14603 matches found
WebP Converter for Media <= 1.0.2 - Cross-Site Request Forgery (CSRF)
The WebP Converter for Media WordPress plugin was affected by a Cross-Site Request Forgery CSRF security vulnerability...
WP-Members <= 3.2.7 - Cross-Site Request Forgery (CSRF)
No CSRF Protection on Add new Fields. Can also Edit and Delete fields the same way. PoC 1.Download csrfwp-members.html 2.Change URL in html file.FORM ACTION. 3.Submit Request. Video POC : https://drive.google.com/file/d/1TuJK0NjxznjTDmoJF5wbGu2vMAXXikw/view?usp=sharing HTMLFILE :...
Hostel Plugin <= 1.1.3 - Unauthenticated Stored XSS
This vulnerability allows any user can inject Javascript code and the code will be executed on the admin side when he visits the Bookings Page Authentication Required:No Affected Version: 1.1.3 or possibly below Fixed version:1.1.4...
Option Tree < 2.7.0 - PHP Object Injection
The OptionTree WordPress plugin was affected by a PHP Object Injection security vulnerability...
Form Maker by 10Web < 1.13.5 - Cross-Site Request Forgery (CSRF) to LFI
Form Maker by WD plugin suffers from a CSRF issue that could lead to an LFI attack...
Booking < 8.4.5.15 - SQL Injection
The Booking Calendar WordPress plugin was affected by a SQL Injection security vulnerability...
WP Live Chat Support < 8.0.18 - Cross-Site Scripting (XSS)
The 3CX Live Chat WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...
LoginPress <= 1.1.15 - Authenticated Blind SQL Injection
Blind time-based SQL injection, combined with lack of permission check resulted in an unauthorised attack which can be performed by any user on the site including subscriber profiles. 1. Lack of permission check in settings import Similar to our recent analysis, this vulnerability was also caused...
WP GDPR Compliance <= 1.4.2 - Unauthenticated Call Any Action or Update Any Option
The plugin WP GDPR Compliance allows unauthenticated users to execute any action and to update any database value. If the request data form is available for unauthenticated users, even unauthenticated users are able to do this. See references for discussion of the issue. The problem is in the fil...
WPML <= 3.6.3 - Unauthenticated Stored Cross-Site Scripting (XSS)
The sitepress-multilingual-cms WordPress plugin was affected by an Unauthenticated Stored Cross-Site Scripting XSS security vulnerability. PoC POST /wp-admin/admin.php?page=sitepress-multilingual-cms-3.6.3%2Fmenu%2Ftheme-localization.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Windows NT...
Geo Mashup <= 1.10.3 - Unspecified Cross-Site Scripting (XSS)
The Geo Mashup WordPress plugin was affected by an Unspecified Cross-Site Scripting XSS security vulnerability...
Open Graph for Facebook, Google+ and Twitter Card Tags <= 2.2.4 - Authenticated Reflected XSS
There is a reflected XSS vulnerability caused by "Open Graph for Facebook, Google+ and Twitter Card Tags" in the wdfbogerror parameter on a GET request when editing a post. This can be exploited by tricking an authenticated Wordpress administrator into clicking a malicious link. This vulnerabilit...
Booking Calendar <= 2.2.2 - Parameters Tampering Allowing Arbitrary Prices Change
Note: It is unclear whether or not this issue has been remediated...
Tagregator <= 0.6 - Stored XSS
The Tagregator WordPress plugin was affected by a Stored XSS security vulnerability...
WP Background Takeover <= 4.1.4 - Directory Traversal
Allows for an attacker to browse files via the download.php file PoC http://target.com/wp-content/plugins/wpsite-background-takeover/exports/download.php?filename=../../../../wp-config.php...
Newsletters Lite < 4.6.8.6 - PHP Object Injection
The Newsletters WordPress plugin was affected by a PHP Object Injection security vulnerability...
Ninja Forms < 3.2.15 - Parameter Tampering
The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin was affected by a Parameter Tampering security vulnerability...
Soundy Background Music <= 3.9 - Cross-Site Scripting (XSS)
The last time it was checked the plugin was still affected and had been closed...
Elementor Page Builder <= 1.7.12 - Authenticated Unrestricted Editing
Many AJAX actions are unsecured, allowing logged in users unrestricted access to the internal Elementor functions...
PopCash.Net Code Integration Tool <= 1.0 - Cross-Site Scripting (XSS)
The PopCash Code Integration Tool WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...
Responsive Image Gallery, Gallery Album <= 1.2.0 - Authenticated SQL Injection
The Responsive Image Gallery, Gallery Album WordPress plugin was affected by an Authenticated SQL Injection security vulnerability...
BackupGuard < 1.1.47 - Authenticated Cross-Site Scripting (XSS)
The WordPress Backup and Migrate Plugin – Backup Guard WordPress plugin was affected by an Authenticated Cross-Site Scripting XSS security vulnerability...
EELV Newsletter < 4.6.1 - CSRF & XSS
The EELV Newsletter WordPress plugin was affected by a CSRF & XSS security vulnerability...
Nelio Ab Testing < 4.6.4 - CSRF
The Nelio AB Testing WordPress plugin was affected by a CSRF security vulnerability...
Twitter Cards Meta <= 2.4.5 - CSRF and XSS
The Twitter Cards Meta – Best Twitter Card Plugin for WordPress WordPress plugin was affected by a CSRF and XSS security vulnerability...
Dtracker <= 1.5 - Unauthorised Contract Creation
Plugin is still affected and has been closed...
Wp2android 1.1.4 - Unauthenticated File Upload
Plugin is still affected and has been closed...
WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds
Description This can be exploited by unauthenticated users in versions 4.7 and 4.7.1 by leveraging this vulnerability https://wpvulndb.com/vulnerabilities/8734...
WordPress 4.7.0-4.7.2 - Authenticated Unintended File Deletion in Plugin Delete
...
Kama Click Counter <= 3.4.9 - Authenticated Blind SQL Injection
The Kama Click Counter WordPress plugin was affected by an Authenticated Blind SQL Injection security vulnerability. PoC http://www.example.com/wp-admin/admin.php?page=kama-clic-counterby=linkname=ASC%2cselectfromselectsleep30a=1...
Neosense Theme < 1.8 - Unrestricted File Upload
Neosense is a commercial WordPress theme by dynamicpress. Version 1.7 and possibly earlier includes in its theme directory a copy of the "qquploader" ajax file uploader, which does not verify user authorization. Using this uploader, an attacker can upload any file to the site. The uploaded file i...
Total Security < 3.4.1 - XSS & Settings Change
The Total Security WordPress plugin was affected by a XSS & Settings Change security vulnerability...
PeepSo <= 1.6.0 - Authenticated Privilege Escalation
Unfiltered input allows a logged in user to escalate their permissions to that of an Administrator...
WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure
...
e-search <= 1.0 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The e-search WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability. PoC http://www.example.com/wp-content/plugins/e-search/tmpl/dateselect.php?date-from=""...
Pondol Form to Mail <= 1.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The pondol-formmail WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability...
GoCodes <= 1.3.5 - Authenticated XSS & Blind SQL Injection
The gocodes WordPress plugin was affected by an Authenticated XSS & Blind SQL Injection security vulnerability...
404 to 301 <= 2.0.2 - Authenticated Blind SQL Injection
Description The 404 to 301 – Redirect, Log and Notify 404 Errors WordPress plugin was affected by an Authenticated Blind SQL Injection security vulnerability...
neuvoo-jobroll <= 2.0 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The neuvoo-jobroll WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability...
Easy Media Gallery <= 1.3.47 - Cross Site Scripting (XSS)
The Gallery – Photo Albums Plugin WordPress plugin was affected by a Cross Site Scripting XSS security vulnerability...
WP Limit Login Attempts <= 2.0.0 - Unauthenticated SQL Injection
The WP Limit Login Attempts WordPress plugin was affected by an Unauthenticated SQL Injection security vulnerability...
Broken Link Manager <= 0.5.5 - Unauthenticated Stored Cross-Site Scripting (XSS)
The Broken Link Manager WordPress plugin was affected by an Unauthenticated Stored Cross-Site Scripting XSS security vulnerability...
NEX-Forms <= 4.0 - Unauthenticated Blind SQL Injection
The NEX-Forms – Ultimate Form Builder – Contact forms and much more WordPress plugin was affected by an Unauthenticated Blind SQL Injection security vulnerability...
StageShow <= 5.0.8 - Open Redirect
The StageShow WordPress plugin was affected by an Open Redirect security vulnerability. PoC http://www.example.com/wp-content/plugins/stageshow/stageshowredirect.php?url=http%3A%2F%2F2buntu.com...
RobotCPA Plugin V5 - Unauthenticated Local File Inclusion
The robotcpa WordPress plugin was affected by an Unauthenticated Local File Inclusion security vulnerability. PoC This issue has been seen exploited in the wild with the following payload: http://www.example.com/wp-content/plugins/robotcpa/f.php?l=..%2F..%2F..%2Fwp-config.php...
ZoomSounds <= 2.0 - Remote File Upload
The dzs-zoomsounds WordPress plugin was affected by a Remote File Upload security vulnerability...
WP Fastest Cache < 0.8.3.5 - Multiple CSRF
The WP Fastest Cache WordPress plugin was affected by a Multiple CSRF security vulnerability...
WP Membership <= 1.2.3 - Multiple Vulnerabilities
The wp-membership WordPress plugin was affected by a Multiple Vulnerabilities security vulnerability...
Encrypted Contact Form <= 1.0.4 - CSRF & XSS
The Encrypted Contact Form WordPress plugin was affected by a CSRF & XSS security vulnerability...
Quota < 1.2.5 - Unspecified XSS
The quota WordPress theme was affected by an Unspecified XSS security vulnerability...