Lucene search
K
WpvulndbRecent

14603 matches found

WPVulnDB
WPVulnDB
added 2023/10/10 12:0 a.m.16 views

WP Captcha <= 2.0.0 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS6.4AI score0.00216EPSS
Exploits0
WPVulnDB
WPVulnDB
added 2023/10/10 12:0 a.m.7 views

WP Custom Post Template <= 1.0 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS6.4AI score0.00214EPSS
Exploits0
WPVulnDB
WPVulnDB
added 2023/10/10 12:0 a.m.18 views

Easy Cookie Law <= 3.1 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

6.5CVSS6.9AI score0.00191EPSS
Exploits0
WPVulnDB
WPVulnDB
added 2023/10/10 12:0 a.m.15 views

WP Captcha <= 2.0.0 - Captcha Bypass

Description The plugin does not properly check the Captcha, allowing user to bypass it...

6.3AI score0.00428EPSS
Exploits0
WPVulnDB
WPVulnDB
added 2023/10/10 12:0 a.m.19 views

Remove/hide Author, Date, Category Like Entry-Meta <= 2.1 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS6.4AI score0.00214EPSS
Exploits0
WPVulnDB
WPVulnDB
added 2023/10/10 12:0 a.m.21 views

AWP Classifieds < 4.3.1 - Categories Mgt via CSRF

Description The plugin does not have CSRF checks when managing categories such as deleting, updating etc, which could allow attackers to make logged in admins perform such actions via CSRF attacks...

8.8CVSS6.5AI score0.00208EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/10 12:0 a.m.9 views

wpCentral <= 1.5.7 - Settings Update via CSRF

Description The plugin does not have CSRF checks when updating allowed IP addresses and reseting connection key, which could allow attackers to make logged in admins perform such actions via CSRF attacks...

8.8CVSS6.5AI score0.00208EPSS
Exploits0
WPVulnDB
WPVulnDB
added 2023/10/10 12:0 a.m.14 views

authLdap < 2.5.9 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS6.4AI score0.00204EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/10 12:0 a.m.16 views

WP HTML Mail < 3.4.2 - Test Email Sending via CSRF

Description The plugin does not have CSRF check when sending test emails, which could allow attackers to make logged in admins perform such action via a CSRF attack...

8.8CVSS6.4AI score0.00208EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/10 12:0 a.m.11 views

MailMunch – Grow your Email List < 3.1.3 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS6.4AI score0.00214EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/10 12:0 a.m.17 views

WooCommerce Product Attachment < 2.2.0 - Checkout Attachements Update via CSRF

Description The plugin does not have CSRF check when saving checkout attachements, which could allow attackers to make logged in users perform such action via a CSRF attack...

6.5CVSS6.4AI score0.00191EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/10 12:0 a.m.9 views

Responsive Gallery Grid <= 2.3.10 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS6.4AI score0.00208EPSS
Exploits0
WPVulnDB
WPVulnDB
added 2023/10/10 12:0 a.m.14 views

Mang Board WP <= 1.7.7 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS6.4AI score0.00227EPSS
Exploits0
WPVulnDB
WPVulnDB
added 2023/10/10 12:0 a.m.20 views

SendPress Newsletters <= 1.23.11.6 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00211EPSS
Exploits0
WPVulnDB
WPVulnDB
added 2023/10/09 12:0 a.m.27 views

Timthumb Scanner <= 1.54 - Scan Initialisation via CSRF

Description The plugin does not have CSRF check when starting a scan, which could allow attackers to make logged in admins perform such action via a CSRF attack...

8.8CVSS6.4AI score0.00227EPSS
Exploits0
WPVulnDB
WPVulnDB
added 2023/10/09 12:0 a.m.17 views

WP Meta and Date Remover < 2.2.0 - Subscriber+ Stored XSS

Description The plugin provides an AJAX endpoint for configuring the plugin settings. This endpoint has no capability checks and does not sanitize the user input, which is then later output unescaped. Allowing any authenticated users, such as subscriber change them and perform Stored Cross-Site...

5.4CVSS5AI score0.00377EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/09 12:0 a.m.20 views

EventPrime < 3.2.0 - Reflected HTML Injection on keyword parameter

Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to an HTML Injection on the plugin in the search area of the website. PoC Insert '"Clickme! on the keyword search field or directly on the link...

6.1CVSS6.4AI score0.0042EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/09 12:0 a.m.20 views

E2Pdf < 1.20.20 - Admin+ Stored Cross-Site Scriping

Description The plugin does not sanitize and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC 1 Create a new template on...

4.8CVSS4.8AI score0.00402EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/09 12:0 a.m.11 views

The Post Grid < 7.2.8 - Block CSS Update via CSRF

Description The plugin does not have CSRF check when updating its block CSS, which could allow attackers to make logged in admins perform such action via a CSRF attack...

8.8CVSS6.4AI score0.00208EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/09 12:0 a.m.17 views

Photos and Files Contest Gallery – Contact Form < 21.2.8.1 - Unauthenticated Stored XSS via HTTP Headers

Description The plugin does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks via certain headers. PoC 1. Use a proxy such as BurpSuite to add the following header to all requests: X-Forwarded-For: 11.11.11.11 2. Create a...

6.1CVSS6.1AI score0.00501EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/09 12:0 a.m.10 views

Table of Contents Plus < 2309 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS6.9AI score0.00221EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/09 12:0 a.m.14 views

WordPress File Sharing Plugin < 2.0.5 - Subscriber+ Sensitive Data and Files Exposure via IDOR

Description The plugin does not check authorization before displaying files and folders, allowing users to gain access to those filed by manipulating IDs which can easily be brute forced PoC 1. Create a private folder that contains a file that you intend keep secret. 2. Add the plugin shortcode...

4.3CVSS4.8AI score0.00487EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/09 12:0 a.m.12 views

Post and Page Builder by BoldGrid < 1.24.2 - Editor Settings Update via CSRF

Description The plugin does not have CSRF check when updating the plugin's preferred editor settings, which could allow attackers to make logged in admin perform such action via a CSRF attack...

8.8CVSS6.9AI score0.00214EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/09 12:0 a.m.19 views

Update ands from Zip File <= 2.0.0 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00214EPSS
Exploits0
WPVulnDB
WPVulnDB
added 2023/10/09 12:0 a.m.17 views

EventPrime < 3.2.0 - Booking Creation via CSRF

Description The plugin does not have CSRF checks when creating bookings, which could allow attackers to make logged in users create unwanted bookings via CSRF attacks. PoC Create an Event, noting its ID. Add a ticket type to the Event the details don't matter. As a logged-in user, visit a page wi...

4.3CVSS4.6AI score0.00231EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/09 12:0 a.m.9 views

Popup box < 3.7.2 - Admin+ Stored Cross-Site Scripting

Description The plugin does not sanitize and escape some Popup fields, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfilteredhtml capability is disallowed for example in a multisite setup. PoC 1. Create a new PopUp Box within the...

4.8CVSS4.8AI score0.00402EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/09 12:0 a.m.34 views

Royal Elementor Addons and Templates < 1.3.79 - Unauthenticated Arbitrary File Upload

Description The plugin does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE. PoC Make sure you have Elementor installed and a page or post edited with Elementor. Here's the python script that will execute the...

9.8CVSS9.6AI score0.81695EPSS
Exploits18Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/09 12:0 a.m.13 views

EventPrime < 3.2.0 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. PoC POC 1 - Visit any of the following pages created by the plugin: - Event...

6.1CVSS6.1AI score0.0042EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/09 12:0 a.m.12 views

Optimize Database after Deleting Revisions <= 5.1 - Database Optimization via CSRF

Description The plugin does not have CSRF check when starting the database optimization process, which could allow attackers to make logged in admins perform such action via a CSRF attack...

8.8CVSS6.4AI score0.00214EPSS
Exploits0
WPVulnDB
WPVulnDB
added 2023/10/09 12:0 a.m.18 views

Fattura24 < 6.2.8 - Reflected Cross-Site Scripting

Description The plugin does not sanitize or escape the 'id' parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting vulnerability. PoC wp-admin/options-general.php?page=fatt-24-tax=12...

6.1CVSS6.1AI score0.00396EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/09 12:0 a.m.14 views

Login screen manager <= 3.5.2 - Admin+ Stored XSS

Description The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC Put the following payload in the...

4.8CVSS4.8AI score0.00379EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2023/10/09 12:0 a.m.12 views

Campaign Monitor Forms < 2.5.6 - Subscriber+ Arbitrary Options Update

Description The plugin does not prevent users with low privileges like subscribers from overwriting any options on a site with the string "true", which could lead to a variety of outcomes, including DoS. PoC Once the site gets at least 25 conversions using the plugin, a notice will show up on the...

8.1CVSS7AI score0.0058EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/09 12:0 a.m.17 views

CITS Support svg, webp Media and TTF,OTF File Upload < 3.0 - Author+ Stored XSS via SVG

Description The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. PoC As an author, upload an SVG with the payload: View the SVG and see the XSS...

5.4CVSS5.3AI score0.0039EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/09 12:0 a.m.19 views

FooGallery < 2.3.2 - Extensions Mgt via CSRF

Description The plugin does not have CSRF checks when activating/deactivating and downloading extensions, which could allow attackers to make logged in admins perform such actions via CSRF attacks...

8.8CVSS6.5AI score0.00221EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/09 12:0 a.m.27 views

Memberlite Shortcodes < 1.3.9 - Contributor+ Stored XSS via Shortcode

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin. Po...

5.4CVSS5.4AI score0.00449EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/06 12:0 a.m.14 views

CP Blocks < 1.0.21 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS7AI score0.00204EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/06 12:0 a.m.15 views

Schedule Posts Calendar < 5.3 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00214EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/06 12:0 a.m.14 views

Laposta Signup Basic < 1.4.2 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00208EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/05 12:0 a.m.14 views

Newsletter Lite < 4.9.3 - Admin+ Command Injection

Description The plugin does not properly escape user-controlled parameters when they are appended to SQL queries and shell commands, which could enable an administrator to run arbitrary commands on the server. PoC 1 Navigate to "Newsletters Configuration History & Emails Configuration"...

7.2CVSS7.3AI score0.00963EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/04 12:0 a.m.15 views

WooCommerce Dynamic Pricing and Discount Rules < 2.4.1 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00214EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/03 12:0 a.m.21 views

WP Pipes < 1.4.1 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

6.5CVSS6.5AI score0.00202EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/03 12:0 a.m.11 views

Taboola < 2.0.2 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS7AI score0.0021EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/03 12:0 a.m.11 views

Photo Gallery by Ays < 5.2.7 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.5AI score0.00214EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/03 12:0 a.m.10 views

POEditor < 0.9.5 - CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS7AI score0.00208EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/02 12:0 a.m.13 views

Swifty Bar, sticky bar by WPGens < 1.2.11 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.6AI score0.0031EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/02 12:0 a.m.10 views

Contractor Contact Form Website to Workflow Tool < 4.1.0 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.7AI score0.00351EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/02 12:0 a.m.15 views

WP Jump Menu <= 3.6.4 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.6AI score0.00336EPSS
Exploits0
WPVulnDB
WPVulnDB
added 2023/10/02 12:0 a.m.16 views

Email posts to subscribers <= 6.2 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.6AI score0.0031EPSS
Exploits0
WPVulnDB
WPVulnDB
added 2023/10/02 12:0 a.m.17 views

Onclick Show Popup < 6.6 - Admin+ Stored XSS

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.6AI score0.00382EPSS
Exploits3Affected Software1
WPVulnDB
WPVulnDB
added 2023/10/02 12:0 a.m.12 views

Tiger Forms < 2.1.0 - Reflected XSS

Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.7AI score0.00351EPSS
Exploits0Affected Software1
Total number of security vulnerabilities14603