WordPress Logo Showcase with Slick Slider plugin <= 1.2.4 - Arbitrary Media Title/Description/Alt Text/URL Update vulnerability
Arbitrary Media Title/Description/Alt Text/URL Update vulnerability discovered by apple502j in WordPress Logo Showcase with Slick Slider plugin versions <= 1.2.4. Solution: Update the WordPress Logo Showcase with Slick Slider plugin to the latest available version, at least 1.2.5...
WordPress Jetpack plugin <= 9.7.1 - Attached Image Comment Leak For Non-Published Post And Pages in Carousel Feature
Page/Post Attachment Comment Leak of Not Published Posts and Pages in Carousel Feature discovered by nguyenhgvcs in WordPress Jetpack plugin versions <= 9.7.1. Solution: Update the WordPress Jetpack plugin to the latest available version, at least 9.8...
WordPress SP Project & Document Manager plugin <= 4.21 - Authenticated Shell Upload vulnerability
Authenticated Shell Upload discovered by Viktor Markopoulos (vict0ni) in WordPress SP Project & Document Manager plugin versions <= 4.21. Solution: Update the WordPress SP Project & Document Manager plugin to the latest available version, at least 4.22...
WordPress Backup Guard plugin <= 1.5.9 - Authenticated Arbitrary File Upload vulnerability
Authenticated Arbitrary File Upload vulnerability found by Nguyen Van Khanh in WordPress Backup Guard plugin versions <= 1.5.9. Solution: Update the WordPress Backup Guard plugin to the latest available version, at least 1.6.0...
WordPress JSmol2WP plugin <= 1.07 - Unauthenticated Server Side Request Forgery (SSRF) vulnerability
Unauthenticated Server Side Request Forgery (SSRF) vulnerability found in WordPress JSmol2WP plugin versions <= 1.07. Solution: 08.01.2019 - we were unable to find a patched version of this plugin. According to the WordPress.org plugin repository, this plugin was closed on January 7, 2019 and is no longer...
WordPress <= 5.0 - Authenticated Post Type Bypass vulnerability
Authenticated Post Type Bypass vulnerability found by RIPS Technologies in WordPress versions <= 5.0. Solution: Update WordPress to the latest available version, at least 5.0.1...
WordPress Simple Security Plugin <= 1.1.5 - Multiple XSS
Because of this vulnerability, attackers can inject arbitrary web script or HTML via the "datefilter" parameter in the accesslog page to wp-admin/users.php. Solution: Update the plugin...
WordPress BulletProof Security Plugin <= .51 - SSRF
Because of this server side request forgery vulnerability in admin/htaccess/bpsunlock.php, attackers can trigger outbound requests that authenticate to arbitrary databases via the "dbhost" parameter. Solution: Update the plugin...
WordPress XCloner Plugin 3.1.0 - CSRF
XCloner plugin is prone to a cross-site request forgery vulnerability that exists because of insufficient verification of HTTP request origin. Attackers can trick a logged-in administrator into visiting a specially crafted webpage, causing a website backup to be created. Solution: Update to XCloner 3.1.1...
WordPress VideoWhisper Plugin 4.27.3 - Multiple Vulnerabilities
VideoWhisper plugin is prone to multiple vulnerabilities, such as arbitrary file upload, cross-site scripting (XSS) and information exposure through an externally-generated error message in VideoWhisper Live Streaming Integration (CVE-2014-1908). Solution: Upgrade to VideoWhisper Live Streaming...
WordPress VideoWhisper Live Streaming Integration Plugin <= 4.29.4 - Multiple Directory Traversal
Because of these vulnerabilities, attackers can delete arbitrary files via the "s" parameter to ls/rtmplogout.php or read arbitrary files via the "s" parameter to ls/rtmplogin.php. Solution: Update the plugin...
WordPress Simple Gmail Login Plugin - Stack Trace Information Disclosure
WordPress Simple Gmail Login plugin is prone to an information disclosure vulnerability that allows an attacker to obtain sensitive information, which may lead to further attacks. Solution: Update the plugin...
WordPress Elementor Website Builder plugin <= 3.29.0 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Bonds (Patchstack Alliance) in WordPress Plugin Elementor Website Builder versions <= 3.29.0...
WordPress TNC PDF viewer Plugin <= 3.1.0 is vulnerable to Cross Site Scripting (XSS)
Software: TNC PDF viewer; Type: Plugin; Vulnerable versions: <= 3.1.0; Fixed in: 3.2.0; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-47372; Patch priority: Low; CVSS severity: Low (5.9); PSID: 9e1d9364ffe7; Credits: SOPROBRO; Required privilege: Editor...
WordPress JobSearch Plugin <= 2.5.9 is vulnerable to PHP Object Injection
Software: JobSearch; Type: Plugin; Vulnerable versions: <= 2.5.9; Fixed in: 2.6.1; OWASP Top 10: A3: Injection; Classification: PHP Object Injection; CVE: CVE-2024-47636; Patch priority: High; CVSS severity: High (9.8); PSID: 5e0aa88de68e; Credits: Bonds; Required privilege: Unauthenticated...
WordPress Activello theme <= 1.4.4 - Auth. Reflected Cross-Site Scripting (XSS) vulnerability
Auth. Reflected Cross-Site Scripting (XSS) vulnerability in the ajax action 'activellodismissrecommendedplugins' discovered by Brandon Roldan (Patchstack Alliance) in the WordPress Activello theme versions <= 1.4.4. Solution: No patched version available...
WordPress Gallery Images Ape plugin <= 2.2.8 - Auth. Broken Access Control vulnerability
Auth. Broken Access Control vulnerability leading to Gallery Duplication discovered by thiennv (Patchstack Alliance) in WordPress Gallery Images Ape plugin versions <= 2.2.8. Solution: No patched version is available. No reply from the vendor...
WordPress Blog2Social plugin <= 6.9.9 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Sakri Rafael Koskimies in WordPress Blog2Social plugin versions <= 6.9.9. Solution: Update the WordPress Blog2Social plugin to the latest available version, at least 6.9.10...
WordPress wpForo Forum plugin <= 2.0.5 - Insecure direct object references (IDOR) vulnerability
Insecure direct object references (IDOR) vulnerability that allows subscriber+ users to mark any forum post as Private/Public was discovered by Dhakal Ananda (Patchstack Alliance) in the WordPress wpForo Forum plugin versions <= 2.0.5. Solution: Update the WordPress wpForo Forum plugin to the latest...
WordPress Backup Scheduler plugin <= 1.5.13 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by Lana Codes in WordPress Backup Scheduler plugin versions <= 1.5.13. Solution: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress All in One SEO plugin <= 4.2.3.1 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Rafie Muhammad aka Yeraisci (Patchstack Alliance) in the WordPress All in One SEO plugin versions <= 4.2.3.1. Solution: Update the WordPress All In One SEO Pack plugin to the latest available version, at least 4.2.4...
WordPress WP Database Backup Plugin <= 5.8.3 - Authenticated Stored Cross-Site Scripting vulnerability
Authenticated Stored Cross-Site Scripting vulnerability discovered by Raad Haddad in WP Database Backup plugin versions <= 5.8.3. Solution: Update the WordPress WP Database Backup plugin to the latest available version, at least 5.9...
WordPress Visual Portfolio Plugin <= 2.17.1 - Unauthenticated CSS Injection vulnerability
Unauthenticated CSS Injection vulnerability discovered by Krzysztof Zając in Visual Portfolio plugin versions <= 2.17.1. Solution: Update the WordPress Visual Portfolio, Photo Gallery & Post Grid plugin to the latest available version, at least 1.18.0...
WordPress Button Plugin MaxButtons plugin <= 9.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Muhammad Daffa (Patchstack Alliance) in WordPress Button Plugin MaxButtons plugin versions <= 9.2. Solution: Update the WordPress MaxButtons plugin to the latest available version, at least 9.3...
WordPress WSM Downloader plugin <= 1.4.0 - Unauthenticated Arbitrary File Download vulnerability
Unauthenticated Arbitrary File Download vulnerability discovered by Raad Haddad in WordPress WSM Downloader plugin versions <= 1.4.0. Solution: Deactivate and delete. This plugin has been closed as of July 8, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress WP Visitor Statistics plugin <= 5.7 - Multiple Unauthenticated SQL Injection (SQLi) vulnerabilities
Multiple Unauthenticated SQL Injection (SQLi) vulnerabilities were discovered by Rafie Muhammad aka Yeraisci (Patchstack Alliance) in the WordPress WP Visitor Statistics plugin versions <= 5.7. Solution: Update the WordPress WP Visitor Statistics plugin to the latest available version, at least 5.8...
WordPress Allow SVG Files plugin <= 1.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Luan Pedersini in WordPress Allow SVG Files plugin versions <= 1.1. Solution: Deactivate and delete. This plugin has been closed as of July 1, 2022 and is not available for download. This closure is temporary, pending a full...
WordPress API KEY for Google Maps plugin <= 1.2.1 - CSRF vulnerability leading to Google Maps API key update
CSRF vulnerability leading to Google Maps API key update discovered by Rasi Afeef (Patchstack Alliance) in WordPress API KEY for Google Maps plugin versions <= 1.2.1. Solution: Update the WordPress API KEY for Google Maps plugin to the latest available version, at least 1.2.2...
WordPress Counter Box plugin <= 1.1.1 - Authenticated Local File Inclusion (LFI) vulnerability
Authenticated Local File Inclusion (LFI) vulnerability discovered by 0xB9 (Patchstack Alliance) in WordPress Counter Box plugin versions <= 1.1.1. Solution: Update the WordPress Counter Box plugin to the latest available version, at least 1.2...
WordPress Countdown & Clock plugin <= 2.4.7 - Pro Features Lock Bypass vulnerability
Pro Features Lock Bypass vulnerability discovered by Ex.Mi (Patchstack) in WordPress Countdown & Clock plugin versions <= 2.4.7. Solution: No patched version is available...
WordPress 3xSocializer plugin <= 0.98.22 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Lenon Leite (Patchstack Alliance) in WordPress 3xSocializer plugin versions <= 0.98.22. Solution: No patched version is available. Deactivate and delete. This plugin hasn't been tested with the latest 3 major releases of WordPress. It may n...
WordPress Visual Slide Box Builder plugin <= 3.2.9 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by p7e4 in WordPress Visual Slide Box Builder plugin versions <= 3.2.9. Solution: Deactivate and delete. This plugin has been closed as of March 30, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress WP Video Gallery plugin <= 1.7.1 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress WP Video Gallery plugin versions <= 1.7.1. Solution: Deactivate and delete. This plugin has been closed as of March 29, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Page Restriction WordPress (WP) plugin <= 1.2.6 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Niraj Mahajan in WordPress Page Restriction WordPress (WP) plugin versions <= 1.2.6. Solution: Update the WordPress Page Restriction WordPress (WP) plugin to the latest available version, at least 1.2.7...
WordPress DW Question & Answer Pro premium plugin <= 1.3.4 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Brandon Roldan in WordPress DW Question & Answer Pro premium plugin versions <= 1.3.4. Solution: No patched version is available...
WordPress myCred plugin <= 2.4.3 - Arbitrary Post Creation vulnerability
Arbitrary Post Creation vulnerability discovered by Krzysztof Zając in WordPress myCred plugin versions <= 2.4.3. Solution: Update the WordPress myCred plugin to the latest available version, at least 2.4.4...
WordPress File Upload Pro premium plugin <= 4.16.2 - Contributor+ Path Traversal vulnerability leading to Remote Code Execution (RCE)
Contributor+ Path Traversal vulnerability leading to Remote Code Execution (RCE) discovered by apple502j in WordPress File Upload Pro premium plugin versions <= 4.16.2. Solution: Update the WordPress File Upload Pro premium plugin to the latest available version, at least 4.16.3...
WordPress Advanced Access Manager plugin <= 6.7.9 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Huy Nguyen in WordPress Advanced Access Manager plugin versions <= 6.7.9. Solution: Update the WordPress Advanced Access Manager plugin to the latest available version, at least 6.8.0...
WordPress AddToAny Share Buttons plugin <= 1.7.45 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas in WordPress AddToAny Share Buttons plugin versions <= 1.7.45. Solution: Update the WordPress AddToAny Share Buttons plugin to the latest available version, at least 1.7.46...
WordPress WP Hotel Booking plugin <= 1.10.2 - Unauthenticated Remote Code Execution (RCE) via Arbitrary Object Deserialisation vulnerability
Unauthenticated Remote Code Execution (RCE) via Arbitrary Object Deserialisation vulnerability discovered by Nick Blundell (AppCheck Ltd) in WordPress WP Hotel Booking plugin versions <= 1.10.2. Solution: Update the WordPress WP Hotel Booking plugin to the latest available version, at least 1.10.3...
WordPress Autoptimize plugin <= 2.7.6 - Authenticated Arbitrary File Upload vulnerability
Authenticated Arbitrary File Upload vulnerability found by Nguyen Van Khanh (SunCSR) in WordPress Autoptimize plugin versions <= 2.7.6. Solution: Update the WordPress Autoptimize plugin to the latest available version, at least 2.7.7...
WordPress Font Awesome plugin 4.0.0-RC15 - 4.0.0-RC16 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Font Awesome plugin versions 4.0.0-RC15 - 4.0.0-RC16. Solution: Update the WordPress Font Awesome plugin to the latest available version, at least 4.0.0-RC17...
WordPress Cart66 Plugin 1.5.1.14 - Multiple Vulnerabilities
There are multiple vulnerabilities in the WordPress Cart66 plugin: CSRF and stored XSS. Solution: Update the plugin...
WordPress School Management System plugin <= 93.1.0 - Authenticated (Subscriber+) Local File Inclusion to Privilege Escalation via Password Update vulnerability
Authenticated (Subscriber+) Local File Inclusion to Privilege Escalation via Password Update vulnerability discovered by Thái An in WordPress Plugin School Management versions <= 93.1.0...
WordPress Elementor Website Builder Plugin <= 3.25.7 is vulnerable to Cross Site Scripting (XSS)
Software: Elementor Website Builder; Type: Plugin; Vulnerable versions: <= 3.25.7; Fixed in: 3.25.8; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-8236; Patch priority: Low; CVSS severity: Low (6.5); Developer: Elementor; PSID: 7daadbd579b8; Credits: wesley wcraft...
WordPress MasterStudy LMS Plugin < 3.0.18 is vulnerable to Privilege Escalation
Software: MasterStudy LMS; Type: Plugin; Vulnerable versions: < 3.0.18; Fixed in: 3.0.18; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Privilege Escalation; CVE: CVE-2023-4278; Patch priority: High; CVSS severity: High (7.3); PSID: 7e43b36b9353; Credits: Revan...
WordPress AFS Analytics plugin <= 4.17 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by ptsfence (Patchstack Alliance) in WordPress AFS Analytics plugin versions <= 4.17. Solution: No patched version is available. No reply from the vendor...
WordPress ALD - AliExpress Dropshipping and Fulfillment for WooCommerce premium plugin <= 1.1.0 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by Dave Jong (Patchstack) in WordPress ALD - AliExpress Dropshipping and Fulfillment for WooCommerce premium plugin versions <= 1.1.0. Solution: Update the WordPress ALD - AliExpress Dropshipping and Fulfillment for WooCommerce plugin to the latest...
WordPress MailOptin plugin <= 1.2.49.0 - Unauthenticated Optin Campaign Cache Deletion vulnerability
An unauthenticated Optin Campaign Cache Deletion vulnerability was discovered by Muhammad Daffa (Patchstack Alliance) in the WordPress MailOptin plugin versions <= 1.2.49.0. Solution: Update the WordPress MailOptin plugin to the latest available version, at least 1.2.50.0...
WordPress TaskBuilder plugin <= 1.0.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability via SVG file upload discovered by Rizacan Tufan in WordPress TaskBuilder plugin versions <= 1.0.7. Solution: Update the WordPress TaskBuilder plugin to the latest available version, at least 1.0.8...