Lucene search
+L
WpvulndbRecent

14603 matches found

wpvulndb
wpvulndb
added 2023/01/13 12:0 a.m.21 views

eExamhall <= 4.0 - CSRF

The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

6.5CVSS6.3AI score0.00234EPSS
Exploits0Affected Software1
wpvulndb
wpvulndb
added 2023/01/13 12:0 a.m.20 views

WP Better Emails <= 0.4 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS4.8AI score0.00392EPSS
Exploits0Affected Software1
wpvulndb
wpvulndb
added 2023/01/13 12:0 a.m.17 views

Happyforms < 1.22.0 - Contributor+ Stored XSS

The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC Exploit Additional CSS classes for "Forms" Gutenbe...

5.4CVSS1.2AI score0.00496EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/13 12:0 a.m.21 views

WP-OliveCart <= 1.1.3 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.8AI score0.00392EPSS
Exploits0Affected Software1
wpvulndb
wpvulndb
added 2023/01/12 12:0 a.m.22 views

jQuery T(-) Countdown Widget < 2.3.24 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC tminus t='2100-01-01' width='"...

5.4CVSS2.8AI score0.00562EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/12 12:0 a.m.27 views

Tutor LMS < 2.0.10 - Reflected Cross-Site Scripting

The plugin does not sanitise and escape the resetkey and userid parameters before outputting then back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC...

6.1CVSS0.7AI score0.01347EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/12 12:0 a.m.30 views

Easy Digital Downloads 3.1.0.2 & 3.1.0.3 - Unauthenticated SQLi

The plugin does not properly sanitise and escape the s parameter before using it in a SQL statement via the edddownloadsearch AJAX action , leading to a SQL injection exploitable by unauthenticated users PoC curl...

9.8CVSS1.7AI score0.11172EPSS
Exploits2References1Affected Software1
wpvulndb
wpvulndb
added 2023/01/12 12:0 a.m.37 views

Html5 Audio Player < 2.1.12 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC h5apinlineplayer src="invalid'...

5.4CVSS2.8AI score0.00573EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/12 12:0 a.m.27 views

Login with Phone Number < 1.4.2 - Reflected Cross-Site Scripting

The plugin does not sanitise and escape the ID parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC https://example.com/wp-admin/admin-ajax.php?action=lwpforgotpassword=...

8.8CVSS0.7AI score0.57123EPSS
Exploits2References1Affected Software1
wpvulndb
wpvulndb
added 2023/01/12 12:0 a.m.52 views

Paid Membership Pro < 2.9.8 - Unauthenticated SQLi

The plugin does not properly sanitise and escape the code parameter before using it in a SQL statement via the /pmpro/v1/order REST route, leading to a SQL injection exploitable by unauthenticated users PoC curl...

9.8CVSS0.8AI score0.9246EPSS
Exploits6References1Affected Software1
wpvulndb
wpvulndb
added 2023/01/12 12:0 a.m.15 views

Simple Membership WP < 1.8 - Admin+ SQLi

The plugin does not properly sanitise and escape the orderby parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin...

7.2CVSS1.8AI score0.0088EPSS
Exploits0Affected Software1
wpvulndb
wpvulndb
added 2023/01/12 12:0 a.m.19 views

Quick Event Manager < 9.7.5 - Reflected Cross-Site

The plugin does not sanitise and escape the category parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC https://example.com/wp-admin/admin-ajax.php?action=qemajaxcalendar=alert1...

6.1CVSS0.8AI score0.01179EPSS
Exploits2References1Affected Software1
wpvulndb
wpvulndb
added 2023/01/12 12:0 a.m.23 views

Giveaways and Contests by RafflePress < 1.11.3 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC rafflepress id='1' minheight="'; alert1...

5.4CVSS3.3AI score0.00573EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/12 12:0 a.m.16 views

Annual Archive < 1.6.0 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC archives tag='ul onmouseover="alert1"'...

5.4CVSS2.6AI score0.00573EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/12 12:0 a.m.16 views

Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) < 3.12.7 - Contributor+ Stored XSS via Shortcode

The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. PoC mapsmarker lot='1' lat='1' mapwidth='" onmouseover="alert1"'...

5.4CVSS3.9AI score0.00562EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/12 12:0 a.m.20 views

WP Blog and Widget < 2.3.1 - Contributor+ Stored XSS via Shortcode

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Note:...

5.4CVSS1.6AI score0.00649EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/11 12:0 a.m.26 views

ResponsiveVoice Text To Speech < 1.7.7 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC responsivevoicebutton voice='"; alert1;...

5.4CVSS2.3AI score0.00623EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/11 12:0 a.m.12 views

WP Show Posts < 1.1.4 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC 1. Add a...

5.4CVSS1.6AI score0.00695EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/11 12:0 a.m.23 views

EAN for WooCommerce < 4.4.3 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC algwceanproductimage productid='1'...

5.4CVSS2.6AI score0.00573EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/11 12:0 a.m.14 views

GamiPress – Vimeo integration < 1.0.9 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC gamipressvimeo url='https://vimeo.com/"...

5.4CVSS1AI score0.00695EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/11 12:0 a.m.14 views

Gallery Factory Lite <= 2.0.0 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC Note: First, you need to add an Album...

5.4CVSS2.5AI score0.00695EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/11 12:0 a.m.23 views

Naver Map <= 1.1.0 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC naver-map y='" onmouseover="alert1"...

5.4CVSS2.6AI score0.0051EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/11 12:0 a.m.20 views

WOOF - Products Filter for WooCommerce < 1.3.2 - Admin+ PHP Object Injection

The plugin unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. PoC 1. To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void...

7.2CVSS3.1AI score0.01313EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/11 12:0 a.m.23 views

WC Vendors Marketplace < 2.4.5 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC wcvrecentproducts columns='1"...

5.4CVSS3.1AI score0.00685EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/11 12:0 a.m.17 views

Breadcrumb < 1.5.33 - Contributor+ Stored XSS via Shortcode

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Exploit...

5.4CVSS3.1AI score0.00588EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/11 12:0 a.m.17 views

Flexible Captcha <= 4.1 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC FCcaptchafields width='"...

5.4CVSS2.9AI score0.00613EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/11 12:0 a.m.17 views

WordPrezi < 0.9 - Contributor+ Strored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC prezi url="https://prezi.com/'...

5.4CVSS5.1AI score0.00695EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/11 12:0 a.m.33 views

Cloak Front End Email < 1.9.2 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC email name='" onmouseover="alert1"...

5.4CVSS2.6AI score0.00649EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/11 12:0 a.m.33 views

Hide My WP < 6.2.9 - Unauthenticated SQLi

The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. PoC curl -k --location --request GET "http://localhost:10008" --header "X-Forwarded-For:...

9.8CVSS1.2AI score0.03824EPSS
Exploits5Affected Software1
wpvulndb
wpvulndb
added 2023/01/11 12:0 a.m.20 views

Vimeo Video Autoplay Automute <= 1.0 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC vimeo clipid="1" color="'...

5.4CVSS2.9AI score0.0055EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/11 12:0 a.m.18 views

Send PDF for Contact Form 7 < 0.9.9.2 - Contributor+ Stored XSS via Shortcode

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Exploit...

5.4CVSS1.2AI score0.00562EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/10 12:0 a.m.17 views

Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Plugin Deactivation

The plugin does not have authorisation and CSRF checks when deactivating plugins, which could allow any authenticated user, such as subscriber to perform such action...

6.5CVSS3.3AI score0.00798EPSS
Exploits1References1Affected Software1
wpvulndb
wpvulndb
added 2023/01/10 12:0 a.m.19 views

Royal Elementor Addons < 1.3.60 - Subscriber+ Template Condition Update

The plugin does not have authorisation and CSRF checks when updating the template conditions, which could allow any authenticated user, such as subscriber to perform such action...

6.5CVSS2.5AI score0.00603EPSS
Exploits1References1Affected Software1
wpvulndb
wpvulndb
added 2023/01/10 12:0 a.m.13 views

Royal Elementor Addons < 1.3.60 - Reflected XSS

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

6.1CVSS1.4AI score0.00728EPSS
Exploits1References1Affected Software1
wpvulndb
wpvulndb
added 2023/01/10 12:0 a.m.21 views

Clean Login < 1.13.7 - Contributor+ Stored XSS via Shortcode

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Note: 1...

5.4CVSS1.5AI score0.00573EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/10 12:0 a.m.18 views

Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Import Deletion

The plugin does not have authorisation and CSRF checks when deleting imported content, which could allow any authenticated user, such as subscriber to perform such action...

8.1CVSS2.9AI score0.00945EPSS
Exploits1References1Affected Software1
wpvulndb
wpvulndb
added 2023/01/10 12:0 a.m.28 views

PPWP – WordPress Password Protect Page < 1.8.6 - Contributor+ Stored XSS in Shortcode

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Exploit...

5.4CVSS1.7AI score0.00649EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/10 12:0 a.m.25 views

Royal Elementor Addons < 1.3.60 - Menu Template Creation via CSRF

The plugin does not have CSRF check when creating menu templates, which could allow attackers to make a logged in admin perform such action via a CSRF attack...

6.5CVSS4.7AI score0.00348EPSS
Exploits1References1Affected Software1
wpvulndb
wpvulndb
added 2023/01/10 12:0 a.m.20 views

Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Template Activation

The plugin does not have authorisation and CSRF checks when activating templates, which could allow any authenticated user, such as subscriber to perform such action...

4.3CVSS3.2AI score0.00603EPSS
Exploits1References1Affected Software1
wpvulndb
wpvulndb
added 2023/01/10 12:0 a.m.20 views

WP-ShowHide < 1.05 - Contributor+ Stored XSS via Shortcode

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Exploit...

5.4CVSS3.4AI score0.00573EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/10 12:0 a.m.49 views

PDF.js Viewer < 2.1.8 - Contributor+ Stored XSS via Shortcode

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC pdfjs-viewer viewerheight='"...

5.4CVSS3.6AI score0.00562EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/10 12:0 a.m.9 views

User Meta Manager <= 3.4.9 - CSRF

The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

7.1CVSS6.7AI score0.00406EPSS
Exploits0Affected Software1
wpvulndb
wpvulndb
added 2023/01/10 12:0 a.m.20 views

Easy Testimonials < 3.9.3 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC 1. Insert...

5.4CVSS2.8AI score0.00649EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/10 12:0 a.m.17 views

Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Plugin Activation

The plugin does not have authorisation and CSRF checks when activating plugins, which could allow any authenticated user, such as subscriber to perform such action...

8.8CVSS3.3AI score0.00754EPSS
Exploits1References1Affected Software1
wpvulndb
wpvulndb
added 2023/01/10 12:0 a.m.22 views

Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Template Import

The plugin does not have authorisation and CSRF checks when importing templates, which could allow any authenticated user, such as subscriber to perform such action...

8.1CVSS2.8AI score0.00792EPSS
Exploits1References1Affected Software1
wpvulndb
wpvulndb
added 2023/01/10 12:0 a.m.15 views

Strong Testimonials < 3.0.3 - Contributor+ Stored XSS via Shortcode

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Exploit:...

5.4CVSS3.2AI score0.00649EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/10 12:0 a.m.25 views

Royal Elementor Addons < 1.3.60 - Subscriber+ Mega Menu Settings Update

The plugin does not have authorisation and CSRF checks when updating the mega menu settings, which could allow any authenticated user, such as subscriber to perform such action...

4.3CVSS3AI score0.00688EPSS
Exploits2References1Affected Software1
wpvulndb
wpvulndb
added 2023/01/10 12:0 a.m.21 views

Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Theme Activation

The plugin does not have authorisation and CSRF checks when activating themes, which could allow any authenticated user, such as subscriber to perform such action...

8.8CVSS3.3AI score0.00818EPSS
Exploits1References1Affected Software1
wpvulndb
wpvulndb
added 2023/01/10 12:0 a.m.24 views

Post Category Image With Grid and Slider < 1.4.8 - Contributor+ Stored XSS via Shortcode

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Exploit...

5.4CVSS2.5AI score0.00685EPSS
Exploits2Affected Software1
wpvulndb
wpvulndb
added 2023/01/10 12:0 a.m.21 views

Event Manager and Tickets Selling Plugin for WooCommerce < 3.8.0 - Contributor+ Stored XSS

The plugin does not validate and escape some of its post meta before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC 1. Add an event in the plugin with a city meta as: " onmouseover="alert1" 2. On...

5.4CVSS0.5AI score0.00477EPSS
Exploits2Affected Software1
Total number of security vulnerabilities14603