Lucene search
K
WpvulndbMost viewed

14603 matches found

WPVulnDB
WPVulnDB
added 2024/04/01 12:0 a.m.22 views

WPFront User Role Editor < 4.1.0 - Limited Information Exposure

Description The WPFront User Role Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.1.11184 via the wpfrontuserroleeditorassignrolesuserautocomplete AJAX action. This makes it possible for authenticated attackers, with...

4.3CVSS6.5AI score0.0052EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/01 12:0 a.m.22 views

Hot Random Image < 1.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Hot Random Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' attribute in versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-leve...

6.5CVSS5.9AI score0.00348EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/29 12:0 a.m.22 views

Ultimate Addons for Beaver Builder – Lite < 1.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget

Description The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Button widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS5.9AI score0.00433EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/29 12:0 a.m.22 views

Breeze < 2.1.4 - Admin+ Stored XSS

Description The plugin does not sanitise and escape its breezeapitoken settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.8AI score0.00342EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/29 12:0 a.m.22 views

WordPress File Upload < 4.24.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The WordPress File Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 4.24.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS5.5AI score0.0036EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/29 12:0 a.m.22 views

Ecwid Ecommerce Shopping Cart < 6.12.11 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode

Description The Ecwid Ecommerce Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 6.12.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

6.4CVSS5.5AI score0.00353EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/28 12:0 a.m.22 views

WP-Eggdrop <= 0.1 - Cross-Site Request Forgery to Settings Update

Description The WP-Eggdrop plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1. This is due to missing or incorrect nonce validation on the wpeggupdateOptions function. This makes it possible for unauthenticated attackers to update the plugin...

5.4CVSS6.6AI score0.00189EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/03/27 12:0 a.m.22 views

GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress < 6.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The GamiPress – The 1 gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 6.9.0 due to insufficient input sanitization and...

6.4CVSS5.6AI score0.00363EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/27 12:0 a.m.22 views

Hubbub Lite – Fast, Reliable Social Network Sharing Buttons < 1.33.2 - PHP Object Injection

Description The Hubbub Lite – Fast, Reliable Social Sharing Buttons plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.33.1 via deserialization of untrusted input via the 'dpspmaybeunserialize' function. This makes it possible for authenticated...

7.5CVSS7AI score0.00921EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.22 views

Automation By Autonami < 2.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Automation By Autonami plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above,...

6.5CVSS5.8AI score0.0032EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/20 12:0 a.m.22 views

Barcode Scanner with Inventory & Order Manager < 1.5.4 - Reflected Cross-Site Scripting

Description The Barcode Scanner with Inventory & Order Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

7.1CVSS6.3AI score0.00379EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/19 12:0 a.m.22 views

Advanced Classifieds & Directory Pro < 3.1.2 - Missing Authorization to Arbitrary Attachment Deletion

Description The Advanced Classifieds & Directory Pro plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the ajaxcallbackdeleteattachment function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with...

4.3CVSS6.5AI score0.00539EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/19 12:0 a.m.22 views

Woomotiv < 3.5.0 - Review Count Reset via CSRF

Description The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the 'ajaxcancelreview' function. This makes it possible for unauthenticated attackers to reset the site's review count via a forged request granted they can trick a site administrato...

4.3CVSS4.7AI score0.00253EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/19 12:0 a.m.22 views

Order Tip for WooCommerce < 1.4.0 - Missing Authorization to Unauthenticated Data Export

Description The Order Tip for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the exporttipstocsv function in all versions up to, and including, 1.3.1. This makes it possible for unauthenticated attackers to export the plugin's...

5.3CVSS6.8AI score0.00517EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/15 12:0 a.m.22 views

MasterStudy LMS < 3.3.0 - Missing Authorization to Sensitive Information Exposure in search_posts

Description The MasterStudy LMS plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the searchposts function in all versions up to, and including, 3.2.13. This makes it possible for authenticated attackers, with subscriber-level access and above,...

4.3CVSS6.1AI score0.00468EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/14 12:0 a.m.22 views

WP Recipe Maker < 9.3.0 - Authenticated Stored Cross-Site Scripting via Video Embed

Description The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Video Embed parameter in all versions up to, and including, 9.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with access t...

4.8CVSS5.7AI score0.00426EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/12 12:0 a.m.22 views

Page Builder Gutenberg Blocks < 3.1.7 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC Create/Edit a Post, add an "Icon" block...

5.2AI score0.00446EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/12 12:0 a.m.22 views

Team Circle Image Slider With Lightbox < 1.0.1 - Image Data Update via CSRF

Description The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the circlethumbnailsliderwithlightboximagemanagementfunc function. This makes it possible for unauthenticated attackers to edit image data which can be used to inject malicious...

5.3CVSS6.5AI score0.00202EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/08 12:0 a.m.22 views

EventPrime – Events Calendar, Bookings and Tickets < 3.4.4 - Unauthenticated Stored Cross-Site Scripting

Description The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'offlinestatus' parameter in all versions up to, and including, 3.4.3 due to insufficient input sanitization and output escaping. This makes it possible for...

6.5CVSS6AI score0.00374EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/06 12:0 a.m.22 views

Otter Blocks PRO < 2.6.4 - Unauthenticated Stored Cross-Site Scripting via SVG Upload

Description The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file upload form, which allows SVG uploads, in all versions up to, and including, 2.6.3 due to insufficient input sanitization and...

6.1CVSS6AI score0.00466EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/01 12:0 a.m.22 views

GenerateBlocks < 1.8.3 - Contributor+ Arbitrary Draft/Private Post Access

Description The plugin is vulnerable to Sensitive Information Exposure via Query Loop, allowing authenticated attackers, with contributor access and above, to see contents of posts and pages in draft or private status as well as those with scheduled publication dates...

4.3CVSS6.3AI score0.00575EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/01 12:0 a.m.22 views

Avada < 7.11.6 - Authenticated(Contributor+) Sensitive Information Exposure via Form Entries

Description The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 7.11.5 via the form entries page. This makes it possible for authenticated attackers, with contributor access and above, to view...

6.5CVSS6.2AI score0.00658EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/29 12:0 a.m.22 views

Exclusive Addons for Elementor < 2.6.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via data attribute in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS5.7AI score0.01593EPSS
Exploits12References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/29 12:0 a.m.22 views

Beaver Builder – WordPress Page Builder < 2.7.4.3 - Contributor+ Stored XSS

Description The plugin is vulnerable to Stored Cross-Site Scripting via the audio widget 'linkurl' parameter due to insufficient input sanitization and output escaping, allowing authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute...

6.4CVSS5.8AI score0.00532EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/28 12:0 a.m.22 views

BeePress <= 6.9.8 - Cross-Site Request Forgery via beepress-pro.php

Description The BeePress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.9.8. This is due to missing or incorrect nonce validation on multiple functions in the beepress-pro.php. This makes it possible for unauthenticated attackers to modify the...

7.1CVSS6.6AI score0.00184EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/02/27 12:0 a.m.22 views

Payment Gateway for Telcell < 2.0.4 - Unauthenticated Open Redirect

Description The plugin does not validate the apiurl parameter before redirecting the user to its value, leading to an Open Redirect issue PoC https://localhost/wp-admin/admin.php?page=wc-settings=redirecttelcellformurl=https://www.google.com...

6.5AI score0.00464EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/27 12:0 a.m.22 views

Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan < 4.53 - Missing Authorization to Authenticated (Subscriber+) Table Truncation

Description The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the antihackertruncatescantable function in all versions up to, and including,...

4.3CVSS6.4AI score0.00361EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/27 12:0 a.m.22 views

MainWP Dashboard < 5.0 - Cross-Site Request Forgery via posting_bulk

Description The MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.0.1. This is due to missing or incorrect nonce validation on the 'postingbulk' function. This makes it...

4.3CVSS6.4AI score0.00303EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/27 12:0 a.m.22 views

Simple Tweet <= 1.4.0.2 - Authenticated (Author+) Stored Cross-Site Scripting

Description The Simple Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Tweet this text value in all versions up to, and including, 1.4.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS5.9AI score0.00532EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/02/24 12:0 a.m.22 views

ProfilePress < 4.15.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via [reg-select-role] Shortcode

Description The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's reg-select-role shortcode in all versions up to, and including, 4.15.0 due to...

5.5CVSS5.6AI score0.00443EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/23 12:0 a.m.22 views

Colibri Page Builder < 1.0.260 - Import Images, Delete Post, Save Theme Data via CSRF

Description The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the apiCall function, allowing unauthenticated attackers to call a limited set of functions that can be used to import images, delete posts, or save theme data via a forged request...

4.3CVSS6.6AI score0.00212EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/21 12:0 a.m.22 views

Widget for Social Page Feeds < 6.4 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Create a new Facebook like...

7.2AI score0.00396EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/20 12:0 a.m.22 views

ProfilePress < 4.15.0 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its login-password shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

5.5CVSS5.7AI score0.00483EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/20 12:0 a.m.22 views

Error Log Viewer < 1.1.3 - Directory Listing to Sensitive Data Exposure

Description The plugin contains a vulnerability that allows you to read and download PHP logs without authorization PoC 1 Admin should click on "Save as TXT file" in http://yoursite/wordpress/wp-admin/admin.php?page=rrrlgvwr-monitor.php 2 Then someone else can go to...

8.6AI score0.00587EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/12 12:0 a.m.22 views

Buttons Shortcode and Widget <= 1.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Description The Buttons Shortcode and Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.16 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

4.9CVSS5.7AI score0.0031EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/02/09 12:0 a.m.22 views

WP RSS Aggregator < 4.23.6 - Authenticated (Admin+) Server-Side Request Forgery via RSS Feed Source

Description The WP RSS Aggregator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.23.5 via the RSS feed source in admin settings. This makes it possible for authenticated attackers, with administrator-level access and above, to make web...

4.7CVSS6.5AI score0.00363EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/08 12:0 a.m.22 views

Coupon Referral Program <= 1.7.2 - Unauthenticated PHP Object Injection

Description The Coupon Referral Program plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7.2 via deserialization of untrusted input. This makes it possible for unuathenitcated attackers. to inject a PHP Object. No known POP chain is present in the...

7.5CVSS7.3AI score0.00767EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/02/06 12:0 a.m.22 views

Cloudflare < 4.12.3 - Missing Authorization via initProxy

Description The Cloudflare plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'initProxy' function in versions up to and including 4.12.2. This makes it possible for authenticated attackers, with subscriber access and above, to send requests...

8.1CVSS6.8AI score0.00848EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/06 12:0 a.m.22 views

3D Tag Cloud <= 3.8 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Description The 3D Tag Cloud plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to inject malicious JavaScript via a forged request...

8.8CVSS6.3AI score0.0023EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/02/05 12:0 a.m.22 views

Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently < 4.1.2 - Authenticated (Contributor+) PHP Object Injection in mep_event_meta_save

Description The Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.1 via deserialization of untrusted input in the mepeventmetasave function. This makes it possible for...

3.6CVSS8.3AI score0.00499EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/02 12:0 a.m.22 views

JobSearch WP Job Board < 2.3.4 - Authentication Bypass

Description The plugin does not prevent attackers from logging-in as any users with the only knowledge of that user's email address. PoC Browse to the site, paste the following in your browser's console replace the email address with that site's administrator's email address:...

6.5AI score0.00549EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/01/24 12:0 a.m.22 views

Views for WPForms < 3.2.3 - Missing Authorization via create_view

Description The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'createview' function in all versions up to, and including, 3.2.2. This makes it possible for...

4CVSS6.2AI score0.00428EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/01/24 12:0 a.m.22 views

WebSub (FKA. PubSubHubbub) < 3.2.0 - Admin+ Stored XSS

Description The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

4.3CVSS5.8AI score0.00304EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/01/24 12:0 a.m.22 views

VK Block Patterns < 1.31.2.0 - Cross-Site Request Forgery

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

4.3CVSS7.1AI score0.00669EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/01/22 12:0 a.m.22 views

Asgaros Forum < 2.8.0 - Unauthenticated PHP Object Injection in prepare_unread_status

Description The Asgaros Forum plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.7.2 via deserialization of untrusted input in the prepareunreadstatus function. This makes it possible for unauthenticated attackers to inject a PHP Object. If a POP...

9.8CVSS7.3AI score0.00581EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/01/15 12:0 a.m.22 views

FastDup – Fastest WordPress Migration & Duplicator < 2.2 - Directory Listing to Account Takeover and Sensitive Data Exposure

Description The plugin does not prevent directory listing in sensitive directories containing export files. PoC 1 Run backup function http://yoursite/wordpress/wp-admin/admin.php?page=njt-fastdup/ 2 During backup creation, you can intercept the following paths:...

5.3CVSS5.6AI score0.00913EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/01/12 12:0 a.m.22 views

Page Builder: Live Composer < 1.5.29 - Author+ PHP Object Injection

Description The plugin is vulnerable to PHP Object Injection via deserialization of untrusted input. This makes it possible for authenticated attackers, with author-level access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an...

7.7CVSS7.3AI score0.00496EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/01/12 12:0 a.m.22 views

Booster Elite for WooCommerce < 7.1.2 - Missing Authorization to Order Information Disclosure

Description The Booster Elite for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to 7.1.2 exclusive. This makes it possible for authenticated attackers, with subscriber-level access and above, to view...

6.5CVSS6.2AI score0.00529EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/01/12 12:0 a.m.22 views

ActivityPub for WordPress < 1.0.6 - Unauthenticated REST API Access

Description The plugin does not properly authorize access to the REST API, allowing an unauthenticated attacker to access restricted endpoints...

9.5AI score0.00325EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/01/05 12:0 a.m.22 views

WooCommerce PDF Invoice Builder < 1.2.102 - Cross-Site Request Forgery

Description The WooCommerce PDF Invoice Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.101. This is due to missing or incorrect nonce validation in the /pages/invoicelist.php file. This makes it possible for unauthenticated attackers...

8.8CVSS6.6AI score0.00221EPSS
Exploits0References1Affected Software1
Total number of security vulnerabilities5000