Lucene search
K
WpvulndbRecent

14602 matches found

WPVulnDB
WPVulnDB
•added 2023/11/03 12:0 a.m.•14 views

iframe forms <= 1.0 - Contributor+ Stored Cross-Site Scripting

Description The plugin does not properly sanitize and escape the 'iframe' shortcode. This leads to the possibility of stored Cross-Site Scripting where arbitrary web scripts can be injected into pages...

6.4CVSS5.7AI score0.00403EPSS
Exploits1References1
WPVulnDB
WPVulnDB
•added 2023/11/03 12:0 a.m.•20 views

Ads by datafeedr.com < 1.2.0 - Unauthenticated Remote Code Execution

Description The plugin does not adequately secure the 'dfadsajaxloadads' function, leading to a potential Remote Code Execution RCE vulnerability...

9.8CVSS9.7AI score0.02196EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/11/03 12:0 a.m.•9 views

Buzzsprout Podcasting < 1.8.5 - Contributor+ Stored Cross-Site Scripting

Description The plugin does not adequately sanitize and escape user-supplied attributes in the 'buzzsprout' shortcode, which leads to a potential Stored Cross-Site Scripting vulnerability. This issue can result in the injection of arbitrary web scripts into pages, which are then executed when a...

6.4CVSS5.9AI score0.00508EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/11/03 12:0 a.m.•31 views

LearnDash LMS < 4.5.3.1 - SQL Injection

Description The plugin does not properly neutralize special elements used in an SQL command, leading to potential SQL injection vulnerability...

8.8CVSS7.5AI score0.00684EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/11/03 12:0 a.m.•20 views

Grid Plus < 1.3.3 - Subscriber+ Grid Layout Creation/Deletion/Update

Description The plugin does not properly implement capability checks on the 'gridplussavelayoutcallback' and 'gridplusdeletecallback' functions, leading to unauthorized creation, deletion and update of grid layout by any authenticated users, such as subscriber...

5.4CVSS5.7AI score0.00473EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/11/03 12:0 a.m.•8 views

Zotpress < 7.3.5 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.7AI score0.00351EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/11/03 12:0 a.m.•11 views

Google Maps made Simple <= 0.6 - Subscriber+ SQL Injection

Description The plugin does not properly escape user-supplied parameters nor adequately prepare its SQL queries within the plugin's shortcode...

8.8CVSS7.2AI score0.00565EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/11/03 12:0 a.m.•15 views

Smart Online Order for Clover < 1.5.5 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.7AI score0.00331EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/11/03 12:0 a.m.•9 views

nsc theme <= 1.0 - Reflected Cross-Site Scripting

Description The theme does not sufficiently sanitize input or escape output, leading to potential Reflected Cross-Site Scripting via prototype pollution...

6.1CVSS6AI score0.00386EPSS
Exploits0References1
WPVulnDB
WPVulnDB
•added 2023/11/03 12:0 a.m.•14 views

Post Meta Data Manager < 1.2.1 - Unauthenticated Data Deletion

Description The plugin does not perform proper capability checks on certain functions, leading to potential unauthorized modification of data. This could result in unauthenticated users being able to delete user, term, and post meta...

7.5CVSS7AI score0.00468EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/11/03 12:0 a.m.•19 views

Groundhogg < 2.7.11.11 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.6AI score0.00316EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/11/03 12:0 a.m.•10 views

Shortcode Menu <= 3.2 - Contributor+ Stored Cross-Site Scripting

Description The plugin does not properly sanitize user input or escape output in the 'shortmenu' shortcode, leading to a Stored Cross-Site Scripting vulnerability. This issue allows authenticated users with contributor-level and above permissions to inject arbitrary web scripts into pages...

6.4CVSS5.5AI score0.00417EPSS
Exploits1References1
WPVulnDB
WPVulnDB
•added 2023/11/03 12:0 a.m.•15 views

RSVPMarker < 10.6.7 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in David F. Carr RSVPMaker rsvpmaker allows SQL Injection.This issue affects RSVPMaker: from n/a through 10.6.6...

9.8CVSS7.4AI score0.00862EPSS
Exploits1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/11/03 12:0 a.m.•11 views

Post Meta Data Manager < 1.2.1 - Subscriber+ Privilege Escalation

Description The plugin does not properly implement capability checks on certain functions, which results in potential unauthorized modification of data. As a result, authenticated users with subscriber-level permissions can potentially gain elevated privileges...

8.8CVSS7AI score0.00536EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/11/03 12:0 a.m.•16 views

idbbee <= 1.0 - Contributor+ Stored Cross-Site Scripting

Description The plugin does not adequately sanitize and escape user supplied attributes in the 'idbbee' shortcode. This can lead to injection of arbitrary web scripts that execute whenever a user accesses an injected page...

5.4CVSS7.4AI score0.00378EPSS
Exploits1References1
WPVulnDB
WPVulnDB
•added 2023/11/03 12:0 a.m.•15 views

WC Captcha <= 1.5 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5AI score0.00316EPSS
Exploits0References1
WPVulnDB
WPVulnDB
•added 2023/10/31 12:0 a.m.•25 views

Contact Form to DB by BestWebSoft < 1.7.2 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in BestWebSoft Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress contact-form-to-db allows SQL Injection.This issue affects Contact Form to DB by BestWebSoft –...

9.8CVSS7.2AI score0.00716EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/31 12:0 a.m.•14 views

WPPizza < 3.18.3 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.7AI score0.00331EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/31 12:0 a.m.•11 views

Appointment booking addon for Gravity Forms <= 1.9.5.1 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC The "Translations" settings of the...

4.8CVSS4.7AI score0.00418EPSS
Exploits1
WPVulnDB
WPVulnDB
•added 2023/10/31 12:0 a.m.•10 views

RSVPMarker < 9.9.4 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in David F. Carr RSVPMaker rsvpmaker allows SQL Injection.This issue affects RSVPMaker: from n/a through 9.9.3...

7.2CVSS7.4AI score0.0068EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/31 12:0 a.m.•16 views

10Web Booster < 2.24.18 - Unauthenticated Arbitrary Option Deletion

Description The plugin does not validate the option name given to some AJAX actions, allowing unauthenticated users to delete arbitrary options from the database, leading to denial of service. PoC fetch"http://127.0.0.1:8001/wp-admin/admin-ajax.php", "headers": "content-type":...

9.1CVSS6.4AI score0.02811EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/31 12:0 a.m.•18 views

EventPrime < 3.3.6 - Booking Pricing Bypass

Description The plugin specifies the price of a booking in the client request, allowing an attacker to purchase bookings without payment. PoC Create an Event, noting its ID. Add a ticket type to the Event, ensuring that the price is not zero. As a logged-in user, go through the process of paying...

5.3CVSS5.3AI score0.00541EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/30 12:0 a.m.•6 views

Deeper Comments <= 2.1.1 - Subscriber+ Arbitrary Options Update

Description The plugin does not have authorisation in its updateoptions AJAX action, allowing any authenticated users, such as subscribers to update arbitrary blog options like defaultrole etc...

7AI score
Exploits0References2
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•11 views

Add Shortcodes Actions And Filters < 2.10 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.7AI score0.00331EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•14 views

Contact Form Builder, Contact Widget <= 2.1.7 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.7AI score0.00331EPSS
Exploits0References1
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•16 views

Seraphinite Accelerator < 2.2.29 - Authenticated Arbitrary Redirect

Description The plugin does not validate the URL to redirect any authenticated user to, leading to an arbitrary redirect PoC Make a logged in user open https://example.com/wp-admin/admin-ajax.php?action=seraphaccelact=acceptEula=https%3A%2F%2Fwpscan.com...

5.4CVSS5.8AI score0.0037EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•11 views

Triberr <= 4.1.1 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.6AI score0.00316EPSS
Exploits0References2
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•16 views

Custom post types <= 5.0.0 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS6AI score0.00316EPSS
Exploits0References1
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•13 views

Archivist – Custom Archive Templates <= 1.7.5 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

6.1CVSS5.7AI score0.00294EPSS
Exploits0References2
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•11 views

WooCommerce PDF Invoice Builder < 1.2.104 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.7AI score0.00331EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•21 views

WP Full Stripe Free <= 1.6.1 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.6AI score0.00316EPSS
Exploits0References2
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•13 views

CPT Shortcode Generator <= 1.0 - Arbitrary Settings Update via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS7AI score0.00214EPSS
Exploits0References2
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•11 views

Lava Directory Manager <= 1.1.34 - Unauthenticated Stored XSS

Description The plugin does not validate and escape some parameters, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks...

7.1CVSS5.8AI score0.00331EPSS
Exploits0References2
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•16 views

SALESmanago < 3.2.5 - Log Injection via Weak Authentication Token

Description The plugin uses a weak authentication toke for it's /wp-json/salesmanago/v1/callbackApiV3 API endpoint, allowing unauthenticated attackers to inject arbitrary content into the plugin logs...

5.3CVSS6.8AI score0.00513EPSS
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•17 views

Seraphinite Accelerator < 2.2.29 - Reflected XSS

Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open...

6.1CVSS6.1AI score0.00444EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•12 views

Dropbox Folder Share <= 1.9.7 - Unauthenticated Remote Code Execution via LFI

Description The plugin does not validate the path and name of a file before including it, allowing unauthenticated visitors to include and execute arbitrary php files on the server, leading to remote code execution...

9.8CVSS7.8AI score0.00995EPSS
Exploits0References1
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•19 views

User Feedback < 1.0.10 - Unauthenticated Stored XSS

Description The plugin does not validate and escape some parameters, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks...

7.1CVSS5.8AI score0.00354EPSS
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•20 views

Forminator and Forminator Pro < 1.27.0 - Admin+ Stored Cross-Site Scripting

Description The plugin does not properly sanitize the redirect-url field in the form submission settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfilteredhtml capability is disallowed for example in a multisite setup. PoC...

4.8CVSS6.9AI score0.00451EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•9 views

Soisy Pagamento Rateale <= 6.0.1 - Missing Authorization to Sensitive Information Exposure

Description The plugin does not properly validate authorization in calls to the parseRemoteRequest function allowing unauthenticated visitors with knowledge of an existing WooCommerce Order ID to expose sensitive WooCommerce order information e.g., Name, Address, Email Address, and other order...

7.5CVSS6.2AI score0.00606EPSS
Exploits0References1
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•11 views

WP Knowledgebase <= 1.3.4 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00214EPSS
Exploits0References1
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•12 views

Magic Embeds < 3.1.2 - Contributor+ Stored XSS via shortcode

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC v 3.1.1 - fbplugin video...

5.4CVSS5.8AI score0.00426EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•10 views

WooHoo Newspaper Magazine Theme <= 2.5.3 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC Make an admin open an HTML page with the following HTML: See that the plugin's "Header Options Toolbar Options Title" has be...

8.8CVSS6.1AI score0.00379EPSS
Exploits2
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•14 views

Minimum Purchase for WooCommerce <= 2.0.0.1 - Contributor+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS5.7AI score0.0031EPSS
Exploits0References2
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•19 views

Article Analytics <= 1.0 - Unauthenticated SQL injection

Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection vulnerability. PoC On a Wordpress blog using MySQL the following PoC allows to extract the hash of the...

9.8CVSS6.9AI score0.01012EPSS
Exploits2References1
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•13 views

Category SEO Meta Tags <= 2.5 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.6AI score0.0031EPSS
Exploits0References2
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•21 views

Add Custom Body Class <= 1.4.1 - Contributor+ Stored Cross-Site Scripting

Description The plugin does not properly escape the addcustombodyclass parameter before outputting it to the page, allowing users with the role of contributor of higher to inject arbitrary web scripts potentially targeting higher privileged users...

6.4CVSS6.4AI score0.00312EPSS
Exploits0References1
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•15 views

Spider Facebook <= 1.0.15 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.7AI score0.00324EPSS
Exploits0References2
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•15 views

Popup Box < 3.7.9 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. PoC 1 Create a new popup via /wp-admin/admin.php?page=ays-pb=add 2 Set its "Custom content...

4.8CVSS4.8AI score0.00451EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•11 views

Bonus for Woo < 5.8.3 - Reflected Cross-Site Scripting

Description The plugin does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. PoC Make a logged in admin open one of the URL below...

6.1CVSS5.5AI score0.00444EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/27 12:0 a.m.•12 views

Webmaster Tools <= 2.0 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.6AI score0.0031EPSS
Exploits0References2
Total number of security vulnerabilities14602