection
Software: Geolocator; Type: Plugin; Vulnerable versions: <= 1.1; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: PHP Object Injection; CVE: CVE-2024-52443; Patch priority: High; CVSS severity: High 9.8; Developer: Claim ownership; PSID: 70b8a65b2fb3; Credits: LVT-tholv2k; Required privilege: Unauthenticated...
WordPress Opal Woo Custom Product Variation Plugin <= 1.1.3 is vulnerable to Arbitrary File Deletion
Software: Opal Woo Custom Product Variation; Type: Plugin; Vulnerable versions: <= 1.1.3; Fixed in: 1.1.4; OWASP Top 10: A5: Security Misconfiguration; Classification: Arbitrary File Deletion; CVE: CVE-2024-52444; Patch priority: High; CVSS severity: High 7.5; Developer: Claim ownership; PSID: aa758dfd0ef1; Credits...
WordPress Lis Video Gallery Plugin <= 0.2.1 is vulnerable to PHP Object Injection
Software: Lis Video Gallery; Type: Plugin; Vulnerable versions: <= 0.2.1; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: PHP Object Injection; CVE: CVE-2024-52430; Patch priority: High; CVSS severity: High 9.8; Developer: Claim ownership; PSID: a078bb126c5a; Credits: LVT-tholv2k; Required privilege...
WordPress Simple Local Avatars Plugin <= 2.7.11 is vulnerable to Broken Access Control
Software: Simple Local Avatars; Type: Plugin; Vulnerable versions: <= 2.7.11; Fixed in: 2.8.0; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2024-10786; Patch priority: Low; CVSS severity: Low 4.3; Developer: Claim ownership; PSID: 717b24faeea4; Credits: Trương Hữu Phúc...
WordPress Push Notifications for WordPress by PushAssist Plugin <= 3.0.8 is vulnerable to Arbitrary File Upload
Software: Push Notifications for WordPress by PushAssist; Type: Plugin; Vulnerable versions: <= 3.0.8; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Arbitrary File Upload; CVE: CVE-2024-52408; Patch priority: High; CVSS severity: High 9.9; Developer: Claim ownership; PSID: 1a2483f66c15; Credits...
WordPress CF7 Reply Manager Plugin <= 1.2.3 is vulnerable to Arbitrary File Upload
Software: CF7 Reply Manager; Type: Plugin; Vulnerable versions: <= 1.2.3; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Arbitrary File Upload; CVE: CVE-2024-52404; Patch priority: High; CVSS severity: High 9.9; Developer: Claim ownership; PSID: ea9af17f6366; Credits: stealthcopter; Required privilege...
WordPress JetWidgets For Elementor Plugin <= 1.0.18 is vulnerable to Cross Site Scripting (XSS)
Software: JetWidgets For Elementor; Type: Plugin; Vulnerable versions: <= 1.0.18; Fixed in: 1.0.19; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-10323; Patch priority: Low; CVSS severity: Low 5.9; Developer: Claim ownership; PSID: 8136ec91932f; Credits: Francesco...
WordPress Devexhub Gallery Plugin <= 2.0.1 is vulnerable to Arbitrary File Upload
Software: Devexhub Gallery; Type: Plugin; Vulnerable versions: <= 2.0.1; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Arbitrary File Upload; CVE: CVE-2024-52373; Patch priority: High; CVSS severity: High 10; Developer: Claim ownership; PSID: 41326b5950fa; Credits: stealthcopter; Required privilege...
WordPress CYAN Backup Plugin <= 2.5.3 is vulnerable to Arbitrary File Download
Software: CYAN Backup; Type: Plugin; Vulnerable versions: <= 2.5.3; Fixed in: 2.5.4; OWASP Top 10: A1: Broken Access Control; Classification: Arbitrary File Download; CVE: CVE-2024-52390; Patch priority: Low; CVSS severity: Low 4.9; Developer: Claim ownership; PSID: b0f12165e19f; Credits: Junsu Yeo; Required privilege...
WordPress SKT Addons for Elementor Plugin <= 3.3 is vulnerable to Sensitive Data Exposure
Software: SKT Addons for Elementor; Type: Plugin; Vulnerable versions: <= 3.3; Fixed in: 3.4; OWASP Top 10: A3: Injection; Classification: Sensitive Data Exposure; CVE: CVE-2024-10693; Patch priority: Low; CVSS severity: Low 4.3; Developer: Claim ownership; PSID: 3577352f604c; Credits: Francesco Carlucci; Required...
WordPress Computer Repair Shop Plugin <= 3.8115 is vulnerable to Arbitrary File Upload
Software: Computer Repair Shop; Type: Plugin; Vulnerable versions: <= 3.8115; Fixed in: 3.8116; OWASP Top 10: A3: Injection; Classification: Arbitrary File Upload; CVE: CVE-2024-51793; Patch priority: High; CVSS severity: High 10; Developer: Claim ownership; PSID: 4e734860df66; Credits: stealthcopter; Required privilege...
WordPress BBP Core - Expand bbPress powered forums with useful features Plugin <= 1.2.5 is vulnerable to Cross Site Scripting (XSS)
Software: BBP Core - Expand bbPress powered forums with useful features; Type: Plugin; Vulnerable versions: <= 1.2.5; Fixed in: 1.2.6; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-9896; Patch priority: Medium; CVSS severity: Medium 7.1; Developer: Claim ownershi...
WordPress WP Course Manager Plugin <= 1.3 is vulnerable to Cross Site Request Forgery (CSRF)
Software: WP Course Manager; Type: Plugin; Vulnerable versions: <= 1.3; Fixed in: N/A; OWASP Top 10: A1: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2024-51658; Patch priority: Low; CVSS severity: Low 7.1; Developer: Claim ownership; PSID: fb5da93f1648; Credits: SOPROBRO; Required...
WordPress LH QR Codes Plugin <= 1.06 is vulnerable to Cross Site Scripting (XSS)
Software: LH QR Codes; Type: Plugin; Vulnerable versions: <= 1.06; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-51572; Patch priority: Low; CVSS severity: Low 6.5; Developer: Claim ownership; PSID: 8fc226cfb24a; Credits: SOPROBRO; Required privilege: Contributor...
WordPress Plug your WooCommerce into the largest catalog of customized print products from Helloprint Plugin <= 2.0.2 is vulnerable to Arbitrary File Upload
Software: Plug your WooCommerce into the largest catalog of customized print products from Helloprint; Type: Plugin; Vulnerable versions: <= 2.0.2; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Arbitrary File Upload; CVE: CVE-2024-50525; Patch priority: High; CVSS severity: High 10; Developer: Claim...
WordPress BuddyPress Plugin <= 14.1.0 is vulnerable to Directory Traversal
Software: BuddyPress; Type: Plugin; Vulnerable versions: <= 14.1.0; Fixed in: 14.2.1; OWASP Top 10: A3: Injection; Classification: Directory Traversal; CVE: CVE-2024-10011; Patch priority: High; CVSS severity: High 9.9; Developer: Claim ownership; PSID: 06408034e9a6; Credits: Domons; Required privilege: Subscriber; Publish...
WordPress 3D Work In Progress Plugin <= 1.0.3 is vulnerable to Arbitrary File Deletion
Software: 3D Work In Progress; Type: Plugin; Vulnerable versions: <= 1.0.3; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Arbitrary File Deletion; CVE: CVE-2024-49657; Patch priority: High; CVSS severity: High 7.7; Developer: Claim ownership; PSID: 209728d5f5a9; Credits: stealthcopter; Required privilege...
WordPress Easy Post Types Plugin <= 1.4.4 is vulnerable to PHP Object Injection
Software: Easy Post Types; Type: Plugin; Vulnerable versions: <= 1.4.4; Fixed in: N/A; OWASP Top 10: A1: Injection; Classification: PHP Object Injection; CVE: CVE-2024-10079; Patch priority: High; CVSS severity: High 8.8; Developer: Claim ownership; PSID: da4c9b968b4a; Credits: István Márton; Required privilege: Subscribe...
WordPress Htaccess File Editor Plugin <= 1.0.18 is vulnerable to Broken Access Control
Software: Htaccess File Editor; Type: Plugin; Vulnerable versions: <= 1.0.18; Fixed in: 1.0.19; OWASP Top 10: A1: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2024-49256; Patch priority: Medium; CVSS severity: Medium 6.5; Developer: Claim ownership; PSID: d6dd94150ebc; Credits: savphill; Require...
WordPress Wsify Widget Plugin <= 1.0 is vulnerable to Cross Site Request Forgery (CSRF)
Software: Wsify Widget; Type: Plugin; Vulnerable versions: <= 1.0; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2024-48048; Patch priority: Low; CVSS severity: Low 7.1; Developer: Claim ownership; PSID: 8cbe83f02c6b; Credits: Joshua Chan; Required privilege...
WordPress LatePoint Plugin <= 5.0.11 is vulnerable to SQL Injection
Software: LatePoint; Type: Plugin; Vulnerable versions: <= 5.0.11; Fixed in: 5.0.12; OWASP Top 10: A1: Injection; Classification: SQL Injection; CVE: CVE-2024-8911; Patch priority: High; CVSS severity: High 9.8; Developer: Claim ownership; PSID: 26726ee6dc78; Credits: István Márton; Required privilege: Unauthenticated...
WordPress Advanced Custom Fields PRO Plugin < 5.11 is vulnerable to Broken Access Control
Software: Advanced Custom Fields PRO; Type: Plugin; Vulnerable versions: < 5.11; Fixed in: 5.11; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2021-20865; Patch priority: Low; CVSS severity: Low 4.3; Developer: Claim ownership; PSID: 148c8b46d288; Credits: Keitaro Yamazaki...
WordPress GiveWP Plugin <= 3.16.2 is vulnerable to PHP Object Injection
Software: GiveWP; Type: Plugin; Vulnerable versions: <= 3.16.2; Fixed in: 3.16.3; OWASP Top 10: A1: Injection; Classification: PHP Object Injection; CVE: CVE-2024-8353; Patch priority: High; CVSS severity: High 10; Developer: Liquid Web / StellarWP; PSID: ab27727ec281; Credits: cuokon; Required privilege: Unauthenticated...
WordPress JobSearch Plugin <= 2.5.9 is vulnerable to Cross Site Scripting (XSS)
Software: JobSearch; Type: Plugin; Vulnerable versions: <= 2.5.9; Fixed in: 2.6.1; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-47394; Patch priority: Medium; CVSS severity: Medium 7.1; Developer: Claim ownership; PSID: 2995ae22faae; Credits: Bonds; Required privilege: Unauthenticat...
WordPress WordPress Meta Data and Taxonomies Filter (MDTF) Plugin <= 1.3.3.3 is vulnerable to SQL Injection
Software: WordPress Meta Data and Taxonomies Filter (MDTF); Type: Plugin; Vulnerable versions: <= 1.3.3.3; Fixed in: 1.3.3.4; OWASP Top 10: A1: Injection; Classification: SQL Injection; CVE: CVE-2024-8624; Patch priority: Low; CVSS severity: Low 8.5; Developer: Claim ownership; PSID: 72c934040045; Credits: Krzysztof Zając...
WordPress Fusion Builder Plugin <= 3.11.9 is vulnerable to Cross Site Scripting (XSS)
Software: Fusion Builder; Type: Plugin; Vulnerable versions: <= 3.11.9; Fixed in: 3.11.10; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-5628; Patch priority: Low; CVSS severity: Low 6.5; Developer: Claim ownership; PSID: 3ab369f1b5cb; Credits: wesley wcraft; Required...
WordPress Triton Lite Theme <= 1.3 is vulnerable to Cross Site Scripting (XSS)
Software: Triton Lite; Type: Theme; Vulnerable versions: <= 1.3; Fixed in: N/A; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-5789; Patch priority: Low; CVSS severity: Low 6.5; Developer: Claim ownership; PSID: 97a12617cc1a; Credits: Francesco Carlucci; Required...
WordPress RD Station Plugin <= 5.3.2 is vulnerable to Cross Site Scripting (XSS)
Software: RD Station; Type: Plugin; Vulnerable versions: <= 5.3.2; Fixed in: 5.4.0; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-6894; Patch priority: Low; CVSS severity: Low 6.5; Developer: Claim ownership; PSID: 32a1d7bae015; Credits: Webbernaut; Required privilege...
WordPress WP Accessibility Helper (WAH) Plugin <= 0.6.2.8 is vulnerable to Broken Access Control
Software: WP Accessibility Helper (WAH); Type: Plugin; Vulnerable versions: <= 0.6.2.8; Fixed in: 0.6.2.9; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2024-5987; Patch priority: Low; CVSS severity: Low 5.4; Developer: Alexander Volkov; PSID: d7cc8b0ae32e; Credits: Lucio Sá...
WordPress Custom Query Blocks Plugin <= 5.3.1 is vulnerable to Cross Site Scripting (XSS)
Software: Custom Query Blocks; Type: Plugin; Vulnerable versions: <= 5.3.1; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-44059; Patch priority: Low; CVSS severity: Low 6.5; Developer: Claim ownership; PSID: 3fa2441e978e; Credits: 4rCanJ0x!; Required privilege...
WordPress Phlox PRO Theme <= 5.16.4 is vulnerable to Cross Site Scripting (XSS)
Software: Phlox PRO; Type: Theme; Vulnerable versions: <= 5.16.4; Fixed in: 5.16.5; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-6339; Patch priority: Medium; CVSS severity: Medium 7.1; Developer: Claim ownership; PSID: 1d783a1b1dee; Credits: kauenavarro; Required...
WordPress LiteSpeed Cache Plugin <= 6.3.0.1 is vulnerable to Privilege Escalation
Software: LiteSpeed Cache; Type: Plugin; Vulnerable versions: <= 6.3.0.1; Fixed in: 6.4; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Privilege Escalation; CVE: CVE-2024-28000; Patch priority: High; CVSS severity: High 9.8; Developer: Hai Zheng / Lite Speed Cache; PSID: b9efa0ab6b82...
WordPress EmbedPress Plugin <= 4.0.9 is vulnerable to Local File Inclusion
Software: EmbedPress; Type: Plugin; Vulnerable versions: <= 4.0.9; Fixed in: 4.0.10; OWASP Top 10: A3: Injection; Classification: Local File Inclusion; CVE: CVE-2024-43328; Patch priority: High; CVSS severity: High 8.3; Developer: Claim ownership; PSID: 8a6dffdf0163; Credits: Rafie Muhammad Patchstack; Required privilege...