Lucene search
K
WpvulndbRecent

14602 matches found

WPVulnDB
WPVulnDB
added 2024/06/03 12:0 a.m.14 views

Nafeza Prayer Time <= 1.2.9 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description The Nafeza Prayer Time plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

4.4CVSS5.7AI score0.00271EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/03 12:0 a.m.14 views

SEOPress < 7.8 - Contributor+ Stored XSS

Description The plugin does not sanitise and escape some of its Post settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks. PoC As a contributor, create a new Post, at the bottom of the page put the following payload in the "SEO Title"...

5AI score0.00337EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/03 12:0 a.m.17 views

Essential Real Estate <= 4.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The Essential Real Estate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'erepropertymap' shortcode in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4CVSS5.8AI score0.00324EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/03 12:0 a.m.17 views

Essential Real Estate <= 4.4.2 - Insecure Direct Object Reference to Arbitrary Attachment Deletion

Description The Essential Real Estate plugin for WordPress is vulnerable to unauthorized loss of data due to insufficient validation on the removepropertyattachmentajax function in all versions up to, and including, 4.4.2. This makes it possible for authenticated attackers, with subscriber-level...

4.3CVSS6.6AI score0.00462EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/03 12:0 a.m.14 views

Social Link Pages: link-in-bio landing pages for your social media profiles <= 1.6.9 - Missing Authorization to Arbitrary Page Creation and Cross-Site Scripting

Description The Social Link Pages: link-in-bio landing pages for your social media profiles plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the importlinkpages function in all versions up to, and including, 1.6.9. This makes it possible for...

7.2CVSS6.7AI score0.00312EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/03 12:0 a.m.21 views

tagDiv Composer < 4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via button Shortcode

Description The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's button shortcode in all versions up to, and including, 4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS5.9AI score0.0029EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/03 12:0 a.m.65 views

PDF.js < 4.2.67 - Arbitrary JavaScript Execution

Description PDF.js is vulnerable to Arbitrary JavaScript Execution in versions prior to 4.2.67. This is due to a missing type check when handling fonts. This makes it possible for authenticated attackers, with contributor-level or above permissions, to execute arbitrary JavaScript if they can...

6.5AI score0.72648EPSS
Exploits15References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/03 12:0 a.m.17 views

Slider Revolution < 6.7.11 - Authenticated (Author+) Stored Cross-Site Scripting via Add Layer class, id, and title Attributes

Description The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Add Layer widget in all versions up to, and including, 6.7.11 due to insufficient input sanitization and output escaping on the user supplied 'class', 'id', and 'title' attributes...

6.4CVSS5.7AI score0.00279EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/03 12:0 a.m.12 views

Download Attachments <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Download Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'download-attachments' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4CVSS5.8AI score0.00334EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/01 12:0 a.m.11 views

Shield Security – Smart Bot Blocking & Intrusion Prevention Security < 19.1.11 - Cross-Site Request Forgery

Description The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 19.1.13. This is due to missing or incorrect nonce validation on the exec function. This makes it possible fo...

4.3CVSS6.4AI score0.00219EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.14 views

Premium Addons for Elementor < 4.10.32 - Contributor+ DOM-Based Stored Cross-Site Scripting via Global Tooltip

Description The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Global Tooltip widget in all versions up to, and including, 4.10.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

5.4CVSS5.8AI score0.00324EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.14 views

WooCommerce Multilingual & Multicurrency with WPML < 5.3.4 - Shop Manager+ SQL Injection

Description The WooCommerce Multilingual & Multicurrency with WPML plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 5.3.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes...

7.6CVSS7.4AI score0.00541EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.15 views

CSSable Countdown <= 1.5 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to...

5.4AI score0.00354EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.8 views

Widget Bundle <= 2.0.0 - Widget Disable/Enable via CSRF

Description The plugin does not have CSRF checks when logging Widgets, which could allow attackers to make logged in admin enable/disable widgets via a CSRF attack PoC This PoC disables the User Registration widget. To do so, make a logged in admin open an HTML file containing:...

6.2AI score0.00199EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.13 views

WooCommerce Multilingual & Multicurrency with WPML < 5.3.4 - Shop Manager+ SQL Injection

Description The WooCommerce Multilingual & Multicurrency with WPML plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 5.3.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes...

7.6CVSS7.4AI score0.00541EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.21 views

wpDataTables - Tables & Table Charts (Premium) < 6.4 - Missing Authorization to DataTable Access & Modification

Description The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the wdtajaxactions.php file in all versions up to, and including, 6.3.2. This makes it...

7.3CVSS6.6AI score0.00325EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.15 views

Premium Addons for Elementor < 4.10.32 - Missing Authorization to Information Disclosure

Description The Premium Addons for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the gettemplatecontent function in all versions up to, and including, 4.10.31. This makes it possible for authenticated attackers, with...

4.3CVSS6.4AI score0.00341EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.13 views

Elements For Elementor < 2.2 - Authenticated (Contributor+) Local File Inclusion via Multiple Widget Attributes

Description The Elements For Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.1 via the 'beforeafterlayout' attribute of the beforeafter widget, the 'eventsgridlayout' attribute of the eventsgrid and list widgets, the 'marqueelayout'...

8.8CVSS7.6AI score0.00802EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.7 views

Popup Builder < 4.3.0 - Authenticated(Contributor+) Stored Cross-Site Scripting via Custom JS

Description The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS functionality in all versions up to, and including, 4.2.7 due to insufficient input sanitization and output escaping on...

6.4CVSS5.7AI score0.00267EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.13 views

Content Blocks (Custom Post Widget) < 3.3.1 - Authenticated (Contributor+) Local File Inclusion via Shortcode

Description The Content Blocks Custom Post Widget plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the plugin's 'contentblock' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to inclu...

8.8CVSS7.6AI score0.00618EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.14 views

WP Logs Book <= 1.0.1 - Unauthenticated Stored XSS

Description The plugin does not sanitise and escape some of its log data before outputting them back in an admin dashboard, leading to an Unauthenticated Stored Cross-Site Scripting PoC 1. On the login page, enter any username and for the password enter 2. As an admin, view the logs at:...

6.2AI score0.00307EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.13 views

WP Logs Book <= 1.0.1 - Disable Logging via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC Make an admin open an HTML file containing:...

6.2AI score0.05957EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.13 views

WP Logs Book <= 1.0.1 - Log Clearing via CSRF

Description The plugin does not have CSRF check when clearing logs, which could allow attackers to make a logged in admin clear the logs them via a CSRF attack PoC Make an admin open an HTML file containing: Note: The 404 Error Logs can also be cleared by modifying the PoC...

6.2AI score0.00183EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.17 views

QQWorld Auto Save Images <= 1.9.8 - Missing Authorization to Arbitrary Post Content Retrieval

Description The QQWorld Auto Save Images plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the saveremoteimagesgetautosavedresults function hooked via a norpriv AJAX in all versions up to, and including, 1.9.8. This makes it possible for...

5.3CVSS5.5AI score0.00349EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.12 views

PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode <= 1.7 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to...

5.4AI score0.00319EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.15 views

Master Slider - Responsive Touch Slider < 3.9.10 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'msslide' shortcode in all versions up to, and including, 3.9.9 due to insufficient input sanitization and output escaping on user supplied 'cssclass'...

6.4CVSS5.7AI score0.00323EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.15 views

CB (legacy) <= 0.9.4.18 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to...

4.9AI score0.00332EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.18 views

WordPress Infinite Scroll – Ajax Load More < 7.1.2 - Authenticated (Contributor+) Cross-Site Scripting

Description The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ajaxloadmore shortcode in versions up to, and including, 7.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS5.8AI score0.0039EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.10 views

Contact Form Manager < 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Contact Form Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's xyz-cfm-form shortcode in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

6.4CVSS5.7AI score0.00273EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.16 views

Widget Bundle <= 2.0.0 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Enable the "Text Form" widget...

5.4AI score0.00356EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.13 views

CB (legacy) <= 0.9.4.18 - Code/Timeframe/Booking Deletion via CSRF

Description The plugin does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting codes, timeframes, and bookings via CSRF attacks PoC Codes:...

6.5AI score0.00209EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.14 views

Content Blocks (Custom Post Widget) < 3.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via content_block Shortcode

Description The Content Blocks Custom Post Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'contentblock' shortcode in all versions up to, and including, 3.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This...

6.4CVSS5.8AI score0.00314EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.13 views

PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode <= 1.7 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC paypalbutton type="addtocart...

5.6AI score0.00315EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.13 views

WooCommerce Multilingual & Multicurrency with WPML < 5.3.4 - Shop Manager+ SQL Injection

Description The WooCommerce Multilingual & Multicurrency with WPML plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 5.3.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes...

7.6CVSS7.4AI score0.00541EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.17 views

wpDataTables - Tables & Table Charts (Premium) < 6.3.2 - Unauthenticated SQL Injection

Description The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to SQL Injection via the 'idkey' parameter of the wdtdeletetablerow AJAX action in all versions up to, and including, 6.3.1 due to insufficient escaping on the user supplie...

10CVSS7.4AI score0.00657EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.16 views

Google CSE <= 1.0.7 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to...

5.4AI score0.00255EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.8 views

WP eMember < 10.3.9 - Reflected Cross-Site Scripting

Description The WooCommerce and WP eMember Integration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 10.3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

6AI score0.0044EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.18 views

DOP Shortcodes <= 1.2 - Contributor+ Stored XSS via Shortcode

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC Add the following shortcode ...

5.6AI score0.00315EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.8 views

wpForo Forum < 2.3.4 - Authenticated (Contributor+) SQL Injection

Description The wpForo Forum plugin for WordPress is vulnerable to SQL Injection via the 'slug' attribute of the 'wpforo' shortcode in all versions up to, and including, 2.3.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query...

9.9CVSS7.2AI score0.00457EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.15 views

Royal Elementor Addons and Templates < 1.3.976 - Authenticated (Contributor+) Stored Cross-Site Scripting via Back to Top Widget

Description The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Back to Top widget in all versions up to, and including, 1.3.975 due to insufficient input sanitization and output escaping on user supplied attributes. This mak...

6.4CVSS5.8AI score0.00324EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.14 views

User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin < 3.2.1 - Missing Authorization to Privilege Escalation

Description The User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'importformaction' function in versions up to, and including, 3.2.0.1. This...

7.1CVSS6.4AI score0.00334EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.12 views

Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder < 2.5.52 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘buttononeid’ parameter in all versions up to, and including, 2.5.51 due to insufficient input sanitization and output escaping. This makes it...

6.4CVSS5.8AI score0.00326EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.9 views

Widget Bundle <= 2.0.0 - Unauthencated Reflected XSS

Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users PoC On a site with the User Login/Registration widget active, have an unauthenticated user send...

6AI score0.00408EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.10 views

Page Builder Gutenberg Blocks – CoBlocks < 3.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Social Profiles

Description The Page Builder Gutenberg Blocks – CoBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Social Profiles widget in all versions up to, and including, 3.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes ...

6.4CVSS5.8AI score0.00326EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.15 views

Royal Elementor Addons and Templates < 1.3.976 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's image hotspot, image accordion, off canvas, woogrid, and product mini cart widgets in all versions up to, and including, 1.3.975 due to insufficient input...

6.4CVSS5.7AI score0.00342EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.11 views

Premium Addons for Elementor < 4.10.32 - Authenticated (Contributor+) Stored Cross-Site Scripting via Fancy Text Widget

Description The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Fancy Text widget in all versions up to, and including, 4.10.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4CVSS5.8AI score0.00332EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.12 views

Starter Templates — Elementor, WordPress & Beaver Builder Templates < 4.2.2 - Contributor+ Stored Cross-Site Scripting

Description The Starter Templates — Elementor, WordPress & Beaver Builder Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘customuploadmimes’ function in versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes...

6.4CVSS5.8AI score0.00446EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/31 12:0 a.m.16 views

WooCommerce Multilingual & Multicurrency with WPML < 5.3.4 - Shop Manager+ SQL Injection

Description The WooCommerce Multilingual & Multicurrency with WPML plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 5.3.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes...

7.6CVSS7.4AI score0.00541EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/30 12:0 a.m.19 views

DethemeKit For Elementor < 2.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via slitems Attribute

Description The DethemeKit For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slitems' attribute within the plugin's De Product Tab & Slide widget in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping on user...

6.4CVSS7.8AI score0.00321EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/30 12:0 a.m.17 views

Happy Addons for Elementor < 3.11.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Accordion

Description The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ha-ia-content-button’ parameter in all versions up to, and including, 3.10.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS5.8AI score0.00325EPSS
Exploits0References1Affected Software1
Total number of security vulnerabilities14602