14603 matches found
UniConsent Cookie Consent CMP for GDPR / CCPA < 1.4.4 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Blocks <= 1.6.42 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Social Metrics <= 2.2 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Popup contact form <= 7.1 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Click To Tweet <= 2.0.14 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Order Delivery Date for WP e-Commerce <= 1.2 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Insert Estimated Reading Time <= 1.2 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WWM Social Share On Image Hover <= 2.2 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Anchor Episodes Index (Spotify for Podcasters) < 2.1.8 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Rescue Shortcodes <= 2.5 - Contributor+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Regpack <= 0.1 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WP Adminify < 3.1.6 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
FooGallery < 2.3.2 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Dreamfox Media Payment gateway per Product for Woocommerce < 3.2.8 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Popup contact form <= 7.1 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Images Slideshow by 2J <= 1.3.54 - Contributor+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Attorney <= 3 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Notice Bar < 3.1.1 - Contributor+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Locations <= 4.0 - Contributor+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Cooked <= 1.7.13 - Contributor+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Most Popular Posts Widget < 0.9 - Admin+ SQL injection
Description The plugin does not properly validate and escape the "orderby" GET parameter before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue...
The Awesome Feed – Custom Feed <= 2.2.5 - Contributor+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Back To The Top Button <= 2.1.5 - Admin+ Stored XSS
Description The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
wordpress publish post email notification < 1.0.2.3 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
SendPress Newsletters <= 1.23.11.6 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Blog Filter <= 1.4 - Contributor+ Stored Cross-Site Scripting
Description The plugin does not adequately sanitize and escape the 'vivafbcomment' shortcode. This lack of proper input sanitization and output escaping allows authenticated users with contributor-level permissions or higher to inject arbitrary web scripts into pages. These scripts will execute...
OpenHook < 4.3.1 - Subscriber+ Remote Code Execution
Description The plugin does not prevent low-privileged users like subscribers from using its 'php' shortcode feature, leading to potential Remote Code Execution...
Goods Catalog <= 2.4.1 - Contributor+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
WooCommerce PensoPay < 6.3.2 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
WP-dTree <= 4.4.5 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Smarty for WordPress <= 3.1.35 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
authLdap <= 2.5.9 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Stock Quotes List <= 2.9.11 - Contributor+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
WP Bannerize Pro <= 1.6.9 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
HollerBox < 2.3.3 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Photo Gallery Slideshow & Masonry Tiled Gallery < 1.0.14 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
User Feedback < 1.0.8 - Unauthenticated Stored XSS
Description The plugin does not validate and escape some parameters, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks...
Font Awesome More Icons <= 3.5 - Contributor+ Stored Cross-Site Scripting
Description The plugin does not properly sanitize and escape the 'icon' shortcode, leading to a potential Stored Cross-Site Scripting vulnerability. As a result, users with contributor-level permissions and above can inject arbitrary web scripts into pages...
Welcart e-Commerce < 2.8.22 - Editor+ Arbitrary File Upload
Description The plugin does not prevent users with editor or higher privileges from uploading an arbitrary file to an unauthorized directory...
Essential Blocks < 4.2.1 - Unauthenticated Object Injection
Description The plugin doesn't prevent unauthenticated attackers from deserializing user input, which could allow them to run code on the server if they have a POP chain allowing them to do so...
Font Awesome Integration <= 5.0 - Contributor+ Stored Cross-Site Scripting
Description The plugin does not sufficiently sanitize and escape user-supplied attributes in the 'fawesome' shortcode, which can lead to the injection of arbitrary web scripts on pages accessed by users...
Welcart e-Commerce < 2.8.22 - Multiple XSS
Description The plugin does not sanitize and escape a parameter before outputting it back in multiple pages, leading to a Reflected Cross-Site Scripting which could be used against other users...
TM WooCommerce Compare & Wishlist <= 1.1.7 - Contributor+ Stored Cross-Site Scripting
Description The plugin does not sufficiently sanitize and escape user-supplied attributes in the 'tmwoowishlisttable' shortcode. This leads to a Stored Cross-Site Scripting vulnerability, enabling authenticated users with contributor-level or higher permissions to inject arbitrary web scripts...
Welcart e-Commerce < 2.8.22 - Editor+ SQL Injection
Description The plugin does not properly sanitize and escape a parameter before using it in an SQL statement, leading to an SQL injection exploitable by users with a role as low as an editor...
Welcart e-Commerce < 2.8.22 - Author+ SQL Injection
Description The plugin does not properly sanitize and escape a parameter before using it in an SQL statement, leading to an SQL injection exploitable by users with a role as low as an author...
Welcart e-Commerce < 2.8.22 - Author+ Path Traversal
Description The plugin does not prevent users with author or higher privilege from obtaining partial information of the files on the web server...
Social Media & Share Icons < 2.8.4 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
GuruWalk Affiliates <= 1.0.0 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Ultimate Addons for Contact Form 7 < 3.2.1 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Sitekit < 1.4 - Contributor+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...