Lucene search
K
WpvulndbMost viewed

14603 matches found

WPVulnDB
WPVulnDB
added 2014/08/01 10:58 a.m.22 views

GRAND Flash Album Gallery 0.55 - admin/news.php want2Read Parameter Traversal Arbitrary File Access

The Album and Image Gallery with Lightbox – Flagallery Photo Portfolio WordPress plugin was affected by an admin/news.php want2Read Parameter Traversal Arbitrary File Access security vulnerability...

2.9AI score
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 10:58 a.m.22 views

WP Symposium <= 11.11.26 - Cross-Site Scripting (XSS)

The wp-symposium WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...

4.3CVSS1.5AI score0.02368EPSS
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 10:58 a.m.22 views

WP Symposium <= 11.11.26 - Remote File Upload Code Execution

The wp-symposium WordPress plugin was affected by a Remote File Upload Code Execution security vulnerability...

7.5CVSS2.8AI score0.04249EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 10:58 a.m.22 views

Age Verification <= 0.4 - Open Redirect

The age-verification WordPress plugin was affected by an Open Redirect security vulnerability...

5.8CVSS2.1AI score0.10603EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 10:58 a.m.22 views

Buddypress <= 1.9.1 - Stored Cross-Site Scripting (XSS)

The BuddyPress WordPress plugin was affected by a Stored Cross-Site Scripting XSS security vulnerability...

4.3CVSS1.3AI score0.02587EPSS
Exploits3References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 10:58 a.m.22 views

WordPress <= 3.0.5 wp-admin/press-this.php Privilege Escalation

...

4CVSS2.7AI score0.01775EPSS
Exploits1Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 12:0 a.m.22 views

Contextual Related Posts < 1.8.10.2 - Multiple Parameter SQL Injection

The Contextual Related Posts WordPress plugin was affected by a contextual-related-posts.php Multiple Parameter SQL Injection security vulnerability...

7.5CVSS2.1AI score0.02031EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 12:0 a.m.22 views

Newsletter Manager < 1.0.2 - Authenticated Reflected Cross Site Scripting

The Newsletter Manager WordPress plugin was affected by a Cross Site Scripting security vulnerability...

4.3CVSS1.7AI score0.02058EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 12:0 a.m.22 views

adminimize 1.7.21 - 'page' Parameter Cross Site Scripting

The Adminimize WordPress plugin was affected by a 'page' Parameter Cross Site Scripting security vulnerability...

4.3CVSS2AI score0.10911EPSS
Exploits1References2Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 12:0 a.m.22 views

WordPress 2.9 - Failure to Restrict URL Access

Description When WordPress implemented the new Trash feature they failed to change the permissions granted when the post is in the trash. This means that an unauthenticated user cannot see the post, however an authenticated user can, no matter what privileges they have, even ‘subscriber’. See...

4CVSS6AI score0.09855EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2014/05/28 12:0 a.m.22 views

Oleggo Livestream <= 0.2.6 - XSS

Plugin is still affected and has been closed...

4.3CVSS2.8AI score0.01629EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/05/07 12:0 a.m.22 views

Prostore < 1.1.3 - Open Redirection

The prostore WordPress theme was affected by an Open Redirection security vulnerability. PoC /wp-content/themes/prostore/go.php?https://example.com...

0.4AI score
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2014/04/28 12:0 a.m.22 views

TinyMCE Color Picker 1.1 - tinymce-colorpicker.php Color Saving CSRF

The TinyMCE Color Picker WordPress plugin was affected by a tinymce-colorpicker.php Color Saving CSRF security vulnerability...

6.8CVSS3.3AI score0.00952EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2013/12/08 12:0 a.m.22 views

FormCraft - form.php id Parameter SQL Injection

The formcraft WordPress plugin was affected by a form.php id Parameter SQL Injection security vulnerability...

7.5CVSS2.7AI score0.04785EPSS
Exploits2References2Affected Software1
WPVulnDB
WPVulnDB
added 2013/03/05 12:0 a.m.22 views

Count Per Day <= 3.2.5 - daytoshow Parameter XSS

The Count per Day WordPress plugin was affected by a daytoshow Parameter XSS security vulnerability...

4.3CVSS2.3AI score0.00984EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2012/04/03 12:0 a.m.22 views

Another WordPress Classifieds <= 1.8.9.4 - Unspecified Image Upload

The WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds WordPress plugin was affected by an Unspecified Image Upload security vulnerability...

10CVSS2.8AI score0.02607EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2011/03/17 12:0 a.m.22 views

WP Recaptcha < 3.0 - Multiple CSRF

The wp-recaptcha WordPress plugin was affected by a Multiple CSRF security vulnerability...

6.8CVSS1.7AI score0.01065EPSS
Exploits0References3Affected Software1
WPVulnDB
WPVulnDB
added 2005/05/07 12:0 a.m.22 views

WordPress <= 1.5.1.2 - Email Spoofing

...

5CVSS1.5AI score0.02578EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2025/02/12 12:0 a.m.21 views

Avada Theme < 7.11.14 - Unauthenticated Arbitrary Shortcode Execution

Description The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 7.11.13. This is due to the software allowing users to execute an action that does not properly validate a value before...

9.8CVSS7.6AI score0.02104EPSS
Exploits1References1
WPVulnDB
WPVulnDB
added 2024/09/25 12:0 a.m.21 views

012 PS Multi Languages <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The 012 Ps Multi Languages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via translated titles in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS7.8AI score0.00263EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.21 views

Easy WP SMTP by SendLayer < 2.3.1 - Exposure of Sensitive Information via the UI

Description The Easy WP SMTP by SendLayer – WordPress SMTP and Email Log Plugin plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 2.3.0. This is due to plugin providing the SMTP password in the SMTP Password field when viewing the settings. This make...

2.7CVSS6.2AI score0.00336EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/13 12:0 a.m.21 views

Newsletters < 4.9.6 - Reflected Cross-Site Scripting

Description The Newsletters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 4.9.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages th...

7.1CVSS6.3AI score0.00288EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/13 12:0 a.m.21 views

WP Docs < 2.1.4 - Reflected Cross-Site Scripting

Description The WP Docs plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 2.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...

7.1CVSS6.3AI score0.00327EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/12 12:0 a.m.21 views

Himer - Social Questions and Answers < 2.1.1 - Arbitrary Group Joining via CSRF

Description The theme does not have CSRF checks in some places, which could allow attackers to make users join private groups via a CSRF attack PoC The PoC will be displayed on June 26, 2024, to give users the time to update...

6.4AI score0.00193EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/06 12:0 a.m.21 views

Pure Chat – Live Chat Plugin & More! < 2.23 - Cross-Site Request Forgery

Description The Pure Chat plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.22. This is due to missing or incorrect nonce validation on the purechatupdate function. This makes it possible for unauthenticated attackers to update chat details v...

4.3CVSS6.4AI score0.00183EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/03 12:0 a.m.21 views

tagDiv Composer < 4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via button Shortcode

Description The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's button shortcode in all versions up to, and including, 4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS5.9AI score0.0029EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.21 views

wpDataTables - Tables & Table Charts (Premium) < 6.4 - Missing Authorization to DataTable Access & Modification

Description The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the wdtajaxactions.php file in all versions up to, and including, 6.3.2. This makes it...

7.3CVSS6.6AI score0.00325EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/29 12:0 a.m.21 views

Tainacan < 0.21.4 - Unauthenticated Stored Cross-Site Scripting

Description The Tainacan plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 0.21.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that wi...

7.1CVSS5.9AI score0.00311EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/22 12:0 a.m.21 views

Hash Elements < 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter in Multiple Widgets

Description The Hash Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' parameter within multiple widgets in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...

6.4CVSS5.8AI score0.00314EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/22 12:0 a.m.21 views

NextScripts: Social Networks Auto-Poster < 4.4.4 - Subscriber+ Sensitive Information Exposure

Description The plugin is vulnerable to Sensitive Information Exposure via the 'nxsgetExpSettings' function. This makes it possible for authenticated attackers, with subscriber access and above, to extract sensitive data including social network API keys and secrets...

8.5CVSS6.5AI score0.00345EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.21 views

Popup Maker WP <= 1.2.8 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Description The Popup Maker WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to injec...

6.5CVSS5.9AI score0.00256EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/15 12:0 a.m.21 views

weMail < 1.14.3 - Missing Authorization to Notice Dismissal

Description The weMail plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the connectnotice function in versions up to, and including, 1.14.2. This makes it possible for unauthenticated attackers to dismiss notices...

5.3CVSS6.6AI score0.00381EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/15 12:0 a.m.21 views

Easy Digital Downloads < 3.2.12 - Unauthenticated Sensitive Information Exposure

Description The Easy Digital Downloads – Sell Digital Files & Subscriptions eCommerce Store + Payments Made Easy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.11. This makes it possible for unauthenticated attackers to extract...

7.5CVSS6.9AI score0.00635EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.21 views

Xserver Migrator < 1.6.2.1 - Arbitrary File Upload via CSRF

Description The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to upload arbitrary files granted they can trick a site administrator into performing an action such as...

9.6CVSS9.2AI score0.00263EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.21 views

GWP-Histats <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The GWP-Histats plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...

6.5CVSS5.9AI score0.00312EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.21 views

Contact Form to Any API < 1.1.9 - Authenticated (Subscriber+) SQL Injection

Description The Contact Form to Any API plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 1.1.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticate...

8.5CVSS7.3AI score0.00549EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.21 views

Perfect Pullquotes <= 1.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Perfect Pullquotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...

6.5CVSS5.9AI score0.00411EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/06 12:0 a.m.21 views

Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library ) < 1.1.38 - Authenticated (Contributor+) Stored Cross-Site Scripting via Text Effect Widget

Description The Magical Addons For Elementor Header Footer Builder, Free Elementor Widgets, Elementor Templates Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's text effect widget in all versions up to, and including, 1.1.37 due to insufficient input...

6.4CVSS5.9AI score0.00272EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/06 12:0 a.m.21 views

Business Card <= 1.0.0 - Arbitrary Card Deletion via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as deleting cards via CSRF attacks PoC Make a logged in admin open an HTML document containing where is a valid ID:...

6.3AI score0.00276EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/05/03 12:0 a.m.21 views

YITH WooCommerce Compare < 2.38.0 - Cross-Site Request Forgery

Description The YITH WooCommerce Compare is vulnerable to Cross-Site Request Forgery. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to add/remove things from a product compare via a forged request granted they can...

4.3CVSS6.9AI score0.00204EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/03 12:0 a.m.21 views

Leaky Paywall < 4.20.9 - Missing Authorization to Price Manipulation

Description The Leaky Paywall plugin for WordPress is vulnerable to price manipulation in all versions up to, and including, 4.20.8. This is due to the plugin allowing the price field to be user supplied. This makes it possible for unauthenticated attackers to alter the price of memberships...

7.5CVSS7.1AI score0.00466EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/03 12:0 a.m.21 views

ElementsKit Elementor addons 3.0.7 - 3.1.2 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...

6.4CVSS6AI score0.00423EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/02 12:0 a.m.21 views

Flattr <= 1.2.2 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to "Flattr" settings 2. In...

5.3AI score0.00372EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/05/01 12:0 a.m.21 views

XStore Core <= 5.3.5 - Missing Authorization

Description The XStore Core plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in versions up to, and including, 5.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized...

8.8CVSS6.7AI score0.00417EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/01 12:0 a.m.21 views

WooCommerce Amazon Affiliates - Wordpress Plugin <= 14.0.10 - Authenticated (Subscriber+) SQL Injection

Description The WooCommerce Amazon Affiliates - Wordpress Plugin plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 14.0.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

9.6CVSS7.5AI score0.00529EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/01 12:0 a.m.21 views

Recencio Book Reviews <= 1.66.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Recencio Book Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.66.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above,...

6.5CVSS5.9AI score0.00373EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/01 12:0 a.m.21 views

Smart Forms < 2.6.92 - Missing Authorization to Notice Dismissal

Description The Smart Forms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the rednaosmartformsdontshowagain function in versions up to, and including, 2.6.91. This makes it possible for authenticated attackers, with subscriber-level...

4.3CVSS6.7AI score0.0034EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.21 views

VikRentCar Car Rental Management System < 1.3.3 - Information Exposure

Description The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.2 due to publicly accessible PDF files. This makes it possible for unauthenticated attackers to extract potentially sensitive...

5.9CVSS6.7AI score0.00554EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.21 views

Frontend Dashboard < 2.2.4 -

Description The Frontend Dashboard plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.2. This makes it possible for unauthenticated attackers to extract sensitive data...

7.5CVSS6.9AI score0.0068EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.21 views

Max Addons Pro for Bricks < 1.6.2 - Reflected Cross-Site Scripting

Description The Max Addons Pro for Bricks plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scrip...

7.1CVSS6.5AI score0.00354EPSS
Exploits0References1Affected Software1
Total number of security vulnerabilities5000