Lucene search
K
WpvulndbRecent

14602 matches found

WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.9 views

Joli FAQ SEO – WordPress FAQ Plugin < 1.3.3 - Cross-Site Request Forgery

Description The Joli FAQ SEO – WordPress FAQ Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.2. This is due to missing or incorrect nonce validation when saving settings. This makes it possible for unauthenticated attackers to chan...

4.3CVSS6.6AI score0.00215EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.20 views

Print-O-Matic <= 2.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Print-O-Matic plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inje...

6.5CVSS5.9AI score0.00314EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.18 views

PB MailCrypt <= 3.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The PB MailCrypt plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...

6.5CVSS5.9AI score0.00305EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.13 views

SEOPress < 7.7 - Information Exposure

Description The SEOPress – On-site SEO plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.6.1. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data...

5.3CVSS6.7AI score0.0051EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.20 views

Rank Math SEO with AI Best SEO Tools < 1.0.218 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Rank Math SEO with AI Best SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘textAlign’ parameter in versions up to, and including, 1.0.217 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS5.5AI score0.00429EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.15 views

Directorist < 7.9.0 - Missing Authorization

Description The Directorist – WordPress Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 7.8.6. This makes it possible for unauthenticated attacker...

5.3CVSS6.9AI score0.00363EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.14 views

Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode) < 3.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via pagingType Parameter

Description The Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More Gutenberg Blocks and Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pagingType’ parameter in all versions up to, and including, 3.7.1 due to insufficient input sanitizati...

6.4CVSS5.9AI score0.00353EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.16 views

Download Alt Text AI < 1.3.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description The Alt Text AI – Automatically generate image alt text for SEO and accessibility plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it...

5.9CVSS5.7AI score0.00362EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.17 views

Popup box < 4.1.3 - Cross-Site Request Forgery

Description The Popup box plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.1.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged...

7.1CVSS6.4AI score0.00184EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.13 views

DecaLog < 3.9.1 - Authenticated (Admin+) SQL injection

Description The DecaLog plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 3.9.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, wit...

7.6CVSS7.3AI score0.00612EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.18 views

Min and Max Purchase for WooCommerce <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Min and Max Purchase for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.5CVSS5.9AI score0.00334EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.18 views

Blocksy < 2.0.43 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tagName’ parameter in versions up to, and including, 2.0.42 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...

6.4CVSS5.6AI score0.0034EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.19 views

Robo Gallery < 3.2.19 - Unauthenticated Information Exposure

Description The Photo Gallery, Images, Slider in Rbs Image Gallery plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.18. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data...

5.3CVSS6.7AI score0.0047EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.22 views

Video Gallery – Api Gallery, YouTube and Vimeo, Link Gallery < 1.5.4 - Missing Authorization

Description The Video Gallery – Api Gallery, YouTube and Vimeo, Link Gallery plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the ajaxvideogallery function in versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, wi...

4.3CVSS6.5AI score0.00394EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.14 views

Sunshine Photo Cart: Free Client Photo Galleries for Photographers < 3.1.2 - Unauthenticated PHP Object Injection

Description The Sunshine Photo Cart: Free Client Photo Galleries for Photographers plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1.1 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP...

9.8CVSS7.4AI score0.00465EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.14 views

Simple Image Popup <= 2.4.0 - Authenticated (Admin+) Stored Cross-Site Scripting

Description The Simple Image Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

5.9CVSS5.9AI score0.00382EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.16 views

Shipment Tracking, Tracking, and Order Tracking for WooCommerce – ParcelPanel (Free to install) < 3.9.0 - Authenticated (Subscriber+) SQL Injection

Description The Shipment Tracking, Tracking, and Order Tracking for WooCommerce – ParcelPanel Free to install plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 3.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient...

8.5CVSS7.3AI score0.00521EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.19 views

The Plus Addons for Elementor < 5.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's element attributes in all versions up to, and including, 5.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS5.9AI score0.00544EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.21 views

Perfect Pullquotes <= 1.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Perfect Pullquotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...

6.5CVSS5.9AI score0.00411EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.12 views

Hercules Core < 6.5 - Authenticated (Subscriber+) PHP Object Injection

Description The Hercules Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4 via deserialization of untrusted input. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known P...

9.9CVSS7.2AI score0.00698EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.14 views

Beaver Builder – WordPress Page Builder < 2.8.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the linktarget parameter in all versions up to, and including, 2.8.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS5.9AI score0.00419EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.30 views

WP Migrate Pro < 2.6.11 - Unauthenticated PHP Object Injection

Description The WP Migrate Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.10 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerab...

10CVSS7.4AI score0.00683EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.20 views

Login Logout Register Menu <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Login Logout Register Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and abov...

6.5CVSS5.9AI score0.00314EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.16 views

Freesia Empire < 1.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Freesia Empire theme for WordPress is vulnerable to Stored Cross-Site Scripting via post author display names in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...

6.5CVSS5.6AI score0.00403EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.13 views

Easy Google Maps < 1.11.12 - Cross-Site Request Forgery

Description The Easy Google Maps plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.11.11. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to perform unauthorized...

8.8CVSS6.4AI score0.00227EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.18 views

BuddyPress < 12.4.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Description The BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘username’ parameter in versions up to, and including, 12.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level...

6.4CVSS5.5AI score0.00439EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.23 views

WTI Like Post <= 1.4.6 - IP Spoofing

Description The WTI Like Post plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 1.4.6 due to insufficient IP address validation and/or use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated...

5.3CVSS6.6AI score0.00414EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.12 views

Favicon Rotator < 1.2.11 - Reflected Cross-Site Scripting

Description The Favicon Rotator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.2.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pag...

7.1CVSS6.3AI score0.00375EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/07 12:0 a.m.12 views

Photos and Files Contest Gallery < 21.3.5 - Authenticated (Contributor+) SQL Injection

Description The Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Competition Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 21.3.4 due to insufficient escaping on the user supplied parameter and...

9.9CVSS7.1AI score0.00631EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/06 12:0 a.m.16 views

KKProgressbar2 Free <= 1.1.4.2 - Progress Bar Deletion via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks PoC Make a logged in admin open an HTML file containing where is a valid ID:...

6.3AI score0.00324EPSS
Exploits3
WPVulnDB
WPVulnDB
added 2024/05/06 12:0 a.m.11 views

Image Hover Effects - Elementor Addon < 1.4.2 - Authenticated(Contributor+) DOM-based Stored Cross-Site Scripting via Image Hover Effects Widget

Description The Image Hover Effects – Elementor Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Hover Effects Widget in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping on user supplied attributes...

6.4CVSS5.7AI score0.00328EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/06 12:0 a.m.13 views

Mihdan: Yandex Turbo Feed < 1.6.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The Mihdan: Yandex Turbo Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.6.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS5.9AI score0.00353EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/06 12:0 a.m.16 views

Ditty < 3.1.36 - Author+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to...

5.4AI score0.00399EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/06 12:0 a.m.11 views

KKProgressbar2 Free <= 1.1.4.2 - Stored XSS via CSRF

Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack PoC Make a logged in admin open an HTML file containing: XSS will trigger on the...

5.5AI score0.002EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/05/06 12:0 a.m.14 views

hostel < 1.1.5.4 - Cross-Site Request Forgery

Description The Hostel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5.3. This is due to missing or incorrect nonce validation when managing rooms. This makes it possible for unauthenticated attackers to create and delete rooms via a...

4.3CVSS6.7AI score0.00215EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/06 12:0 a.m.25 views

Startklar Elementor Addons < 1.7.14 - Unauthenticated Arbitrary File Upload

Description The Startklar Elementor Addons plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'process' function in the 'startklarDropZoneUploadProcess' class in versions up to, and including, 1.7.13. This makes it possible for...

9.8CVSS8.3AI score0.01444EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/06 12:0 a.m.13 views

KKProgressbar2 Free <= 1.1.4.2 - Admin+ SQL Injection

Description The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing admin users to perform SQL injection attacks PoC 1. Send a POST request to /wp-admin/admin.php?page=kkpb-add-project with the BODY action=edit-project=sleep5 2. Observe the delay in...

7.2AI score0.00547EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/05/06 12:0 a.m.43 views

Contact Form by WPForms – Drag & Drop Form Builder for WordPress < 1.8.8.2 - Unauthenticated Price Manipulation

Description The Contact Form by WPForms – Drag & Drop Form Builder for WordPress is vulnerable to price manipulation. This is due to a lack of controls on several product parameters, making it possible for unauthenticated attackers to manipulate prices, product information, and quantities for...

5.3CVSS7AI score0.00679EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/06 12:0 a.m.8 views

Startklar Elementor Addons < 1.7.14 - Unauthenticated Arbitrary File Deletion

Description The Startklar Elementor Addons plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.7.13. This is due to the plugin not properly validating the path of an uploaded file prior to deleting it. This makes it possible for unauthenticated...

9.1CVSS8.1AI score0.01522EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/06 12:0 a.m.11 views

Business Card <= 1.0.0 - Category Edit via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as editing card categories via CSRF attacks PoC Make a logged in admin open an HTML document containing:...

6.3AI score0.00209EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/05/06 12:0 a.m.16 views

Business Card <= 1.0.0 - Card Edit via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as editing cards via CSRF attacks PoC Make a logged in admin open an HTML document containing where is a valid ID:...

6.3AI score0.0025EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/05/06 12:0 a.m.19 views

ClickCease Click Fraud Protection < 3.2.5 - Improper Authorization to sensitive information exposure via get_settings

Description The ClickCease Click Fraud Protection plugin for WordPress is vulnerable to unauthorized access of data due to an improper capability check on the getsettings function in all versions up to, and including, 3.2.4. This makes it possible for authenticated attackers, with author access a...

4.3CVSS6.5AI score0.00367EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/06 12:0 a.m.21 views

Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library ) < 1.1.38 - Authenticated (Contributor+) Stored Cross-Site Scripting via Text Effect Widget

Description The Magical Addons For Elementor Header Footer Builder, Free Elementor Widgets, Elementor Templates Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's text effect widget in all versions up to, and including, 1.1.37 due to insufficient input...

6.4CVSS5.9AI score0.00272EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/06 12:0 a.m.21 views

Business Card <= 1.0.0 - Arbitrary Card Deletion via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as deleting cards via CSRF attacks PoC Make a logged in admin open an HTML document containing where is a valid ID:...

6.3AI score0.00276EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/05/06 12:0 a.m.12 views

Business Card <= 1.0.0 - Category Deletion via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as deleting card categories via CSRF attacks PoC Make a logged in admin open an HTML document containing:...

6.3AI score0.00185EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/05/03 12:0 a.m.21 views

YITH WooCommerce Compare < 2.38.0 - Cross-Site Request Forgery

Description The YITH WooCommerce Compare is vulnerable to Cross-Site Request Forgery. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to add/remove things from a product compare via a forged request granted they can...

4.3CVSS6.9AI score0.00204EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/03 12:0 a.m.21 views

Leaky Paywall < 4.20.9 - Missing Authorization to Price Manipulation

Description The Leaky Paywall plugin for WordPress is vulnerable to price manipulation in all versions up to, and including, 4.20.8. This is due to the plugin allowing the price field to be user supplied. This makes it possible for unauthenticated attackers to alter the price of memberships...

7.5CVSS7.1AI score0.00466EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/03 12:0 a.m.13 views

Appointment Hour Booking < 1.4.57 - Captcha Bypass

Description The Appointment Hour Booking plugin for WordPress is vulnerable to CAPTCHA Bypass in versions up to, and including, 1.4.56. This makes it possible for unauthenticated attackers to bypass the Captcha Verification...

5.3CVSS7.1AI score0.00351EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/03 12:0 a.m.18 views

WP Travel Engine < 5.8.1 - Unauthenticated Price Manipulation

Description The WP Travel Engine – Best Travel Booking WordPress Plugin plugin for WordPress is vulnerable to price manipulation in all versions up to, and including, 5.8.0. This is due to the plugin not properly validating a price. This makes it possible for unauthenticated attackers to manipula...

7.5CVSS7AI score0.0034EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/03 12:0 a.m.16 views

WP Shortcodes Plugin — Shortcodes Ultimate < 7.1.3 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...

6.4CVSS6AI score0.00572EPSS
Exploits0References1Affected Software1
Total number of security vulnerabilities14602