14602 matches found
Nexter Extension < 2.0.4 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Google Calendar Events < 3.2.6 - Cross-Site Request Forgery (CSRF)
Description The Plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
AI ChatBot < 4.9.1 - Missing authorization in AJAX calls
Description The plugin does not check capabilities when processing AJAX actions, allowing unauthenticated attackers to perform actions intended for higher privileged users...
AI ChatBot < 4.9.1 - Cross-Site Request Forgery (CSRF)
Description The plugin does not protect some of its actions against CSRF attacks, allowing an unauthenticated attacker to perform actions on their behalf by tricking a logged in user to submit a crafted request...
AI ChatBot < 4.9.3 - Missing authorization in AJAX calls
Description The plugin does not check capabilities when processing AJAX actions, allowing unauthenticated attackers to perform actions intended for higher privileged users. This vulnerability is the same as CVE-2023-5533 but was reintroduced in version 4.9.2...
WP Lightbox 2 <= 3.0.6.5 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Print, PDF, Email by PrintFriendly < 5.5.2 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Proofreading < 1.1 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Ajax Archive Calendar < 2.6.8 - Contributor+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
AI ChatBot < 4.9.1 - Subscriber+ Arbitrary File Deletion
Description The plugin does not properly validate files to be deleted in the qcldopenaideletetrainingfile function, allowing users with roles as low as subscriber to delete arbitrary files on the server...
AI ChatBot < 4.9.3 - Subscriber+ Arbitrary File Deletion
Description The plugin does not properly validate files to be deleted in the qcldopenaideletetrainingfile function, allowing users with roles as low as subscriber to delete arbitrary files on the server. This vulnerability is the same as CVE-2023-5212 but was accidentally reintroduced in version...
Maileon < 2.16.1 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
AI ChatBot < 4.9.3 - Cross-Site Request Forgery (CSRF)
Description The plugin does not protect some of its actions against CSRF attacks, allowing an unauthenticated attacker to perform actions on their behalf by tricking a logged in user to submit a crafted request. This vulnerability is the same as CVE-2023-5534, but was reintroduced in version 4.9....
WP GoToWebinar < 14.46 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WP ULike < 4.6.9 - Contributor+ Stored Cross Site Scripting via Shortcode
Description The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
LiteSpeed Cache < 5.7 - Contributor+ Stored XSS
Description The plugin does not escape the cache attribute of its esi shortcode before outputting it back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
WOLF < 1.0.7.2 - Cross-Site Request Forgery (CSRF)
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Serial Numbers for WooCommerce – License Manager < 1.6.4 - Arbitrary Settings Update via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Wp Ultimate Review <= 2.2.5 - CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Rocket Font <= 1.2.3 - Arbitrary Settings Update via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Royal Elementor Addons and Templates 1.4.78 - Unauthenticated Arbitrary File Upload
Description The plugin does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE. Note that this vulnerability is identical to https://wpscan.com/vulnerability/281518ff-7816-4007-b712-63aed7828b34/ as it was introduce...
Userback < 1.0.14 - Arbitrary Settings Update via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Smooth Scroll Links <= 1.1.0 - Arbitrary Settings Update via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
OPcache Dashboard <= 0.3.1 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Thumbnail Slider With Lightbox < 1.0.20 - Admin+ Stored XSS
Description The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
ChatBot < 4.9.1 - Unauthenticated Blind SQL Injection
Description The plugin is vulnerable to SQL Injection via the $strid parameter in versions up to, and including...
Widgets for Google Reviews < 10.9.1 - Arbitrary Settings Update via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
BEAR for WordPress < 1.1.4 - Arbitrary Settings Update via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
BEAR for WordPress < 1.1.4 - Arbitrary Settings Update via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
WP Simple HTML Sitemap < 2.6 - Contributor+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
wpDiscuz < 7.6.4 - Post Rating Increase/Decrease iva IDOR
Description The plugin is vulnerable to unauthorized modification of data due to a missing authorization check on the userRate function...
Ad Inserter – Ad Manager & AdSense Ads < 2.7.31 - Unauthenticated Sensitive Information Exposure
Description The plugin exposes sensitive information to unauthenticated users...
Social Media Share Buttons & Social Sharing Icons < 2.8.6 - Subscriber+ Sensitive Information Exposure
Description The plugin exposes sensitive information to unauthenticated users...
BEAR for WordPress < 1.1.4 - Arbitrary Settings Update via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Product Category Tree <= 2.5 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Tweeple <= 0.9.5 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
flowpaper < 2.0.4 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...
Booster for WooCommerce < 7.1.3 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...
Sitekit < 1.5 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...
BEAR for WordPress < 1.1.4 - Arbitrary Settings Update via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Icegram Express < 5.6.24 - Admin+ Directory Traversal
Description The plugin is not validating the paths of files contained in uploaded zip archives, allowing highly privileged users, such as admins, to write arbitrary files to any part of the file system accessible by the web server via a path traversal vector...
QR Twitter Widget <= 0.2.3 - Contributor+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Team Showcase < 2.2 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...
Ad Inserter – Ad Manager & AdSense Ads < 2.7.31 - Unauthenticated Sensitive Information Exposure
Description The plugin is vulnerable to Sensitive Information Exposure via the ai-debug-processing-fe URL parameter...
Ebook Store <= 5.785 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
WhatsApp Share Button <= 1.0.1 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...
Photospace Responsive < 2.1.2 - Admin+ Stored XSS
Description The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
User Location and IP <= 1.7 - Contributor+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
BEAR for WordPress < 1.1.4 - Arbitrary Settings Update via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Form Maker by 10Web < 1.15.19 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...