Lucene search
K
WpvulndbRecent

14602 matches found

WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.20 views

Contact Form Widget < 1.4.0 - Sensitive Information Exposure

Description The Contact Form Widget – Contact Query, Contact Page, Form Maker, Query Table plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.9. This makes it possible for unauthenticated attackers to extract sensitive user or...

5.3CVSS6.9AI score0.00344EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.11 views

Integration for Contact Form 7 and Salesforce <= <=1.3.9 - Cross-Site Request Forgery

Description The Integration for Contact Form 7 and Salesforce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, =1.3.9. This is due to missing or incorrect nonce validation on the settingspage function. This makes it possible for unauthenticated...

4.3CVSS6.4AI score0.0018EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.14 views

Popup More Popups < 2.3.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description The Popup – Popup More Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

5.9CVSS5.7AI score0.00248EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.20 views

Copymatic – AI Content Writer & Generator < 1.7 - Unauthenticated Arbitrary File Upload

Description The Copymatic – AI Content Writer & Generator plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code...

10CVSS8AI score0.01622EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.19 views

ChaosTheory < 1.3.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Description The ChaosTheory theme for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject...

6.5CVSS5.6AI score0.00253EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.17 views

Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg < 1.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget attributes in versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping. This makes it...

6.5CVSS5.8AI score0.00257EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.14 views

Master Slider – Responsive Touch Slider < 3.9.10 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'msslideinfo' shortcode in all versions up to, and including, 3.9.9 due to insufficient input sanitization and output escaping on user supplied 'tagname'...

6.4CVSS5.8AI score0.00322EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.16 views

Move Addons for Elementor < 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

Description The Move Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS5.8AI score0.0035EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.16 views

DethemeKit For Elementor < 2.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The DethemeKit For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and abov...

6.5CVSS5.9AI score0.0026EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.16 views

WP Fundraising Donation and Crowdfunding Platform < 1.7.0 - Missing Authorization

Description The WP Fundraising Donation and Crowdfunding Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions surrounding donation modification in versions up to, and including, 1.6.4. This makes it possible for...

5.3CVSS6.6AI score0.00401EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.11 views

Elegant Blocks <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Elegant Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...

6.5CVSS5.5AI score0.00248EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.16 views

YouTube Video Gallery by YouTube Showcase – Video Gallery Plugin for WordPress < 3.4.0 - Missing Authorization to Arbitrary Post/Page Creation

Description The YouTube Video Gallery by YouTube Showcase – Video Gallery Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the emdformbuilderlitesubmitform function in all versions up to, and including, 3.3.6. This...

5.3CVSS5.2AI score0.00326EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.15 views

Popup Builder < 1.1.30 - Authenticated (Author+) Stored Cross-Site Scripting

Description The Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.1.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to injec...

5.9CVSS5.9AI score0.00259EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.16 views

Radio Player < 2.0.74 - Missing Authorization

Description The Radio Player plugin for WordPress is vulnerable to unauthorized access to functionality due to a missing capability check on the renderplayer function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to render arbitrary radio players...

5.3CVSS6.8AI score0.00339EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.24 views

Fastly < 1.2.26 - Missing Authorization via AJAX actions

Description The Fastly plugin for WordPress is vulnerable to unauthorized access to functionality due to a missing capability check on the plugin's AJAX actions in versions up to, and including, 1.2.25. This makes it possible for authenticated attackers, with subscriber-level access and above, to...

5.3CVSS6.1AI score0.00364EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.15 views

WP Table Builder – WordPress Table Plugin < 1.4.15 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The WP Table Builder – WordPress Table Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button element in all versions up to, and including, 1.4.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS5.7AI score0.00329EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.13 views

Magazine Blocks < 1.3.7 - Authenticated (Author+) Stored Cross-Site Scripting

Description The Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title markup parameter in all versions up to, and including, 1.3.6 due to insufficient...

5.9CVSS6AI score0.0026EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.15 views

Tagembed <= 5.8 - Missing Authorization

Description The Tagembed plugin for WordPress is vulnerable to unauthorized access of functionality in versions up to, and including, 5.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to invoke such functionality. The security impact is low...

5.4CVSS5.7AI score0.00386EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.13 views

Landing Page Builder < 1.5.1.9 - Reflected Cross-Site Scripting via pageType

Description The Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the pageType parameter in all versions up to, and including, 1.5.1.8 due to insufficient input sanitization and...

7.1CVSS6.3AI score0.00301EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.13 views

iframe < 5.1 - Contributor+ Stored XSS

Description The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user...

6.5CVSS5.8AI score0.0026EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.17 views

Integration for Contact Form 7 HubSpot <=1.3.1 - Cross-Site Request Forgery

Description The Integration for Contact Form 7 HubSpot plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the settingspage function. This makes it possible for unauthenticated attackers ...

4.3CVSS6.4AI score0.00191EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.15 views

Picture Gallery < 1.5.12 - Authenticated (Author+) Stored Cross-Site Scripting

Description The Picture Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.5.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject...

6.5CVSS5.7AI score0.00254EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.21 views

Popup Maker WP <= 1.2.8 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Description The Popup Maker WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to injec...

6.5CVSS5.9AI score0.00256EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.13 views

ImageMagick Sharpen Resized Images <= 1.1.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description The ImageMagick Sharpen Resized Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

5.9CVSS5.4AI score0.00259EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.19 views

Order Export & Order Import for WooCommerce < 2.5.0 - Authenticated (Administrator+) PHP Object Injection

Description The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.4.9 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Administrator-level access and above,...

4.4CVSS7.4AI score0.00244EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.10 views

Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks < 2.2.81 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 2.2.80 due to insufficient input sanitization and output...

6.4CVSS5.8AI score0.00274EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.19 views

Uber Menu < 3.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes

Description The UberMenu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ubermenu-col, ubermenumobileclosebutton, ubermenutoggle, ubermenu-search shortcodes in all versions up to, and including, 3.8.2 due to insufficient input sanitization and output escaping on...

6.4CVSS5.8AI score0.00267EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.10 views

Salon booking system < 10.0 - Unauthenticated Arbitrary File Deletion

Description The Salon booking system plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 9.8. This is due to the plugin not properly validating the path of an uploaded file prior to deleting it. This makes it possible for unauthenticated attackers t...

9.1CVSS9.6AI score0.01236EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/20 12:0 a.m.15 views

Builder for WooCommerce reviews shortcodes – ReviewShort < 1.01.6 - Missing Authorization

Description The Builder for WooCommerce reviews shortcodes – ReviewShort plugin for WordPress is vulnerable to unauthorized access of functionality in versions up to, and including, 1.01.5. This makes it possible for unauthenticated attackers to make use of this functionality intended for higher...

5.3CVSS6.7AI score0.00367EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/19 12:0 a.m.20 views

Clearfy Cache <= 2.2.1 - Cross-Site Request Forgery

Description The Clearfy Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.2.1. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to perform unauthorized actions via a forged request...

4.3CVSS6.4AI score0.00188EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/19 12:0 a.m.17 views

Fast Custom Social Share by CodeBard <= 1.1.2 - Cross-Site Request Forgery

Description The Fast Custom Social Share by CodeBard plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to perform unauthorized actions...

4.3CVSS6.4AI score0.00175EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/19 12:0 a.m.12 views

Extend Themes <= (Multiple Versions) - Cross-Site Request Forgery

Description Several Extend Themes themes for WordPress are vulnerable to Cross-Site Request Forgery in multiple versions. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to perform unauthorized actions via a forged request granted they ca...

6.4AI score0.00117EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/19 12:0 a.m.15 views

EmpowerWP < 1.0.22 - Cross-Site Request Forgery to Notice Dismissal

Description The EmpowerWP theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.21. This is due to missing or incorrect nonce validation on the empoweradminajaxwelcomenoticedismiss function. This makes it possible for unauthenticated attackers to...

4.3CVSS6.3AI score0.0018EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/17 12:0 a.m.17 views

Rank Math SEO with AI Best SEO Tools < 1.0.219-beta - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Rank Math SEO with AI Best SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in versions up to, and including, 1.0.218 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

6.4CVSS5.8AI score0.00371EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/17 12:0 a.m.12 views

Logo Slider < 4.0.0 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its Slider Settings before outputting them back in attributes, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC 1. Using a contributor account, add a Logo Slider using the...

8.2AI score0.00295EPSS
Exploits1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/17 12:0 a.m.14 views

Elementor Header & Footer Builder < 1.6.29 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hfesvgmimetypes’ function in versions up to, and including, 1.6.28 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS5.8AI score0.00357EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/17 12:0 a.m.24 views

WP Job Manager < 2.3.0 - Unauthenticated Information Exposure

Description The WP Job Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.2. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data...

5.3CVSS6.3AI score0.00584EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/17 12:0 a.m.12 views

One Click Demo Import < 3.2.1 - Authenticated (Admin+) PHP Object Injection

Description The One Click Demo Import plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.0 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Objec...

7.2CVSS6.8AI score0.00499EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/17 12:0 a.m.19 views

ArForms < 6.6 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Add or edit an existing form an...

7.8AI score0.00351EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/17 12:0 a.m.15 views

Salient Shortcodes < 1.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The Salient Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'icon' shortcode in all versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS5.7AI score0.00267EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/17 12:0 a.m.10 views

WP Backpack <= 2.1 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to...

4.9AI score0.00333EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/05/17 12:0 a.m.11 views

Elementor Header & Footer Builder < 1.6.27 - Authenticated (Author+) HTML Injection

Description The Elementor Header & Footer Builder for WordPress is vulnerable to HTML Injection in all versions up to, and including, 1.6.26 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level permissions and above, to...

5.4CVSS7AI score0.00377EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/17 12:0 a.m.45 views

Unyson < 2.7.31 - Cross-Site Request Forgery

Description The Unyson plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.30. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform an unknown action...

5.4CVSS6.1AI score0.00249EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/17 12:0 a.m.16 views

Happy Addons for Elementor Authenticated (Contributor+) Stored-XSS < 3.10.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Event Calendar Widget

Description The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Event Calendar widget in all versions up to, and including, 3.10.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4CVSS5.8AI score0.00324EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/17 12:0 a.m.18 views

Happy Addons for Elementor < 3.10.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Stack Group Widget

Description The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Stack Group widget in all versions up to, and including, 3.10.7 due to insufficient input sanitization and output escaping on user supplied 'tooltipposition' attribute. This...

6.4CVSS5.8AI score0.00329EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/17 12:0 a.m.49 views

Yoast SEO < 22.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Yoast SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘displayname’ author meta in all versions up to, and including, 22.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS5.8AI score0.0063EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/17 12:0 a.m.11 views

Dynamics 365 Integration < 1.3.18 - Unauthenticated Sensitive Information Exposure

Description The Dynamics 365 Integration plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.17 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained i...

5.3CVSS6AI score0.00584EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/17 12:0 a.m.19 views

Testimonial Carousel For Elementor < 10.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'showlinetext ' and 'slidebuttonhoveranimation' parameters in versions up to, and including, 10.1.1 due to insufficient input sanitization and output escaping. This makes i...

6.5CVSS5.9AI score0.00413EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/17 12:0 a.m.15 views

ArForms < 6.6 - Unauthenticated RCE

Description The plugin allows unauthenticated users to modify uploaded files in such a way that PHP code can be uploaded when an upload file input is included on a form PoC 1. Create a form with an upload input 2. As an unauthenticated user, upload an image file and intercept the request. 3...

9.5AI score0.03345EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/17 12:0 a.m.10 views

WP Stacker <= 1.8.5 - Stored XSS via CSRF

Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack PoC Make an admin open an HTML document containing:...

5.4AI score0.00199EPSS
Exploits2
Total number of security vulnerabilities14602