Lucene search
K
WpvulndbMost viewed

14602 matches found

WPVulnDB
WPVulnDB
added 2018/01/11 12:0 a.m.28 views

WPGlobus <= 1.9.6 - Stored XSS & CSRF

The WPGlobus – Multilingual Everything! WordPress plugin was affected by a Stored XSS & CSRF security vulnerability...

6.8CVSS2.4AI score0.01024EPSS
Exploits7References2Affected Software1
WPVulnDB
WPVulnDB
added 2017/11/16 12:0 a.m.28 views

WooCommerce <= 3.2.3 - Authenticated PHP Object Injection

Versions 3.2.3 and earlier are affected by an issue where cached queries within shortcodes could lead to object injection. This is related to the recent WordPress 4.8.3 security release. This issue can only be exploited by users who can edit content and add shortcodes, but we still recommend all...

6.5CVSS3AI score0.01961EPSS
Exploits1References2Affected Software1
WPVulnDB
WPVulnDB
added 2017/06/30 12:0 a.m.28 views

WP Statistics <= 12.0.7 - Authenticated SQL Injection

The WP Statistics WordPress plugin was affected by an Authenticated SQL Injection security vulnerability...

7.5CVSS2.7AI score0.02529EPSS
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2017/02/18 12:0 a.m.28 views

Mail Masta 1.0 - Multiple SQL Injection

Multiple SQL Injection vulnerabilities in Mail Masta Plugin version 1.0 for WordPress. The plugin is still affected and has been closed. PoC Please refer to: https://github.com/hamkovic/Mail-Masta-Wordpress-Plugin...

7.5CVSS2AI score0.05643EPSS
Exploits19References2Affected Software1
WPVulnDB
WPVulnDB
added 2016/10/13 12:0 a.m.28 views

Headway Theme < 3.8.9 - Authenticated Cross-Site Scripting (XSS)

The headway WordPress theme was affected by an Authenticated Cross-Site Scripting XSS security vulnerability...

4.3CVSS1.3AI score0.00756EPSS
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2016/09/07 12:0 a.m.28 views

WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader

...

6.5CVSS3.5AI score0.03237EPSS
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2016/06/21 12:0 a.m.28 views

WordPress 4.5.2 - oEmbed Denial of Service (DoS)

...

5CVSS2.4AI score0.04084EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2015/12/02 12:0 a.m.28 views

Role Scoper <= 1.3.66 - Unauthenticated Reflected Cross-Site Scripting (XSS)

The Role Scoper Obsolete – Please install PublishPress Permissions WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability...

4.3CVSS5.8AI score0.021EPSS
Exploits3References2Affected Software1
WPVulnDB
WPVulnDB
added 2015/08/05 12:0 a.m.28 views

WordPress <= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)

...

4.3CVSS1AI score0.0564EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2015/07/04 12:0 a.m.28 views

Broken Link Manager <= 0.4.5 - Unauthenticated SQL Injection & XSS

The Broken Link Manager WordPress plugin was affected by an Unauthenticated SQL Injection & XSS security vulnerability...

7.5CVSS2.9AI score0.0239EPSS
Exploits1References2Affected Software1
WPVulnDB
WPVulnDB
added 2015/05/19 12:0 a.m.28 views

FeedWordPress <= 2015.0426 - XSS & SQL-Injection

The FeedWordPress WordPress plugin was affected by a XSS & SQL-Injection security vulnerability...

6.5CVSS1.9AI score0.03748EPSS
Exploits6References3Affected Software1
WPVulnDB
WPVulnDB
added 2015/04/27 12:0 a.m.28 views

WPS Hide Login 1.0 - CSRF

CSRF security issue when saving option value in single site and multisite mode...

6.8CVSS1.7AI score0.00718EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2015/04/20 12:0 a.m.28 views

Shoppette < 1.0.5 - Unspecified XSS

The shoppette WordPress theme was affected by an Unspecified XSS security vulnerability...

4.3CVSS1.8AI score0.00923EPSS
Exploits0References3Affected Software1
WPVulnDB
WPVulnDB
added 2015/02/19 12:0 a.m.28 views

WonderPlugin Audio Player 2.0 - Blind SQL Injection & XSS

The wonderplugin-audio WordPress plugin was affected by a Blind SQL Injection & XSS security vulnerability...

6.5CVSS2.2AI score0.04186EPSS
Exploits2References2Affected Software1
WPVulnDB
WPVulnDB
added 2015/01/29 12:0 a.m.28 views

PowerPress Podcasting < 6.0.1 - Cross-Site Scripting (XSS)

The PowerPress Podcasting plugin by Blubrry WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability. PoC /wp-admin/admin.php?page=powerpress/powerpressadmincategoryfeeds.php=powerpress-editcategoryfeed=1';"--...

4.3CVSS1.7AI score0.02237EPSS
Exploits3References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/12/12 9:20 a.m.28 views

W3 Total Cache <= 0.9.4 - Debug Mode XSS

If debug mode is enabled an XSS vector exists in the HTML comments...

4.3CVSS1AI score0.02055EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 10:59 a.m.28 views

Cart66 Lite 1.5.1.14 - admin.php cart66-products Page Product Manipulation CSRF

The cart66-lite WordPress plugin was affected by an admin.php cart66-products Page Product Manipulation CSRF security vulnerability...

6.8CVSS2.2AI score0.03154EPSS
Exploits6References2Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 10:59 a.m.28 views

Complete Gallery Manager 3.3.3 - Arbitrary File Upload

The complete-gallery-manager WordPress plugin was affected by an Arbitrary File Upload security vulnerability...

5.1CVSS2.7AI score0.14771EPSS
Exploits1References3Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 10:59 a.m.28 views

All in One SEO Pack <= 2.0.3 - XSS

The All in One SEO Pack WordPress plugin was affected by a XSS security vulnerability...

4.3CVSS2.4AI score0.01094EPSS
Exploits1References3Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 10:59 a.m.28 views

uk-cookie - Cross-Site Request Forgery (CSRF)

The uk-cookie WordPress plugin was affected by a Cross-Site Request Forgery CSRF security vulnerability...

3.7AI score
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 10:58 a.m.28 views

timelineoptinpro - XSS

The timelineoptinpro WordPress plugin was affected by a XSS security vulnerability...

2.1AI score
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 10:58 a.m.28 views

vkontakte-api - vkontakte-api/swf/tagcloud.swf tagcloud Parameter XSS

The VKontakte API – crossposting, comments, social buttons, login WordPress plugin was affected by a vkontakte-api/swf/tagcloud.swf tagcloud Parameter XSS security vulnerability...

4.3CVSS2.5AI score0.05494EPSS
Exploits1References2Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 10:58 a.m.28 views

Social Discussions - Multiple Path Disclosure

The Social Discussions WordPress plugin was affected by a Multiple Path Disclosure security vulnerability...

2AI score
Exploits0References3Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 10:58 a.m.28 views

WordPress 2.1.1 - Command Execution Backdoor

PoC http://www.example.com/wp-includes/feed.php?ix=phpinfo; http://www.example.com/wp-includes/theme.php?iz=cat /etc/passwd...

7.5CVSS0.5AI score0.27006EPSS
Exploits2References3Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 12:0 a.m.28 views

portable-phpMyAdmin < 1.3.1 - Authentication Bypass

The portable-phpmyadmin WordPress plugin was affected by an Authentication Bypass security vulnerability...

7.5CVSS2.9AI score0.23745EPSS
Exploits6References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 12:0 a.m.28 views

WP Ultimate Email Marketer - Multiple Vulnerabilities

The wp-ultimate-email-marketer WordPress plugin was affected by a Multiple Vulnerabilities security vulnerability...

6.4CVSS2.1AI score0.02083EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 12:0 a.m.28 views

WordPress 3.6 - HTML File Upload Cross-Site Scripting (XSS)

...

4.3CVSS0.4AI score0.02361EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2013/06/21 12:0 a.m.28 views

WordPress 3.5-3.5.1 oEmbed Unspecified XML External Entity (XXE)

...

4.3CVSS2.1AI score0.0225EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.27 views

Photo Gallery by 10Web – Mobile-Friendly Image Gallery < 1.8.24 - Authenticated (Contributor+) Path Traversal via esc_dir Function

Description The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.8.23 via the escdir function. This makes it possible for authenticated attackers to cut and paste copy the contents of arbitrary file...

8.8CVSS6.6AI score0.00727EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/23 12:0 a.m.27 views

Hash Form – Drag & Drop Form Builder < 1.1.1 - Unauthenticated Arbitrary File Upload to Remote Code Execution

Description The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fileuploadaction' function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload...

9.8CVSS8AI score0.50934EPSS
Exploits8References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.27 views

Media Cleaner: Clean your WordPress! < 6.7.3 - Unauthenticated Information Exposure

Description The Media Cleaner: Clean your WordPress! plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.7.2 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information...

5.3CVSS6.4AI score0.00447EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.27 views

RegistrationMagic < 5.3.2.1 - Reflected Cross-Site Scripting

Description The RegistrationMagic – User Registration Plugin with Custom Registration Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 5.3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for...

7.1CVSS6.5AI score0.00331EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/03 12:0 a.m.27 views

Blocksy < 2.0.34 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...

6.5CVSS6.1AI score0.00323EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/02 12:0 a.m.27 views

Button contact VR <= 4.7 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Click on the "Button contact" and...

5.4AI score0.0033EPSS
Exploits2References1
WPVulnDB
WPVulnDB
added 2024/05/01 12:0 a.m.27 views

ClickCease Click Fraud Protection <= 3.2.6 - Cross-Site Request Forgery

Description The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform unauthorized actions via a forged request granted they can trick a site administrator into performing an...

4.3CVSS4.4AI score0.00203EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.27 views

WP-Recall – Registration, Profile, Commerce & More < 16.26.6 - Unauthenticated SQL Injection

Description The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 16.26.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes...

9.3CVSS7.8AI score0.05851EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/24 12:0 a.m.27 views

Popup Box – Best WordPress Popup Plugin < 4.3.7 - Missing Authorization to Information Exposure

Description The Popup Box – Best WordPress Popup Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ayspbcreateauthor AJAX action in all versions up to, and including, 4.3.6. This makes it possible for unauthenticated attackers to...

5.3CVSS6.9AI score0.00623EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/11 12:0 a.m.27 views

WPBakery Visual Composer < 7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Author

Description The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Author tag attribute in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor...

6.4CVSS6AI score0.0032EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/08 12:0 a.m.27 views

Revslider < 6.7.0 - Authenticated (Author+) Stored Cross-Site Scripting

Description The Revslider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via svg upload in all versions up to, and including, 6.6.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in...

6.4CVSS5.8AI score0.00336EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/28 12:0 a.m.27 views

WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting <= 1.12.9 - Unauthenticated Stored Cross-Site Scripting

Description The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'apikey' parameter in all versions up to, and including, 1.12.9 due to insufficient input sanitization and output...

7.2CVSS6.2AI score0.00542EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/03/27 12:0 a.m.27 views

Salon booking system < 9.6.3 - Unauthenticated Stored XSS

Description The plugin does not properly sanitize and escape the 'Mobile Phone' field and 'smsprefix' parameter when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Bookings' page and the malicious...

5.6AI score0.00464EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/26 12:0 a.m.27 views

My Sticky Bar < 2.6.8 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC You should click on "My Sticky Bar...

5.4AI score0.00315EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/20 12:0 a.m.27 views

Quiz And Survey Master < 8.2.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.2.2 due to insufficient input sanitization and output escaping. This makes it...

5.9CVSS5.7AI score0.00338EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/20 12:0 a.m.27 views

YITH WooCommerce Product Add-Ons < 4.6.0 - Unuathenticated Cross-Site Scripting

Description The YITH WooCommerce Product Add-Ons plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...

7.1CVSS6.5AI score0.00398EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/20 12:0 a.m.27 views

OxyExtras < 1.4.5 - Unauthenticated Cross-Site Scripting

Description The OxyExtras plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute...

7.1CVSS6.3AI score0.00372EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/18 12:0 a.m.27 views

HUSKY – Products Filter for WooCommerce Professional < 1.3.5.3 - Contributor+ SQL Injection

Description The HUSKY – Products Filter for WooCommerce Professional plugin is vulnerable to SQL Injection via the 'name' parameter in the woof shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already...

8.8CVSS7.3AI score0.00565EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/29 12:0 a.m.27 views

LiteSpeed Cache < 5.7.0.1 - Unauthenticated CDN Status Update

Description The plugin is vulnerable to unauthorized modification of data due to a missing authorization check on the 'updatecdnstatus' function, allowing unauthenticated attackers to modify the plugin's CDN status...

8.2CVSS6.7AI score0.00413EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/28 12:0 a.m.27 views

SoundCloud Shortcode < 4.0.2 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS5.8AI score0.0034EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/09 12:0 a.m.27 views

RSS Aggregator by Feedzy < 4.4.3 - Authenticated(Contributor+) SQL Injection

Description The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to SQL Injection via the ‘searchkey’ parameter in all versions up to, and including, 4.4.2 due to insufficient escaping on the user supplied parameter an...

8.8CVSS6.9AI score0.00714EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/02 12:0 a.m.27 views

Beds24 Online Booking < 2.0.24 - Authenticated(Administrator+) Stored Cross-Site Scripting

Description The Beds24 Online Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.0.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

4.3CVSS5.9AI score0.00316EPSS
Exploits0References1Affected Software1
Total number of security vulnerabilities5000