Lucene search
K
WpvulndbRecent

14602 matches found

WPVulnDB
WPVulnDB
added 2023/10/27 12:0 a.m.19 views

WP Post Popup <= 3.7.3 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its inputs, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Enter the following payload in the...

4.8CVSS4.9AI score0.00425EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2023/10/27 12:0 a.m.16 views

The Awesome Feed – Custom Feed <= 2.2.5 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.7AI score0.00331EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2023/10/27 12:0 a.m.18 views

myStickymenu < 2.6.5 - Subscriber+ Arbitrary Form Leads Deletion

Description The plugin does not adequately authorize some ajax calls, allowing any logged-in user to perform the actions. PoC 1. Visit myStickymenu + Create new Welcome Bar. Ensure "Collect leads" is enabled, enable the toggle at the top, and Save. 2. In a logged-out window, fill the lead form in...

5.4CVSS6.2AI score0.0052EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/27 12:0 a.m.15 views

Internal Link Building <= 1.2.3 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.6AI score0.00316EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2023/10/27 12:0 a.m.12 views

PubyDoc <= 2.0.6 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed PoC 1 After the installing the plugin, create a new table at...

4.8CVSS5.2AI score0.00425EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2023/10/27 12:0 a.m.20 views

FreshMail For WordPress <= 2.3.2 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

6.1CVSS5.7AI score0.00288EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2023/10/27 12:0 a.m.16 views

Five Star Restaurant Menu and Food Ordering < 2.4.11 - Unauthenticated PHP Object Injection

Description The plugin unserializes user input via an AJAX action available to unauthenticated users, allowing them to perform PHP Object Injection when a suitable gadget is present on the blog. PoC Run the below command in the developer console of the web browser while being on the blog...

9.8CVSS6.8AI score0.01245EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/27 12:0 a.m.19 views

Conversios.io < 6.5.4 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.7AI score0.00331EPSS
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/26 12:0 a.m.13 views

Advanced Menu Widget <= 0.4.1 - Contributor+ Stored XSS via Shortcode

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back into the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as admi...

6.4CVSS5.7AI score0.00352EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/10/26 12:0 a.m.9 views

Assistant < 1.4.4 - Editor+ SSRF

Description The plugin does not validate a parameter before making a request to it via wpremoteget, which could allow users with a role as low as Editor to perform SSRF attacks PoC As an Editor or above, open http://example.com/index.php?flasstimageproxy=https://127.0.0.1...

8.8CVSS8.7AI score0.00694EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/26 12:0 a.m.10 views

Copy Or Move Comments <= 5.0.4 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

6.1CVSS5.7AI score0.00388EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2023/10/26 12:0 a.m.9 views

Next Page <= 1.5.2 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.6AI score0.00409EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2023/10/26 12:0 a.m.8 views

EG-Attachments <= 2.1.3 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.7AI score0.00437EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2023/10/26 12:0 a.m.12 views

PDF Block <= 1.1.0 - Contributor+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS5.7AI score0.004EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2023/10/26 12:0 a.m.22 views

WP Hotel Booking < 2.0.8 - Unauthenticated SQLi

Description The plugin does not have authorisation and CSRF checks, as well as does not escape user input before using it in a SQL statement of a function hooked to admininit, allowing unauthenticated users to perform SQL injections PoC Run the below command in the developer console of the web...

9.8CVSS9.8AI score0.63711EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/26 12:0 a.m.21 views

Scroll post excerpt <= 8.0 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.6AI score0.00418EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2023/10/26 12:0 a.m.9 views

Fast WP Speed <= 1.0.0 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.7AI score0.00437EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2023/10/26 12:0 a.m.11 views

WP Report Post <= 2.1.2 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.7AI score0.00454EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/10/26 12:0 a.m.10 views

Sendle Shipping <= 5.17 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS6AI score0.00437EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/10/26 12:0 a.m.11 views

Simple Tweet <= 1.4.0.2 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.6AI score0.00409EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2023/10/26 12:0 a.m.17 views

Novo-Map : your WP posts on custom google maps <= 1.1.2 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00271EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2023/10/26 12:0 a.m.8 views

WP Radio <= 3.1.9 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00269EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2023/10/26 12:0 a.m.15 views

EventON < 2.2.3 - Reflected Cross Site Scripting

Description The plugin does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin...

6.1CVSS6.2AI score0.00618EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/26 12:0 a.m.17 views

Easy Testimonial Slider and Form <= 1.0.18 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.6AI score0.00418EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2023/10/26 12:0 a.m.10 views

Appointment Calendar <= 2.9.6 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00269EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2023/10/26 12:0 a.m.11 views

Live Chat with Facebook Messenger < 1.0 - Contributor+ Stored XSS via Shortcode

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back into the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as admi...

6.4CVSS5.7AI score0.00532EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/10/26 12:0 a.m.16 views

Ultimate Taxonomy Manager <= 2.0 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.7AI score0.00437EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2023/10/26 12:0 a.m.12 views

Peter’s Custom Anti-Spam < 3.2.3 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.7AI score0.00437EPSS
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/26 12:0 a.m.11 views

LeadSquared Suite <= 0.7.4 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.6AI score0.00409EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2023/10/26 12:0 a.m.20 views

WP Hotel Booking < 2.0.8 - Subscriber+ Arbitrary Post Deletion

Description The plugin does not have authorisation and CSRF checks, as well as does not ensure that the package to be deleted is a package, allowing any authenticated users, such as subscriber to delete arbitrary posts PoC Run the below command in the developer console of the web browser while...

5.4CVSS7.1AI score0.00271EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/26 12:0 a.m.13 views

Newsletter & Bulk Email Sender <= 2.0.1 - Contributor+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS5.7AI score0.004EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2023/10/26 12:0 a.m.11 views

CPT Shortcode Generator <= 1.0 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS6AI score0.00409EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2023/10/26 12:0 a.m.19 views

WP Hotel Booking < 2.0.9 - Contributor+ Arbitrary Post Deletion

Description The plugin does not have proper authorisation when deleting a package, allowing Contributor and above roles to delete posts that do no belong to them PoC Run the below command in the developer console of the web browser while being on the blog as a Contributor user. This will put the...

5.4CVSS6.3AI score0.0052EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/25 12:0 a.m.15 views

Delete Me < 3.1 - Contributor+ Stored Cross-Site Scripting via Shortcode

Description The plugin does not validate and escape some of its attributes for the plugindeleteme shortcode before outputting them back into the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against...

5.4CVSS6AI score0.00445EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/25 12:0 a.m.10 views

Libsyn Publisher Hub <= 1.4.4 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.7AI score0.00437EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2023/10/25 12:0 a.m.10 views

Protección de Datos RGPD <= 3.1.0 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.7AI score0.00437EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2023/10/25 12:0 a.m.12 views

BSK PDF Manager < 3.4.2 - Contributor+ Stored XSS via Shortcode

Description The plugin does not validate and escape some of its attributes for the bsk-pdfm-category-dropdown shortcode before outputting them back into the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used agains...

6.4CVSS6AI score0.00449EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/25 12:0 a.m.11 views

Simple File List < 6.1.10 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.6AI score0.00394EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/25 12:0 a.m.19 views

Internal Link Building <= 1.2.3 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00271EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2023/10/25 12:0 a.m.17 views

WP Font Awesome <= 1.7.9 - Contributor+ Stored Cross-Site Scripting via Shortcode

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back into the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as admi...

6.4CVSS5.7AI score0.00565EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/10/25 12:0 a.m.8 views

WP EXtra < 6.3 - Subscriber+ .htaccess File Modification

Description The plugin is missing capability checks on the register function, allowing authenticated users, with roles as low as subscriber, to modify the contents of the site's .htaccess files, leading to potential remote code execution...

8.8CVSS6.9AI score0.01455EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/25 12:0 a.m.12 views

Reusable Text Blocks <= 1.5.3 - Author+ Stored Cross-Site Scripting via Shortcode

Description The plugin does not validate and escape some of its attributes for the text-blocks shortcode before outputting them back into the page, which could allow users with a role of Administrator or higher to perform Stored Cross-Site Scripting attacks, which could be used against...

5.5CVSS5.7AI score0.00439EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/10/25 12:0 a.m.9 views

Amministrazione Trasparente < 8.0.5 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.6AI score0.00418EPSS
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/25 12:0 a.m.14 views

BuddyPress Global Search <= 1.2.1 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.6AI score0.00418EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2023/10/25 12:0 a.m.7 views

Duplicate <= 0.1.6 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00279EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/10/25 12:0 a.m.10 views

EventPrime < 3.1.6 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.7AI score0.00437EPSS
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/25 12:0 a.m.17 views

Auto Login New User After Registration <= 1.9.6 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00277EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2023/10/25 12:0 a.m.11 views

Product Category Tree <= 2.5 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS7AI score0.00271EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2023/10/25 12:0 a.m.12 views

ApplyOnline – Application Form Builder and Manager < 2.5.3 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.7AI score0.00437EPSS
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/25 12:0 a.m.23 views

Open Graph Metabox <= 1.4.4 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00277EPSS
Exploits0References2
Total number of security vulnerabilities14602