Lucene search
K
WpvulndbRecent

14603 matches found

WPVulnDB
WPVulnDB
added 2024/05/01 12:0 a.m.19 views

Custom field finder < 0.4 - Authenticated (Author+) PHP Object Injection

Description The Custom field finder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.3 via deserialization of untrusted input. This makes it possible for authenticated attackers, with author-level access and above, to inject a PHP Object. No known...

5.4CVSS7.4AI score0.00313EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/01 12:0 a.m.12 views

WP Recipe Maker < 9.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via wprm-recipe-roundup-item Shortcode

Description The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wprm-recipe-roundup-item shortcode in all versions up to, and including, 9.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4CVSS5.8AI score0.0032EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/01 12:0 a.m.16 views

Advanced Post List <= 0.5.6.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Description The Advanced Post List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.5.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

5.9CVSS5.9AI score0.00362EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/01 12:0 a.m.18 views

3D FlipBook < 1.15.5 - Authenticated (Author+) Stored Cross-Site Scritping via Bookmark URL

Description The 3D FlipBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Bookmark URL field in all versions up to, and including, 1.15.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level...

6.4CVSS5.8AI score0.0032EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/05/01 12:0 a.m.22 views

XStore Core <= 5.3.5 - Reflected Cross-Site Scripting

Description The XStore Core plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 5.3.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...

7.1CVSS6.5AI score0.00421EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/01 12:0 a.m.18 views

Piotnet Addons For Elementor Pro <= 7.1.17 - Reflected Cross-Site Scripting

Description The Piotnet Addons For Elementor Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 7.1.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

7.1CVSS6.5AI score0.00356EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/01 12:0 a.m.13 views

Sticky Anything <= 2.1.5 - Missing Authorization

Description The Sticky Anything plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to perform an unauthorized action that can lead to Stored...

7.1CVSS6.6AI score0.00185EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/05/01 12:0 a.m.14 views

IDonate <= 1.9.0 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Navigate to...

4.9AI score0.00518EPSS
Exploits2References1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.9 views

Embed Google Photos album < 2.2.1 - Authenticated (Contributor+) Server-Side Request Forgery

Description The Embed Google Photos album plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.0 via the Pavexembedgooglephotosalbum class. This makes it possible for authenticated attackers, with contributor-level access and above, to make w...

4.9CVSS6.7AI score0.00295EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.14 views

ARforms < 6.4.1 - Reflected Cross-Site Scripting

Description The ARforms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 6.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...

7.1CVSS6.5AI score0.00357EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.10 views

WP-Recall – Registration, Profile, Commerce & More < 16.26.6 - Authenticated (Contributor+) SQL Injection

Description The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 16.26.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes...

8.5CVSS7.5AI score0.00601EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.18 views

Tabellen von faustball.com < 2.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description The Tabellen von faustball.com plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

4.4CVSS5.7AI score0.00406EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.15 views

Cost Calculator Builder Pro < 3.1.68 - Unauthenticated Cross-Site Scripting via SVG Upload

Description The Cost Calculator Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SVG upload feature in all versions up to, and including, 3.1.67 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...

7.2CVSS6.1AI score0.00576EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.16 views

Social Icons Widget & Block < 4.2.18 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its Widget settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. As an administrator,...

5.4AI score0.00391EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.13 views

Culqi < 3.0.15 - Authenticated (Subscriber+) Server-Side Request Forgery

Description The Culqi plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.0.14 via the getmerchants function. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locatio...

4.9CVSS6.7AI score0.00254EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.27 views

WP-Recall – Registration, Profile, Commerce & More < 16.26.6 - Unauthenticated SQL Injection

Description The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 16.26.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes...

9.3CVSS7.8AI score0.05851EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.13 views

Multiple Plugins by tychesoftwares <= (Various Versions) - Missing Authorization to Notice Dismissal

Description Multiple plugins for WordPress by tychesoftwares are vulnerable to unauthorized modification of data due to a missing capability check on the tsadminnotices function in various versions. This makes it possible for authenticated attackers, with subscriber-level access and above, to...

4.3CVSS6.2AI score0.00346EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.16 views

Podlove Podcast Publisher < 4.0.15 - Cross-Site Request Forgery

Description The Podlove Podcast Publisher plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.0.14. This is due to missing or incorrect nonce validation on the jobcreate and jobdelete functions. This makes it possible for unauthenticated...

7.5CVSS6.6AI score0.00393EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.15 views

Podlove Podcast Publisher < 4.0.12 - Authenticated (Contributor+) Server-Side Request Forgery

Description The Podlove Podcast Publisher plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.11 via the fetchurlmeta function. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests...

5.4CVSS6.7AI score0.00381EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.14 views

ARForms < 6.4.1 - Missing Authorization to Arbitrary Plugin Activation/Deactivation

Description The ARforms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on a function in all versions up to, and including, 6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to activate and...

8.8CVSS6.8AI score0.00382EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.11 views

ARforms < 6.4.1 - Authenticated (Subscriber+) SQL Injection

Description The ARforms plugin for WordPress is vulnerable to SQL Injection via an unknown parameter in all versions up to, and including, 6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

8.5CVSS7.5AI score0.00565EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.20 views

Frontend Dashboard < 2.2.4 -

Description The Frontend Dashboard plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.2. This makes it possible for unauthenticated attackers to extract sensitive data...

7.5CVSS6.9AI score0.0068EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.10 views

Sailthru Triggermail <= 1.1 - Reflected XSS

Description The plugin does not sanitise and escape various parameters before outputting them back in pages and attributes, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open:...

8.4AI score0.00367EPSS
Exploits3
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.17 views

Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks < 2.2.79 - Unauthenticated Sensitive Information Exposure

Description The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.78. This makes it possible for unauthenticated attackers to extract...

7.5CVSS6.9AI score0.0068EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.20 views

Slider Revolution < 6.7.8 - Authenticated (Author+) Stored Cross-Site Scripting via htmltag Parameter

Description The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘htmltag’ parameter in all versions up to, and including, 6.7.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject...

6.4CVSS5.7AI score0.00423EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.15 views

Email Customizer for WooCommerce | Drag and Drop Email Templates Builder < 2.6.1 - Information Exposure

Description The Email Customizer for WooCommerce | Drag and Drop Email Templates Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.0 via the preparepreview function. This makes it possible for unauthenticated attackers to previe...

7.5CVSS7AI score0.0068EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.15 views

WordPress Header Builder Plugin – Pearl < 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The WordPress Header Builder Plugin – Pearl plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'stmhb' shortcode in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This mak...

6.4CVSS5.8AI score0.00493EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.10 views

Survey Maker < 4.2.9 - Admin+ Stored XSS via Plugin Settings

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Add New Survey 2. Choose any...

4.9AI score0.00422EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.15 views

ARForms < 6.4.1 - Missing Authorization to Arbitrary Option Deletion

Description The ARforms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on a function in all versions up to, and including, 6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrar...

7.1CVSS6.8AI score0.00335EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.11 views

Sailthru Triggermail <= 1.1 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to...

7.7AI score0.00388EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.21 views

VikRentCar Car Rental Management System < 1.3.3 - Information Exposure

Description The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.2 due to publicly accessible PDF files. This makes it possible for unauthenticated attackers to extract potentially sensitive...

5.9CVSS6.7AI score0.00554EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.15 views

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid < 7.7.0 - Missing Authorization

Description The The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the rtTPGSaveSettings function in all versions up to, and including, 7.6.1. This makes it...

4.3CVSS6.5AI score0.0056EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.16 views

Barcode Scanner with Inventory & Order Manager < 1.5.5 - Authenticated (Subscriber+) SQL Injection

Description The Barcode Scanner and Inventory manager. POS Point of Sale – scan barcodes & create orders with barcode reader. plugin for WordPress is vulnerable to blind SQL Injection via the ‘currentIds’ parameter in all versions up to, and including, 1.5.4 due to insufficient escaping on the us...

8.8CVSS7.4AI score0.00613EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.17 views

ARForms < 6.4.1 - Missing Authorization to Arbitrary File Deletion

Description The ARforms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on a function in all versions up to, and including, 6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrar...

8.1CVSS6.8AI score0.00577EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.10 views

StreamWeasels Twitch Integration < 1.8.0 - Unauthenticated Sensitive Information Exposure

Description The StreamWeasels Twitch Integration plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.8 via the sw-twitch-embed shortcode. This makes it possible for unauthenticated attackers to view potentially sensitive information...

5.3CVSS6.9AI score0.00547EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/30 12:0 a.m.24 views

FV Flowplayer Video Player < 7.5.45.7212 - Authenticated (Subscriber+) Server-side Request Forgery

Description The FV Flowplayer Video Player plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.5.43.7212. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations...

4.9CVSS6.7AI score0.00254EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.19 views

Royal Elementor Kit < 1.0.117 - Cross-Site Request Forgery to Notice Dismissal

Description The Royal Elementor Kit theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.116. This is due to missing or incorrect nonce validation on the dismissedhandler function. This makes it possible for unauthenticated attackers to dismiss...

4.3CVSS6.6AI score0.002EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.15 views

Accessibility Widget < 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Accessibility Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget settings in versions up to, and including, 2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...

6.5CVSS5.9AI score0.00319EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.16 views

Import and export users and customers < 1.26.3 - Authenticated (Admin+) PHP Object Injection

Description The Import and export users and customers plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.26.2 via deserialization of untrusted input in the import.php file. This makes it possible for authenticated attackers, with administrator-level...

4.4CVSS7.4AI score0.00373EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.20 views

List Custom Taxonomy Widget < 4.2 - Authenticated (Admin+) Stored Cross-Site Scripting

Description The List Custom Taxonomy Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

5.9CVSS5.9AI score0.00339EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.15 views

Reviews Plus < 1.3.5 - Missing Authorization to Notice Dismissal

Description The Reviews Plus plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxhiderevstranslationnotice function in versions up to, and including, 1.3.4. This makes it possible for authenticated attackers, with subscriber-level...

4.3CVSS6.7AI score0.00337EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.14 views

Advanced Testimonial Carousel for Elementor < 3.0.1 - Missing Authorization

Description The Advanced Testimonial Carousel for Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the handleAjaxCalls function in versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with subscriber-leve...

4.3CVSS6.7AI score0.00277EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.13 views

All-in-one Like Widget < 2.2.8 - Authenticated (Admin+) Stored Cross-Site Scripting

Description The All-in-one Like Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

5.9CVSS5.9AI score0.00345EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.18 views

WP-Lister Lite for eBay < 3.6.0 - Authenticated (Shop Manager+) Arbitrary File Upload

Description The WP-Lister Lite for eBay plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to 3.6.0 exclusive. This makes it possible for authenticated attackers, with shop manager-level access and above, to upload arbitrary files o...

9.1CVSS8AI score0.00799EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.10 views

ZD YouTube FLV Player <= 1.2.6 - Server-Side Request Forgery

Description The ZD YouTube FLV Player plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.6 via the $GET'image' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the...

8.3CVSS6.8AI score0.00436EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.17 views

LeadConnector < 1.8 - Missing Authorization to Unauthenticated Arbitrary Post Deletion

Description The LeadConnector plugin for WordPress is vulnerable to unauthorized modification & loss of data due to a missing capability check on the lcpublicapiproxy function in all versions up to, and including, 1.7. This makes it possible for unauthenticated attackers to delete arbitrary posts...

6.5CVSS6.8AI score0.00587EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.24 views

Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) < 5.2.4 - Missing Authorization

Description The Analytify – Google Analytics Dashboard For WordPress GA4 analytics made easy plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on AJAX functions in combination with nonce leakage. This makes it possible for authenticated attackers,...

5.4CVSS6AI score0.00293EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.9 views

Fancy Elementor Flipbox <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Fancy Elementor Flipbox Widget

Description The Fancy Elementor Flipbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Fancy Elementor Flipbox widget in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS5.8AI score0.00428EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.12 views

Where Did You Hear About Us Checkout Field for WooCommerce < 1.3.2 - Authenticated (Shop Manager+) Stored Cross-Site Scripting

Description The Where Did You Hear About Us Checkout Field for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via order meta in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for...

5.5CVSS5.8AI score0.00419EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.10 views

ShortPixel Critical CSS < 1.0.3 - Missing Authorization

Description The ShortPixel Critical CSS plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on several function sin versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to...

7.6CVSS6.7AI score0.00431EPSS
Exploits0References1Affected Software1
Total number of security vulnerabilities14603