Lucene search
K
WpvulndbRecent

14602 matches found

WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•13 views

bbp style pack < 5.6.8 - Contributor+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS5.7AI score0.00328EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•13 views

Caret Country Access Limit <= 1.0.2 - Arbitrary Settings Update via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00208EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•15 views

Hitsteps Web Analytics < 5.87 - Arbitrary Settings Update via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS7AI score0.00214EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•15 views

Pinpoint Booking System < 2.9.9.4.1 - Arbitrary Settings Update via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS8.7AI score0.00214EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•17 views

Mailrelay < 2.1.2 - Arbitrary Settings Update via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.0021EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•12 views

Recip.ly < 1.1.8 - Unauthenticated File Upload

Description A vulnerability was found in reciply Plugin up to 1.1.7 on WordPress. It has been rated as critical. This issue affects some unknown processing of the file uploadImage.php. The manipulation leads to unrestricted upload. The attack may be initiated remotely...

9.8CVSS9.5AI score0.00599EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•17 views

which template file < 4.9 - Arbitrary Settings Update via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00214EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•10 views

Fotomoto <= 1.2.8 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.7AI score0.00324EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•27 views

Post Gallery <= 2.3.12 - Arbitrary Settings Update via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00214EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•12 views

Feed Statistics <= 4.1 - Arbitrary Settings Update via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00214EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•12 views

AMP WP <= 1.5.15 - Arbitrary Settings Update via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00208EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•121 views

Snap Pixel <= 1.5.7 - Arbitrary Settings Update via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00204EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•8 views

Automated Editor <= 1.3 - Arbitrary Settings Update via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00208EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•20 views

Stout Google Calendar <= 1.2.3 - Arbitrary Settings Update via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00214EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•13 views

WP Attachments <= 5.0.6 - Arbitrary Settings Update via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00214EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•14 views

Responsive Image Gallery, Gallery Album <= 2.0.3 - Arbitrary Settings Update via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00184EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•17 views

Ultimate Taxonomy Manager <= 2.0 - Arbitrary Settings Update via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.0021EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•13 views

Abandoned Cart Lite for WooCommerce < 5.16.0 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.6AI score0.00316EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•14 views

Mediabay <= 1.6 - Editor+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the editor role and above to perform Stored Cross-Site Scripting attacks...

5.9CVSS5.7AI score0.00307EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•21 views

MailChimp Forms by MailMunch < 3.1.5 - Arbitrary Actions via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00214EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•19 views

simple-download-button-shortcode <= 1.1.1 - Sensitive Data Disclosure

Description A vulnerability classified as problematic has been found in simple-download-button-shortcode Plugin 1.0 on WordPress. Affected is an unknown function of the file simple-download-buttondl.php of the component Download Handler. The manipulation of the argument file leads to information...

7.5CVSS6.3AI score0.00578EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•17 views

HTML5 Maps < 1.7.1.5 - Arbitrary Settings Update via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS7AI score0.0021EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•15 views

WOLF < 1.0.7.2 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS6AI score0.00283EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•12 views

Constant Contact Forms by MailMunch < 2.0.11 - Arbitrary Settings Update via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS7AI score0.00208EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•12 views

Complete Open Graph <= 3.4.5 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS6AI score0.00316EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•14 views

WP Open Street Map < 1.30 - Arbitrary Settings Update via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00208EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•15 views

Lazy Load for Videos < 2.18.3 - Arbitrary Settings Update via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS8.7AI score0.00208EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•18 views

Who Hit The Page – Hit Counter <= 1.4.14.3 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00214EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•9 views

Social Feed <= 2.2.0 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.7AI score0.00331EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•15 views

WhitePage <= 1.1.5 - Arbitrary Settings Update via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00208EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•13 views

Embed Calendly < 3.7 Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...

6.4CVSS5.6AI score0.00348EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•14 views

Woo Custom Emails <= 2.2 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS6.1AI score0.00311EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•23 views

Tiny Carousel Horizontal Slider <= 8.1 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.6AI score0.00335EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•15 views

PixFields < 0.7.1 - Arbitrary Settings Update via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS7AI score0.00215EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•14 views

Taggbox <= 3.1 - Arbitrary Settings Update via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS8.7AI score0.00192EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•8 views

Simple SEO < 2.0.26 - Arbitrary Settings Update via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

5.4CVSS6.5AI score0.00186EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•8 views

Comments Ratings <= 1.1.7 - Arbitrary Settings Update via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00214EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/17 12:0 a.m.•10 views

Media Library Assistant < 3.12 - Author+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the author role and above to perform Stored Cross-Site Scripting attacks...

5.9CVSS5.7AI score0.00339EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/16 12:0 a.m.•11 views

Awesome Support < 6.1.5 - Insufficient permission check in wpas_edit_reply

Description The plugin does not correctly authorize the wpaseditreply function, allowing users to edit posts for which they do not have permission. PoC Log in as a subscriber and run the following code in the browser, setting the replyid to any post ID. fetch"/wp-admin/admin-ajax.php", "headers":...

4.3CVSS6.4AI score0.00405EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/16 12:0 a.m.•12 views

Responsive Pricing Table < 5.1.8 - Admin+ Stored Cross-Site Scriping

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Create a New Pricing Table and...

4.8CVSS4.8AI score0.00436EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/16 12:0 a.m.•12 views

Sort SearchResult By Title < 11.0 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00214EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/16 12:0 a.m.•18 views

URL Shortify < 1.7.9.1 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Multiple parameters in the plugin'...

4.8CVSS4.9AI score0.00408EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/16 12:0 a.m.•21 views

Eupago Gateway For Woocommerce < 3.1.10 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00254EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/16 12:0 a.m.•19 views

WP Discord Invite < 2.5.2 - Admin+ Stored Cross Site Scripting

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to the WP Discord Invite...

4.8CVSS5.5AI score0.00402EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/16 12:0 a.m.•14 views

WP Simple Table Manager Plugin <= 1.5.6 - Admin+ Stored Cross-Site Scripting

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Click Simple Table Manager the...

4.8CVSS5.4AI score0.00405EPSS
Exploits2References1
WPVulnDB
WPVulnDB
•added 2023/10/16 12:0 a.m.•15 views

BuddyMeet < 2.3.0 - Contributor+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS5.7AI score0.00328EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/16 12:0 a.m.•16 views

Awesome Support < 6.1.5 - Reflected Cross-Site Scripting

Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. PoC Visit the following URL as an admin user, with any valid ticket ID. Press the acce...

6.1CVSS5.1AI score0.00398EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/16 12:0 a.m.•13 views

Ninja Forms < 3.6.34 - Admin+ Stored XSS

Description The plugin does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored XSS attacks. Only users with the unfilteredhtml capability can perform this, and such users are already allowed to use JS in posts/comments etc however the...

4.8CVSS5.3AI score0.0062EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/16 12:0 a.m.•9 views

Awesome Support < 6.1.5 - Submitter+ Arbitrary File Deletion

Description The plugin does not sanitize file paths when deleting temporary attachment files, allowing a ticket submitter to delete arbitrary files on the server. PoC 1. Visit Tickets Settings File Upload 2. Ensure "Enable File Upload", "Enable drag-n-drop uploader for ticket form", and "Check...

8.1CVSS6.3AI score0.0066EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/16 12:0 a.m.•22 views

WooCommerce Ninja Forms Product Add-ons < 1.7.1 - Unauthenticated Arbitrary File Upload

Description The plugin does not validate the file to be uploaded, allowing any unauthenticated users to upload arbitrary files to the server, leading to RCE. PoC Make sure to have both WooCommerce and NinjaForms 3.4.34.2 NF's latest version on the 3.4 branch installed, then follow those...

9.8CVSS9.8AI score0.00877EPSS
Exploits2Affected Software1
Total number of security vulnerabilities14602