Lucene search
K
WpvulndbRecent

14603 matches found

WPVulnDB
WPVulnDB
•added 2023/02/21 12:0 a.m.•19 views

Jobs for WordPress < 2.5.11 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/21 12:0 a.m.•29 views

ProfilePress < 4.5.5 - Reflected XSS

The plugin does not sanitise and escape various parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS6.4AI score0.00411EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/21 12:0 a.m.•18 views

Smart Logo Showcase Lite <= 1.1.9 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC smlsgutenblock heading='XSS'...

5.4CVSS5AI score0.00471EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•16 views

Companion Sitemap Generator <= 4.5.2 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC html-sitemap columns='1"...

5.4CVSS5.4AI score0.00444EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•41 views

Multiple Page Generator Plugin - MPG < 3.3.10 - Multiple CSRF

The plugin does not have CSRF checks in some places for example when delving projects, toggling cache etc, which could allow attackers to make logged in admins perform unwanted actions via CSRF attacks...

8.8CVSS8.3AI score0.0026EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•16 views

Bing Site Verification using Meta Tag <= 1.0 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•16 views

FluentSMTP < 2.2.3 - Stored XSS via Email Logs

The plugin does not sanitize or escape email content, making it vulnerable to stored cross-site scripting attacks XSS when an administrator views the email logs. This exploit requires other plugins to enable users to send emails with unfiltered HTML. PoC XSS Payload : Steps to reproduce: 1...

5.4CVSS5.4AI score0.00507EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•11 views

Sitemap Index <= 1.2.3 - Admin+ XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00397EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•20 views

10WebMapBuilder < 1.0.73 - Unauthenticated SQLi

The plugin does not properly sanitise and escape some parameters before using them in an SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection PoC Note: /2022/12/29/map/ is page/post where the GoogleMapsWD is embed POST /2022/12/29/map/ HTTP/1.1...

9.8CVSS9.3AI score0.03911EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•11 views

Video Gallery < 1.7.7 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•15 views

Real Estate 7 < 3.3.2 - Reflected XSS

The theme does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.8AI score0.00382EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•18 views

WP Custom Fields Search < 1.2.35 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.7AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•13 views

WP Dynamic Keywords Injector < 2.3.16 - Settings Update via CSRF

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS8.2AI score0.00253EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•11 views

Juicer < 1.11 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC juicer name='" onmouseover=alert/XSS/...

5.4CVSS5AI score0.00471EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•19 views

Video Background < 2.7.5 - Contributor+ Stored XSS via Shortcode

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC v 2.7.5 vidbg loop="1;alert/XSS-loop/;...

5.4CVSS4.9AI score0.00534EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•12 views

Stock market charts from finviz <= 1.0.1 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•24 views

ProfilePress < 4.5.5 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS5.1AI score0.00411EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•7 views

Books Gallery < 4.4.9 - CSRF

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS6.7AI score0.00256EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•14 views

WP Table Builder < 1.4.7 - Admin+ Stored XSS

The plugin does not sanitise and escape some of parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00396EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•24 views

Clio Grow < 1.0.1 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•12 views

Theme Tweaker <= 5.20 - Cross-Site Request Forgery

The plugin does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks. The original researcher didn't provide enough information on which actions could be performed...

8.8CVSS6.6AI score0.00256EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•18 views

Circles Gallery <= 1.0.10 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•10 views

Sponsors Carousel <= 4.02 - Admin+ Stored XSS

The plugin does not sanitise and escape some parameters such as its image title, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•24 views

Accept Stripe Donation - AidWP < 3.1.6 - CSRF

The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS8.3AI score0.0026EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•12 views

Visualizer < 3.9.5 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS5.1AI score0.00421EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•17 views

Namaste! LMS < 2.6 - Admin+ Stored XSS

The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. One XSS issue was fixed in version 2.5.9.9. The...

4.8CVSS5AI score0.00442EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•15 views

Ditty < 3.0.33 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS5.1AI score0.00387EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•18 views

Community by PeepSo < 6.0.3.0 - Multiple CSRF

The plugin does not have CSRF checks in some places, for example when unsubscribing email subscribers and delete the plugin, which could allow attackers to make logged in admins perform such actions via CSRF attacks...

8.8CVSS8.3AI score0.00256EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/20 12:0 a.m.•18 views

Social Login WP <= 5.0.0.0 - CSRF

The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS8.5AI score0.00255EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/17 12:0 a.m.•14 views

Portfolio Slideshow <= 1.13.0 - Contributor+ XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS5.1AI score0.0037EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/17 12:0 a.m.•20 views

Google Maps v3 Shortcode <= 1.2.1 - Contributor+ XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS5.1AI score0.0037EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/17 12:0 a.m.•14 views

Simple PDF Viewer <= 1.9 - Contributor+ XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS5.1AI score0.00361EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/17 12:0 a.m.•14 views

Podlove Podcast Publisher <= 3.8.3 - Cross-Site Request Forgery

The plugin does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks. The original researcher didn't provide enough information on which actions could be performed...

8.8CVSS6.6AI score0.00271EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/17 12:0 a.m.•23 views

WP Coder < 2.5.4 - Admin+ SQLi

The plugin does not properly sanitise and escape the id parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin...

7.2CVSS7.1AI score0.00798EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/16 12:0 a.m.•50 views

Media Library Assistant < 3.06 - Admin+ SQLi

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. PoC POST /wp-admin/tools.php?page=insertfixit-tools HTTP/1.1...

7.2CVSS7.8AI score0.00785EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/16 12:0 a.m.•20 views

Schema - All In One Schema Rich Snippets < 1.6.6 - Multiple CSRF

The plugin does not properly validate a user intended to do an action, which they could have done using nonce checks. This makes it possible for attackers to conduct CSRF attacks against an unsuspecting administrator, tricking their browser into editing some of the plugin's settings...

8.8CVSS6AI score0.00256EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/16 12:0 a.m.•24 views

WordPress Infinite Scroll - Ajax Load More < 5.6.0.3 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC Examples a lot of attributes are...

5.4CVSS5.3AI score0.00478EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/16 12:0 a.m.•21 views

Portfolio - WordPress Portfolio < 2.8.11 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS5AI score0.00361EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/16 12:0 a.m.•20 views

Campaign URL Builder < 1.8.2 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC The shortcode need to be active can be...

5.4CVSS5.4AI score0.00444EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/16 12:0 a.m.•181 views

WoodMart < 7.1.2 - Unauthenticated Arbitrary Shortcode Injection

The theme could allow arbitrary shortcode to be injected when the "Display results from blog" settings is enabled, which could lead to Reflected XSS for example, when using a shortcode vulnerable to XSS PoC When the "Display results from blog" settings is enabled:...

0.6AI score0.00523EPSS
Exploits3References1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•13 views

Archivist - Custom Archive Templates < 1.7.5 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•16 views

Nooz < 1.7.0 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•16 views

JSON Content Importer < 1.3.16 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•13 views

VikBooking Hotel Booking Engine & PMS < 1.6.0 - Multiple CSRF

The plugin does not have CSRF checks in various functions, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS6.1AI score0.00232EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•9 views

FireCask Like & Share Button < 1.2 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•133 views

Zeno Font Resizer < 1.8.0 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00442EPSS
Exploits1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•10 views

WP Email Capture < 3.10 - Email Captures Update via CSRF

The plugin does not have CSRF checks when updating its Email Captures, which could allow attackers to make logged in admins perform such action via a CSRF attack...

8.8CVSS6.7AI score0.00256EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•19 views

Quick Paypal Payments < 5.7.26 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS5.1AI score0.00361EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•15 views

Podlove Subscribe button < 1.3.9 - Multiple CSRF

The plugin does not have CSRF checks in some places, which could allow attackers to make logged in admins perform unwanted actions such as create/update/delete buttons, as well update/create formats via CSRF attacks...

8.8CVSS6.7AI score0.00248EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•11 views

WP Open Social <= 5.0 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
Total number of security vulnerabilities14603