14603 matches found
Blog2Social <= 5.0.2 - Authenticated Cross-Site Scripting (XSS)
The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin was affected by an Authenticated Cross-Site Scripting XSS security vulnerability. PoC http://example.com/wp-admin/admin.php?page=blog2social-ship=70&b2s;action=1&b2s;updatepublishdate='"...
JSmol2WP <= 1.07 - Unauthenticated Cross-Site Scripting (XSS)
The jsmol2wp WordPress plugin was affected by an Unauthenticated Cross-Site Scripting XSS security vulnerability. PoC http://localhost:8080/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true=saveFile=%3Cscript%3Ealert/xss/%3C/script%3E=text/html;%20charset=utf-8...
Yoast SEO <= 9.1 - Authenticated Race Condition
According to the changelog, "Race Condition which leads to command execution, by users with SEO Manager roles."...
Social Sharing Plugin – Kiwi <= 2.0.10 - Update Any Option
The Social Sharing Plugin – Kiwi WordPress plugin was affected by an Update Any Option security vulnerability...
Enfold Theme < 4.2.1 - Rewrite Portfolio Permalink Structure & Information Disclosure
The changelog describes two security fixes: - fixed: security issue that would allow an attacker to export your enfold theme settings - fixed: security issue that allowed an attacker to rewrite the portfolio permalink structure...
Read and Understood <= 2.1 - Authenticated Stored XSS & CSRF
The Read and Understood WordPress plugin was affected by an Authenticated Stored XSS & CSRF security vulnerability...
WordPress Concours <= 1.1 - Authenticated Cross-Site Scripting (XSS)
The wp-concours WordPress plugin was affected by an Authenticated Cross-Site Scripting XSS security vulnerability...
WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
...
Simple Login Log <= 1.1.0 - Authenticated SQL Injection
The Simple Login Log WordPress plugin was affected by an Authenticated SQL Injection security vulnerability...
MailChimp for WordPress <= 4.1.6 - Authenticated Cross-Site Scripting (XSS)
Usage of the output of addqueryarg without escaping in various places in the WordPress Backend leads to reflected XSS vulnerability. PoC URL/wp-admin/admin.php?page=mailchimp-for-wp-integrations&"...
Photo Gallery by WD <= 1.3.50 - Authenticated SQL Injection
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin was affected by an Authenticated SQL Injection security vulnerability...
Bridge Theme <= 11.1 - DOM Cross-Site Scripting (XSS)
The bridge WordPress theme was affected by a DOM Cross-Site Scripting XSS security vulnerability...
Simple Custom CSS and JS <= 3.3 - Authenticated Cross-Site Scripting (XSS)
The Simple Custom CSS and JS WordPress plugin was affected by an Authenticated Cross-Site Scripting XSS security vulnerability...
Clean Login <= 1.7.12 - Change Redirect URL CSRF
The Clean Login WordPress plugin was affected by a Change Redirect URL CSRF security vulnerability. PoC...
Cforms & CformsII < 14.13 - SQL Injection
...
WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table
...
Stop User Enumeration 1.3.5-1.3.7 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The Stop User Enumeration WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability. PoC http://www.example.com/?author=1...
ColorWay < 3.4.2 - Cross-Site Scripting (XSS)
The ColorWay WordPress theme was affected by a Cross-Site Scripting XSS security vulnerability...
WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post
...
WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)
...
S3 Video Plugin <= 0.983 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The s3-video WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability. PoC http://www.example.com/wp-content/plugins/s3-video/views/video-management/previewvideo.php?media=""...
Music Store <= 1.0.41 - Cross-Site Scripting (XSS)
The Music Store – WordPress eCommerce WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...
WordPress 3.7-4.4.1 - Open Redirect
...
Pie-Register <= 2.0.18 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The Pie Register – User Registration Forms. Invitation based registrations, Custom Login, Payments WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability...
Easy2Map <= 1.2.9 - Reflected Cross-Site Scripting (XSS)
The Easy2Map WordPress plugin was affected by a Reflected Cross-Site Scripting XSS security vulnerability...
CKEditor for WordPress <= 4.5.3 - Authenticated Reflected Cross-Site Scripting (XSS)
The CKEditor for WordPress WordPress plugin was affected by an Authenticated Reflected Cross-Site Scripting XSS security vulnerability...
GigPress <= 2.3.10 - Authenticated XSS & Blind SQLi
The GigPress WordPress plugin was affected by an Authenticated XSS & Blind SQLi security vulnerability...
SEO Redirection < 2.9 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin was affected by an Authenticated Reflected Cross-Site Scripting XSS security vulnerability in its settings page, via the search GET parameter PoC https://example.com/wp-admin/options-general.php?page=seo-redirection.php=posts=%22+onmouseover%3Dalert%281%29+%3E...
WP Symposium <= 15.5.1 - Unauthenticated SQL Injection
Wordpress plugin wp-symposium version 15.5.1 and probably all existing previous versions suffers from an unauthenticated SQL Injection in getalbumitem.php, parameter 'size'. The issue is exploitable even if the plugin is deactivated. PoC PoC URL :...
Job Manager <= 0.7.22 - Unauthenticated Stored Cross-Site Scripting (XSS)
The Job Manager WordPress plugin was affected by an Unauthenticated Stored Cross-Site Scripting XSS security vulnerability. PoC Go to the job listings page /index.php/jobs/apply/, then click on "send through your résumé", add the payload '" to the email field. The JavaScript will be executed on t...
S3Bubble Amazon S3 Video And Audio Streaming With Analytics <= 2.0 - Arbitrary File Download
The s3bubble-amazon-s3-audio-streaming WordPress plugin was affected by an Arbitrary File Download security vulnerability...
NewStatPress <= 1.0.4 - SQL Injection
The Search functionality is susceptible to a SQL Injection attack due to usage of user input without sanitation. In particular, at line 98 of 'includes/nspsearch.php'. Utilising a specially crafted SQL query, we can trigger disclosure of user hashes through an IMG tag as the data channel. PoC The...
Nextend Twitter Connect <= 1.5.1 - Reflected Cross-Site Scripting (XSS)
The nextend-twitter-connect WordPress plugin was affected by a Reflected Cross-Site Scripting XSS security vulnerability...
NewStatPress 0.9.8 - XSS & SQL Injection
The NewStatPress WordPress plugin was affected by a XSS & SQL Injection security vulnerability...
GigPress <= 2.3.8 - Authenticated SQL Injection
The GigPress WordPress plugin was affected by an Authenticated SQL Injection security vulnerability...
Digital Store < 1.3.3 - Unspecified XSS
The digital-store WordPress theme was affected by an Unspecified XSS security vulnerability...
WooCommerce <= 2.2.10 - Cross-Site Scripting (XSS)
The WooCommerce WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...
Pictobrowser Gallery <= 0.3.1 - Multiple CSRF
Plugin is still affected and has been closed...
Ad Manager <= 1.1.2 - Open Redirection
The wordpress-admanager WordPress plugin was affected by an Open Redirection security vulnerability...
MaxButtons 1.26.0 - Cross Site Scripting (XSS)
The WordPress Button Plugin MaxButtons WordPress plugin was affected by a Cross Site Scripting XSS security vulnerability...
Google Calendar Events < 2.0.4 - XSS
The Simple Calendar – Google Calendar Plugin WordPress plugin was affected by a XSS security vulnerability...
WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite
...
BookX 1.7 - includes/bookx_export.php file Parameter Remote Path Traversal File Access
The bookx WordPress plugin was affected by an includes/bookxexport.php file Parameter Remote Path Traversal File Access security vulnerability...
Simple Retail Menus 4.0.1 - includes/mode-edit.php targetmenu Parameter SQL Injection
The Simple Retail Menus WordPress plugin was affected by an includes/mode-edit.php targetmenu Parameter SQL Injection security vulnerability...
ShareThis 7.0.3 - Setting Manipulation CSRF
The share-this WordPress plugin was affected by a Setting Manipulation CSRF security vulnerability...
Terillion Reviews < 1.2 - Profile Id Field XSS
The terillion-reviews WordPress plugin was affected by a Profile Id Field XSS security vulnerability...
Zopim Live Chat <= 1.2.5 - XSS in ZeroClipboard
The Zendesk Chat WordPress plugin was affected by a XSS in ZeroClipboard security vulnerability...
Cardoza WordPress Poll <= 34.05 - Multiple External Function Remote Poll Manipulation
The WordPress Poll WordPress plugin was affected by a Multiple External Function Remote Poll Manipulation security vulnerability...
Login With Ajax - Cross-Site Request Forgery
The Login With Ajax WordPress plugin was affected by a Cross-Site Request Forgery security vulnerability...
bbPress - forum.php page Parameter SQL Injection
The bbPress WordPress plugin was affected by a forum.php page Parameter SQL Injection security vulnerability...