Lucene search
K
WpvulndbMost viewed

14602 matches found

WPVulnDB
WPVulnDB
added 2014/08/01 10:58 a.m.20 views

Simple Paypal Shopping Cart <= 3.5 - Cross-Site Request Forgery (CSRF)

The WordPress Simple PayPal Shopping Cart WordPress plugin was affected by a Cross-Site Request Forgery CSRF security vulnerability...

6.8CVSS2.2AI score0.01076EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 10:58 a.m.20 views

WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()

...

4.3CVSS1.3AI score0.01398EPSS
Exploits1Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 12:0 a.m.20 views

slidedeck2 < 2.1.20130313 - XSS in ZeroClipboard

The SlideDeck 2 Lite Responsive Content Slider WordPress plugin was affected by a XSS in ZeroClipboard security vulnerability. PoC /wp-content/plugins/slidedeck2/js/zeroclipboard/ZeroClipboard.swf?id="catcheif!self.aself.a=!alertdocument.cookie//...

4.3CVSS0.6AI score0.06316EPSS
Exploits4References2Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 12:0 a.m.20 views

plugin wordTube <= 1.43 - (wpPATH) RFI

The wordtube WordPress plugin was affected by a wpPATH RFI security vulnerability...

6.8CVSS1.9AI score0.40099EPSS
Exploits3References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 12:0 a.m.20 views

Wordpress <= 1.5.1.3 - Remote Code Execution

...

7.5CVSS2.4AI score0.38771EPSS
Exploits5Affected Software1
WPVulnDB
WPVulnDB
added 2014/08/01 12:0 a.m.20 views

Advanced Dewplayer <= 1.2 - download-file.php dew_file Parameter Traversal Arbitrary File Access

The Advanced Dewplayer WordPress plugin was affected by a download-file.php dewfile Parameter Traversal Arbitrary File Access security vulnerability...

5CVSS3.8AI score0.19641EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/06/26 12:0 a.m.20 views

Simple Share Buttons Adder 4.4 - options-general.php Multiple Admin Actions CSRF

The Simple Share Buttons Adder WordPress plugin was affected by an options-general.php Multiple Admin Actions CSRF security vulnerability...

6.8CVSS2.4AI score0.02805EPSS
Exploits1References3Affected Software1
WPVulnDB
WPVulnDB
added 2014/06/12 12:0 a.m.20 views

WP Tmkm Amazon <= 1.5b - XSS

The wp-tmkm-amazon WordPress plugin was affected by a XSS security vulnerability...

4.3CVSS1.9AI score0.02041EPSS
Exploits1References2Affected Software1
WPVulnDB
WPVulnDB
added 2014/04/28 12:0 a.m.20 views

TinyMCE Color Picker 1.1 - tinymce-colorpicker.php Missing edit_others_posts Capability Check

The TinyMCE Color Picker WordPress plugin was affected by a tinymce-colorpicker.php Missing editothersposts Capability Check security vulnerability...

5CVSS2.5AI score0.01784EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/04/25 12:0 a.m.20 views

WP eBay Product Feeds < 1.2 - Cross-Site Scripting via rss_url Parameter

The WP eBay Product Feeds WordPress plugin was affected by a Cross-Site Scripting via rssurl Parameter security vulnerability. PoC http://localhost/wordpress/wp-content/plugins/ebay–feeds–for–wordpress/magpie/scripts/magpieslashbox.php?rssurl=%3Cscript%3Ealert%281%29%3C/script%3E...

4.3CVSS0.6AI score0.0118EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/04/25 12:0 a.m.20 views

Podcast Channels < 0.28 - Unauthenticated Reflected XSS

The Podcast Channels WordPress plugin was affected by an Unauthenticated Reflected XSS security vulnerability. PoC http://127.0.0.1/wp-content/plugins/podcast–channels/getid3/demos/demo.write.php?Filename=Filename%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&...

4.3CVSS1.1AI score0.03779EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/04/25 12:0 a.m.20 views

WP e-Commerce Swipe <= 3.1.0 - Multiple XSS Issues

The last time it was checked the plugin was still affected and had been closed. PoC...

4.3CVSS6.3AI score0.01163EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/04/25 12:0 a.m.20 views

Wordpress Social Login < 2.1.5 - XSS

The WordPress Social Login WordPress plugin was affected by a XSS security vulnerability...

4.3CVSS2.5AI score0.01629EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/02/12 12:0 a.m.20 views

Nextend Facebook Connect <= 1.4.59 - Cross-Site Scripting (XSS)

The Nextend Social Login and Register WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...

4.3CVSS2AI score0.0377EPSS
Exploits3References1Affected Software1
WPVulnDB
WPVulnDB
added 2014/01/31 12:0 a.m.20 views

Media File Renamer <= 1.7.0 - Stored Cross-Site Scripting (XSS)

The Media File Renamer – Auto & Manual Rename WordPress plugin was affected by a Stored Cross-Site Scripting XSS security vulnerability...

2.1CVSS2.3AI score0.01593EPSS
Exploits3References3Affected Software1
WPVulnDB
WPVulnDB
added 2013/08/26 12:0 a.m.20 views

Contact Form 3.34 - contact_form.php cntctfrm_contact_message Parameter XSS

The Contact Form by BestWebSoft WordPress plugin was affected by a contactform.php cntctfrmcontactmessage Parameter XSS security vulnerability...

4.3CVSS2.6AI score0.00923EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2012/08/10 12:0 a.m.20 views

Quick Post Widget 1.9.1 - Multiple Cross-Site Scripting (XSS)

The quick-post-widget WordPress plugin was affected by a Multiple Cross-Site Scripting XSS security vulnerability...

4.3CVSS1.7AI score0.02041EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2012/05/22 12:0 a.m.20 views

Events Manager < 5.1.7 - Cross-Site Scripting (XSS)

The Events Manager WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...

4.3CVSS2AI score0.00913EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2012/05/15 12:0 a.m.20 views

Pretty Link Lite <= 1.5.3 - Cross-Site Scripting (XSS)

The Pretty Links – Link Management, Branding, Tracking & Sharing Plugin WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...

4.3CVSS1.3AI score0.02407EPSS
Exploits1References3Affected Software1
WPVulnDB
WPVulnDB
added 2012/05/15 12:0 a.m.20 views

Survey And Quiz Tool <= 2.9.2 - Cross Site Scripting

The wp-survey-and-quiz-tool WordPress plugin was affected by a Cross Site Scripting security vulnerability...

1.6AI score
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2012/01/26 12:0 a.m.20 views

Slideshow Gallery 2 <= 1.1.4 - Cross-Site Scripting (XSS)

The last time it was checked the plugin was still affected and had been closed...

4.3CVSS2AI score0.03748EPSS
Exploits1References2Affected Software1
WPVulnDB
WPVulnDB
added 2003/06/02 12:0 a.m.20 views

WordPress 0.7 - SQL Injection

...

7.5CVSS1.8AI score0.02903EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/13 12:0 a.m.19 views

Visualizer < 3.11.2 - Authenticated (Subscriber+) SQL Injection

Description The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to SQL Injection via the saveQuery function in all versions up to, and including, 3.11.1 due to a missing capability check on a function that runs SQL Queries. This makes it possible for...

8.8CVSS7.3AI score0.00441EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.19 views

BuddyForms <= 2.8.9 - Email Verification Bypass due to Insufficient Randomness

Description The BuddyForms plugin for WordPress is vulnerable to Email Verification Bypass in all versions up to, and including, 2.8.9 via the use of an insufficiently random activation code. This makes it possible for unauthenticated attackers to bypass the email verification...

6.5CVSS6.9AI score0.00388EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.19 views

Integrate Google Drive < 1.3.94 - Missing Authorization

Description The Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files into Your WordPress Site plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and includin...

9.8CVSS6.7AI score0.0041EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.19 views

Save as PDF Plugin by Pdfcrowd < 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Save as PDF Plugin by Pdfcrowd plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...

6.5CVSS5.7AI score0.00295EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/03 12:0 a.m.19 views

SureTriggers – Connect All Your Plugins, Apps, Tools & Automate Everything! < 1.0.48 - Authenticated (Contributor+) Stored Cross-Site Scripting via Trigger Link Shortcode

Description The SureTriggers – Connect All Your Plugins, Apps, Tools & Automate Everything! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Trigger Link shortcode in all versions up to, and including, 1.0.47 due to insufficient input sanitization and output...

6.4CVSS5.8AI score0.00355EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/30 12:0 a.m.19 views

DethemeKit For Elementor < 2.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via slitems Attribute

Description The DethemeKit For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slitems' attribute within the plugin's De Product Tab & Slide widget in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping on user...

6.4CVSS7.8AI score0.00321EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/29 12:0 a.m.19 views

HUSKY – Products Filter Professional for WooCommerce < 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.3.5.3 due to insufficient input sanitization and output escaping on user supplied attributes...

6.4CVSS5.8AI score0.00334EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/28 12:0 a.m.19 views

FooBox (Free and Premium) < 2.7.28 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC Go to settings and change the...

7.7AI score0.00335EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/28 12:0 a.m.19 views

Essential Addons for Elementor PRO – Best Elementor Templates, Widgets, Kits & WooCommerce Builders < 5.8.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via Team Member Carousel Widget

Description The Essential Addons for Elementor PRO – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Team Member Carousel widget in all Pro versions up to, and including, 5.8.14 due to insufficient...

6.4CVSS5.8AI score0.00263EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/24 12:0 a.m.19 views

Testimonial Carousel For Elementor < 10.2.1 - Missing Authorization to Limited Setting Update

Description The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'savetestimonialsoptioncallback' function in versions up to, and including, 10.2.0. This makes it possible for unauthenticated...

5.3CVSS6.7AI score0.00402EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/23 12:0 a.m.19 views

Unlimited Elements for Elementor < 1.5.108 - Contributor+ SQLi

Description The plugin is vulnerable to SQL Injection via the ‘datapostids0’ parameter due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and...

8.8CVSS7.3AI score0.00454EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/23 12:0 a.m.19 views

YITH WooCommerce Ajax Search < 2.4.1 - Unauthenticated Stored Cross-Site Scripting

Description The YITH WooCommerce Ajax Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘item’ parameter in versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to injec...

7.2CVSS6AI score0.0101EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/23 12:0 a.m.19 views

WP Photo Album Plus < 8.7.00.004 - Unauthenticated Arbitrary Shortcode Execution

Description The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.7.02.003. This is due to the plugin allowing unauthenticated users to execute an action that does not properly validate a value before running doshortcod...

7.3CVSS7.5AI score0.00478EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.19 views

ChaosTheory < 1.3.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Description The ChaosTheory theme for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject...

6.5CVSS5.6AI score0.00253EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.19 views

Order Export & Order Import for WooCommerce < 2.5.0 - Authenticated (Administrator+) PHP Object Injection

Description The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.4.9 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Administrator-level access and above,...

4.4CVSS7.4AI score0.00244EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.19 views

Uber Menu < 3.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes

Description The UberMenu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ubermenu-col, ubermenumobileclosebutton, ubermenutoggle, ubermenu-search shortcodes in all versions up to, and including, 3.8.2 due to insufficient input sanitization and output escaping on...

6.4CVSS5.8AI score0.00267EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/17 12:0 a.m.19 views

ArForms < 6.6 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Add or edit an existing form an...

7.8AI score0.00351EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/17 12:0 a.m.19 views

Testimonial Carousel For Elementor < 10.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'showlinetext ' and 'slidebuttonhoveranimation' parameters in versions up to, and including, 10.1.1 due to insufficient input sanitization and output escaping. This makes i...

6.5CVSS5.9AI score0.00413EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/16 12:0 a.m.19 views

Heateor Social Login WordPress < 1.1.32 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Heateor Social Login WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.1.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...

5.8AI score0.00341EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/15 12:0 a.m.19 views

Stockholm < 9.7 - Authenticated (Contributor+) Local File Inclusion

Description The Stockholm theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution ...

8.8CVSS7.9AI score0.00514EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/15 12:0 a.m.19 views

Arigato Autoresponder and Newsletter < 2.7.2.4 - Cross-Site Request Forgery

Description The Arigato Autoresponder and Newsletter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.2.3. This is due to missing or incorrect nonce validation on the contactform function. This makes it possible for unauthenticated attacke...

4.3CVSS6.6AI score0.00249EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/15 12:0 a.m.19 views

MC Woocommerce Wishlist < 1.7.9 - Missing Authorization

Description The MC Woocommerce Wishlist plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deleteitem function in versions up to, and including, 1.7.8. This makes it possible for unauthenticated attackers to remove items from wishlists...

5.3CVSS6.9AI score0.00316EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/15 12:0 a.m.19 views

Custom Post Type Attachment < 3.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via pdf_attachment Shortcode

Description The Custom Post Type Attachment plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pdfattachment' shortcode in all versions up to, and including, 3.4.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes i...

6.4CVSS5.8AI score0.00273EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.19 views

Email Subscribers by Icegram Express < 5.7.20 - Missing Authorization in handle_ajax_request

Description The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on the handleajaxrequest function in all versions up to, and including, 5.7.19. This makes it possible f...

8.8CVSS7.3AI score0.00392EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/13 12:0 a.m.19 views

YITH WooCommerce Gift Cards < 4.13.0 - Missing Authorization to Unauthenticated WooCommerce Settings Update

Description The YITH WooCommerce Gift Cards plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'savemailstatus' and 'saveemailsettings' functions in all versions up to, and including, 4.12.0. This makes it possible for unauthenticated...

5.3CVSS6.7AI score0.00504EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/09 12:0 a.m.19 views

Ninja Forms – The Contact Form Builder That Grows With You < 3.8.1 - Admin+ Stored Cross-Site Scripting

Description The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a form field in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for...

5.8AI score0.00454EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/09 12:0 a.m.19 views

Gutenberg Blocks with AI by Kadence WP – Page Builder Features < 3.2.20 - Contributor+ Server-Side Request Forgery

Description The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.2.19. This makes it possible for authenticated attackers, with contributor-level access and above, to make web...

7.7CVSS6.7AI score0.00505EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/09 12:0 a.m.19 views

LearnPress – WordPress LMS Plugin < 4.2.6.6 - Unauthenticated Bypass to User Registration

Description The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 4.2.6.5. This is due to missing checks in the 'createaccount' function in the checkout. This makes it possible for unauthenticated attackers to...

6.5CVSS7AI score0.00712EPSS
Exploits1References1Affected Software1
Total number of security vulnerabilities5000