Lucene search
K
WpvulndbMost viewed

14602 matches found

WPVulnDB
WPVulnDB
added 2018/08/21 12:0 a.m.29 views

Ninja Forms <= 3.3.13 - CSV Injection

The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin was affected by a CSV Injection security vulnerability...

6.8CVSS2.2AI score0.0179EPSS
Exploits1References2Affected Software1
WPVulnDB
WPVulnDB
added 2018/05/22 12:0 a.m.29 views

Loginizer 1.3.8-1.3.9 - Unauthenticated Stored Cross-Site Scripting (XSS)

Versions 1.3.8 to 1.3.9 the Loginizer WordPress Plugin were found to be vulnerable to Stored Cross-Site Scripting XSS. The vulnerability was due to the Plugin’s logging functionality using the $SERVER'REQUESTURI' PHP variable to create a URL string that was logged to the database without any inpu...

4.3CVSS0.1AI score0.02191EPSS
Exploits2References2Affected Software1
WPVulnDB
WPVulnDB
added 2018/04/09 12:0 a.m.29 views

Contact Form 7 to Database Extension 2.10.32 - CSV Injection

Note: The plugin has been closed on WP and moved to Github https://github.com/mdsimpson/contact-form-7-to-database-extension/releases...

6.8CVSS0.4AI score0.07743EPSS
Exploits5References1Affected Software1
WPVulnDB
WPVulnDB
added 2018/01/17 12:0 a.m.29 views

WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)

Description An XSS vulnerability was discovered in the Flash fallback files in MediaElement, a library that is included with WordPress. Because the Flash files are no longer needed for most use cases, they have been removed from WordPress...

6.1CVSS5.5AI score0.02552EPSS
Exploits0References3
WPVulnDB
WPVulnDB
added 2017/11/29 12:0 a.m.29 views

WordPress 4.3.0-4.9 - HTML Language Attribute Escaping

...

3.5CVSS0.6AI score0.02376EPSS
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2017/10/26 12:0 a.m.29 views

User Login History <= 1.5 - Cross-Site Scripting (XSS)

The User Login History WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...

4.3CVSS0.9AI score0.01041EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2017/05/16 12:0 a.m.29 views

WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC

...

5CVSS2AI score0.01775EPSS
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2017/03/09 12:0 a.m.29 views

DTracker 1.5 - Multiple Unauthenticated Blind SQL Injections

The dtracker WordPress plugin was affected by a Multiple Unauthenticated Blind SQL Injections security vulnerability...

5CVSS3AI score0.03409EPSS
Exploits2References3Affected Software1
WPVulnDB
WPVulnDB
added 2017/01/26 12:0 a.m.29 views

WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users

...

5CVSS3.1AI score0.05061EPSS
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2015/12/18 12:0 a.m.29 views

mTouch Quiz <= 3.1.2 - Multiple Vulnerabilities XSS & CSRF

The mTouch Quiz WordPress plugin was affected by a Multiple Vulnerabilities XSS & CSRF security vulnerability...

4.3CVSS1.7AI score0.0102EPSS
Exploits4References1Affected Software1
WPVulnDB
WPVulnDB
added 2015/12/15 12:0 a.m.29 views

WP Polls < 2.72 - SQL Injection

The WP-Polls WordPress plugin was affected by a SQL Injection security vulnerability...

7.5CVSS2.3AI score0.01795EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2015/02/11 12:0 a.m.29 views

Easing Slider <= 2.2.0.6 - 2 x Cross-Site Scripting (XSS)

The Easing Slider WordPress plugin was affected by a 2 x Cross-Site Scripting XSS security vulnerability...

4.3CVSS1.6AI score0.02599EPSS
Exploits3References3Affected Software1
WPVulnDB
WPVulnDB
added 2015/02/11 12:0 a.m.29 views

Ninja Forms <= 2.8.8 - Stored & Reflected XSS

The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin was affected by a Stored & Reflected XSS security vulnerability...

4.3CVSS2.2AI score0.02041EPSS
Exploits1References2Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 10:59 a.m.29 views

Pie Register - wp-login.php Multiple Parameter XSS

The Pie Register – User Registration Forms. Invitation based registrations, Custom Login, Payments WordPress plugin was affected by a wp-login.php Multiple Parameter XSS security vulnerability...

2.6CVSS1.6AI score0.06148EPSS
Exploits1References2Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 10:58 a.m.29 views

grou-r&om-image-widget - Full Path Disclosure

The grou-random-image-widget WordPress plugin was affected by a Full Path Disclosure security vulnerability...

1.4AI score
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 12:0 a.m.29 views

WordPress 3.1 - PCRE Library Remote DoS

...

5CVSS2AI score0.03155EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 12:0 a.m.29 views

Welcart e-Commerce 1.3.12 - purchase_limit Parameter DOM-based XSS

The Welcart e-Commerce WordPress plugin was affected by a purchaselimit Parameter DOM-based XSS security vulnerability...

4.3CVSS2.4AI score0.02041EPSS
Exploits1References2Affected Software1
WPVulnDB
WPVulnDB
added 2013/06/21 12:0 a.m.29 views

WordPress 3.4-3.5.1 DoS in class-phpass.php

...

4.3CVSS0.9AI score0.03373EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2013/01/21 12:0 a.m.29 views

WordPress Poll <= 34.05 - SQL Injection

The WordPress Poll WordPress plugin was affected by a SQL Injection security vulnerability...

7.5CVSS2AI score0.03177EPSS
Exploits3References2Affected Software1
WPVulnDB
WPVulnDB
added 2012/12/06 12:0 a.m.29 views

Simple Gmail Login < 1.1.4 - FPD

The Simple Gmail Login WordPress plugin was affected by a FPD security vulnerability...

5CVSS2.2AI score0.07182EPSS
Exploits1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/18 12:0 a.m.28 views

Photo Gallery by 10Web <= 1.8.25 - Missing Authorization

Description The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.8.25. This makes it possible for authenticated attackers, with Subscriber-level...

4.3CVSS6.4AI score0.00346EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.28 views

Survey Maker – Best WordPress Survey Plugin < 3.6.4 - Unauthenticated Stored Cross-Site Scripting

Description The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in all versions up to, and including, 3.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary...

6AI score0.00356EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.28 views

XML Sitemap & Google News < 5.4.9 - Unauthenticated Local File Inclusion

Description The XML Sitemap & Google News plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.4.8 via the 'feed' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the...

8.1CVSS7.8AI score0.00743EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/01 12:0 a.m.28 views

WooCommerce Amazon Affiliates - Wordpress Plugin <= 14.0.10 - Unauthenticated SQL Injection

Description The WZone plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 14.0.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to...

9.3CVSS7.8AI score0.00629EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/01 12:0 a.m.28 views

XStore < 9.3.9 - Unauthenticated Local File Inclusion

Description The theme is vulnerable to Local File Inclusion, allowing unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution...

9CVSS9.9AI score0.00597EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/01 12:0 a.m.28 views

XStore Core <= 5.3.5 - Unauthenticated Privilege Escalation

Description The XStore Core plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.3.5. This makes it possible for unauthenticated attackers to gain higher privileged access to a vulnerable site...

9.8CVSS7.5AI score0.00571EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.28 views

Zynith SEO <= 7.4.9 - Unauthenticated Stored Cross-Site Scripting

Description The Zynith SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...

8.6CVSS8AI score0.00463EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/24 12:0 a.m.28 views

Forminator < 1.15.4 - Reflected Cross-Site Scripting

Description The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.15.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

6.3AI score0.00632EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/18 12:0 a.m.28 views

LearnPress – WordPress LMS Plugin < 4.2.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the id value in all versions up to, and including, 4.2.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS5.8AI score0.0032EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/17 12:0 a.m.28 views

Ovic Addon Toolkit <= 2.6.1 - Missing Authorization

Description The Ovic Addon Toolkit plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.6.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an...

4.3CVSS6.2AI score0.0046EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/11 12:0 a.m.28 views

Multiple Page Generator Plugin – MPG < 3.4.1 - Cross-Site Request Forgery

Description The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.0. This is due to missing or incorrect nonce validation on the deleteproject action. This makes it possible for unauthenticated attackers to...

8.8CVSS6.1AI score0.00221EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/09 12:0 a.m.28 views

Essential Grid < 3.1.2 - Unauthenticated Private Post Disclosure

Description The Essential Grid Gallery WordPress Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.1 via the onfrontajaxaction function. This makes it possible for unauthenticated attackers to view private and password protected...

5.3CVSS6.8AI score0.00688EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.28 views

File Manager < 7.2.6 - Authenticated (Administrator+) Directory Traversal

Description The File Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 7.2.5 via the fmdownloadbackup function. This makes it possible for authenticated attackers, with administrator access and above, to read the contents of arbitrary zip file...

6.8CVSS6.6AI score0.00911EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/03 12:0 a.m.28 views

Slider by Supsystic < 1.8.11 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description The Slider by Supsystic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

5.9CVSS5.8AI score0.00359EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/01 12:0 a.m.28 views

Aparat for WordPress < 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Aparat for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, t...

6.5CVSS5.7AI score0.00331EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/29 12:0 a.m.28 views

Ultimate Addons for Beaver Builder – Lite < 1.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Separator Widget

Description The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Separator widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...

6.4CVSS5.9AI score0.00433EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/29 12:0 a.m.28 views

Easy Social Feed < 6.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via fb_appid

Description The Easy Social Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘fbappid' parameter in versions up to, and including, 6.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.5CVSS5.8AI score0.00339EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/28 12:0 a.m.28 views

WP ERP <= 1.12.9 - Authenticated (AccountingManager+) SQL Injection

Description The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to time-based SQL Injection via the id parameter via the erp/v1/accounting/v1/vendors/1/products/ REST route in all versions up to, and including, 1.12.9...

7.2CVSS7.6AI score0.00547EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/03/26 12:0 a.m.28 views

The Plus Addons for Elementor < 5.4.2 - Contributor+ LFI

Description The plugin is vulnerable to Local File Inclusion via the Team Member Listing and Clients widgets. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code i...

8.8CVSS7.9AI score0.00594EPSS
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/25 12:0 a.m.28 views

Paid Memberships Pro < 3.0 - Cross-Site Request Forgery

Description The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.12.10. This is due to missing nonce validation on the pmproliftersavestreamlineoption...

4.3CVSS6.2AI score0.00912EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/20 12:0 a.m.28 views

Premmerce Permalink Manager for WooCommerce < 2.3.11 - Unauthenticated Local File Inclusion

Description The Premmerce Permalink Manager for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.3.10. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of...

8.3CVSS8.2AI score0.0146EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/20 12:0 a.m.28 views

Avada < 7.11.7 - Authenticated (Contributor+) Server-Side Request Forgery via form_to_url_action

Description The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.11.6 via the formtourlaction function. This makes it possible for authenticated attackers, with contributor-level access and...

6.4CVSS6.5AI score0.00517EPSS
Exploits1References1
WPVulnDB
WPVulnDB
added 2024/03/08 12:0 a.m.28 views

Ultimate Member < 2.8.4 - Unauthenticated Stored Cross-Site Scripting

Description The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the several parameters in all versions up to, and including, 2.8.3 due to insufficient input...

7.2CVSS6.2AI score0.26666EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/29 12:0 a.m.28 views

Visual Composer Premium < 45.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Visual Composer Website Builder, Landing Page Builder, Custom Theme Builder, Maintenance Mode & Coming Soon Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom fields in all versions up to, and including, 45.6.0 due to insufficient input...

6.4CVSS5.9AI score0.00416EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/01/26 12:0 a.m.28 views

InstaWP Connect < 0.1.0.10 - Missing Authorization to Sensitive Information Dislcosure

Description The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in all versions up to, and including, 0.1.0.9. This makes it possible for authenticated attackers, with subscriber-level access and...

4CVSS6.4AI score0.00504EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/01/17 12:0 a.m.28 views

AI Engine: ChatGPT Chatbot < 1.9.99 - Unauthenticated Arbitrary File Upload

Description The plugin is vulnerable to arbitrary file uploads due to missing file type validation in the 'restupload' function in all versions up to, and including, 1.9.98. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make...

10CVSS7.9AI score0.65046EPSS
Exploits4References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/01/15 12:0 a.m.28 views

Beds24 Online Booking < 2.0.25 - Contributor+ Stored XSS

Description The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks...

6.5CVSS8.1AI score0.0032EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/01/15 12:0 a.m.28 views

Seraphinite Accelerator < 2.20.48 - Unauthenticated Sensitive Information Exposure via Log File

Description The plugin is vulnerable to Sensitive Information Exposure, allowing unauthenticated attackers to extract sensitive user or configuration data from log files...

5.3CVSS9.4AI score0.00443EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/01/15 12:0 a.m.28 views

Barcode Scanner with Inventory & Order Manager < 1.5.2 - Unauthenticated SQL Injection via userToken

Description The Simple Inventory Management – just scan barcode to manage products and orders. For WooCommerce plugin for WordPress is vulnerable to SQL Injection via the ‘userToken’ parameter in all versions up to 1.5.2 exclusive due to insufficient escaping on the user supplied parameter and la...

9.8CVSS7.8AI score0.00553EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/01/05 12:0 a.m.28 views

BookingPress < 1.0.75 - Unauthenticated Booking Price Manipulation

Description The plugin does not have proper validation in its bookingpressconfirmbooking, allowing unauthenticated user to modify the price of an appointment...

5CVSS7.1AI score0.00655EPSS
Exploits0References1Affected Software1
Total number of security vulnerabilities5000