Lucene search
K
WpvulndbMost viewed

14602 matches found

WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.19 views

EasyEvent <= 1.0.0 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed PoC 1. Got to https://example.com/wp-admin/options-general.php?page=easyevent 2. In the ID...

5.7AI score0.00435EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.19 views

BEAR <= 1.1.4.1 & WOLF <= 1.0.8.1 - Cross-Site Request Forgery to Notice Dismissal

Description Multiple plugins and/or themes for WordPress are vulnerable to Cross-Site Request Forgery in various versions. This is due to missing or incorrect nonce validation on the admininit hook. This makes it possible for unauthenticated attackers to dismiss notices via a forged request grant...

8.8CVSS6.6AI score0.00224EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.19 views

Shortcodes and extra features for Phlox theme <= 2.15.5 - Contributor+ Stored XSS via title_tag

Description The plugin is vulnerable to Stored Cross-Site Scripting via the ‘titletag’ due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level and above permissions to inject arbitrary web scripts in pages that will...

6.4CVSS5.7AI score0.00414EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.19 views

NewsXpress < 1.0.8 - Cross-Site Request Forgery to Notice Dismissal

Description The NewsXpress theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.7. This is due to missing or incorrect nonce validation on the dismissedhandler function. This makes it possible for unauthenticated attackers to dismiss notices via a...

4.3CVSS6.4AI score0.002EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/12 12:0 a.m.19 views

Gutenverse < 1.9.1 - Contributor+ Stored XSS

Description The plugin does not validate the htmlTag option in various of its block before outputting it back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC As a contributor, put the below cod...

6AI score0.00442EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/12 12:0 a.m.19 views

Responsive Lightbox < 2.4.7 - Information Disclosure

Description The plugin is vulnerable to unauthorized access due to a missing capability check on the galleryattributes function in versions up to, and including, 2.4.6. This makes it possible for authenticated attackers, with contributor-level access and above, to view post content they shouldn't...

8.8CVSS6.7AI score0.00356EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/12 12:0 a.m.19 views

GiveWP – Donation Plugin and Fundraising Platform < 3.7.0 - Contributor+ Stored Cross-Site Scripting via Shortcode

Description The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's 'giveform' shortcode in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

6.4CVSS5.7AI score0.00371EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/11 12:0 a.m.19 views

ProfileGrid < 5.7.7 - Authenticated (Subscriber+) Insecure Direct Object Reference

Description The ProfileGrid – User Profiles, Memberships, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.7.6 due to missing validation on a user controlled key. This makes it possible for authenticated attacker...

7.1CVSS6.5AI score0.00379EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/11 12:0 a.m.19 views

Slideshow Gallery < 1.7.9 - Settings Reset via CSRF

Description The plugin does not have CSRF check in place when resetting its settings, which could allow attackers to make a logged in admin reset them via a CSRF attack...

4.3CVSS5.5AI score0.002EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/11 12:0 a.m.19 views

EmbedPress < 3.9.12 - Missing Authorization

Description The EmbedPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the deletesourcedata and savesourcedata functions in versions up to, and including, 3.9.11. This makes it possible for unauthenticated attackers to modify data sources...

5.3CVSS6.4AI score0.00336EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/11 12:0 a.m.19 views

Media Library Folders < 8.1.9 - Authenticated (Author+) Directory Traversal

Description The Media Library Folders plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 8.1.8. This makes it possible for authenticated attackers, with author-level access and above, to read/access the contents of arbitrary files on the server, which...

6.5CVSS6.5AI score0.00661EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/05 12:0 a.m.19 views

Salon booking system < 9.6.6 - Editor+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as Editor to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to "Salon Services Add New...

5.5AI score0.00418EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/05 12:0 a.m.19 views

Salon booking system < 9.6.6 - Editor+ Stored XSS via Email Settings

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin or editor depending on plugin configuration to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite...

5.4AI score0.00465EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/05 12:0 a.m.19 views

Happy Addons for Elementor < 3.10.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title HTML Tag

Description The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Title HTML Tag in all versions up to, and including, 3.10.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS5.7AI score0.00361EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.19 views

CRM Perks Forms < 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The CRM Perks Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to...

6.5CVSS5.8AI score0.00336EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.19 views

Social Icons Widget & Block by WPZOOM < 4.2.16 - Missing Authorization

Description The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the zoomajaxsetpointertransient function in versions up to, and including, 4.2.15. This makes it possible for authenticated attackers, with...

8.8CVSS6.7AI score0.01517EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.19 views

CRM Perks Forms < 1.1.5 - Unauthenticated SQL Injection

Description The CRM Perks Forms plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attacker...

10CVSS7.5AI score0.02267EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.19 views

Woocommerce Social Media Share Buttons <= 1.3.0 - Cross-Site Request Forgery to Cross-Site Scripting

Description The Woocommerce Social Media Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.0. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to...

7.1CVSS6.5AI score0.00184EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.19 views

WP Cost Estimation & Payment Forms Builder < 10.1.76 - Authenticated (Contributor+) SQL Injection

Description The WP Cost Estimation & Payment Forms Builder plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 10.1.75 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible...

8.5CVSS7.5AI score0.00488EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.19 views

Paid Memberships Pro – Mailchimp Add On < 2.3.5 - Unauthenticated Information Disclosure

Description The Paid Memberships Pro – Mailchimp Add On plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.3.4 via log files. This makes it possible for unauthenticated attackers to extract information from log files...

5.3CVSS6.6AI score0.00447EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.19 views

Brave Popup Builder < 0.6.6 - Unauthenticated Server-Side Request Forgery

Description The Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 0.6.5. This makes it possible for unauthenticated attackers to make web requests to...

5.4CVSS6.8AI score0.00305EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/03 12:0 a.m.19 views

Contact Form 7 Newsletter <= 2.2 - Reflected Cross-Site Scripting

Description The Contact Form 7 Newsletter plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts...

7.1CVSS6.3AI score0.00354EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/03 12:0 a.m.19 views

WPC Badge Management for WooCommerce < 2.4.1 - Missing Authorization

Description The WPC Badge Management for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in versions up to, and including, 2.4.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an...

8.8CVSS6.2AI score0.00323EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/03 12:0 a.m.19 views

Events Manager < 6.4.7.2 - Cross-Site Request Forgery

Description The Events Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.4.7.1. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged...

4.3CVSS6.5AI score0.00212EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/03 12:0 a.m.19 views

GS Testimonial Slider < 3.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The GS Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, ...

6.5CVSS5.9AI score0.0036EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/03 12:0 a.m.19 views

OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer) < 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The OpenStreetMap for Gutenberg and WPBakery Page Builder formerly Visual Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for...

6.5CVSS5.8AI score0.0036EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/03 12:0 a.m.19 views

Better Elementor Addons < 1.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Better Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above...

6.5CVSS5.8AI score0.00328EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/03 12:0 a.m.19 views

WPCS < 1.2.0.2 - Cross-Site Request Forgery

Description The WPCS plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.0.1. This is due to missing or incorrect nonce validation on the saveetalon function. This makes it possible for unauthenticated attackers to update the plugin's settings vi...

8.8CVSS6.4AI score0.00241EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/03 12:0 a.m.19 views

All In One Redirection <= 2.2.0 - Reflected Cross-Site Scripting

Description The All In One Redirection plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts ...

7.1CVSS6.3AI score0.00418EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/03 12:0 a.m.19 views

IP Blocker Lite <= 11.1.1 - IP Spoofing

Description The LionScripts: IP Blocker Lite plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 11.1.1 due to insufficient IP address validation. This makes it possible for unauthenticated attackers to spoof their IP Address and bypass blocklisting...

5.3CVSS6.7AI score0.00536EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/03 12:0 a.m.19 views

Klarna Payments for WooCommerce < 3.3.0 - Missing Authorization

Description The Klarna Payments for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in versions up to, and including, 3.2.4. This makes it possible for unauthenticated attackers to perform an unauthorized action...

9.8CVSS5.9AI score0.00478EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/02 12:0 a.m.19 views

Genesis Blocks < 3.1.3 - Contributor+ Stored XSS

Description The plugin is vulnerable to Stored Cross-Site Scripting via the block content due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute...

6.4CVSS5.9AI score0.00333EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/02 12:0 a.m.19 views

Forminator < 1.29.1 - Reflected Cross-Site Scripting

Description The plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into...

7.1CVSS6.5AI score0.00426EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/01 12:0 a.m.19 views

Photo Gallery by Supsystic < 1.15.17 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description The Photo Gallery by Supsystic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.15.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

5.9CVSS5.9AI score0.00339EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/01 12:0 a.m.19 views

WordPress Meta Data and Taxonomies Filter (MDTF) < 1.3.3.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Description The WordPress Meta Data and Taxonomies Filter MDTF plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

7.1CVSS5.8AI score0.00421EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/01 12:0 a.m.19 views

Fancy Comments WordPress < 1.2.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The Fancy Comments WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's facebookcommentsshortcode shortcode function in all versions up to, and including, 1.2.14 due to insufficient input sanitization and output escaping on user supplied...

6.5CVSS5.8AI score0.00336EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/29 12:0 a.m.19 views

Ultimate Addons for Beaver Builder – Lite < 1.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Advanced Icons Widget

Description The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Icons widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticate...

6.4CVSS5.9AI score0.00343EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/29 12:0 a.m.19 views

Pods < 3.1 - Contributor+ SQLi

Description The plugin is vulnerable to SQL Injection via shortcode due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor level access or higher, to append...

8.8CVSS7.6AI score0.00821EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/28 12:0 a.m.19 views

Pocket News Generator <= 0.2.0 - Authenticated (Admin+) Stored Cross-Site Scripting

Description The Pocket News Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings such as "Consumer Key" and "Access Token" in all versions up to, and including, 0.2.0 due to insufficient input sanitization and output escaping. This makes it possible for...

4.8CVSS5.7AI score0.00322EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/03/27 12:0 a.m.19 views

WP Staging (Free < 3.4.0, Pro < 5.4.0) - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to "WP Staging Backup &...

4.9AI score0.00423EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/27 12:0 a.m.19 views

WP Reset < 2.0 - Sensitive Information Exposure due to Insufficient Randomness

Description The plugin is vulnerable to Sensitive Information Exposure via the use of insufficiently random snapshot names, allowing unauthenticated attackers to extract sensitive data including site backups by brute-forcing the snapshot filenames...

5.9CVSS6.6AI score0.00704EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/27 12:0 a.m.19 views

coreActivity < 2.1 - Unauthenticated IP Spoofing

Description The plugin retrieved IP addresses of requests via headers such X-FORWARDED to log them, allowing users to spoof them by providing an arbitrary value PoC As unauthenticated: curl 'https://example.com/attacker' -H 'X-FORWARDED: 127.0.0.1' Then view the logs and note that the plugin...

6.5AI score0.00482EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/26 12:0 a.m.19 views

WordPress Action Network 1.4.3 - Admin+ SQLi

Description The plugin is vulnerable to SQL Injection via the 'bulk-action' parameter due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and...

7.2CVSS7.8AI score0.00621EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/26 12:0 a.m.19 views

Simple Ajax Chat < 20240216 - Authenticated (Admin+) Stored Cross-Site Scripting

Description The Simple Ajax Chat – Add a Fast, Secure Chat Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 20231101 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

4.4CVSS5.7AI score0.0033EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/26 12:0 a.m.19 views

Check & Log Email < 1.0.10 - Unauthenticated Hook Injection

Description The plugin is vulnerable to Unauthenticated Hook Injection via the checknonce function. This makes it possible for unauthenticated attackers to execute actions with hooks in WordPress under certain circumstances. The action the attacker wishes to execute needs to have a nonce check, a...

8.1CVSS7.4AI score0.00732EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/25 12:0 a.m.19 views

Advanced Access Manager < 6.9.21 - Reflected XSS

Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS6.2AI score0.00438EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.19 views

Blocksy Companion < 2.0.32 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...

6.5CVSS6AI score0.00346EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.19 views

Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing < 3.6.4 - Plugin Settings Update via CSRF

Description The Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin is vulnerable to Cross-Site Request Forgery. This is due to missing or incorrect nonce validation when saving plugin settings. This makes it possible for unauthenticated attackers to change the plugin'...

4.3CVSS6.5AI score0.0021EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.19 views

Page Builder: Pagelayer – Drag and Drop website builder < 1.8.5 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...

6.4CVSS5.8AI score0.00429EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.19 views

WP Coder < 3.5.1 - Authenticated (Editor+) Stored Cross-Site Scripting

Description The WP Coder – Powerful HTML, CSS, JS and PHP Injection plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

5.9CVSS6.1AI score0.00316EPSS
Exploits0References1Affected Software1
Total number of security vulnerabilities5000