Lucene search
K
WpvulndbMost viewed

14603 matches found

WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.21 views

AppPresser < 4.3.1 - Missing Authorization

Description The AppPresser plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the toggleloggingcallback function in versions up to, and including, 4.3.0. This makes it possible for unauthenticated attackers to enable and disable logging...

6.5CVSS6.9AI score0.00456EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.21 views

ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup < 4.0.31 - Open Redirect

Description The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 4.0.30. This is due to insufficient validation on the redirect url supplied via the redirectto...

6.1CVSS6.8AI score0.00526EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.21 views

Qi Addons For Elementor < 1.7.1 - Contributor+ Stored XSS

Description The Qi Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown Widget's attributes due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to...

6.4CVSS5.8AI score0.0032EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.21 views

Essential Addons for Elementor < 5.9.16 - Contributor+ Stored Cross-Site Scripting

Description The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Filterable Gallery & Interactive Circle widgets in all versions up to, and including, 5.9.15 due to...

6.4CVSS5.9AI score0.00557EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.21 views

Code Insert Manager (Q2W3 Inc Manager) <= 2.5.3 - Reflected Cross-Site Scripting

Description The Code Insert Manager Q2W3 Inc Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 2.5.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrar...

5.8CVSS6.7AI score0.00288EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.21 views

Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress < 2.0.74 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure

Description The Radio Player plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.0.73. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive...

5.4CVSS6.6AI score0.0035EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.21 views

Premium Addons for Elementor < 4.10.29 - Contributor+ Stored Cross-Site Scripting

Description The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's post ticker widget in all versions up to, and including, 4.10.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4CVSS5.9AI score0.00444EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/19 12:0 a.m.21 views

ShopLentor < 2.8.2 - Contributor+ Template Reset

Description The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the 'woolentortemplatestore' function. This makes it possible for authenticated attackers, with contributor access and above to access the nonce used to access this function and set a...

4.3CVSS6.4AI score0.0034EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/17 12:0 a.m.21 views

EZ Form Calculator <= 2.14.0.3 - Reflected Cross-Site Scripting

Description The EZ Form Calculator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.14.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...

7.1CVSS6.3AI score0.00351EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/17 12:0 a.m.21 views

MultiParcels Shipping For WooCommerce < 1.16.9 - Cross-Site Request Forgery

Description The MultiParcels Shipping For WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 1.16.9 exclusive. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perfo...

4.3CVSS6.7AI score0.00212EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.21 views

Paid Memberships Pro < 3.0.2 - Cross-Site Request Forgery

Description The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on the pmproupdatelevelgrouporder...

5.3CVSS6.3AI score0.00297EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.21 views

Easy Logo <= 1.9.3 - Authenticated (Admin+) Stored Cross-Site Scripting

Description The Easy Logo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.9.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

5.9CVSS5.9AI score0.00319EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.21 views

WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) < 3.1.0 - Missing Authorization to Unauthenticated Arbitrary Post Deletion

Description The WP Cookie Consent for GDPR, CCPA & ePrivacy plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the gdprpolicyprocessdelete function in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers t...

5.3CVSS6.7AI score0.0053EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.21 views

WP Meta SEO < 4.5.13 - Unauthenticated Stored Cross-Site Scripting via Referer header

Description The WP Meta SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Referer’ header in all versions up to, and including, 4.5.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary...

7.2CVSS5.9AI score0.00445EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.21 views

MihanPanel < 12.7 - Cross-Site Request Forgery

Description The MihanPanel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to 12.7. This is due to missing or incorrect nonce validation on the delete and deleteall cases. This makes it possible for unauthenticated attackers to delete IP addresses from the blocked...

5.4CVSS6.4AI score0.00197EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.21 views

WP Login and Logout Redirect < 2.0 - Authenticated (Admin+) Stored Cross-Site Scripting

Description The WP Login and Logout Redirect plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

5.9CVSS5.7AI score0.00319EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/12 12:0 a.m.21 views

Advanced Order Export For WooCommerce < 3.4.5 - Shop Manager+ Remote Code Execution

Description The plugin is vulnerable to Remote Code Execution in all versions up to, and including, 3.4.4. This makes it possible for authenticated attackers, with shop manager-level access and above, to execute code on the server...

9.1CVSS7.9AI score0.00691EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/11 12:0 a.m.21 views

EmbedPress < 3.9.9 - Missing Authorization via handle_calendly_data

Description The EmbedPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the handlecalendlydata function in versions up to, and including, 3.9.8. This makes it possible for unauthenticated attackers to update calendly settings...

9.8CVSS6.4AI score0.00397EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/11 12:0 a.m.21 views

User Activity Log < 2.0 - Admin+ SQL Injection

Description The plugin is vulnerable to SQL Injection due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL...

7.6CVSS8.2AI score0.00515EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/09 12:0 a.m.21 views

WP Radio – Worldwide Online Radio Stations Directory for WordPress <= 3.1.9 - Missing Authorization via multiple AJAX actions

Description The WP Radio – Worldwide Online Radio Stations Directory for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in all versions up to, and including, 3.1.9. This makes it possible for...

6.4CVSS6.1AI score0.00379EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/08 12:0 a.m.21 views

Element Pack Elementor Addons < 5.5.4 - Contributor+ Stored XSS via Trailer Box Widget

Description The plugin is vulnerable to Stored Cross-Site Scripting via the ‘elementpackwrapperlink’ attribute of the Trailer Box widget due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inje...

6.4CVSS5.8AI score0.00434EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/05 12:0 a.m.21 views

ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) < 2.8.5 - Authenticated (Contributor+) Stored Cross-site Scripting via QR Code Widget

Description The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution formerly WooLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's QR Code Widget in all versions up to, and including, 2.8.4 due to insufficient input...

6.4CVSS6AI score0.0034EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/05 12:0 a.m.21 views

MM-email2image <= 0.2.5 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC Add the following payload to...

8.2AI score0.00624EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.21 views

ProfileGrid < 5.7.9 - Unauthenticated SQL Injection

Description The ProfileGrid plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.7.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to...

9.8CVSS7.5AI score0.02267EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.21 views

WP Travel Engine < 5.8.0 - Unauthenticated SQL Injection

Description The WP Travel Engine plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attacke...

9.8CVSS7.8AI score0.02267EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.21 views

The Plus Blocks for Block Editor | Gutenberg < 3.2.6 - Reflected Cross-Site Scripting

Description The The Plus Blocks for Block Editor | Gutenberg plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

7.1CVSS6.3AI score0.00423EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.21 views

WP Express Checkout (Accept PayPal Payments) < 2.3.8 - Unauthenticated Price Manipulation

Description The WP Express Checkout Accept PayPal Payments plugin for WordPress is vulnerable to price manipulation in all versions up to, and including, 2.3.7. This is due to insufficient validation on the pricing data being passed to the server. This makes it possible for unauthenticated...

7.5CVSS6.5AI score0.00521EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.21 views

Custom post types, Custom Fields & more < 5.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Custom post types, Custom Fields & more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode and custom post meta in all versions up to, and including, 5.0.4 due to insufficient input sanitization and output escaping on user supplied post me...

6.4CVSS5.8AI score0.00435EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.21 views

10Web Map Builder for Google Maps <= 1.0.74 - Authenticated (Administrator+) SQL Injection

Description The 10Web Map Builder for Google Maps plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.0.74 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

7.6CVSS7.5AI score0.00541EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/03 12:0 a.m.21 views

Floating Chat Widget < 3.1.9 - Editor+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to "Chaty New Widget" 2...

5.3AI score0.00394EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/03 12:0 a.m.21 views

Hash Elements < 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Hash Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to injec...

6.5CVSS5.8AI score0.00348EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/03 12:0 a.m.21 views

Better Comments < 1.5.6 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. From the WordPress menu on the...

5.5AI score0.00403EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/01 12:0 a.m.21 views

RoyalSlider < 3.4.3 - Reflected Cross-Site Scripting

Description The RoyalSlider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...

7.1CVSS6.5AI score0.00354EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/01 12:0 a.m.21 views

Off-Canvas Sidebars & Menus (Slidebars) < 0.5.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Off-Canvas Sidebars & Menus Slidebars plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 0.5.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...

6.5CVSS5.9AI score0.00351EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/01 12:0 a.m.21 views

Molongui < 4.7.8 - Authenticated (Author+) Stored Cross-Site Scripting

Description The Molongui plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.7.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrar...

6.5CVSS5.9AI score0.0036EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/01 12:0 a.m.21 views

Stratum < 1.3.16 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Stratum plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...

6.5CVSS5.8AI score0.00339EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/29 12:0 a.m.21 views

Easy Social Share Buttons < 9.5 - Reflected Cross-Site Scripting

Description The easy-social-share-buttons3 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in all versions up to, and including, 9.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...

7.1CVSS6.4AI score0.00354EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/29 12:0 a.m.21 views

Otter Blocks < 2.6.6 - Contributor+ Stored XSS

Description The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's widgets due to insufficient input sanitization and output escaping on user supplied attributes such as 'id'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...

6.4CVSS5.8AI score0.0034EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/28 12:0 a.m.21 views

Better Elementor Addons < 1.4.2 - Contributor+ Stored XSS

Description The plugin is vulnerable to Stored Cross-Site Scripting via the widget link URL values due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject...

6.4CVSS6.2AI score0.00404EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/28 12:0 a.m.21 views

Media Library Assistant < 3.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via mla_gallery Shortcode

Description The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS5.8AI score0.00439EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/27 12:0 a.m.21 views

Elementor Addon Elements < 1.13.2 - Contributor+ Stored XSS

Description The plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to...

5.4CVSS5.8AI score0.00516EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/26 12:0 a.m.21 views

VK All in One Expansion Unit < 9.96.0.0 - Unauthenticated Password Protected Content Access

Description The plugin is vulnerable to Sensitive Information Exposure via social meta tags, allowing unauthenticated attackers to view limited password protected content...

6.5CVSS7.2AI score0.00678EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/26 12:0 a.m.21 views

Networker - Tech News WordPress Theme with Dark Mode < 1.1.10 - Missing Authorization

Description The Networker - Tech News WordPress Theme with Dark Mode theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the adminreloadnavmenu function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated...

5.3CVSS6.7AI score0.00504EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.21 views

Better Search < 3.3.1 - Unauthenticated Stored Cross-Site Scripting

Description The Better Search – Relevant search results for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in all versions up to, and including, 3.3.0 due to insufficient input sanitization and output escaping. This makes it possible for...

7.1CVSS6.1AI score0.00354EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/20 12:0 a.m.21 views

WP Fusion Lite < 3.42.10 - Authenticated (Contributor+) Remote Code Execution

Description The WP Fusion Lite – Marketing Automation and CRM Integration for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.41.24. This makes it possible for authenticated attackers, with contributor-level access and above, to execut...

9.9CVSS7.5AI score0.01626EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/20 12:0 a.m.21 views

Survey Maker < 4.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description The Survey Maker – Best WordPress Survey Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

5.9CVSS5.8AI score0.00336EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/20 12:0 a.m.21 views

Popup Maker – Popup for opt-ins, lead gen, & more < 1.18.3 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...

6.4CVSS5.8AI score0.0034EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/20 12:0 a.m.21 views

Email Subscription Popup < 1.2.21 - Unauthenticated Stored Cross-Site Scripting

Description The Email Subscription Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '$email' parameter in versions up to, and including, 1.2.20 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

7.1CVSS6.2AI score0.00331EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/18 12:0 a.m.21 views

ElementsKit Elementor addons < 3.0.4 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...

5.5CVSS5.9AI score0.00432EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/13 12:0 a.m.21 views

Essential Addons for Elementor < 5.9.10 - Contributor+ Stored Cross-Site Scripting via Event Calendar

Description The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's event calendar widget in all versions up to, and including, 5.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

7.4CVSS5.7AI score0.00549EPSS
Exploits0References1Affected Software1
Total number of security vulnerabilities5000