Lucene search
K
WpvulndbMost viewed

14602 matches found

WPVulnDB
WPVulnDB
added 2020/05/28 12:0 a.m.27 views

MapPress Maps < 2.54.6 - Improper Capability Checks in AJAX Calls

Due to incomplete fixes for CVE-2020-12077, an attacker with subscriber privileges may be able to download, delete and upload arbitrary PHP files, which could result in remote command execution...

6.5CVSS4.3AI score0.05606EPSS
Exploits3References1Affected Software1
WPVulnDB
WPVulnDB
added 2020/04/30 12:0 a.m.27 views

WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in Search Block

Description An authenticated user could customise the class of the search block, leading to Cross-Site Scripting XSS...

6.4CVSS5.5AI score0.01437EPSS
Exploits0References4
WPVulnDB
WPVulnDB
added 2020/01/06 12:0 a.m.27 views

Awesome Support < 6.0.0 - Stored XSS via Ticket Title

The lack of sanitisation in the posttitle of a ticket could allow users with the Support Supervisor capability to create tickets containing XSS payloads. The risk is relatively low, as CSRF checks are in place and the affected role is close to an admin one. Using the DISALLOWUNFILTEREDHTML consta...

3.5CVSS3.6AI score0.00717EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2019/10/31 12:0 a.m.27 views

YIT Plugin Framework <= 3.3.8 - Authenticated Plugin's Settings Change

...

4CVSS2.1AI score0.00948EPSS
Exploits0References1Affected Software38
WPVulnDB
WPVulnDB
added 2019/09/05 12:0 a.m.28 views

WordPress 5.2.2 - Potential Open Redirect

Description According to the WordPress release notes: "Props to Tim Coen for disclosing an issue where validation and sanitization of a URL could lead to an open redirect. "...

6.1CVSS6.3AI score0.0255EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2019/07/23 12:0 a.m.27 views

WPS Limit Login <= 1.4.5 - Multiple Issues

Protection Bypass, Stored XSS...

1.8AI score
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2019/06/26 12:0 a.m.27 views

LiveChat <= 3.7.2 - Unauthenticated Option Update/Reset and Stored XSS

The lack of proper CSRF and Authorisation checks could allow an unauthenticated attacker to update or reset the plugin's settings. Furthermore, when updating the livechatemail option, no sanitisation is performed, leading to a Stored XSS issue in the plugin's settings page. CSRF and XSS fixed in...

0.5AI score
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2019/05/10 12:0 a.m.27 views

Form Maker by 10Web < 1.13.3 - Authenticated SQL Injection

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin was affected by an Authenticated SQL Injection security vulnerability...

7.5CVSS2.6AI score0.06214EPSS
Exploits6References1Affected Software1
WPVulnDB
WPVulnDB
added 2019/05/06 12:0 a.m.27 views

W3 Total Cache <= 0.9.7.3 - Cross-Site Scripting (XSS)

The W3 Total Cache WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability. PoC...

1.5AI score
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2019/04/08 12:0 a.m.27 views

Groundhogg < 1.3.5 - Remote Code Execution

The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg WordPress plugin was affected by a Remote Code Execution security vulnerability...

6.5CVSS3.2AI score0.04529EPSS
Exploits1Affected Software1
WPVulnDB
WPVulnDB
added 2019/03/14 12:0 a.m.27 views

SG Optimizer <= 5.0.12 - Unauthenticated File Upload

According to the original researchers: "A successful attack on the SiteGround Optimizer would allow bad actors to store backdoors on vulnerable sites."...

4.9AI score
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2018/12/13 12:0 a.m.27 views

WordPress <= 5.0 - Authenticated File Delete

Description According to WordPress: "Karim El Ouerghemmi discovered that authors could alter meta data to delete files that they weren’t authorized to."...

6.5CVSS7.7AI score0.03596EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2017/11/14 12:0 a.m.27 views

TablePress <= 1.8 - Authenticated XML External Entity (XXE)

The TablePress WordPress plugin was affected by an Authenticated XML External Entity XXE security vulnerability...

4CVSS2.5AI score0.01058EPSS
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2017/07/10 12:0 a.m.27 views

WP Live Chat Support < 7.1.03 - XSS

The 3CX Live Chat WordPress plugin was affected by a XSS security vulnerability...

4.3CVSS1.6AI score0.00933EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2017/05/24 12:0 a.m.27 views

All In One Schema.org Rich Snippets <= 1.4.4 - Authenticated Cross-Site Scripting (XSS)

The Schema – All In One Schema Rich Snippets WordPress plugin was affected by an Authenticated Cross-Site Scripting XSS security vulnerability. PoC http://vulnerablesite.com/wp-admin/admin.php?page=richsnippetdashboardforcesend=truesendlabel=...

4.3CVSS0.5AI score0.00897EPSS
Exploits1References2Affected Software1
WPVulnDB
WPVulnDB
added 2017/05/16 12:0 a.m.27 views

WordPress 3.3-4.7.4 - Large File Upload Error XSS

...

4.3CVSS1.3AI score0.01925EPSS
Exploits0References4Affected Software1
WPVulnDB
WPVulnDB
added 2017/04/01 12:0 a.m.27 views

Image Gallery with Slideshow <= 1.5.2 - Multiple XSS and SQL Injection

The plugin is still affected and has been closed...

7.5CVSS2.9AI score0.03435EPSS
Exploits5References1Affected Software1
WPVulnDB
WPVulnDB
added 2017/02/20 12:0 a.m.27 views

AnyVar 0.1.1 - Stored Cross-Site Scripting (XSS)

The anyvar WordPress plugin was affected by a Stored Cross-Site Scripting XSS security vulnerability...

4.3CVSS1.5AI score0.0091EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2016/11/15 12:0 a.m.27 views

NextGEN Gallery <= 2.1.56 - Authenticated Local File Inclusion (LFI) & SQLi

The WordPress Gallery Plugin – NextGEN Gallery WordPress plugin was affected by an Authenticated Local File Inclusion LFI & SQLi security vulnerability...

7.5CVSS2.6AI score0.02538EPSS
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2016/06/21 12:0 a.m.27 views

WordPress 4.5.2 - Redirect Bypass

...

5CVSS1.5AI score0.02832EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2016/06/21 12:0 a.m.27 views

WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS

...

4.3CVSS2.2AI score0.02123EPSS
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2015/09/15 12:0 a.m.27 views

WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)

...

3.5CVSS1AI score0.02148EPSS
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2015/07/27 12:0 a.m.27 views

Clean Login < 1.5.1 - Reflected XSS

The Clean Login WordPress plugin was affected by a Reflected XSS security vulnerability...

4.3CVSS2.7AI score0.00923EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2015/07/22 12:0 a.m.27 views

Count Per Day 3.4 - SQL Injection

The Count per Day WordPress plugin was affected by a SQL Injection security vulnerability...

6.5CVSS2.7AI score0.07166EPSS
Exploits4References1Affected Software1
WPVulnDB
WPVulnDB
added 2015/06/08 12:0 a.m.27 views

Easy2Map <= 1.24 - SQL Injection

The Function.php file uses sprintf to format queries being sent to the database, this doesn't provide proper sanitisation of user input or properly parameterises the query. PoC $ sqlmap -u 'http://www.example.com/wp-admin/admin-ajax.php' --data="mapID=11='+or+1%3D%3D1%3B=e2mimgsavemapname"...

7.5CVSS2.4AI score0.105EPSS
Exploits5References3Affected Software1
WPVulnDB
WPVulnDB
added 2015/05/12 12:0 a.m.27 views

Adsense Click Fraud Monitoring <= 1.7.5 - XSS

XSS via the phpwhois https://github.com/phpWhois/phpWhois component, which is also affected by a RCE apparently https://github.com/phpWhois/phpWhois/issues/34. It is unclear whether or not the issue has been fixed in the plugin...

4.3CVSS1.7AI score0.01117EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2015/04/26 12:0 a.m.27 views

WordPress <= 4.2 - Unauthenticated Stored Cross-Site Scripting (XSS)

...

4.3CVSS1.6AI score0.17945EPSS
Exploits1References3Affected Software1
WPVulnDB
WPVulnDB
added 2015/04/02 12:0 a.m.27 views

Simple Ads Manager <= 2.5.94 - Arbitrary File Upload & SQL Injection

The simple-ads-manager WordPress plugin was affected by an Arbitrary File Upload & SQL Injection security vulnerability...

7.5CVSS2.9AI score0.14451EPSS
Exploits17References7Affected Software1
WPVulnDB
WPVulnDB
added 2014/12/07 12:0 a.m.27 views

ChurcHope Theme <= 2.1 - Local File Inclusion (LFI)

The vulnerability is caused by improper filtration of user-supplied input passed via the 'file' HTTP GET parameter to the '/lib/downloadlink.php' script, which is publicly accessible. PoC http://www.example.com/wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php...

0.9AI score
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2014/10/13 12:0 a.m.27 views

WP-DBManager < 2.7.2 - Authenticated Command Injection

The WP-DBManager WordPress plugin was affected by an Authenticated Command Injection security vulnerability...

6.5CVSS3.1AI score0.03471EPSS
Exploits5References2Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 10:59 a.m.27 views

wpcb 2.4.8 - facture.php id Parameter Reflected XSS

The wpcb WordPress plugin was affected by a facture.php id Parameter Reflected XSS security vulnerability...

4.3CVSS2.8AI score0.01629EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 10:59 a.m.27 views

Cart66 Lite - admin.php cart66-products Page Multiple Field Stored XSS

The cart66-lite WordPress plugin was affected by an admin.php cart66-products Page Multiple Field Stored XSS security vulnerability...

4.3CVSS5.9AI score0.04084EPSS
Exploits6References2Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 10:58 a.m.27 views

seo-spy-google - ofc_upload_image.php Arbitrary File Upload

The seo-spy-google-wordpress-plugin WordPress plugin was affected by an ofcuploadimage.php Arbitrary File Upload security vulnerability...

7.5CVSS6.3AI score0.75838EPSS
Exploits8References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 10:58 a.m.27 views

php-analytics - ofc_upload_image.php Arbitrary File Upload

The php-analytics WordPress plugin was affected by an ofcuploadimage.php Arbitrary File Upload security vulnerability...

7.5CVSS6.3AI score0.75838EPSS
Exploits8References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 10:58 a.m.27 views

jaspreetchahals-coupons-lite <= 2.1 - XSS in ZeroClipboard

The JC Coupon WordPress plugin was affected by a XSS in ZeroClipboard security vulnerability...

4.3CVSS1.5AI score0.06316EPSS
Exploits4References2Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 10:58 a.m.27 views

geshi-source-colorer <= 0.13 - XSS in ZeroClipboard

The geshi-source-colorer WordPress plugin was affected by a XSS in ZeroClipboard security vulnerability...

4.3CVSS1.8AI score0.06316EPSS
Exploits4References2Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 10:58 a.m.27 views

Mingle Forum 1.0.33.3 - wpf.class.php Multiple Parameter SQL Injection

The mingle-forum WordPress plugin was affected by a wpf.class.php Multiple Parameter SQL Injection security vulnerability...

7.5CVSS2.6AI score0.02193EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 10:58 a.m.27 views

WP125 <= 1.4.9 - CSRF

The WP125 WordPress plugin was affected by a CSRF security vulnerability...

6.8CVSS3AI score0.0119EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 12:0 a.m.27 views

WordPress <= 3.3.2 - Cross-Site Scripting (XSS) in wp-includes/default-filters.php

...

4.3CVSS1.3AI score0.0212EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 12:0 a.m.27 views

WordPress 3.6 - SWF/EXE File Upload Cross-Site Scripting (XSS)

...

3.5CVSS1.4AI score0.01764EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 12:0 a.m.27 views

WordPress 2.1.2 - Authenticated XMLRPC SQL Injection

...

6.5CVSS2.7AI score0.07167EPSS
Exploits1References3Affected Software1
WPVulnDB
WPVulnDB
added 2013/06/21 12:0 a.m.27 views

Wordpress 3.4 - 3.5.1 /wp-admin/users.php Malformed s Parameter Path Disclosure

...

1.8AI score
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2012/04/20 12:0 a.m.27 views

WordPress 2.5 - 3.3.1 XSS in swfupload

...

5CVSS1.4AI score0.05323EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/24 12:0 a.m.26 views

Divi < 4.25.2 - Contributor+ Stored XSS

Description The theme is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesse...

6.4CVSS5.6AI score0.00263EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.26 views

Checkout Field Editor for WooCommerce (Pro) < 3.6.3 - Unauthenticated Arbitrary File Deletion

Description The Checkout Field Editor for WooCommerce Pro plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 3.6.2. This is due to the plugin not properly validating a file or it's path prior to deleting it. This makes it possible for unauthenticat...

9.1CVSS7.5AI score0.0059EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/05 12:0 a.m.26 views

Slider Revolution < 6.7.11 - Authenticated (Author+) Stored Cross-Site Scripting

Description The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 6.7.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to...

5.9CVSS7.8AI score0.00283EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/29 12:0 a.m.26 views

Praison SEO WordPress <= 4.0.15 - Authenticated (Author+) Stored Cross-Site Scripting

Description The Praison SEO WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to...

6.5CVSS5.6AI score0.00256EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/23 12:0 a.m.26 views

WP-ViperGB < 1.6.2 - Cross-Site Request Forgery

Description The WP-ViperGB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.1. This is due to missing or incorrect nonce validation when saving plugin settings. This makes it possible for unauthenticated attackers to change the plugin's...

4.3CVSS6.4AI score0.00185EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/15 12:0 a.m.26 views

Tutor LMS Pro < 2.7.1 - Missing Authorization

Description The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to add,...

8.2CVSS6.8AI score0.00329EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/09 12:0 a.m.26 views

LearnPress – WordPress LMS Plugin < 4.2.6.6 - Unauthenticated Time-Based SQL Injection

Description The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the ‘termid’ parameter in versions up to, and including, 4.2.6.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...

9.8CVSS9.6AI score0.36925EPSS
Exploits2References1Affected Software1
Total number of security vulnerabilities5000