Lucene search
K
WpvulndbRecent

14603 matches found

WPVulnDB
WPVulnDB
•added 2023/10/16 12:0 a.m.•22 views

WooCommerce Ninja Forms Product Add-ons < 1.7.1 - Unauthenticated Arbitrary File Upload

Description The plugin does not validate the file to be uploaded, allowing any unauthenticated users to upload arbitrary files to the server, leading to RCE. PoC Make sure to have both WooCommerce and NinjaForms 3.4.34.2 NF's latest version on the 3.4 branch installed, then follow those...

9.8CVSS9.8AI score0.00877EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/16 12:0 a.m.•11 views

Front End PM < 11.4.3 - Sensitive Data Exposure via Directory Listing

Description The plugin does not block listing the contents of the directories where it stores attachments to private messages, allowing unauthenticated visitors to list and download private attachments if the autoindex feature of the web server is enabled. PoC...

6.5CVSS6.4AI score0.00409EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/16 12:0 a.m.•22 views

SendPulse Free Web Push < 1.3.2 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00214EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/16 12:0 a.m.•15 views

Templately < 2.2.6 - Unauthenticated Arbitrary Post Deletion

Description The plugin does not properly authorize the saved-templates/delete REST API call, allowing unauthenticated users to delete arbitrary posts. PoC Ensure the Elementor plugin is installed so that the Elementor Template functionality is enabled. curl -X POST...

7.5CVSS7.7AI score0.00608EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/16 12:0 a.m.•16 views

History Log by click5 < 1.0.13 - Admin+ Time-Based Blind SQL Injection

Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when using the Smash Balloon Social Photo Feed plugin alongside it. PoC 1 Navigate to Instagram Feed Settings Manage Sources, then cli...

7.2CVSS8.2AI score0.00676EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/16 12:0 a.m.•21 views

User Registration < 3.0.4.2 - Admin+ Stored XSS

Description The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Install and activate this...

4.8CVSS4.9AI score0.00562EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/13 12:0 a.m.•9 views

Sp*tify Play Button for WordPress <= 2.10 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS6.4AI score0.00214EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/13 12:0 a.m.•21 views

WP 6.3-6.3.1 - Contributor+ Stored XSS via Footnotes Block

Description WordPress does not escape some of its Footnotes block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.1AI score
Exploits0References1
WPVulnDB
WPVulnDB
•added 2023/10/13 12:0 a.m.•135 views

WP < 6.3.2 - Contributor+ Comment Disclosure

Description WordPress does not properly restrict comments to be accessed, allowing contributor to read comments on private and password protect posts they don't have access to...

4.3CVSS4.7AI score0.01045EPSS
Exploits1References1
WPVulnDB
WPVulnDB
•added 2023/10/13 12:0 a.m.•12 views

GoodBarber < 1.0.24 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS6.9AI score0.00214EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/13 12:0 a.m.•10 views

Publish Confirm Message < 2.0 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS8.6AI score0.00214EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/13 12:0 a.m.•7 views

Blog Manager Light <= 1.20 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS6.4AI score0.00208EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/13 12:0 a.m.•181 views

WP < 6.3.2 - Subscriber+ Arbitrary Shortcode Execution

Description WordPress does not restrict which shortcode can be excuted via the parsemediashortcode AJAX action, allowing any authenticated user, such as subscriber to execute arbitrary shortcodes...

7.6AI score
Exploits0References1
WPVulnDB
WPVulnDB
•added 2023/10/13 12:0 a.m.•8 views

Gutenberg < 16.8.1 - Contributor+ Stored XSS

Description The plugin does not adequately escape the content of the footnotes within the paragraph block of the block editor, leading to a Contributor+ Cross-Site Scripting vulnerability. PoC 1. Create a new post as a Contributor user. 2. Add a paragraph block and add a footnote to the...

6AI score
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/13 12:0 a.m.•10 views

Urvanov Syntax Highlighter < 2.8.34 - Highlighting Blocks Mgt via CSRF

Description The plugin does not have CSRF checks when managing highlighting blocks, which could allow attackers to make logged in admins update, create, duplicate and delete them via CSRF attacks...

8.8CVSS6.5AI score0.00214EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/13 12:0 a.m.•45 views

WP < 6.3.2 - Unauthenticated Post Author Email Disclosure

Description WordPress does not properly restrict which user fields are searchable via the REST API. PoC from multiprocessing import Pool import requests import string import json import sys if lensys.argv != 2: printf'USAGE: sys.argv0 ' sys.exit url = sys.argv1.rstrip'/' + '/wp-json/wp/v2/users'...

5.3CVSS5.4AI score0.03862EPSS
Exploits4References2
WPVulnDB
WPVulnDB
•added 2023/10/13 12:0 a.m.•68 views

Gutenberg < 16.8.1 - Contributor+ Stored XSS via Navigation Links Block

Description The plugin does not escape some of its Navigation block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS5.6AI score0.00788EPSS
Exploits1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/13 12:0 a.m.•45 views

WP 5.6-6.3.1 - Contributor+ Stored XSS via Navigation Block

Description WordPress does not escape some of its Navigation block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS5.5AI score0.00788EPSS
Exploits1References1
WPVulnDB
WPVulnDB
•added 2023/10/13 12:0 a.m.•321 views

WP 5.6-6.3.1 - Reflected XSS via Application Password Requests

Description WordPress does not sanitise and escape the successurl and rejecturl parameters before outputting it back in the page when requesting application passwords, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

6.3AI score
Exploits0References1
WPVulnDB
WPVulnDB
•added 2023/10/13 12:0 a.m.•124 views

WP < 6.3.2 - Denial of Service via Cache Poisoning

Description A Denial of Service could occur via Cache Poisoning when the X-HTTP-Method-Override header is sent in a request to the REST API in an heavily cached configuration...

7AI score
Exploits0References1
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•13 views

Keap Landing Pages <= 1.4.2 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS6.4AI score0.00227EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•12 views

Localize Remote Images <= 1.0.9 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS6.4AI score0.00214EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•45 views

Oxygen Builder < 4.4 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00208EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•9 views

WP Responsive header image slider <= 3.2.1 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.4CVSS5.6AI score0.00348EPSS
Exploits0References1
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•14 views

WP Bing Map Pro < 5.0 - CSRF

Description Cross-Site Request Forgery CSRF vulnerability in dan009 WP Bing Map Pro plugin 5.0 versions...

8.8CVSS6.7AI score0.00214EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•14 views

Thumbnail Slider With Lightbox < 1.0.1 - Image Lightboxes via CSRF

Description The plugin does not have CSRF check when deleting image lightboxes, which could allow attackers to make logged in admins perform such action via a CSRF attack...

4.3CVSS6.4AI score0.00259EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•13 views

WP Power Stats <= 2.2.3 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00214EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•13 views

Perelink Pro <= 2.1.4 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS6.4AI score0.0021EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•11 views

DX-auto-save-images <= 1.4.0 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00214EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•11 views

CLUEVO LMS, E-Learning Platform < 1.11.0 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS6.4AI score0.00214EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•8 views

Sign-up Sheets < 2.2.9 - Settings Update/Reset via CSRF

Description The plugin does not have CSRF check in place when updating and reseting its settings, which could allow attackers to make a logged in admin change and reset them via a CSRF attack...

8.8CVSS6.9AI score0.00208EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•9 views

WP iCal Availability <= 1.0.3 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS6.4AI score0.0021EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•11 views

Instagram for WordPress <= 2.1.6 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.4CVSS5.6AI score0.00355EPSS
Exploits0References1
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•12 views

Interactive World Map <= 3.2.0 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00208EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•13 views

Contact Form by Supsystic <= 1.7.27 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00208EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•13 views

Simple Org Chart <= 2.3.4 - Unauthenticated Tree Settings Update

Description The plugin does not have authorisation when updating its Tree settings, which could allow unauthenticated attackers to change them...

6.4AI score0.00295EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•15 views

Social Proof Testimonials and Reviews by Repuso < 5.02 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00208EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•9 views

Backend Localization <= 2.1.10 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS6.4AI score0.00227EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•11 views

Disabler <= 3.0.3 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00229EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•10 views

Instant CSS < 1.2.2 - Theme/CSS/Minify/Preprocessor Data Update via CSRF

Description The plugin does not have CSRF checks when updating its Theme, CSS, Minify and Preprocessor data, which could allow attackers to make logged in admins perform such actions via CSRF attacks...

8.8CVSS6.5AI score0.00227EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•12 views

Mobile Address Bar Changer <= 3.0 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS6.9AI score0.00214EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•10 views

AI Content Writing Assistant <= 1.1.5 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS7AI score0.00214EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•9 views

Hide Admin Notices < 2.3.3 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS6.4AI score0.00214EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•10 views

Category Meta <= 1.2.8 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00214EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•12 views

WP Mail SMTP Pro < 3.8.1 - Unauthenticated Email Address Disclosure

Description The plugin does not have authorisation in the isprintpage function, allowing unauthenticated users to retrieve sensitive information such as email address...

5.3CVSS6.1AI score0.00429EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•12 views

Simple Org Chart <= 2.3.4 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS6.4AI score0.00214EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•14 views

SB Child List <= 4.5 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS6.4AI score0.00208EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•14 views

WP-FlyBox <= 6.46 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00208EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•22 views

WP Site Protector <= 2.0 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS6.4AI score0.00227EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/10/12 12:0 a.m.•8 views

SIS Handball <= 1.0.45 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS6.4AI score0.00201EPSS
Exploits0
Total number of security vulnerabilities14603