Patchstack | Most viewed

45958 matches found

Patchstack | added 2008/12/30 12:0 a.m. | 18 views

WordPress Page Flip Image Gallery Plugin <= 0.2.2 - Directory Traversal

Because of this vulnerability, attackers can read arbitrary files via the "bookid" parameter. Solution: Update the plugin...

CVSS 4.3 | AI score 4.6 | EPSS 0.09469
Exploits: 1 | References: 1 | Affected Software: 1

Patchstack | added 2008/10/24 12:0 a.m. | 18 views

WordPress WP Comment Remix Plugin <= 1.4.3 - XSS

Because of this vulnerability in wpcommentremix.php, attackers can inject arbitrary web script or HTML. Solution: Update the plugin...

CVSS 4.3 | AI score 1.8 | EPSS 0.00405
Exploits: 1 | References: 1 | Affected Software: 1

Patchstack | added 2008/05/02 12:0 a.m. | 18 views

WordPress <= 2.5 - XSS

Because of this vulnerability, attackers can inject arbitrary web script or HTML via unspecified vectors. Solution: Update WordPress...

CVSS 4.3 | AI score 3 | EPSS 0.00685
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack | added 2008/02/11 12:0 a.m. | 18 views

WordPress Footnotes Plugin <= 2.2 - Multiple XSS vulnerabilities

Because of these vulnerabilities in adminpanel.php, attackers can inject arbitrary web script or HTML. Solution: Update the plugin...

CVSS 4.3 | AI score 2.4 | EPSS 0.00551
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack | added 2008/01/31 12:0 a.m. | 18 views

WordPress WassUp Plugin <= 1.4.3 - Multiple SQL Injection

Because of these vulnerabilities in main.php, attackers can execute arbitrary SQL commands. Solution: Update the plugin...

CVSS 7.5 | AI score 5.5 | EPSS 0.00591
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack | added 2008/01/30 12:0 a.m. | 18 views

WordPress WP Call Plugin <= 0.3 - SQL Injection

Because of this vulnerability, attackers can execute arbitrary SQL commands via the "id" parameter. Solution: Update the plugin...

CVSS 7.5 | AI score 6.5 | EPSS 0.00811
Exploits: 1 | References: 1 | Affected Software: 1

Patchstack | added 2008/01/09 12:0 a.m. | 18 views

WordPress Contact Form Plugin <= 1.5 - Multiple CSRF

Because of these vulnerabilities, attackers can perform actions as administrators. Solution: Update the plugin...

CVSS 4.3 | AI score 5.3 | EPSS 0.0024
Exploits: 1 | References: 1 | Affected Software: 1

Patchstack | added 2007/06/14 12:0 a.m. | 18 views

WordPress Vistered Little Theme - XSS

Because of this vulnerability in 404.php, attackers can inject arbitrary web script or HTML via the URI REQUESTURI that accesses index.php. Solution: Update the theme...

CVSS 4.3 | AI score 3 | EPSS 0.00728
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack | added 2007/03/28 12:0 a.m. | 18 views

WordPress <= 2.1.2 - Cross Site Scripting

Because of this vulnerability in an mt import in wp-admin/admin.php, authenticated administrators can inject arbitrary web script or HTML via the "demo" parameter. Solution: Update WordPress to the latest available version (at least 2.1.3)...

CVSS 3.5 | AI score 2.3 | EPSS 0.00456
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack | added 2007/01/04 12:0 a.m. | 18 views

WordPress Enigma2 Plugin - Remote File Inclusion

Because of this vulnerability, attackers can execute arbitrary PHP code via a URL in the "boarddir" parameter. Solution: Update the plugin...

CVSS 10 | AI score 6.6 | EPSS 0.05559
Exploits: 1 | References: 1 | Affected Software: 1

Patchstack | added 2006/12/28 12:0 a.m. | 18 views

WordPress <= 2.0.5 - Cross Site Scripting

Because of this vulnerability in wp-admin/templates.php, attackers can inject arbitrary web script or HTML via the "file" parameter. Solution: Update WordPress...

CVSS 6.8 | AI score 2.6 | EPSS 0.03483
Exploits: 1 | References: 1 | Affected Software: 1

Patchstack | added 2006/11/03 12:0 a.m. | 18 views

WordPress <= 2.0.4 - Multiple Directory Traversal

Because of these vulnerabilities in plugins/wp-db-backup.php, authenticated users can read or overwrite arbitrary files via directory traversal sequences. Solution: Update the plugin...

CVSS 6 | AI score 4.1 | EPSS 0.04873
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack | added 2006/09/13 12:0 a.m. | 18 views

WordPress <= 2.0.5 - Multiple vulnerabilities #1

Because of these vulnerabilities, attackers can obtain sensitive information via a direct request for wp-content/themes/default/index.php, links.php, sidebar.php, livejournal.php, hello.php, mt.php, page.php, rss.php, search.php, searchform.php, 404.php, wp-db-backup.php, akismet.php,...

CVSS 5 | AI score 4.5 | EPSS 0.00856
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack | added 2005/06/01 12:0 a.m. | 18 views

WordPress <=1.5.1 - SQL injection

Because of this vulnerability, attackers can execute arbitrary SQL commands via the $catID variable. Solution: Update WordPress to the latest available version (at least 1.5.2)...

CVSS 7.5 | AI score 6.3 | EPSS 0.01638
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack | added 2026/05/13 12:11 p.m. | 17 views

WordPress MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin <= 10.1.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure And Plugin Integration Reset vulnerability

Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure And Plugin Integration Reset vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Google Analytics by Monster Insights versions <= 10.1.2...

CVSS 7.1 | AI score 5.8 | EPSS 0.00031
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack | added 2026/05/12 10:3 a.m. | 17 views

WordPress AIWU plugin <= 1.4.21 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Kazuma Matsumoto - GMO Cybersecurity by IERAE, Inc. in WordPress Plugin AIWU versions <= 1.4.21...

CVSS 7.5 | AI score 5.9 | EPSS 0.00199
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack | added 2026/05/12 12:0 a.m. | 17 views

WordPress Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin <= 6.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by zaim in WordPress Plugin FluentForm versions <= 6.2.1...

CVSS 6.4 | AI score 5.8 | EPSS 0.0004
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack | added 2026/05/04 3:1 p.m. | 17 views

WordPress Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel plugin <= 2.7.10 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin Carousel, Slider, Gallery by WP Carousel versions <= 2.7.10...

CVSS 6.4 | AI score 5.8 | EPSS 0.00039
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack | added 2025/12/24 5:45 a.m. | 17 views

WordPress Flex Store Users plugin <= 1.1.0 - Unauthenticated Privilege Escalation vulnerability

Unauthenticated Privilege Escalation vulnerability discovered by シルAsuna in WordPress Plugin Flex Store Users versions <= 1.1.0...

CVSS 9.8 | AI score 6.7 | EPSS 0.00184
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack | added 2025/12/11 8:11 a.m. | 17 views

WordPress Elated Membership plugin <= 1.2 - Authentication Bypass via Social Login vulnerability

Authentication Bypass via Social Login vulnerability discovered by Foxyyy in WordPress Plugin Elated Membership versions <= 1.2...

CVSS 9.8 | AI score 6.8 | EPSS 0.00526
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack | added 2025/12/08 6:45 a.m. | 17 views

WordPress Flex QR Code Generator plugin <= 1.2.7 - Arbitrary File Upload vulnerability

Arbitrary File Upload vulnerability discovered by Ryan Kozak in WordPress Plugin Flex QR Code Generator versions <= 1.2.7...

CVSS 9.8 | AI score 5.3 | EPSS 0.00373
Exploits: 1 | References: 1 | Affected Software: 1

Patchstack | added 2025/10/09 10:16 p.m. | 17 views

WordPress Slider Revolution plugin <= 6.7.37 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Read vulnerability

Missing Authorization to Authenticated (Contributor+) Arbitrary File Read vulnerability discovered by stealthcopter in WordPress Plugin Slider Revolution versions <= 6.7.37...

CVSS 6.5 | AI score 6.8 | EPSS 0.0008
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack | added 2025/07/07 7:47 a.m. | 17 views

WordPress Site Chat on Telegram plugin <= 1.0.4 - PHP Object Injection Vulnerability

PHP Object Injection Vulnerability discovered by Drew / mcdruid in WordPress Plugin Site Chat on Telegram versions <= 1.0.4...

CVSS 9.8 | AI score 6.9 | EPSS 0.00369
Exploits: 0 | Affected Software: 1

Patchstack | added 2025/05/21 8:14 p.m. | 17 views

WordPress Digits plugin < 8.4.6.1 - Auth Bypass via OTP Bruteforcing vulnerability

Auth Bypass via OTP Bruteforcing vulnerability discovered by Saleh Tarawneh in WordPress Plugin Digits versions < 8.4.6.1...

CVSS 9.8 | AI score 8.7 | EPSS 0.03033
Exploits: 4 | References: 1 | Affected Software: 1

Patchstack | added 2025/05/19 7:38 p.m. | 17 views

WordPress All in One SEO Pack plugin <= 4.8.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta Description and Canonical URL vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta Description and Canonical URL vulnerability discovered by Ivan Kuzymchak in WordPress Plugin All In One SEO Pack versions <= 4.8.1.1...

CVSS 6.4 | AI score 6.3 | EPSS 0.0015
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack | added 2025/04/16 1:56 p.m. | 17 views

WordPress Travelfic Toolkit plugin <= 1.2.1 - Cross Site Scripting (XSS) Vulnerability

Cross Site Scripting (XSS) Vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Travelfic Toolkit versions <= 1.2.1...

CVSS 6.5 | AI score 7.1 | EPSS 0.00322
Exploits: 0 | Affected Software: 1

Patchstack | added 2024/11/26 12:0 a.m. | 17 views

WordPress Sugar Calendar (Lite) Plugin <= 3.3.0 is vulnerable to Cross Site Scripting (XSS)

Software: Sugar Calendar (Lite); Type: Plugin; Vulnerable versions: <= 3.3.0; Fixed in: 3.4.0; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-10878; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: 8ef7ef64f31f; Credits: Peter Thaleik...

CVSS 6.1 | AI score 5.7 | EPSS 0.01411
Exploits: 0 | References: 3 | Affected Software: 1

Patchstack | added 2024/11/21 12:0 a.m. | 17 views

WordPress Ultimate Member Plugin <= 2.8.9 is vulnerable to Broken Access Control

Software: Ultimate Member; Type: Plugin; Vulnerable versions: <= 2.8.9; Fixed in: 2.9.0; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2024-10528; Patch priority: Low; CVSS severity: Low 4.3; PSID: 65aa5e86b9d5; Credits: tiborisaak; Required privilege...

CVSS 4.3 | AI score 6.9 | EPSS 0.00073
Exploits: 0 | References: 3 | Affected Software: 1

Patchstack | added 2024/11/20 12:0 a.m. | 17 views

WordPress Pathomation Plugin <= 2.5.1 is vulnerable to Arbitrary File Upload

Software: Pathomation; Type: Plugin; Vulnerable versions: <= 2.5.1; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Arbitrary File Upload; CVE: CVE-2024-52490; Patch priority: High; CVSS severity: High 10; PSID: 9e87ceb4d934; Credits: ghsinfosec; Required privilege: Unauthenticated...

AI score 6.8 | EPSS 0.00578
Exploits: 0 | References: 2 | Affected Software: 1

Patchstack | added 2024/11/19 12:0 a.m. | 17 views

WordPress HUSKY Plugin <= 1.3.6.3 is vulnerable to Cross Site Scripting (XSS)

Software: HUSKY; Type: Plugin; Vulnerable versions: <= 1.3.6.3; Fixed in: 1.3.6.4; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-11400; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: db9ff0ff3180; Credits: Daniel Scheidt; Required...

CVSS 6.1 | AI score 5.6 | EPSS 0.01598
Exploits: 0 | References: 3 | Affected Software: 1

Patchstack | added 2024/11/13 12:0 a.m. | 17 views

WordPress Exclusive Content Password Protect Plugin <= 1.1.0 is vulnerable to Cross Site Request Forgery (CSRF)

Software: Exclusive Content Password Protect; Type: Plugin; Vulnerable versions: <= 1.1.0; Fixed in: N/A; OWASP Top 10: A1: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2024-52402; Patch priority: Low; CVSS severity: Low 9.6; PSID: b722ce5d7201; Credits...

CVSS 9.6 | AI score 6.6 | EPSS 0.18103
Exploits: 1 | References: 1 | Affected Software: 1

Patchstack | added 2024/11/13 12:0 a.m. | 17 views

WordPress User Extra Fields Plugin <= 16.6 is vulnerable to Privilege Escalation

Software: User Extra Fields; Type: Plugin; Vulnerable versions: <= 16.6; Fixed in: 16.7; OWASP Top 10: A5: Broken Access Control; Classification: Privilege Escalation; CVE: CVE-2024-10800; Patch priority: High; CVSS severity: High 8.8; PSID: 90d7101cbd67; Credits: Tonn; Required privilege...

CVSS 8.8 | AI score 6.5 | EPSS 0.00237
Exploits: 0 | References: 2 | Affected Software: 1

Patchstack | added 2024/11/12 12:0 a.m. | 17 views

WordPress Relais 2FA Plugin <= 1.0 is vulnerable to Broken Authentication

Software: Relais 2FA; Type: Plugin; Vulnerable versions: <= 1.0; Fixed in: N/A; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Broken Authentication; CVE: CVE-2024-10245; Patch priority: High; CVSS severity: High 9.8; PSID: 461a7cd31084; Credits: István Márton...

CVSS 9.8 | AI score 6.8 | EPSS 0.3645
Exploits: 1 | References: 2 | Affected Software: 1

Patchstack | added 2024/11/08 12:0 a.m. | 17 views

WordPress WooCommerce Support Ticket System Plugin <= 17.6 is vulnerable to Arbitrary File Deletion

Software: WooCommerce Support Ticket System; Type: Plugin; Vulnerable versions: <= 17.6; Fixed in: 17.8; OWASP Top 10: A3: Injection; Classification: Arbitrary File Deletion; CVE: CVE-2024-10625; Patch priority: High; CVSS severity: High 8.6; PSID: b5c39d8368a0; Credits: Tonn; Required privile...

CVSS 9.8 | AI score 6.8 | EPSS 0.40624
Exploits: 0 | References: 2 | Affected Software: 1

Patchstack | added 2024/11/08 12:0 a.m. | 17 views

WordPress Algori PDF Viewer Plugin <= 1.0.7 is vulnerable to Cross Site Scripting (XSS)

Software: Algori PDF Viewer; Type: Plugin; Vulnerable versions: <= 1.0.7; Fixed in: 1.0.8; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2018-5158; Patch priority: Low; CVSS severity: Low 5.9; PSID: f9da283093fc; Credits: Colin Xu; Required...

CVSS 8.8 | AI score 5.8 | EPSS 0.43031
Exploits: 0 | References: 3 | Affected Software: 1

Patchstack | added 2024/11/05 12:0 a.m. | 17 views

WordPress Everest Backup Plugin <= 2.2.13 is vulnerable to Sensitive Data Exposure

Software: Everest Backup; Type: Plugin; Vulnerable versions: <= 2.2.13; Fixed in: 2.2.14; OWASP Top 10: A3: Sensitive Data Exposure; Classification: Sensitive Data Exposure; CVE: CVE-2024-10028; Patch priority: Low; CVSS severity: Low 7.5; PSID: a89321fb2bfd; Credits: floerer; Required privile...

CVSS 7.5 | AI score 6.6 | EPSS 0.02298
Exploits: 0 | References: 3 | Affected Software: 1

Patchstack | added 2024/10/30 12:0 a.m. | 17 views

WordPress Multi Purpose Mail Form Plugin <= 1.0.2 is vulnerable to Arbitrary File Upload

Software: Multi Purpose Mail Form; Type: Plugin; Vulnerable versions: <= 1.0.2; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Arbitrary File Upload; CVE: CVE-2024-50526; Patch priority: High; CVSS severity: High 10; PSID: 077c15d9e1a1; Credits: stealthcopter; Required privilege...

CVSS 10 | AI score 6.9 | EPSS 0.01142
Exploits: 2 | References: 1 | Affected Software: 1

Patchstack | added 2024/10/29 12:0 a.m. | 17 views

WordPress FileOrganizer Plugin <= 1.0.9 is vulnerable to Arbitrary File Upload

Software: FileOrganizer; Type: Plugin; Vulnerable versions: <= 1.0.9; Fixed in: 1.1.0; OWASP Top 10: A1: Injection; Classification: Arbitrary File Upload; CVE: CVE-2024-7985; Patch priority: High; CVSS severity: High 7.5; PSID: 9a28a4363098; Credits: TANG Cheuk Hei siunam; Required privilege...

CVSS 8.8 | AI score 6.8 | EPSS 0.50483
Exploits: 1 | References: 3 | Affected Software: 1

Patchstack | added 2024/10/28 12:0 a.m. | 17 views

WordPress All-in-One WP Migration Plugin <= 7.86 is vulnerable to PHP Object Injection

Software: All-in-One WP Migration; Type: Plugin; Vulnerable versions: <= 7.86; Fixed in: 7.87; OWASP Top 10: A3: Injection; Classification: PHP Object Injection; CVE: CVE-2024-9162; Patch priority: Low; CVSS severity: Low 7.2; Developer: ServMask, Inc; PSID: 44c4c1ddd033; Credits: Ryan Kozak; Required privilege...

CVSS 7.2 | AI score 6.9 | EPSS 0.62609
Exploits: 1 | References: 3 | Affected Software: 1

Patchstack | added 2024/10/25 12:0 a.m. | 17 views

WordPress Meetup Plugin <= 0.1 is vulnerable to Broken Authentication

Software: Meetup; Type: Plugin; Vulnerable versions: <= 0.1; Fixed in: N/A; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Broken Authentication; CVE: CVE-2024-50483; Patch priority: High; CVSS severity: High 9.8; PSID: 6432286e77c7; Credits: Bonds; Required...

CVSS 9.8 | AI score 6.8 | EPSS 0.5397
Exploits: 3 | References: 1 | Affected Software: 1

Patchstack | added 2024/10/25 12:0 a.m. | 17 views

WordPress Uix Shortcodes Plugin <= 1.9.9 is vulnerable to Arbitrary Code Execution

Software: Uix Shortcodes; Type: Plugin; Vulnerable versions: <= 1.9.9; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Arbitrary Code Execution; CVE: CVE-2024-9772; Patch priority: High; CVSS severity: High 7.3; PSID: a42f828d9a99; Credits: Francesco Carlucci; Required privilege...

CVSS 7.3 | AI score 7 | EPSS 0.09043
Exploits: 0 | References: 2 | Affected Software: 1

Patchstack | added 2024/10/24 12:0 a.m. | 17 views

WordPress WordPress Meta Data and Taxonomies Filter (MDTF) Plugin <= 1.3.3.4 is vulnerable to Cross Site Scripting (XSS)

Software: WordPress Meta Data and Taxonomies Filter (MDTF); Type: Plugin; Vulnerable versions: <= 1.3.3.4; Fixed in: 1.3.3.5; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-50451; Patch priority: Low; CVSS severity: Low 6.5; PSID: 0f23dd4816a6; Credits...

CVSS 6.5 | AI score 6.5 | EPSS 0.00143
Exploits: 0 | References: 2 | Affected Software: 1

Patchstack | added 2024/10/24 12:0 a.m. | 17 views

WordPress WP Booking System Plugin <= 2.0.19.10 is vulnerable to Broken Access Control

Software: WP Booking System; Type: Plugin; Vulnerable versions: <= 2.0.19.10; Fixed in: 2.0.19.11; OWASP Top 10: A1: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2024-50425; Patch priority: High; CVSS severity: High 6.5; PSID: ad36b04a505d; Credits: Trương Hữu Phúc...

CVSS 6.5 | AI score 6.5 | EPSS 0.00508
Exploits: 0 | References: 2 | Affected Software: 1

Patchstack | added 2024/10/21 12:0 a.m. | 17 views

WordPress TI WooCommerce Wishlist Plugin <= 2.9.0 is vulnerable to SQL Injection

Software: TI WooCommerce Wishlist; Type: Plugin; Vulnerable versions: <= 2.9.0; Fixed in: N/A; OWASP Top 10: A1: Injection; Classification: SQL Injection; CVE: CVE-2024-9156; Patch priority: High; CVSS severity: High 9.3; PSID: 2b353481dee7; Credits: John Castro; Required privilege...

CVSS 7.5 | AI score 6.8 | EPSS 0.00628
Exploits: 1 | References: 3 | Affected Software: 1

Patchstack | added 2024/10/21 12:0 a.m. | 17 views

WordPress News Kit Elementor Addons Plugin <= 1.2.1 is vulnerable to Sensitive Data Exposure

Software: News Kit Elementor Addons; Type: Plugin; Vulnerable versions: <= 1.2.1; Fixed in: 1.2.2; OWASP Top 10: A3: Sensitive Data Exposure; Classification: Sensitive Data Exposure; CVE: CVE-2024-9541; Patch priority: Low; CVSS severity: Low 4.3; PSID: 1aff69c2a359; Credits: Nishiv; Required...

CVSS 4.3 | AI score 6.5 | EPSS 0.00405
Exploits: 0 | References: 3 | Affected Software: 1

Patchstack | added 2024/10/21 12:0 a.m. | 17 views

WordPress Mega Elements Plugin <= 1.2.6 is vulnerable to Cross Site Scripting (XSS)

Software: Mega Elements; Type: Plugin; Vulnerable versions: <= 1.2.6; Fixed in: 1.2.7; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-49693; Patch priority: Low; CVSS severity: Low 6.5; PSID: d1a9c6f9c436; Credits: João Pedro S Alcântara Kinorth; Required...

CVSS 6.5 | AI score 6.3 | EPSS 0.00231
Exploits: 0 | References: 2 | Affected Software: 1

Patchstack | added 2024/10/18 12:0 a.m. | 17 views

WordPress WP Dropbox Dropins Plugin <= 1.0 is vulnerable to Arbitrary File Upload

Software: WP Dropbox Dropins; Type: Plugin; Vulnerable versions: <= 1.0; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Arbitrary File Upload; CVE: CVE-2024-49607; Patch priority: High; CVSS severity: High 10; PSID: bc49371a8bf9; Credits: stealthcopter; Required privilege...

CVSS 10 | AI score 6.9 | EPSS 0.2346
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack | added 2024/10/18 12:0 a.m. | 17 views

WordPress Photo Gallery Slideshow & Masonry Tiled Gallery Plugin <= 1.0.3 is vulnerable to SQL Injection

Software: Photo Gallery Slideshow & Masonry Tiled Gallery; Type: Plugin; Vulnerable versions: <= 1.0.3; Fixed in: 1.0.4; OWASP Top 10: A1: Injection; Classification: SQL Injection; CVE: CVE-2019-25218; Patch priority: Low; CVSS severity: Low 7.6; PSID: 6b8bcb14a865; Credits: Ala Arfaoui...

CVSS 4.9 | AI score 6.8 | EPSS 0.00802
Exploits: 0 | References: 3 | Affected Software: 1

Patchstack | added 2024/10/18 12:0 a.m. | 17 views

WordPress Author Discussion Plugin <= 0.2.2 is vulnerable to SQL Injection

Software: Author Discussion; Type: Plugin; Vulnerable versions: <= 0.2.2; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: SQL Injection; CVE: CVE-2024-49609; Patch priority: High; CVSS severity: High 8.5; PSID: 126e44ab20dc; Credits: João Pedro S Alcântara Kinorth; Required privile...

CVSS 8.8 | AI score 8.8 | EPSS 0.00516
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack | added 2024/10/18 12:0 a.m. | 17 views

WordPress Click to Chat – WP Support All-in-One Floating Widget Plugin <= 2.3.3 is vulnerable to Cross Site Scripting (XSS)

Software: Click to Chat – WP Support All-in-One Floating Widget; Type: Plugin; Vulnerable versions: <= 2.3.3; Fixed in: 2.3.4; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-10055; Patch priority: Low; CVSS severity: Low 6.5; PSID...

CVSS 6.4 | AI score 5.8 | EPSS 0.00361
Exploits: 0 | References: 3 | Affected Software: 1

Total number of security vulnerabilities: 5000