WordPress About Me plugin <= 1.0.12 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by ptsfence (Patchstack Alliance) in WordPress About Me plugin versions <= 1.0.12. Solution: Deactivate and delete. This plugin has been closed as of August 24, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Advanced Custom Fields PRO premium plugin <= 5.12.2 - Unauthenticated File Upload vulnerability
Unauthenticated File Upload vulnerability discovered by James Golovich in WordPress Advanced Custom Fields PRO premium plugin versions <= 5.12.2. Solution: Update the WordPress Advanced Custom Fields PRO plugin to the latest available version, at least 5.12.3...
WordPress WP Video Lightbox plugin <= 1.9.4 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by ZhongFu Su aka JrXnm (WuHan University) in WordPress WP Video Lightbox plugin versions <= 1.9.4. Solution: Update the WordPress WP Video Lightbox plugin to the latest available version, at least 1.9.5...
WordPress Ninja Forms Contact Form plugin <= 3.6.9 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas (Patchstack Alliance) in WordPress Ninja Forms Contact Form plugin versions <= 3.6.9. Solution: Update the WordPress Ninja Forms Contact Form plugin to the latest available version, at least 3.6.10...
WordPress ARMember plugin <= 3.4.7 - Unauthenticated Admin Account Takeover vulnerability
Unauthenticated Admin Account Takeover vulnerability discovered by cydave in WordPress ARMember plugin versions <= 3.4.7. Solution: Update the WordPress ARMember plugin to the latest available version, at least 3.4.8...
WordPress One Click Plugin Updater plugin <= 2.4.14 - Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability discovered by Daniel Ruf in WordPress One Click Plugin Updater plugin versions <= 2.4.14. Solution: Deactivate and delete. This plugin has been closed as of May 18, 2022 and is not available for download. This closure is...
WordPress Booking Calendar plugin <= 9.1 - Insecure Deserialization/PHP Object Injection vulnerability
Insecure Deserialization/PHP Object Injection vulnerability discovered by Ramuel Gall (Wordfence) in WordPress Booking Calendar plugin versions <= 9.1. Solution: Update the WordPress Booking Calendar plugin to the latest available version, at least 9.1.1...
WordPress RSVPMaker plugin <= 9.2.6 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by Tobias Kay Dalå (oxnan) in WordPress RSVPMaker plugin versions <= 9.2.6. Solution: Update the WordPress RSVPMaker plugin to the latest available version, at least 9.2.7...
WordPress Metform Elementor Contact Form Builder plugin <= 2.1.3 - Unauthenticated API keys and Secrets Disclosure vulnerability
Unauthenticated API keys and Secrets Disclosure vulnerability discovered by Muhammad Zeeshan (Xib3rR4dAr) in WordPress Metform Elementor Contact Form Builder plugin versions <= 2.1.3. Solution: Update the WordPress Metform Elementor Contact Form Builder plugin to the latest available version, at least...
WordPress Adrotate plugin <= 5.8.22 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability discovered by Muhamad Hidayat in WordPress Adrotate plugin versions <= 5.8.22. Solution: Update the WordPress Adrotate plugin to the latest available version, at least 5.8.23...
WordPress SearchIQ plugin <= 3.8 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by cydave in WordPress SearchIQ plugin versions <= 3.8. Solution: Update the WordPress SearchIQ plugin to the latest available version, at least 3.9...
WordPress Narnoo Distributor plugin <= 2.5.1 - Unauthenticated Local File Inclusion (LFI) vulnerability leading to Arbitrary File Read / RCE
Unauthenticated Local File Inclusion (LFI) vulnerability leading to Arbitrary File Read / RCE discovered by cydave in WordPress Narnoo Distributor plugin versions <= 2.5.1. Solution: Deactivate and delete. This plugin has been closed as of February 18, 2022 and is not available for download. This...
WordPress Bank Mellat plugin <= 1.3.7 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ran Crane in WordPress Bank Mellat plugin versions <= 1.3.7. Solution: Deactivate and delete. This plugin has been closed as of February 16, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress WP Statistics plugin <= 13.1.5 - Unauthenticated Blind SQL Injection (SQLi) vulnerability
Unauthenticated Blind SQL Injection (SQLi) vulnerability via currentpageid discovered by Muhammad Zeeshan (Xib3rR4dAr) in WordPress WP Statistics plugin versions <= 13.1.5. Solution: Update the WordPress WP Statistics plugin to the latest available version, at least 13.1.6...
WordPress NotificationX plugin <= 2.3.8 - Unauthenticated Blind SQL Injection (SQLi) vulnerability
Unauthenticated Blind SQL Injection (SQLi) vulnerability discovered by Krzysztof Zając in WordPress NotificationX plugin versions <= 2.3.8. Solution: Update the WordPress NotificationX plugin to the latest available version, at least 2.3.9...
WordPress SupportCandy plugin <= 2.2.6 - Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS) discovered by apple502j in WordPress SupportCandy plugin versions <= 2.2.6. Solution: Update the WordPress SupportCandy plugin to the latest available version, at least 2.2.7...
WordPress AMP for WP – Accelerated Mobile Pages plugin <= 1.0.77.32 - Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities
Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities discovered by Ex.Mi (Patchstack) in WordPress AMP for WP – Accelerated Mobile Pages plugin versions <= 1.0.77.32. Solution: Update the WordPress AMP for WP – Accelerated Mobile Pages plugin to the latest available version, at...
WordPress MOLIE plugin <= 0.5 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Jeremie Amsellem in WordPress MOLIE plugin versions <= 0.5. Solution: Deactivate and delete. This plugin has been closed as of November 29, 2021 and is not available for download. Reason: Security Issue...
WordPress Accesspress Mag theme <= 2.6.5 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress Accesspress Mag theme versions <= 2.6.5. This theme uses a vulnerable piece of code related to a previously identified vulnerability, CVE-2021-39317. Solution: Deactivate and delete. The vendor ignore...
WordPress Catch Breadcrumb plugin <= 1.6 - Unauthorized Plugin Setting Change vulnerability
Unauthorized Plugin Setting Change vulnerability discovered by apple502j in WordPress Catch Breadcrumb plugin versions <= 1.6. Solution: Update the WordPress Catch Breadcrumb plugin to the latest available version, at least 1.7...
WordPress Advanced Custom Fields PRO plugin <= 5.9.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Juan David Ordoñez Noriega in WordPress Advanced Custom Fields PRO plugin versions <= 5.9.0. Solution: Update the WordPress Advanced Custom Fields PRO plugin to the latest available version, at least 5.9.1...
WordPress Popup Builder plugin <= 2.6.7.6 - SQL injection (SQLi) vulnerability
SQL injection (SQLi) vulnerability discovered by ZeroAuth in WordPress Popup Builder plugin versions <= 2.6.7.6. Solution: Update the WordPress Popup Builder plugin to the latest available version, at least 3.0.2...
WordPress MaxButtons Plugin <= 1.26.0 - XSS
This vulnerability allows attackers to inject arbitrary web script or HTML via the "id" parameter in a button action on the maxbuttons-controller page to wp-admin/admin.php, related to the button creation page. Solution: Update the plugin...
WordPress <= 3.9.1 - Denial Of Service Attacks #2
The Incutio XML-RPC (IXR) Library permits entity declarations without considering recursion during entity expansion, so attackers can cause a denial of service via a crafted XML document containing a large number of nested entity references. Related records:...
WordPress Polylang Plugin <= 1.5.1 - XSS
This vulnerability allows attackers to inject arbitrary web script or HTML via vectors related to a user description. Solution: Update the plugin...
WordPress Leopard - WordPress offload media Plugin <= 3.1.1 is vulnerable to Broken Access Control
Software: Leopard - WordPress offload media; Type: Plugin; Vulnerable versions: <= 3.1.1; Fixed in: 3.1.2; OWASP Top 10: A5 Broken Access Control; Classification: Broken Access Control; CVE: CVE-2024-10589; Patch priority: High; CVSS severity: High (8.8); PSID: 9f2ff23f7d2f; Credits: Tonn...
WordPress Really Simple Security Pro Plugin 9.0.0-9.1.1.1 is vulnerable to Broken Authentication
Software: Really Simple Security Pro; Type: Plugin; Vulnerable versions: 9.0.0-9.1.1.1; Fixed in: 9.1.2; OWASP Top 10: A1 Broken Access Control; Classification: Broken Authentication; CVE: CVE-2024-10924; Patch priority: High; CVSS severity: High (9.8); PSID: dc394c4ae392; Credits: István...
WordPress FluentForm Plugin <= 5.1.19 is vulnerable to Cross Site Scripting (XSS)
Software: FluentForm; Type: Plugin; Vulnerable versions: <= 5.1.19; Fixed in: 5.1.20; OWASP Top 10: A7 Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-9528; Patch priority: Low; CVSS severity: Low (5.9); PSID: 973bb3afee30; Credits: Ivan Kuzymchak; Required...
WordPress The Events Calendar Plugin <= 6.6.4 is vulnerable to SQL Injection
Software: The Events Calendar; Type: Plugin; Vulnerable versions: <= 6.6.4; Fixed in: 6.6.4.1; OWASP Top 10: A1 Injection; Classification: SQL Injection; CVE: CVE-2024-8275; Patch priority: High; CVSS severity: High (9.3); Developer: Liquid Web / StellarWP; PSID: fcc27b88891b; Credits: Foxyyy; Required privilege...
WordPress Contact Form 7 Plugin < 5.9.5 is vulnerable to Open Redirection
Software: Contact Form 7; Type: Plugin; Vulnerable versions: < 5.9.5; Fixed in: 5.9.5; OWASP Top 10: A1 Injection; Classification: Open Redirection; CVE: CVE-2024-4704; Patch priority: Low; CVSS severity: Low (4.7); PSID: 0480ce1a1ef4; Credits: William Bastos - cHoR4o; Required privilege...
WordPress Slider Revolution Plugin < 6.7.11 is vulnerable to Cross Site Scripting (XSS)
Software: Slider Revolution; Type: Plugin; Vulnerable versions: < 6.7.11; Fixed in: 6.7.11; OWASP Top 10: A3 Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-34443; Patch priority: Low; CVSS severity: Low (5.9); Developer: ThemePunch; PSID: 5d432eb3f5ab; Credits: Rafie Muhammad (Patchstack); Required...
WordPress Export any WordPress data to XML/CSV Plugin < 1.4.0 is vulnerable to Remote Code Execution (RCE)
Software: Export any WordPress data to XML/CSV; Type: Plugin; Vulnerable versions: < 1.4.0; Fixed in: 1.4.0; OWASP Top 10: A3 Injection; Classification: Remote Code Execution (RCE); CVE: CVE-2023-4724; Patch priority: Low; CVSS severity: Low (9.1); PSID: 6a309d1d1825; Credits: Francesco Marano...
WordPress LoginPress plugin <= 1.6.2 - Broken Access Control vulnerability
Broken Access Control vulnerability leading to unauthenticated changing of Opt-In or Opt-Out tracking settings discovered by Nguyen Anh Tien (Patchstack Alliance) in the WordPress LoginPress plugin versions <= 1.6.2. Solution: Update the WordPress LoginPress plugin to the latest available version, at least...
WordPress Simple SEO plugin <= 1.8.12 - Broken Access Control vulnerability
Broken Access Control vulnerability leading to Sitemap Deletion/Creation discovered by Mika (Patchstack Alliance) in WordPress Simple SEO plugin versions <= 1.8.12. Solution: Update the WordPress Simple SEO plugin to the latest available version, at least 1.8.13...
WordPress ImageMagick Engine plugin <= 1.7.4 - Remote Code Execution (RCE) via Cross-Site Request Forgery (CSRF) vulnerability
Remote Code Execution (RCE) via Cross-Site Request Forgery (CSRF) vulnerability in WordPress ImageMagick Engine plugin versions <= 1.7.4. Solution: Update the WordPress ImageMagick Engine plugin to the latest available version, at least 1.7.6...
WordPress OSM – OpenStreetMap plugin <= 6.0.1 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to Plugin Settings Update discovered by Rasi Afeef (Patchstack Alliance) in WordPress OSM – OpenStreetMap plugin versions <= 6.0.1. Solution: No patched version is available. No reply from the vendor...
WordPress SEO Redirection plugin <= 8.9 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to deletion of 404 errors and redirection history discovered by Muhammad Daffa (Patchstack Alliance) in the WordPress SEO Redirection plugin versions <= 8.9. Solution: Update the WordPress SEO Redirection plugin to the latest available version...
WordPress Export Post Info plugin <= 1.2.0 - Authenticated CSV Injection vulnerability
Authenticated CSV Injection vulnerability discovered by Mika (Patchstack Alliance) in WordPress Export Post Info plugin versions <= 1.2.0. Solution: Update the WordPress Export Post Info plugin to the latest available version, at least 1.2.1...
WordPress WPGateway premium plugin <= 3.5 - Unauthenticated Privilege Escalation vulnerability
Unauthenticated Privilege Escalation vulnerability that allows unauthenticated attackers to insert a malicious administrator, discovered by Chloe Chamberland (Wordfence) in WordPress WPGateway premium plugin versions <= 3.5. Solution: Deactivate and delete. No fix is available...
WordPress WP Popup Builder plugin <= 1.2.8 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress WP Popup Builder plugin versions <= 1.2.8. Solution: Update the WordPress WP Popup Builder plugin to the latest available version, at least 1.2.9...
WordPress WooCommerce PDF Invoices & Packing Slips plugin <= 3.0.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress WooCommerce PDF Invoices & Packing Slips plugin versions <= 3.0.0. Solution: Update the WordPress WooCommerce PDF Invoices & Packing Slips plugin to the latest available version, at least 3.0.1...
WordPress WPIDE – File Manager & Code Editor plugin <= 2.6 - Authenticated Local File Inclusion (LFI) vulnerability
Authenticated Local File Inclusion (LFI) vulnerability discovered by Raad Haddad in WordPress WPIDE – File Manager & Code Editor plugin versions <= 2.6. Solution: Update the WordPress WPIDE – File Manager & Code Editor plugin to the latest available version, at least 3.0...
WordPress WP OAuth Server plugin <= 3.0.4 - Authentication Bypass vulnerability
Authentication Bypass vulnerability discovered by Lana Codes in WordPress WP OAuth Server plugin versions <= 3.0.4. Solution: Update the WordPress WP OAuth Server plugin to the latest available version, at least 4.0.1...
WordPress Simple Job Board plugin <= 2.9.6 - Resume Disclosure via Directory Listing
Resume Disclosure via Directory Listing discovered by Daniel Ruf in the WordPress Simple Job Board plugin versions <= 2.9.6. Solution: Update the WordPress Simple Job Board plugin to the latest available version, at least 2.10.0...
WordPress Flipbox plugin <= 2.6.0 - Authenticated WordPress Options Change vulnerability
Authenticated WordPress Options Change vulnerability discovered by m0ze (Patchstack) in WordPress Flipbox plugin versions <= 2.6.0. Solution: Update the WordPress Flipbox plugin to the latest available version, at least 2.6.1...
WordPress Form – Contact Form plugin <= 1.2.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Fayçal CHENA in WordPress Form – Contact Form plugin versions <= 1.2.4. Solution: Deactivate and delete. This plugin has been closed as of June 2, 2022 and is not available for download. This closure is temporary, pending a...
WordPress Andrea Pernici News Sitemap for Google plugin <= 1.0.16 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by John Castro aka mirphak (Pagely) in WordPress Andrea Pernici News Sitemap for Google plugin versions <= 1.0.16. Solution: No patched version is available...
WordPress Modern Events Calendar Lite plugin <= 6.5.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Muhammad Daffa (Patchstack Alliance) in WordPress Modern Events Calendar Lite plugin versions <= 6.5.1. Solution: Update the WordPress Modern Events Calendar Lite plugin to the latest available version, at least 6.5.2...
WordPress myCred plugin <= 2.4.3 - Import/Export to Email Address Disclosure vulnerability
Import/Export to Email Address Disclosure vulnerability discovered by David Hamann in WordPress myCred plugin versions <= 2.4.3. Solution: Update the WordPress myCred plugin to the latest available version, at least 2.4.4...
WordPress Ninja Forms File Uploads Extension premium plugin <= 3.3.12 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Nuno Correia (Blaze Security) in WordPress Ninja Forms File Uploads Extension premium plugin versions <= 3.3.12. Solution: Update the WordPress Ninja Forms File Uploads Extension premium plugin to the latest available version, at least...