Lucene search
K
WpvulndbRecent

14603 matches found

WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•18 views

Podlove Subscribe button < 1.3.9 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•15 views

WordPress Social Login and Register < 7.6.0 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•69 views

Easy Panorama < 1.1.5 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00442EPSS
Exploits1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•16 views

Inline Tweet Sharer < 2.6 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•18 views

Quick Contact Form < 8.0.4 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•14 views

WP Insert < 2.5.1 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•14 views

Ultimate WP Query Search Filter <= 1.0.10 - Contributor+ XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS5.1AI score0.00361EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•18 views

WP BaiDu Submit <= 1.2.1 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•12 views

Upload File Type Settings <= 1.1 - Admin+ Stored XSS

The plugin does not sanitize and escape some fields in the plugin settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfilteredhtml capability is disallowed for example in a multisite setup...

5.9CVSS6.6AI score0.00369EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•11 views

Download Info Page <= 1.3.9 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•17 views

Sticky Ad Bar <= 1.3.1 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•20 views

Archivist - Custom Archive Templates < 1.7.5 - Stored XSS via CSRF

The plugin does not have CSRF when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...

8.8CVSS6AI score0.00248EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•19 views

Service Area Postcode Checker <= 2.0.8 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•25 views

vSlider Multi Image Slider for WordPress <= 4.1.2 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

5.9CVSS5.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•14 views

WordPress Social Login and Register < 7.5.15 - Multiple CSRF

The plugin does not have CSRF checks in some places, which could allow attackers to make logged in admins perform unwanted actions via CSRF attacks...

8.8CVSS6.7AI score0.00256EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•15 views

Tapfiliate < 3.0.13 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•17 views

Click to Call or Chat Buttons < 1.5.0 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/15 12:0 a.m.•17 views

Feed Changer & Removerr < 0.3 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/14 12:0 a.m.•16 views

Multi Rating < 5.0.6 - Reflected XSS

The plugin does not sanitise and escape the from-date, to-date and post-id parameters before outputting them back in the response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.7AI score0.00382EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/14 12:0 a.m.•19 views

Client Logo Carousel <= 3.0.0 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC Note: 1. First, you need to add a...

5.4CVSS5AI score0.00471EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/14 12:0 a.m.•12 views

Quick Event Manager < 9.6.5 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/14 12:0 a.m.•13 views

My Tickets < 1.9.11 - Bulk Emailing via CSRF

The plugin does not have CSRF check when bulk emailing, which could allow attackers to make logged in admins perform such action via a CSRF attack...

8.8CVSS8.2AI score0.00276EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/14 12:0 a.m.•13 views

Conditional Payments for WooCommerce < 2.3.2 - Plugin RuleSets Activation/Deactivation via CSRF

The plugin does not have CSRF checks when activating and deleting its rulesets, which could allow attackers to make logged in users perform such actions via CSRF attacks...

5.4CVSS6.4AI score0.00215EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/14 12:0 a.m.•10 views

WP Prayer < 1.9.7 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/14 12:0 a.m.•14 views

Locatoraid Store Locator < 3.9.12 - CSRF

The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS8.3AI score0.00248EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/14 12:0 a.m.•16 views

Interactive SVG Image Map Builder < 1.1 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/14 12:0 a.m.•36 views

NextGEN Gallery < 3.29 - Thumbnail Deletion via CSRF

The plugin does not have CSRF checks when deleting Thumbnail, which could allow attackers to make logged in users with the editPost capability to perform such action via a CSRF attack...

4.3CVSS5.7AI score0.00229EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/14 12:0 a.m.•12 views

Opt-Out for Google Analytics < 2.3.5 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/14 12:0 a.m.•6 views

Ocean Extra < 2.1.3 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC Note: This requires the OceanWP theme to...

1.2AI score
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/14 12:0 a.m.•16 views

Quick Paypal Payments < 5.7.26 - Unauthenticated Payment Message Deletion/Update

The plugin does not have authorisation in the downloadlogs function, allowing unauthenticated users to export, delete payment messages, as well as update payment message options...

6.9AI score0.00754EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/14 12:0 a.m.•14 views

Quick Paypal Payments < 5.7.26 - Unauthenticated Stored XSS

The plugin does not sanitise and escape some parameters, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks...

7.1CVSS5.8AI score0.00406EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/14 12:0 a.m.•18 views

Popup Builder by OptinMonster < 2.12.2 - Subscriber+ Arbitrary Post Content Disclosure

The plugin does not ensure that the campaign to be loaded via some shortcodes is actually a campaign, allowing any authenticated users such as subscriber to retrieve the content of arbitrary posts, like draft, private or even password protected ones. PoC Run one of the below commands in the...

6.5CVSS6.9AI score0.00778EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/14 12:0 a.m.•13 views

Ocean Extra < 2.1.3 - Subscriber+ Arbitrary Post Content Disclosure

The plugin does not ensure that the template to be loaded via a shortcode is actually a template, allowing any authenticated users such as subscriber to retrieve the content of arbitrary posts, such as draft, private or even password protected ones. PoC Note: This requires the OceanWP theme to be...

6.5CVSS6.8AI score0.00654EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/13 12:0 a.m.•16 views

Resume Builder <= 3.1.1 - Subscriber+ Stored XSS

The plugin does not sanitize and escape some parameters related to Resume, which could allow users with a role as low as subscriber to perform Stored XSS attacks against higher privilege users PoC Run the below command in the developer console of the web browser while being on the blog as...

5.4CVSS5.7AI score0.00444EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/13 12:0 a.m.•17 views

Fancy Comments WordPress < 1.2.11 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS5.1AI score0.00361EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/13 12:0 a.m.•14 views

Advanced Recent Posts <= 0.6.14 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC lptwrecentposts colorscheme='"...

5.4CVSS5AI score0.00471EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/13 12:0 a.m.•38 views

Beautiful Cookie Consent Banner < 2.10.2 - Unauthenticated Stored XSS

The plugin does not have authorisation and CSRF check when updating its settings, and does not escape some of them when outputting them, which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks. An initial fix was released in version 2.10.1, and completed in...

2.2AI score
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/13 12:0 a.m.•19 views

Shoppable Images Lite < 1.2.4 - Arbitrary Post Deletion via CSRF

The plugin does not have CSRF checks in some places, for example when deleting/updating images. Furthermore, it does not ensure that the image to be deleted are actually images, which could allow attackers to make logged in admins delete arbitrary posts via a CSRF attack...

8.8CVSS6.8AI score0.00248EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/13 12:0 a.m.•44 views

WooCommerce Checkout Field Manager < 18.0 - Unauthenticated Arbitrary File Upload

The plugin does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server PoC 1. Install and activate woocommerce dependency, no setup required 2. Install and active the vulnerable plugin n-media-woocommerce-checkout-fields...

9.8CVSS9.4AI score0.04427EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/13 12:0 a.m.•15 views

Product GTIN (EAN, UPC, ISBN) for WooCommerce <= 1.1.1 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC wpmproductgtin id='1' wrapper='div...

5.4CVSS5.2AI score0.00471EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/13 12:0 a.m.•10 views

Announce from the Dashboard < 1.5.2 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/13 12:0 a.m.•17 views

Cost Calculator <= 1.8 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC ndcostcalculator id='"...

5.4CVSS5AI score0.00471EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/13 12:0 a.m.•18 views

DupeOff <= 1.6 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00392EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/13 12:0 a.m.•11 views

Twitch Player < 2.1.1 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/13 12:0 a.m.•23 views

WordPress Social Login and Register < 7.6.1 - Unauthenticated Arbitrary Content Deletion

The plugin does not have authorisation in some AJAX actions, allowing unauthenticated users to call them and perform unauthorised actions, such as delete social profile data...

6.9AI score0.0073EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/13 12:0 a.m.•24 views

eVision Responsive Column Layout Shortcodes <= 2.3 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC bscolumns class='" onmouseover="alert1"...

5.4CVSS5AI score0.00471EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/13 12:0 a.m.•22 views

Simple Yearly Archive < 2.1.9 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00369EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/13 12:0 a.m.•21 views

i2 Pros & Cons <= 1.3.1 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC i2prosandcons showbutton='true'...

5.4CVSS5AI score0.00471EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/13 12:0 a.m.•30 views

UpQode Google Maps <= 1.0.5 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC Exploit: vcugmmap mapheight='100px;...

2.5AI score0.0053EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/02/13 12:0 a.m.•17 views

Download Attachments <= 1.2.24 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC download-attachments containerclass='"...

5.4CVSS5AI score0.00482EPSS
Exploits1Affected Software1
Total number of security vulnerabilities14603