Lucene search
+L
WpvulndbRecent

14603 matches found

WPVulnDB
WPVulnDB
•added 2023/01/23 12:0 a.m.•25 views

Spotlight Social Feeds < 1.4.3 - Contributor+ Stored XSS

The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC Exploit Additional CSS classes for "Spotlight...

5.4CVSS5AI score0.00526EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/23 12:0 a.m.•23 views

Zoho Forms < 3.0.1 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC As a contributor, put the following in ...

5.4CVSS5AI score0.01648EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/23 12:0 a.m.•16 views

WP Terms Popup < 2.6.1 - Admin+ Stored XSS

The plugin does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00392EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/23 12:0 a.m.•9 views

Modal Dialog < 3.5.10 - Admin+ Stored XSS

The plugin does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00392EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/23 12:0 a.m.•11 views

Parsi Date < 4.0.2 - Reflected Cross-Site Scripting

The plugin does not escape generated URLs before outputing them in attrubutes, leading to Reflected Cross-Site Scripting...

1.6AI score
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/23 12:0 a.m.•15 views

PickPlugins Product Slider for WooCommerce < 1.13.42 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC wcps id='" onmouseover="alert/XSS/"'...

5.4CVSS5AI score0.00477EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/23 12:0 a.m.•16 views

WP Popups < 2.1.4.9 - Contributor+ Stored XSS

The plugin does not validate and escape the href attribute of its spu-facebook-page shortcode before outputting it back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS5AI score0.00393EPSS
Exploits1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/23 12:0 a.m.•12 views

WP Helper Lite < 4.3 - Reflected Cross-Site Scripting

The plugin does not sanitise and escape all GET parameters before outputting them back in an AJAX response, leading to a Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin-ajax.php?action=surveySubmit="...

6.1CVSS6AI score0.44513EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/23 12:0 a.m.•20 views

WP Google Review Slider < 11.8 - Subscriber+ SQLi

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber. PoC Run the following code in the browser console on any WP Admin page. fetch'/wp-admin/admin-ajax.php', method: 'POST...

8.8CVSS9.1AI score0.00919EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/23 12:0 a.m.•272 views

Lightweight Accordion < 1.5.15 - Contributor+ Stored XSS

The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC Exploit Additional CSS classes for "Lightweight...

5.4CVSS5AI score0.00562EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/23 12:0 a.m.•19 views

WP TripAdvisor Review Slider < 10.8 - Subscriber+ SQLi

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber. PoC Run the following code in the browser console on any WP Admin page. fetch'/wp-admin/admin-ajax.php', method: 'POST...

8.8CVSS9.1AI score0.04356EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/23 12:0 a.m.•14 views

WP Review Slider < 12.2 - Subscriber+ SQLi

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber. PoC Run the following code in the browser console on any WP Admin page. fetch'/wp-admin/admin-ajax.php', method: 'POST...

8.8CVSS9.1AI score0.00919EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/23 12:0 a.m.•21 views

Image and Video Lightbox, Image PopUp < 2.1.6 - Admin+ Stored XSS

The plugin does not sanitise and escape various parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00392EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/23 12:0 a.m.•14 views

Oi Yandex.Maps <= 3.2.7 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS5.1AI score0.00383EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/21 12:0 a.m.•15 views

Advanced Social Pixel <= 2.1.1 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00392EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/20 12:0 a.m.•18 views

WP Flipclock < 1.8 - Contributor+ Stored XSS

The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks...

6.5CVSS5.2AI score0.00393EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/20 12:0 a.m.•21 views

WP Google Map < 4.4.0 - Editor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the Editor role and above to perform Stored Cross-Site Scripting attacks...

5.9CVSS5.1AI score0.0038EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/20 12:0 a.m.•9 views

Quick Event Manager < 9.7.5 - Unauthenticated Stored XSS

The plugin does not sanitise and escape the "yourname" parameter, which could allow unauthenticated users to perform Cross-Site Scripting attacks...

7.1CVSS5.9AI score0.00406EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/20 12:0 a.m.•19 views

MailOptin 1.2.54.0 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00392EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/20 12:0 a.m.•19 views

WP Smart Preloader < 1.15.1 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00392EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/20 12:0 a.m.•17 views

ProfilePress < 4.5.4 - Admin+ Stored XSS

The plugin does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00421EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/20 12:0 a.m.•17 views

Simple Staff List < 2.2.3 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS5.1AI score0.00393EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/20 12:0 a.m.•16 views

Conversational Forms for ChatBot < 1.1.7 - Admin+ Stored XSS

The plugin does not sanitise and escape a form name, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00392EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/20 12:0 a.m.•25 views

WP Google Maps < 9.0.16 - Admin+ Path Traversal

The plugin does not validate the XML Directory path settings, which could allow high privilege users such as admin to perform Path Traversal attacks...

6.5CVSS6.3AI score0.00754EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/20 12:0 a.m.•16 views

Social Like Box and Page by WpDevArt < 0.8.40 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its select elements, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00392EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/20 12:0 a.m.•15 views

FL3R FeelBox <= 8.1 - Unauthenticated SQLi

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. PoC 1. Visit a blog post and extract the nonce from the source search for "feelboxAjax", and extract the "token" curl...

9.8CVSS9.5AI score0.0105EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/20 12:0 a.m.•13 views

Heateor Social Comments < 1.6.2 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS5.1AI score0.00383EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/20 12:0 a.m.•16 views

Bubble Menu - Circle Floating Menu < 3.0.2 - Form Deletion via CSRF

The plugin does not have CSRF checks when deleting forms, which could allow attackers to make logged in users perform such actions via a CSRF attack...

5.4CVSS5.5AI score0.00234EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/20 12:0 a.m.•26 views

VikRentCar < 1.3.1 - Admin+ Stored XSS

The plugin does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00392EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/20 12:0 a.m.•13 views

Media Library Categories < 2.0.0 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00392EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/20 12:0 a.m.•16 views

Contact Us page - Contact people LITE < 3.7.1 - Contact Update/Deletion/Creation via CSRF

The plugin does not have CSRF checks when creating, updating and deleting contacts, which could allow attackers to make logged in users perform such actions via CSRF attacks...

6.5CVSS6.3AI score0.00237EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/20 12:0 a.m.•13 views

Amazon JS <= 0.10 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC amazonjs asin='XSS' imgsize='"...

6.8CVSS5AI score0.00635EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/20 12:0 a.m.•18 views

Quick Event Manager < 9.7.5 - Registration Deletion/Update via CSRF

The plugin does not have CSRF checks when deleting and updating registrations, which could allow attackers to make logged in users perform such actions via CSRF attacks...

5.4CVSS5.6AI score0.00234EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/20 12:0 a.m.•17 views

Pods < 2.9.11 - Pods Deletion via CSRF

The plugin does not have CSRF checks when deleting pods, which could allow attackers to make logged in admins perform such action via a CSRF attack...

8.8CVSS8.2AI score0.00264EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/20 12:0 a.m.•16 views

Very Simple Google Maps < 2.9 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS5.1AI score0.00393EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/20 12:0 a.m.•20 views

WP Time Slots Booking Form < 1.1.82 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00392EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/20 12:0 a.m.•19 views

User Registration < 2.3.1 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00392EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/20 12:0 a.m.•16 views

Category Specific RSS feed Subscription < 2.2 - Settings Update via CSRF

The plugin does not have CSRF check when updating its settings, which could allow attackers to make logged in admins perform such action via a CSRF attack...

8.8CVSS8.2AI score0.00271EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/20 12:0 a.m.•14 views

Image Hover Effects For WPBakery Page Builder < 5.0 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS5.1AI score0.00383EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/19 12:0 a.m.•20 views

GiveWP < 2.24.0 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC givemultiformgoal image='"...

5.4CVSS5AI score0.00555EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/19 12:0 a.m.•13 views

Camera slideshow <= 1.4.0.1 - Reflected Cross-Site Scripting

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.7AI score0.00406EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/19 12:0 a.m.•16 views

M Chart < 1.10 - Contributor+ Stored XSS

The plugin does not sanitize and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS5.1AI score0.00383EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/19 12:0 a.m.•12 views

GPT3 AI Content Writer < 1.4.38 - Subscriber+ Arbitrary Post Content Update

The plugin does not perform any kind of nonce or privilege checks before letting logged-in users modify arbitrary posts. PoC fetch'http://localhost/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type': 'application/x-www-form-urlencoded', , body:...

5.4CVSS5.3AI score0.00512EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/19 12:0 a.m.•15 views

Amr Shortcode Any Widget <= 4.0 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC 1. Insert...

5.4CVSS5AI score0.00477EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/19 12:0 a.m.•21 views

3com Asesor de Cookies <= 3.4.3 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

4.8CVSS4.7AI score0.00392EPSS
Exploits0
WPVulnDB
WPVulnDB
•added 2023/01/19 12:0 a.m.•18 views

WP eBay Product Feeds < 3.4 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00392EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/19 12:0 a.m.•13 views

Interactive Polish Map < 1.2.1 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00392EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/19 12:0 a.m.•26 views

YARPP - Yet Another Related Posts Plugin < 5.30.3 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC v 5.30.3 yarpp template="'...

6.8CVSS4.9AI score0.00707EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/19 12:0 a.m.•13 views

Nice PayPal Button Lite <= 1.3.5 - CSRF

The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS8.3AI score0.00264EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
•added 2023/01/19 12:0 a.m.•31 views

Mapwiz <= 1.0.1 - Admin+ SQLi

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. PoC POST /wp-admin/admin.php?page=myplug/muyplg.php HTTP/1.1...

7.2CVSS7.5AI score0.00957EPSS
Exploits2References1Affected Software1
Total number of security vulnerabilities14603