WordPress Social Photo Gallery plugin <= 1.0 - Remote Code Execution (RCE) vulnerability
Remote Code Execution (RCE) vulnerability found by Prestigia Seguridad in WordPress Social Photo Gallery plugin versions <= 1.0. Solution: 19.11.2019 - we were unable to find a patched version of this plugin...
WordPress Blog2Social plugin <= 5.8.1 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found in WordPress Blog2Social plugin versions <= 5.8.1. Solution: Update the WordPress Blog2Social plugin to the latest available version, at least 5.9.0...
WordPress Additional Variation Images for WooCommerce plugin <= 1.1.28 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability found in WordPress Additional Variation Images for WooCommerce plugin versions <= 1.1.28. Solution: Update the WordPress Additional Variation Images for WooCommerce plugin to the latest available version, at least 1.1.29...
WordPress WP Social Feed Gallery plugin <= 2.4.7 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found in WordPress WP Social Feed Gallery plugin versions <= 2.4.7. Solution: Update the WordPress WP Social Feed Gallery plugin to the latest available version, at least 2.4.8...
WordPress Personalized WooCommerce Cart Page plugin <= 2.4 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found by Cryptography Laboratory in WordPress Personalized WooCommerce Cart Page plugin versions <= 2.4. Solution: Update the WordPress Personalized WooCommerce Cart Page plugin to the latest available version, at least 2.5...
WordPress Attendance Manager plugin <= 0.5.6 - Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) vulnerabilities
Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) vulnerabilities found in WordPress Attendance Manager plugin versions <= 0.5.6. Solution: Update the WordPress Attendance Manager plugin to the latest available version, at least 0.5.7...
WordPress Widget Logic plugin <= 5.9.0 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability that leads to Remote Code Execution (RCE), found by Paul Dannewitz in WordPress Widget Logic plugin versions <= 5.9.0. Solution: Update the WordPress Widget Logic plugin to the latest available version, at least 5.10.2...
WordPress Two Factor Authentication plugin <= 1.3.12 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found by Martijn Korse in WordPress Two Factor Authentication plugin versions <= 1.3.12. Solution: Update the WordPress Two Factor Authentication plugin to the latest available version, at least 1.3.13...
WordPress Import users from CSV with meta plugin <= 1.12 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability discovered by Slawek Zytko in WordPress Import users from CSV with meta plugin versions <= 1.12. Solution: Update the WordPress Import users from CSV with meta plugin to the latest available version, at least 1.12.1...
WordPress RSVPMaker plugin <= 5.6.3 - SQL Injection (SQLi) vulnerabilities
SQL Injection (SQLi) vulnerabilities found in WordPress RSVPMaker plugin versions <= 5.6.3. Solution: Update the WordPress RSVPMaker plugin to the latest available version, at least 5.6.4...
WordPress UserPro premium plugin <= 4.9.23 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found by Yonatan Correa in WordPress UserPro premium plugin versions <= 4.9.23. Solution: Update the WordPress UserPro premium plugin to the latest available version, at least 4.9.24...
WordPress wpForo Forum plugin <= 1.4.11 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability found by Ryan Dewhurst Security in WordPress wpForo Forum plugin versions <= 1.4.11. Solution: Update the WordPress wpForo Forum plugin to the latest available version, at least 1.4.12...
WordPress WooCommerce Category Banner Management plugin <= 1.1.0 - Unauthenticated Settings Change Vulnerability
Unauthenticated Settings Change vulnerability found by ThreatPress Research Team in WordPress WooCommerce Category Banner Management plugin versions <= 1.1.0. Solution: Update the WordPress WooCommerce Category Banner Management plugin to the latest available version, at least 1.1.1...
WordPress Advance Search for WooCommerce plugin <= 1.0.9 - Stored Cross-site scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability found by ThreatPress Research Team in WordPress Advance Search for WooCommerce plugin versions <= 1.0.9. Solution: 3 June 2018 - plugin still closed by the WordPress Security team, no patched version available...
WordPress WP Support Plus Responsive Ticket System plugin <= 9.0.2 - Multiple Authenticated SQL Injection (SQLi) vulnerabilities
Multiple Authenticated SQL Injection (SQLi) vulnerabilities found by 00theway in WordPress WP Support Plus Responsive Ticket System plugin versions <= 9.0.2. Solution: Update the WordPress WP Support Plus Responsive Ticket System plugin to the latest available version, at least 9.0.3...
WordPress AccessPress Anonymous Post Pro plugin <= 3.1.8 - Unauthenticated Arbitrary File Upload vulnerability
Unauthenticated Arbitrary File Upload vulnerability found by Colette Chamberland in WordPress AccessPress Anonymous Post Pro plugin versions <= 3.1.8. Improper sanitization makes it possible to upload any file with any extension. Solution: Update the WordPress AccessPress Anonymous Post Pro...
WordPress amtyThumb posts plugin 8.1.3 - Unauthenticated Cross-Site Scripting (XSS) vulnerability
Unauthenticated Cross-Site Scripting (XSS) vulnerability found in WordPress amtyThumb posts plugin version 8.1.3. Solution: 02.12.2017 - no information about a patched version. The last version was released one year ago. This looks like an abandoned plugin; use it with caution, or uninstall it...
WordPress WP Simple Booking Calendar Premium <= 5.8–5.16 - Unauthenticated Data leak
When the tooltip function is disabled, the booking notes are still included in the page source. Solution: Update the plugin to 5.17...
WordPress VaultPress plugin <= 1.9 - Unauthenticated RCE vulnerability
Unauthenticated Remote Code Execution (RCE) vulnerability found by Slavco in WordPress VaultPress plugin versions 1.89-1.9. Solution: Update the VaultPress plugin to the latest available version, at least 1.9.1...
WordPress Bad Behavior Plugin <= 2.2.18 - Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerabilities
Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) vulnerabilities were found in WordPress Bad Behavior Plugin version 2.2.18. In the file /bad-behavior-wordpress-admin.php, settings are saved without any sanitization, and when they are output on the front end, no escaping is done...
WordPress PressForward plugin <= 5.2.3 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by DefenseCode in WordPress PressForward plugin versions <= 5.2.3. Solution: Update the WordPress PressForward plugin to the latest available version, at least 5.2.4...
WordPress IBPS Online Exam plugin <= 1.0 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability found in WordPress IBPS Online Exam plugin versions <= 1.0. Blind SQL injection is possible when logged in as a student. Solution: 2017.07.29 - We were unable to find information about a patched release of the WordPress IBPS Online Exam plugin. Also, we were...
WordPress Plugin WP Jobs <= 1.4 - SQL Injection
WordPress Plugin WP Jobs version 1.4 and earlier releases are vulnerable to SQL injection. This vulnerability allows authenticated users to execute arbitrary SQL commands via the "jobid" parameter to wp-admin/edit.php. The issue is fixed in WP Jobs plugin version 1.5; please update as soon as possible...
WordPress Post Indexer Plugin <= 3.0.6.1 - PHP Object Injection
Because of this vulnerability, the blog makes an automated encrypted HTTP request to premium.wpmudev.org and then passes the returned value to unserialize. It is possible for premium.wpmudev.org, or anyone else, to return a string containing a maliciously encoded object that executes arbitrary code. Solutio...
WordPress WP Editor plugin <= 1.2.6.2 - Multiple Cross-Site Scripting (XSS) vulnerabilities
Multiple Cross-Site Scripting (XSS) vulnerabilities found in WordPress WP Editor plugin versions <= 1.2.6.2. Solution: Update the WordPress WP Editor plugin to the latest available version, at least 1.2.6.3...
WordPress Photoxhibit Plugin <= 2.1.8 - Reflected XSS
This plugin is prone to a cross-site scripting vulnerability. Solution: Update the plugin...
WordPress SEO by Yoast Plugin <= 3.2.5 - Cross Site Scripting
This plugin is prone to an unspecified cross-site scripting vulnerability. Solution: Update the plugin...
WordPress Anti Plagiarism Plugin <= 3.60 - Cross-Site Scripting (XSS)
This plugin is prone to a cross-site scripting vulnerability, because the variable "m" appears to send unsanitized data back to the user's browser. Solution: Update the plugin...
WordPress WP Advanced Comment Plugin 0.10 - Persistent XSS
Because of this persistent XSS vulnerability, an attacker can change the value of the "commentmetavalue" parameter. Solution: Upgrade the plugin...
WordPress Bloom Plugin <= 1.1.0 - Privilege Escalation
This plugin is prone to a privilege escalation vulnerability. Solution: Update the plugin...
WordPress WP User Frontend Plugin 2.3.10 - Unrestricted File Upload
Because of this vulnerability, anyone can upload files to the web server by performing certain "wpuffileupload" or "wpufinsertimage" actions. Solution: Upgrade the plugin...
WordPress User Meta Manager Plugin 3.4.6 - Blind SQL Injection
Because of this vulnerability, arbitrary MySQL commands can be passed to the "ummuser" GET parameter by a registered user. Solution: Update the plugin...
WordPress Cool Video Gallery Plugin <= 1.9 - Command Injection
This vulnerability in lib/core.php allows an attacker to execute arbitrary code via shell metacharacters in the "Width of preview image" setting. Solution: Update the plugin...
WordPress Simple Fields Plugin <= 1.4.10 - Cross Site Scripting
Because of this vulnerability, attackers can inject arbitrary JavaScript or HTML code. Solution: Update the plugin...
WordPress Quiz And Survey Master Plugin <= 4.4.2 - Blind SQL Injection
Because of this vulnerability, authenticated users can execute arbitrary SQL commands. Solution: Update the plugin...
WordPress GD bbPress Attachments Plugin <= 2.2 - XSS
This vulnerability is in forms/panels.php. It allows an attacker to inject arbitrary web script or HTML via the "tab" parameter of the gdbbpressattachments page in wp-admin/edit.php. Solution: Update the plugin...
WordPress Swim Team Plugin <= 1.44.10777 - Absolute Path Traversal
This vulnerability is in include/user/download.php. It allows an attacker to read arbitrary files via a full pathname in the "file" parameter. Solution: Update the plugin...
WordPress S3Bubble Cloud Video With Adverts & Analytics 0.7 - Arbitrary File Download
S3Bubble Cloud Video With Adverts & Analytics plugin is prone to an arbitrary file download vulnerability. It allows an attacker to download arbitrary files from the web server and obtain potentially sensitive information. Solution: Update the plugin...
WordPress Download Manager Plugin <= 2.2.2 - XSS
This plugin is prone to a cross-site scripting vulnerability via the admin.php "cid" parameter. Solution: Update the plugin...
WordPress Annonces Plugin <= 1.2.0.1 - Shell Upload
This plugin is prone to a shell upload vulnerability. Solution: Update the plugin...
WordPress Banners Lite Plugin <= 1.4.0 - Cross Site Scripting
Because of this vulnerability, attackers can inject arbitrary JavaScript or HTML code. Solution: Update the plugin...
WordPress eShop Magic Plugin <= 0.1 - Local File Inclusion
This plugin is prone to a path traversal vulnerability in the eshop-magic/download.php "file" parameter that allows arbitrary file access. It allows attackers to disclose sensitive information. Solution: Update the plugin...
WordPress SP Project & Document Manager Plugin 2.5.3 - Blind SQL Injection
SP Project & Document Manager plugin is prone to a blind SQL injection in the thumbnails function, located at /wp-content/plugins/sp-client-document-manager/ajax.php. Solution: Upgrade the plugin...
WordPress SEO by Yoast Plugin <= 1.7.3 - Multiple Vulnerabilities
Multiple cross-site request forgery vulnerabilities exist in admin/class-bulk-editor-list-table.php. Because of these vulnerabilities, attackers can hijack the authentication of certain users for requests that conduct SQL injection attacks. Solution: Update the plugin...
WordPress Another WordPress Classifieds Plugin - XSS
Because of this vulnerability, attackers can inject arbitrary web script or HTML via the query string to the default URI. Solution: Update the plugin...
WordPress Flashy Theme <= 1.3 - XSS
This vulnerability allows attackers to inject arbitrary web script or HTML via unspecified vectors. Solution: This theme is no longer being developed or maintained. It is recommended to stop using it...
WordPress Banner Effect Header Plugin <= 1.2.6 - Multiple Vulnerabilities
A cross-site request forgery and a cross-site scripting vulnerability exist in this plugin. Because of these vulnerabilities, attackers can hijack the authentication of administrators for requests that conduct cross-site scripting attacks via the "bannereffectemail" parameter in the BannerEffectOption...
WordPress Frontend Uploader Plugin <= 0.9.2 - XSS
This vulnerability allows attackers to inject arbitrary web script or HTML. Solution: Update the plugin...
WordPress TwitterDash Plugin <= 2.1 - CSRF and XSS
Because of these cross-site request forgery vulnerabilities, attackers can hijack the authentication of administrators for requests. In that way they can change plugin settings via unspecified vectors or conduct cross-site scripting attacks. Solution: This plugin is closed...
WordPress Bird Feeder Plugin <= 1.2.3 - Multiple CSRF and XSS
Because of these cross-site request forgery vulnerabilities, attackers can hijack the authentication of administrators for requests. In that way they can change plugin settings via unspecified vectors or conduct cross-site scripting attacks. Solution: This plugin is closed...