Lucene search
K
WpvulndbMost viewed

14603 matches found

WPVulnDB
WPVulnDB
added 2020/05/12 12:0 a.m.22 views

Paytium < 3.1.2 - Stored Cross-Site Scripting (XSS)

Both authenticated and unauthenticated stored XSS issues via fields in the payment details...

2.9AI score
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2020/03/11 12:0 a.m.22 views

Import Export WordPress Users < 1.3.9 - Authenticated Arbitrary User Creation

"The flaw allowed anybody with subscriber-level access or above to import new users via a CSV file, including administrative-level users" providing subscriber-level users and above with the ability to escalate their privileges. PoC POST /wp-admin/admin-ajax.php?importpage=wordpresshfusercsv=3...

6.5CVSS0.5AI score0.01727EPSS
Exploits2References2Affected Software1
WPVulnDB
WPVulnDB
added 2020/02/25 12:0 a.m.22 views

Pricing Table by Supsystic < 1.8.2 - Insecure Permissions on AJAX Actions

An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. Because there is no permission check on the ImportJSONTable, createFromTpl, and getJSONExportTable endpoints, unauthenticated users can retrieve pricing table information, create new tables, or...

7.5CVSS1.1AI score0.01677EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2020/01/19 12:0 a.m.22 views

Elementor Page Builder < 2.8.4 - Cross-Site Scripting (XSS)

Elementor Page Builder before 2.8.4 does not sanitise data when creating a new template, which could lead to Cross-Site Scripting issues...

7.5CVSS1.3AI score0.01675EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2020/01/17 12:0 a.m.22 views

Marketo Forms and Tracking <= 1.0.2 - CSRF to XSS

Lack of CSRF checks and sanitisation on the plugin's settings page could allow XSS attacks via CSRF. PoC...

6.8CVSS3.4AI score0.0132EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2019/12/19 12:0 a.m.22 views

301 Redirects - Easy Redirect Manager <= 2.40 - Authenticated Arbitrary Redirect Injection and Modification, XSS, and CSRF

The weaknesses allow for any authenticated user, even subscribers, to modify, delete, and inject redirect rules that could potentially result in a loss of site availability, in addition to XSS and CSRF. PoC...

6CVSS4.7AI score0.00859EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2019/10/16 12:0 a.m.22 views

Events Manager < 5.9.6 - Authenticated Stored Cross-Site Scripting (XSS)

The Events Manager WordPress plugin was affected by an Authenticated Stored Cross-Site Scripting XSS security vulnerability...

3.5CVSS2AI score0.01238EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2019/10/02 12:0 a.m.22 views

Download Plugins and Themes from Dashboard <= 1.5.0 - Unauthenticated Stored XSS

NinTechNet discovered a multiple security issues within the Download Plugins and Themes from Dashboard WordPress plugin. The plugin's setting update request did not check for authorisation, allowing an unauthenticated user to inject malicious JavaScript, which would be stored in the backend...

4.3CVSS1.5AI score0.00924EPSS
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2019/08/17 12:0 a.m.22 views

Easy Property Listings < 3.4 - Cross-Site Scripting (XSS)

Changelog for 3.4 mentions: - MAJOR Security Update Release. Important to update to the latest version to protect your website. Easy Property Listings has been reviewed and approved by the WordPress plugin team. - This is a critical update to Easy Property Listings plugin that is focused on...

4.3CVSS1.6AI score0.00995EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2019/08/07 12:0 a.m.22 views

Login Or Logout Menu Item <= 1.1.1 - Unauthenticated Options Change

The Login or Logout Menu Item WordPress plugin was affected by an Unauthenticated Options Change security vulnerability...

5.8CVSS2.7AI score0.01467EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2019/07/26 12:0 a.m.22 views

Advanced Contact form 7 DB <= 1.6.1 - SQL Injection

The Advanced Contact form 7 DB WordPress plugin was affected by a SQL Injection security vulnerability...

7.5CVSS2.4AI score0.03995EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2019/07/23 12:0 a.m.22 views

WPS Hide Login <= 1.5.2.2 - Multiples Issues

Protection Bypasses...

7.5CVSS1.7AI score0.08584EPSS
Exploits4References1Affected Software1
WPVulnDB
WPVulnDB
added 2019/07/18 12:0 a.m.22 views

Everest Forms <= 1.4.9 - SQL Injection

The Contact Form, Drag and Drop Form Builder for WordPress – Everest Forms WordPress plugin was affected by a SQL Injection security vulnerability...

7.5CVSS1.9AI score0.02581EPSS
Exploits0References3Affected Software1
WPVulnDB
WPVulnDB
added 2019/07/17 12:0 a.m.22 views

WP Code Highlight.js < 0.6.3 - CSRF to Stored XSS

Lack of CSRF checks could allow attackers to make a logged in admin create XSS payloads. PoC...

6.8CVSS3.5AI score0.01343EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2019/07/15 12:0 a.m.22 views

Ad Inserter <= 2.4.21 - Authenticated Remote Code Execution

The Ad Inserter – Ad Manager & AdSense Ads WordPress plugin was affected by an Authenticated Remote Code Execution security vulnerability. PoC The nonce aicheck in the final request can be obtained by querying the homepage with the AIWPDEBUGGING cookie set to 2. Then, use an account with a role a...

6.5CVSS0.2AI score0.03635EPSS
Exploits2References2Affected Software1
WPVulnDB
WPVulnDB
added 2019/07/09 12:0 a.m.22 views

Appointment Hour Booking <= 1.1.45 - Stored Cross-Site Scripting (XSS)

It is possible for an unauthenticated user to inject malicious JavaScript into a booking form, which will then be executed when an authenticated user views the booking in the WordPress admin interface. PoC POST /booking-form/ HTTP/1.1 Host: test.local User-Agent: Mozilla/5.0 Macintosh; Intel Mac ...

4.3CVSS6.2AI score0.01376EPSS
Exploits2References3Affected Software1
WPVulnDB
WPVulnDB
added 2019/07/08 12:0 a.m.22 views

Rencontre – Dating Site <= 3.1.2 - SQLi & XSS

SQL injection & XSS vulnerability in Rencontre – Dating Site Plugin For WordPress...

7.5CVSS2.2AI score0.02201EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2019/06/23 12:0 a.m.22 views

CP Contact Form with Paypal <= 1.3.01 - Multiple XSS

The CP Contact Form with PayPal WordPress plugin was affected by a Multiple XSS security vulnerability. PoC Version =1 fixed in 1.2.98...

4.3CVSS2.2AI score0.0094EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2019/06/18 12:0 a.m.22 views

Easy Pdf Restaurant Menu Upload < 1.2 - XSS

The Easy PDF Restaurant Menu Upload WordPress plugin was affected by a XSS security vulnerability...

4.3CVSS2.3AI score0.0093EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2019/06/12 12:0 a.m.22 views

Easy Digital Downloads <= 2.9.15 - Stored XSS

Stored XSS Cross Site Scripting via the IP addresses in logs...

4.3CVSS2.3AI score0.00971EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2019/05/31 12:0 a.m.22 views

Zoho SalesIQ <= 1.0.8 - XSS & CSRF

The Zoho SalesIQ WordPress plugin was affected by a XSS & CSRF security vulnerability...

6.8CVSS2.7AI score0.01587EPSS
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2019/05/27 12:0 a.m.22 views

SAML SP Single Sign On <= 4.8.72 - Cross-Site Scripting (XSS)

The SAML Single Sign On – SSO Login WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...

4.3CVSS1.4AI score0.01066EPSS
Exploits1References2Affected Software1
WPVulnDB
WPVulnDB
added 2019/05/20 12:0 a.m.22 views

FV Flowplayer Video Player <= 7.3.14.727 - SQL Injection

Changelog states: "Security - fix for SQL injection vulnerability in email subscription"...

7.5CVSS2.2AI score0.01815EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2019/05/06 12:0 a.m.22 views

W3 Total Cache < 0.9.7.3 - Cryptographic Signature Bypass

The return value of opensslverify is not properly validated, which allows to bypass the cryptographic check...

2.6AI score
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2019/04/11 12:0 a.m.22 views

Ninja Forms File Uploads Extension <= 3.0.22 - Unauthenticated Arbitrary File Upload

The ninja-forms-uploads WordPress plugin was affected by an Unauthenticated Arbitrary File Upload security vulnerability...

6.8CVSS2.7AI score0.13018EPSS
Exploits1References2Affected Software1
WPVulnDB
WPVulnDB
added 2019/03/04 12:0 a.m.22 views

The Events Calendar < 4.8.2 - XSS

The The Events Calendar WordPress plugin was affected by a XSS security vulnerability...

4.3CVSS2.2AI score0.0106EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2018/12/13 12:0 a.m.22 views

WordPress <= 5.0 - Authenticated Post Type Bypass

Description According to WordPress: "Simon Scannell of RIPS Technologies discovered that authors could create posts of unauthorized post types with specially crafted input."...

6.5CVSS7.6AI score0.04214EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2018/12/07 12:0 a.m.22 views

Advanced Custom Fields <= 5.7.7 - Authenticated Cross-Site Scripting (XSS)

According to the vendor: "This release contains a fix to a recently reported XSS vunerability sic. This report showed it was possible for a logged in author to save unfiltered HTML within a custom field value. This is something that should not be possible without the unfilteredhtml capability."...

3.5CVSS0.00948EPSS
Exploits0References3Affected Software1
WPVulnDB
WPVulnDB
added 2018/11/15 12:0 a.m.22 views

Slideshow Gallery <= 1.6.8 - XSS and SQLi

The Slideshow Gallery WordPress plugin was affected by a XSS and SQLi security vulnerability...

7.5CVSS2.4AI score0.02193EPSS
Exploits3References2Affected Software1
WPVulnDB
WPVulnDB
added 2018/11/05 12:0 a.m.22 views

Media File Manager <= 1.4.2 - Authenticated Multiple Vulnerabilities

Following the PoC you can combine the vulnerabilities to obtain PHP code execution and read sensitive file. By default the File Manager can only be used by Administrator users, however, any user role can be configured to use it. PoC Diretory Trasversal: POST /wordpress/wp-admin/admin-ajax.php...

5CVSS0.12128EPSS
Exploits5References2Affected Software1
WPVulnDB
WPVulnDB
added 2018/09/06 12:0 a.m.22 views

wpForo < 1.5.2 - Privilege Escalation

The wpForo Forum WordPress plugin was affected by a Privilege Escalation security vulnerability...

7.5CVSS3.1AI score0.02733EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2018/08/29 12:0 a.m.22 views

WooCommerce <= 3.4.4 - Potential Object Injection

According to WooCommerce: "Versions 3.4.4 and earlier are affected by an issue where a function that updates attributes could lead to object injection. This is related to the WordPress 4.8.3 security release. This issue can only be exploited by users who can edit attributes and should not be...

2.9AI score
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2018/05/15 12:0 a.m.22 views

WP Live Chat Support < 8.0.08 - Cross-Site Scripting (XSS)

The 3CX Live Chat WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...

3.5CVSS1.2AI score0.01098EPSS
Exploits2References2Affected Software1
WPVulnDB
WPVulnDB
added 2018/04/26 12:0 a.m.22 views

Caldera Forms <= 1.5.9.1 - Multiple Cross-Site Scripting (XSS)

The Caldera Forms – More Than Contact Forms WordPress plugin was affected by a Multiple Cross-Site Scripting XSS security vulnerability...

3.5CVSS1.6AI score0.04578EPSS
Exploits4References3Affected Software1
WPVulnDB
WPVulnDB
added 2018/03/15 12:0 a.m.22 views

Duplicator <= 1.2.32 - Cross-Site Scripting (XSS)

The Duplicator – WordPress Migration Plugin WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...

4.3CVSS2.1AI score0.03495EPSS
Exploits5References2Affected Software1
WPVulnDB
WPVulnDB
added 2018/03/02 12:0 a.m.22 views

NextGEN Gallery <= 2.2.46 - Galley Paths Not Secured

The changelog states: "Secured: Gallery paths and the ability to manage tags Kudos: ElevenPaths Telefonica cibersecurity Unit"...

5CVSS2.5AI score0.0207EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2018/01/08 12:0 a.m.22 views

GD Rating System 2.3 - Multiple Vulnerabilities

The GD Rating System WordPress plugin was affected by a Multiple Vulnerabilities security vulnerability...

5CVSS2.2AI score0.03699EPSS
Exploits8References1Affected Software1
WPVulnDB
WPVulnDB
added 2017/12/24 12:0 a.m.22 views

Football Pool < 2.6.5 - Multiple XSS

The Football Pool WordPress plugin was affected by a Multiple XSS security vulnerability...

4.3CVSS1.5AI score0.00905EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2017/10/23 12:0 a.m.22 views

Contact Form for WordPress – Ultimate Form Builder Lite <= 1.3.6 - SQL Injection

The Contact Form for WordPress – Ultimate Form Builder Lite WordPress plugin was affected by a SQL Injection security vulnerability...

7.5CVSS9.7AI score0.02482EPSS
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2017/09/26 12:0 a.m.22 views

Content Timeline <= 4.4.2 - Multiple Blind SQL Injection

Multiple Blind SQL injections in the premium 'Content Timeline' Plugin. One unauthenticated and two authenticated injections. Contacted the author twice without any response. History: 09-16-2017 Contacted the author 09-16-2017 Requested CVE-ID 09-18-2017 CVE-ID Received 09-18-2017 Contacted the...

7.5CVSS0.2AI score0.05248EPSS
Exploits4References2Affected Software1
WPVulnDB
WPVulnDB
added 2017/09/25 12:0 a.m.22 views

WordPress 4.4-4.8.1 - Path Traversal in Customizer

Description A path traversal vulnerability was discovered in the customizer. Reported by Weston Ruter of the WordPress Security Team...

7.5CVSS8.5AI score0.07824EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2017/09/22 12:0 a.m.22 views

Responsive Image Gallery, Gallery Album <= 1.2.0 - Authenticated SQL Injection

The Responsive Image Gallery, Gallery Album WordPress plugin was affected by an Authenticated SQL Injection security vulnerability...

7.5CVSS2.7AI score0.03189EPSS
Exploits3References2Affected Software1
WPVulnDB
WPVulnDB
added 2017/07/30 12:0 a.m.22 views

WP Live Chat Support < 7.1.05 - Cross-Site Scripting (XSS)

WP Live Chat Support is vulnerable by sending XSS payloads through chat. PoC...

4.3CVSS0.6AI score0.00915EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2017/07/26 12:0 a.m.22 views

FormCraft - Premium WordPress Form Builder <= v3.2.31 - Authenticated Stored XSS

WordPress FormCraft Premium WordPress Form Builder versions 3.2.31 and below suffer from a persistent Cross-Site Scripting XSS vulnerability. PoC Authenticated Stored XSS: New Form Heading Heading Text input field is vulnerable. The payload will execute when the form is displayed...

3.5CVSS2.3AI score0.00696EPSS
Exploits1References2Affected Software1
WPVulnDB
WPVulnDB
added 2017/07/06 12:0 a.m.22 views

Shortcodes Ultimate <= 4.9.9 - Authenticated Directory Traversal

The WordPress Shortcodes Plugin — Shortcodes Ultimate WordPress plugin was affected by an Authenticated Directory Traversal security vulnerability...

4CVSS3.2AI score0.02571EPSS
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2017/05/16 12:0 a.m.22 views

WordPress 3.4.0-4.7.4 - Customizer XSS & CSRF

...

4.3CVSS2.1AI score0.02004EPSS
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2017/04/19 12:0 a.m.22 views

Simple Job Board <= 2.4.3 - Reflected XSS

The Simple Job Board WordPress plugin was affected by a Reflected XSS security vulnerability...

4.3CVSS1.9AI score0.00915EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2017/04/10 12:0 a.m.22 views

Calendar by WD <= 1.5.51 - Authenticated Blind SQL Injection

The SpiderCalendar WordPress plugin was affected by an Authenticated Blind SQL Injection security vulnerability...

7.5CVSS2.8AI score0.02267EPSS
Exploits1References2Affected Software1
WPVulnDB
WPVulnDB
added 2017/04/06 12:0 a.m.22 views

Twitter Cards Meta <= 2.4.5 - CSRF and XSS

The Twitter Cards Meta – Best Twitter Card Plugin for WordPress WordPress plugin was affected by a CSRF and XSS security vulnerability...

6.8CVSS2.2AI score0.00922EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2017/03/07 12:0 a.m.22 views

Webapp builder 2.0 - Unauthenticated File Upload

Plugin is still affected and has been closed...

7.5CVSS1.9AI score0.12641EPSS
Exploits4References3Affected Software1
Total number of security vulnerabilities5000