Lucene search
K
WpvulndbRecent

14602 matches found

WPVulnDB
WPVulnDB
added 2024/05/15 12:0 a.m.16 views

Serial Numbers for WooCommerce – License Manager <= 1.7.3 - Missing Authorization

Description The WC Serial Numbers – Ultimate License Manager for Selling, Licensing & Securely Delivering Digital Content with WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.7.3. This...

5.1AI score
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/15 12:0 a.m.11 views

Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor < 2.0.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 2.0.6.0 due to insufficient input sanitization and output escaping...

6.4CVSS5.8AI score0.00329EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/15 12:0 a.m.22 views

Stockholm Core < 2.4.2 - Authenticated (Contributor+) Local File Inclusion

Description The stockholm-core plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.4.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the...

8.8CVSS7.9AI score0.00514EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/15 12:0 a.m.10 views

WPCS ( WordPress Custom Search ) <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description The WPCS WordPress Custom Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

5.9CVSS5.9AI score0.00446EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/15 12:0 a.m.16 views

Timber < 1.23.1 - Authenticated (Admin+) PHP Object Injection

Description The Timber plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.23.0 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known PO...

8CVSS7AI score0.00454EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/15 12:0 a.m.9 views

WebinarPress <= 1.33.19 - Cross-Site Request Forgery

Description The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform an unknown action granted they can trick a site administrator into performing an action such as...

7.1CVSS7AI score0.00227EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/15 12:0 a.m.12 views

WP SMS < 6.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description The WP SMS – Messaging, SMS & MMS Notifications, 2FA & OTP for WordPress, WooCommerce, GravityForms, etc plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 6.5.1 due to insufficient input sanitization and output...

5.9CVSS5.7AI score0.00421EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/15 12:0 a.m.11 views

ShortPixel Adaptive Images < 3.8.4 - Authenticated (Admin+) Server-Side Request Forgery

Description The ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.8.3 via the isourcdn function. This makes it possible for unauthenticated attackers to make web requests to...

4.4CVSS6.4AI score0.00363EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/15 12:0 a.m.12 views

WP etracker <= 1.0.2 - Reflected Cross-Site Scripting

Description The WP etracker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...

7.1CVSS6.5AI score0.00436EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/15 12:0 a.m.17 views

Tutor LMS – eLearning and online course solution < 2.7.1 - Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Course Deletion

Description The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up to, and including, 2.7.0 via the 'tutorcoursedelete' function due to missing validation on a user controlled key. Thi...

6.5CVSS6.6AI score0.00418EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/15 12:0 a.m.21 views

Easy Digital Downloads < 3.2.12 - Unauthenticated Sensitive Information Exposure

Description The Easy Digital Downloads – Sell Digital Files & Subscriptions eCommerce Store + Payments Made Easy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.11. This makes it possible for unauthenticated attackers to extract...

7.5CVSS6.9AI score0.00635EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/15 12:0 a.m.15 views

Academy LMS < 1.9.26 - Unauthenticated Sensitive Information Exposure

Description The Academy LMS – eLearning and online course solution for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.9.25. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data...

5.3CVSS6.3AI score0.00591EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/15 12:0 a.m.13 views

Envo Extra < 1.8.17 - Authenticated (Contributor+) Cross-Site Scripting

Description The Envo Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 1.8.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...

6.4CVSS5.8AI score0.00342EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/15 12:0 a.m.14 views

WP Discourse < 2.5.2 - Missing Authorization

Description The WP Discourse plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorize...

4.3CVSS6.2AI score0.00372EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/15 12:0 a.m.14 views

Netgsm <= 2.9.16 - Missing Authorization

Description The Netgsm plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.9.16. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action...

6.3CVSS6.2AI score0.00251EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/15 12:0 a.m.18 views

Church Admin < 4.2.0 - Cross-Site Request Forgery

Description The Church Admin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.1.32. This is due to missing or incorrect nonce validation on several functions in the includes/functions.php file. This makes it possible for unauthenticated...

4.3CVSS6.6AI score0.00253EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/15 12:0 a.m.19 views

All-in-One Video Gallery < 3.7.0 - Authenticated (Contributor+) Local File Inclusion via aiovg_search_form Shortcode

Description The All-in-One Video Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.5 via the aiovgsearchform shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute...

8.8CVSS7.3AI score0.00618EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.11 views

Gutenberg Blocks by Kadence Blocks – Page Builder Features < 3.2.38 - Contributor+ Stored Cross-Site Scripting

Description The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'Testimonial', 'Progress Bar', 'Lottie Animations', 'Row Layout', 'Google Maps', and 'Advanced Gallery' blocks in all versions up to, and...

5.4CVSS5.5AI score0.00409EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.8 views

Visual Portfolio, Photo Gallery & Post Grid < 3.3.3 - Authenticated (Author+) Stored Cross-Site Scripting via title_tag Parameter

Description The Visual Portfolio, Photo Gallery & Post Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘titletag’ parameter in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...

6.4CVSS5.9AI score0.00396EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.14 views

Sydney Toolbox < 1.32 - Authenticated (Contributor+) Stored Cross-Site Scripting via aThemes: Portfolio Widget

Description The Sydney Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the "aThemes: Portfolio" widget in all versions up to, and including, 1.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS5.8AI score0.00279EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.10 views

WPZOOM Addons for Elementor (Templates, Widgets) < 1.1.37 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Box Widget

Description The WPZOOM Addons for Elementor Templates, Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widget Image Box in all versions up to, and including, 1.1.36 due to insufficient input sanitization and output escaping on user supplied attributes...

6.4CVSS5.9AI score0.0042EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.24 views

Jetpack < 13.4 - Contributor+ Stored Cross-Site Scripting via wpvideo Shortcode

Description The plugin did not properly escape some of its shortcode attributes, allowing users with at least the contributor role to conduct Stored XSS attacks. PoC wpvideo OcobLTqC freedom=true preloadContent='"src=x onerror=alertdocument.cookie xss'...

6.4CVSS5.5AI score0.00372EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.23 views

Insert or Embed Articulate Content into WordPress <= 4.3000000023 - Iframe Injection

Description The plugin lacks validation of URLs when adding iframes, allowing attackers to inject an iFrame in the page and thus load arbitrary content from any page. PoC 1 Create a new post 2 Add and e-Learning block and upload a zip file 3 Select the "Insert As: Iframe" option 4 Intercept the...

5.4CVSS6.6AI score0.00202EPSS
Exploits2References1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.12 views

Alt Text AI – Automatically generate image alt text for SEO and accessibility < 1.5.0 - Authenticated (Subscriber+) SQL Injection

Description The Alt Text AI – Automatically generate image alt text for SEO and accessibility plugin for WordPress is vulnerable to generic SQL Injection via the ‘lastpostid’ parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack...

8.8CVSS7.6AI score0.00612EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.37 views

Insert or Embed Articulate Content into WordPress <= 4.3000000023 - Author+ Upload to RCE

Description The plugin is not properly filtering which file extensions are allowed to be imported on the server, allowing the uploading of malicious code within zip files PoC Note: This must be tested on a web server running Apache 1 Create a new post 2 Add e-Learning block to the post and upload...

6.5AI score0.00936EPSS
Exploits3References1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.11 views

Exclusive Addons for Elementor < 2.6.9.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Team Member Widget

Description The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Team Member widget in all versions up to, and including, 2.6.9.6 due to insufficient input sanitization and output escaping on user supplied 'url' attribute. This makes it...

6.4CVSS5.9AI score0.00418EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.12 views

Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) < 3.5.4 - Authenticated (Contributor+) Stored Cross-site Scriping via 'Sina Particle Layer'

Description The Sina Extension for Elementor Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Sina Particle Layer widget in all versions up to, and including,...

6.4CVSS5.9AI score0.00356EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.15 views

Import and export users and customers < 1.26.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description The Import and export users and customers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.26.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

4.4CVSS5.9AI score0.00286EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.14 views

Gutenberg Blocks by Kadence Blocks – Page Builder Features < 3.2.38 - Contributor+ Stored Cross-Site Scripting via Typer Effect

Description The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the typer effect in the advanced heading widget in all versions up to, and including, 3.2.37 due to insufficient input sanitization and output...

6.4CVSS5.5AI score0.00265EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.10 views

WP eMember < 10.3.9 - Reflected XSS

Description The plugin does not sanitize and escape the "fieldId" parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. PoC https://www.example.com/wp-admin/admin-ajax.php?fieldId==checkname...

9.2AI score0.0044EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.19 views

Email Subscribers by Icegram Express < 5.7.20 - Missing Authorization in handle_ajax_request

Description The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on the handleajaxrequest function in all versions up to, and including, 5.7.19. This makes it possible f...

8.8CVSS7.3AI score0.00392EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.17 views

Image Optimization by Optimole < 3.13.0 - Author+ Stored Cross-Site Scripting via SVG Upload

Description The Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘allowmemetypes’ function in versions up to, and including, 3.12.10 due to insufficient input sanitization and output escaping. This makes...

6.4CVSS5.9AI score0.0042EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.12 views

Bulk Posts Editing For WordPress < 4.2.4 - Authenticated (Subscriber+) Missing Authorization

Description The Bulk Posts Editing For WordPress plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on the plugin's AJAX actions in all versions up to, and including, 4.2.3. This makes it possible for authenticated attackers, with subscrib...

4.3CVSS6.6AI score0.00296EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.15 views

Import and export users and customers < 1.26.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description The Import and export users and customers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user agent header in all versions up to, and including, 1.26.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

4.4CVSS5.9AI score0.00255EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.10 views

Borderless - Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg < 1.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

Description The Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping on user...

6.4CVSS5.9AI score0.0041EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.11 views

FS Product Inquiry <= 1.1.1 - Reflected XSS

Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or unauthenticated users PoC Have any user admin or unauthenticated open an HTML page...

8.6AI score0.00478EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.8 views

FS Product Inquiry <= 1.1.1 - Unauthenticated Stored XSS

Description The plugin does not sanitise and escape some form submissions, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks PoC 1. Add an inquiry form using the shortcode fspi-show-products-list 2. As a non-logged in visitor, enter the payload "...

8.1AI score0.00408EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.16 views

Gutenberg Blocks by Kadence Blocks < 3.2.37 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its block attributes before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC Add a Lottie Animation block to a po...

5.2AI score0.00367EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.20 views

The Events Calendar < 6.4.0.1 - Reflected XSS

Description The plugin does not properly sanitize user-submitted content when rendering some views via AJAX. PoC...

6.6AI score0.01834EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.12 views

BuddyBoss Platform < 2.6.0 - Insecure Direct Object Reference on Like Comment

Description The plugin contains an IDOR vulnerability that allows a user to like a private post by manipulating the ID included in the request PoC POST /wp-admin/admin-ajax.php HTTP/2 Host: buddyboss.example.com Cookie: REDACTED User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:120.0...

6.4AI score0.0043EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.11 views

Password Protected < 2.6.7 - Missing Authorization to Sensitive Information Exposure

Description The Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.6 via the API. This makes it possible for authenticated attackers, with subscrib...

4.3CVSS6.9AI score0.00354EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.24 views

Simple Ajax Chat < 20240412 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup This was partially fixed in 0240216 bu...

7.7AI score0.00333EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.10 views

Essential Addons for Elementor < 5.9.21 - Contributor+ Stored Cross-Site Scripting

Description The plugin is vulnerable to Stored Cross-Site Scripting via the ‘eaelexttoctitletag’ parameter in versions up to, and including, 5.9.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions an...

6.4CVSS5.7AI score0.00441EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/14 12:0 a.m.16 views

Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) < 3.5.4 - Authenticated (Contributor+) DOM-Based Cross-Site Scripting

Description The Sina Extension for Elementor Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via several parameters in versions up to, and including, 3.5.3 due to insufficien...

6.4CVSS6.1AI score0.00391EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/13 12:0 a.m.10 views

Simple Basic Contact Form < 20240511 - Unauthenticated Arbitrary Shortcode Execution

Description The Simple Basic Contact Form plugin for WordPress for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 20240502. This allows unauthenticated attackers to execute arbitrary shortcodes. The severity and exploitability depends on the...

6.5CVSS7.7AI score0.00662EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/13 12:0 a.m.13 views

WP Compress – Image Optimizer [All-In-One] < 6.20.02 - Missing Authorization

Description The WP Compress – Image Optimizer All-In-One plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the several functions in versions up to, and including, 6.20.01. This makes it possible for authenticated attackers, with...

6.5CVSS6.3AI score0.00343EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/13 12:0 a.m.8 views

140+ Widgets | Best Addons For Elementor – FREE < 1.4.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

Description The 140+ Widgets | Best Addons For Elementor – FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes...

6.4CVSS5.8AI score0.00431EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/13 12:0 a.m.15 views

WP Compress – Image Optimizer [All-In-One] < 6.20.02 - Open Redirect via css

Description The WP Compress – Image Optimizer All-In-One plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 6.20.01. This is due to insufficient validation on the redirect url supplied via the 'css' parameter. This makes it possible for unauthenticated...

4.3CVSS6.7AI score0.00437EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/13 12:0 a.m.19 views

YITH WooCommerce Gift Cards < 4.13.0 - Missing Authorization to Unauthenticated WooCommerce Settings Update

Description The YITH WooCommerce Gift Cards plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'savemailstatus' and 'saveemailsettings' functions in all versions up to, and including, 4.12.0. This makes it possible for unauthenticated...

5.3CVSS6.7AI score0.00504EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/10 12:0 a.m.11 views

Graphina – Elementor Charts and Graphs < 1.8.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

Description The Graphina – Elementor Charts and Graphs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.8.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

6.4CVSS5.5AI score0.00598EPSS
Exploits0References1Affected Software1
Total number of security vulnerabilities14602