Lucene search
K
WpvulndbRecent

14603 matches found

WPVulnDB
WPVulnDB
•added 2023/03/20 12:0 a.m.•24 views

WordPress Amazon S3 Plugin < 1.6 - Reflected XSS

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC...

4.8CVSS5.3AI score0.00442EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/20 12:0 a.m.•13 views

Time Sheets < 1.29.3 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Login as Admin. 2. Go to...

4.8CVSS4.9AI score0.00442EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/20 12:0 a.m.•16 views

Simple Giveaways < 2.45.1 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC As admin, add/edit a sharing method "Giveaways...

4.8CVSS4.9AI score0.00442EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/20 12:0 a.m.•38 views

TreePress – Easy Family Trees & Ancestor Profiles < 3.0.0 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some parameters, which could allow users with the Admin role to perform Cross-Site Scripting attacks...

5.9CVSS6AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/20 12:0 a.m.•16 views

WP Content Filter – Censor All Offensive Content From Your Site <= 3.0.1 - Admin+ Stored Cross Site Scripting

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.7AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/20 12:0 a.m.•12 views

Admin Log <= 1.50 - CSRF

The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS8.3AI score0.00271EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/20 12:0 a.m.•17 views

Read More Without Refresh <= 3.1 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.7AI score0.00392EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/20 12:0 a.m.•18 views

Simple Mobile URL Redirect <= 1.7.2 - Cross-Site Request Forgery

Cross-Site Request Forgery CSRF vulnerability in Ozette Plugins Simple Mobile URL Redirect plugin = 1.7.2 versions...

8.8CVSS6.9AI score0.0161EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/20 12:0 a.m.•17 views

Klaviyo <= 3.0.10 - Admin+ Stored XSS

The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go to Klaviyo Settings, and at Klaviyo...

4.8CVSS5.2AI score0.00442EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/20 12:0 a.m.•21 views

Simple Giveaways < 2.45.1 - Editor+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some of its Giveaways options, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Login with an editor user and add/edi...

4.8CVSS4.9AI score0.00446EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/20 12:0 a.m.•19 views

Kanban Boards for WordPress <= 2.5.20 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.7AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/20 12:0 a.m.•23 views

FluentForms < 4.3.25 - Contributor+ Stored XSS via Custom HTML Form Field

The plugin does not properly sanitize and escape the srcdoc attribute in iframes in it's custom HTML field type, allowing a logged in user with roles as low as contributor to inject arbitrary javascript into a form which will trigger for any visitor to the form or admins previewing or editing the...

5.4CVSS6AI score0.00478EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/17 12:0 a.m.•35 views

Bookly < 21.6 - Unauthenticated Stored XSS

The plugin does not sanitise and escape some parameters, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks...

7.2CVSS6.3AI score0.00464EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/17 12:0 a.m.•22 views

Open RDW kenteken voertuiginformatie < 2.1.0 - Reflected XSS

The plugin does not sanitise and escape the opendatardwkenteken parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS6.3AI score0.00382EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/17 12:0 a.m.•17 views

SEO by Squirrly SEO < 12.1.21 - Missing Authorization

The plugin does not check capabilities in some AJAX actions, allowing low-privileged users to perform privileged actions...

6.6AI score0.00397EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/17 12:0 a.m.•16 views

WP Simple Events <= 1.0 - Admin+ Cross Site Scripting

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.7AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/17 12:0 a.m.•15 views

Ecwid Shopping Cart < 6.11.5 - Contributor+ Stored Cross-Site Scriping

The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks...

6.5CVSS6.1AI score0.00387EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/17 12:0 a.m.•15 views

WooCommerce Weight Based Shipping < 5.5.0 - Settings Update via CSRF

The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...

8.8CVSS8.2AI score0.00249EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/17 12:0 a.m.•19 views

WP Express Checkout < 2.2.9 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. If the 'Admin Dashboard Access Permission' is set...

4.8CVSS5.4AI score0.00352EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/17 12:0 a.m.•26 views

WP Popup Banners <= 1.2.5 - Subscriber+ SQLi

The plugin does not properly sanitise and escape the bannerid parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscribers...

8.8CVSS7.7AI score0.0094EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/17 12:0 a.m.•18 views

SEO by Squirrly SEO < 12.1.21 - Reflected Cross-Site Scripting

The plugin does not sanitize and escape the "page" and "tab" URL parameters, leading to a Reflected Cross-Site Scripting vulnerability...

7.1CVSS6.1AI score0.0041EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/17 12:0 a.m.•15 views

Article Directory <= 1.3 - Admin+ Stored XSS

The plugin does not properly sanitize the publishtermstext setting before displaying it in the administration panel, which may enable administrators to conduct Stored XSS attacks in multisite contexts. PoC POST /wordpress/wp-admin/options.php HTTP/1.1 Host: 172.28.128.6 User-Agent: Mozilla/5.0...

4.8CVSS4.9AI score0.0047EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/17 12:0 a.m.•16 views

Return and Warranty Management System for WooCommerce <= 1.2.3 - Reflected Cross-Site Scripting

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS6AI score0.00382EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/17 12:0 a.m.•14 views

eCommerce Product Catalog < 3.3.9 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

4.8CVSS5.4AI score0.00377EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/17 12:0 a.m.•25 views

WP-Advanced-Search <= 3.3.8 - Settings Update via CSRF

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS6.7AI score0.0026EPSS
Exploits1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/17 12:0 a.m.•17 views

WP Job Portal <= 2.0.1 - Subscriber+ Stored XSS

The plugin does not sanitise and escape some parameters, which could allow users with a role as low as subscriber to perform Stored Cross-Site Scripting attacks...

5.9AI score0.00361EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/16 12:0 a.m.•13 views

WP Tiles <= 1.1.2 - Subscriber+ Draft/Private Post Title Disclosure

The plugin does not ensure that posts to be displayed are not draft/private, allowing any authenticated users, such as subscriber to retrieve the titles of draft and privates posts for example. AN attacker could also retrieve the title of any other type of post. PoC Run the below command in the...

6.5CVSS6.2AI score0.00795EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/16 12:0 a.m.•17 views

WP Tiles <= 1.1.2 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC wp-tiles extraclasses='"...

5.4CVSS5AI score0.00471EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/16 12:0 a.m.•19 views

Import External Images <= 1.4 - CSRF

The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.7AI score0.00256EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/16 12:0 a.m.•10 views

Newsmag <= 2.4.4 - Subscriber+ Reflected Cross-Site Scripting

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

6.5CVSS6AI score0.0037EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/16 12:0 a.m.•17 views

Event Manager for WooCommerce < 3.7.8 - Cross-Site Request Forgery (CSRF)

The plugin does not protect its uninstallreasonsubmission action against CSRF attacks, allowing an unauthenticated attacker to trick a logged in admin to submit a deactivate reason by submitting a crafted request...

8.8CVSS6.9AI score0.00293EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/16 12:0 a.m.•22 views

WP Simple Shopping Cart 4.6.3 - Unauthenticated PII Disclosure

The plugin saves exported shopping cart data in a publicly accessible directory, allowing unauthenticated users to retrieve PII such as full names, email/IP address etc...

5.3CVSS6.2AI score0.00549EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/16 12:0 a.m.•12 views

SMTP2GO < 1.5.0 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.7AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/16 12:0 a.m.•13 views

Mediciti Lite <= 1.3.0 - Reflected XSS

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Note: This is very likely the same issue than...

6AI score0.0037EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/15 12:0 a.m.•40 views

PB SEO Friendly Images <= 4.0.5 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/15 12:0 a.m.•18 views

Plugin for Google Reviews < 2.2.4 - Subscriber+ SQLi

The plugin does not properly sanitise and escape the placeid parameter before using it in a SQL statement via the grwoverviewajax AJAx action, leading to a SQL injection exploitable by any authenticated users, such as subscriber...

9.1CVSS9.1AI score0.00634EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/15 12:0 a.m.•16 views

WP Email Capture < 3.11 - Unauthenticated Email Capture Download

The plugin does not have authorisation in the wpemailcaptureoptionsprocess function, hooked to admininit, allowing unauthenticated users to download Email Captures and retrieve email addresses...

6.5AI score0.00547EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/14 12:0 a.m.•19 views

Chronoforms <= 7.0.9 - CSRF

The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.7AI score0.0026EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/14 12:0 a.m.•19 views

WP Basic Elements <= 5.2.15 - Cross-Site Request Forgery (CSRF)

The plugin does not protect its wpbesavesettings ajax actions against CSRF attacks, allowing an unauthenticated attacker to update the plugin settings by tricking a logged in admin to submit a crafted request...

8.8CVSS6.8AI score0.00253EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/14 12:0 a.m.•13 views

Tags Cloud Manager <= 1.0.0 - Reflected XSS

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against ??? high privilege users such as admin|only unauthenticated users...

6.3AI score0.00382EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/14 12:0 a.m.•14 views

xili-tidy-tags <= 1.12.03 - Cross-Site Request Forgery

The plugin does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks. The original researcher didn't provide enough information on which actions could be performed...

8.8CVSS6.6AI score0.00269EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/14 12:0 a.m.•18 views

Embed Any Document < 2.7.2 - Author+ Stored XSS

The plugin does not validate and sanitize upload SVG files, which could allow users with an author role and above to perform Stored Cross-Site Scripting attacks...

5.9CVSS5.8AI score0.00384EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/14 12:0 a.m.•18 views

Modern Footnotes < 1.4.16 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.7AI score0.00386EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/14 12:0 a.m.•14 views

Admin side data storage for Contact Form 7 <= 1.1.1 - Unauthenticated Reflected XSS

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS6AI score0.00382EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/14 12:0 a.m.•11 views

LOGIN AND REGISTRATION ATTEMPTS LIMIT <= 2.1 - Cross-Site Request Forgery (CSRF)

The plugin does not protect some of its actions against CSRF attacks, allowing an attacker to perform actions on their behalf by tricking a logged in user to submit a crafted request...

8.8CVSS6.6AI score0.0026EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/14 12:0 a.m.•13 views

Modern Events Calendar lite <= 5.16.2 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go to the import/export section. 2. Enter...

4.8CVSS5AI score0.00501EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/14 12:0 a.m.•14 views

Yandex.News Feed by Teplitsa <= 1.12.5 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.7AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/14 12:0 a.m.•15 views

Easy Event calendar <= 1.0 - Admin+ Stored XSS

The plugin does not sanitise and escape some parameters, which could allow users with a role of Admin to perform Cross-Site Scripting attacks...

5.9CVSS6.1AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/13 12:0 a.m.•17 views

Site Reviews < 6.6.0 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

5.8AI score0.00411EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/03/13 12:0 a.m.•13 views

CMS Press <= 0.2.3 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.7AI score0.00369EPSS
Exploits0Affected Software1
Total number of security vulnerabilities14603