14602 matches found
Salient Shortcodes < 1.5.4 - Authenticated (Contributor+) Local File Inclusion via Shortcode
Description The Salient Shortcodes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.5.3 via the 'icon' shortcode 'image' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and...
Piotnet Addons For Elementor < 2.4.28 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Description The Piotnet Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 2.4.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
DethemeKit For Elementor < 2.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Description The DethemeKit For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 2.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
Royal Elementor Addons and Templates < 1.3.975 - Authenticated (Contributor+) Stored Cross-Site Scripting via Form Builder Widget
Description The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Form Builder widget in all versions up to, and including, 1.3.974 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
Salient Core < 2.0.8 - Authenticated (Contributor+) Local File Inclusion via Shortcode
Description The Salient Core plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.7 via the 'nectaricon' shortcode 'iconlinea' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include an...
WordPress Automatic < 3.95.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via autoplay Parameter
Description The WordPress Automatic Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘autoplay’ parameter in all versions up to, and including, 3.94.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wi...
Ghost < 1.5.0 - Unauthenticated Sensitive Information Exposure
Description The Ghost plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.0 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log...
Counter Up – Animated Number Counter & Milestone Showcase < 2.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Counter Up – Animated Number Counter & Milestone Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible fo...
raindrops < 1.700 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The raindrops theme for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.600 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level...
Barcode Scanner with Inventory & Order Manager < 1.5.5 - Unauthenticated Information Exposure
Description The Barcode Scanner and Inventory manager. POS Point of Sale – scan barcodes & create orders with barcode reader. plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.5.4 via exported files. This makes it possible for...
SKT Addons for Elementor < 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Page Title
Description The SKT Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Widget Page Title in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
Sticky Social Link <= 1.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting
Description The Sticky Social Link plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
Master Addons for Elementor < 2.0.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the titlehtmltag attribute in all versions up to, and including, 2.0.6.0 due to insufficient input sanitization and outpu...
Penci Soledad Data Migrator < 1.3.1 - Unauthenticated Local File Inclusion
Description The Penci Soledad Data Migrator plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.0 via the 'data' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the...
Debug Info <= 1.3.10 - Authenticated (Admin+) Stored Cross-Site Scripting
Description The Debug Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...
Easy Affiliate Links < 3.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Easy Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, t...
AWSOM News Announcement <= 1.6.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description The AWSOM News Announcement plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
TT Custom Post Type Creator <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description The TT Custom Post Type Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
Brozzme Scroll Top <= 1.8.5 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description The Brozzme Scroll Top plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
Himalayas < 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Himalayas theme for WordPress is vulnerable to Stored Cross-Site Scripting via author display names in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...
Gold Addons for Elementor < 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Gold Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...
BlogLentor <= <=1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The BlogLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...
Forty Four – 404 Plugin for WordPress <= 1.4 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description The Forty Four – 404 Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
Pk Favicon Manager <=2.1 - Authenticated (Admin+) Arbitrary File Upload
Description The Pk Favicon Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files o...
Aiomatic < 1.9.4 - Missing Authorization
Description The Aiomatic plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.9.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action...
weDocs < 2.1.5 - Missing Authorization
Description The weDocs plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the updatehelpfullness REST API endpoint in versions up to, and including, 2.1.4. This makes it possible for unauthenticated attackers to update settings...
3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin < 3.72 - Authenticated (Author+) Stored Cross-Site Scripting
Description The 3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.71 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...
Viet Affiliate Link <=1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description The Viet Affiliate Link plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-lev...
Content Blocks (Custom Post Widget) < 3.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Content Blocks Custom Post Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...
WP Favorite Posts <= 1.6.8 - Cross-Site Request Forgery
Description The WP Favorite Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.8. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action vi...
Shared Files < 1.7.20 - Missing Authorization
Description The Shared Files – Advanced File Sharing & Download Manager with Frontend Uploads & Lead Generation plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.7.19. This makes it possible for...
AI Engine: ChatGPT Chatbot < 2.2.70 - Authenticated (Editor+) Arbitrary File Upload
Description The AI Engine plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.2.63. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affecte...
Configure Login Timeout <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description The Configure Login Timeout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
DS Site Message <= 1.14.4 - Cross-Site Request Forgery
Description The DS Site Message plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.14.4. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via...
WP Photo Album Plus < 8.7.01.002 - Unauthenticated Arbitrary File Upload
Description The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation on the import functionality and no capability check in all versions up to, and including, 8.7.01.001. This makes it possible for unauthenticated attackers to upload...
All-in-One Addons for Elementor – WidgetKit < 2.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The All-in-One Addons for Elementor – WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...
WOLF – WordPress Posts Bulk Editor and Manager Professional < 1.0.8.3 - Authenticated (Admin+) Stored Cross-Site Scripting
Description The WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.8.2 due to insufficient input sanitization and output escaping. This makes it possible for...
SKT Addons for Elementor < 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Block
Description The SKT Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown Block in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
Easy Digital Downloads < 3.2.12 - Cross-Site Request Forgery
Description The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.11. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform an...
Pootle Pagebuilder – WordPress Page builder <= 5.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Pootle Pagebuilder – WordPress Page builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...
gee Search Plus, improved WordPress search <= 1.4.4 - Authenticated (Admin+) Stored Cross-Site Scripting
Description The gee Search Plus, improved WordPress search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attacker...
canvasio3D Light <= 2.5.0 - Authenticated (Subscriber+) Arbitrary File Upload
Description The canvasio3D Light plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on t...
Better Elementor Addons < 1.4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Better Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above...
ShortPixel Adaptive Images < 3.8.4 - Cross-Site Request Forgery
Description The ShortPixel Adaptive Images plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.3. This is due to missing or incorrect nonce validation on the import-settings page. This makes it possible for unauthenticated attackers to import...
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging < 4.23.9 - Reflected Cross-Site Scripting
Description The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'noticeid' parameter in all versions up to, and including, 4.23.8 due to insufficient input sanitization and output escaping. This...
Cost Calculator Builder Pro < 3.1.73 - Authenticated (Subscriber+) Server-Side Request Forgery
Description Cost Calculator Builder Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to 3.1.72, via the senddemowebhook function. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary...
ReviewX – Multi-criteria Rating & Reviews for WooCommerce < 1.6.28 - Missing Authorization
Description The ReviewX – Multi-criteria Rating & Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the reviewxremoveguestimage function in all versions up to, and including, 1.6.27. This makes it possible for...
ShiftController Employee Shift Scheduling < 4.9.58 - Authenticated (Contributor+) PHP Object Injection
Description The ShiftController Employee Shift Scheduling plugin is vulnerable to PHP Object Injection via deserialization of untrusted input via the hc3session-cookie in versions up to, and including, 4.9.57. This makes it possible for an authenticated attacker with contributor access-level or...
Featured Content Gallery <= 3.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description The Featured Content Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
Form Maker by 10Web < 1.15.25 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.15.24 due to insufficient input sanitization and output escaping. This makes it...