Lucene search
K
WpvulndbRecent

14602 matches found

WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.13 views

Slash Admin < 3.8.2 - Cross-Site Request Forgery

Description The Slash Admin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a...

7.1CVSS6.6AI score0.00184EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.13 views

Academy LMS < 1.9.17 - Missing Authorization

Description The Academy LMS plugin for WordPress is vulnerable to unauthorized access due to insufficient validation on the enrollcourse function in versions up to, and including, 1.9.16. This makes it possible for authenticated attackers, with subscriber-level access and above, to enroll in paid...

8.8CVSS6.8AI score0.00323EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.15 views

Sendinblue for WooCommerce < 4.0.18 - Authenticated (Editor+) Arbitrary File Download and Deletion

Description The Brevo for WooCommerce plugin for WordPress is vulnerable to arbitrary file download and deletion in all versions up to, and including, 4.0.17. This is due to the plugin not properly validating file names in the getfilecontents and deleteattachment functions. This makes it possible...

8.5CVSS6.9AI score0.00647EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.15 views

Admin Page Spider < 3.32 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

4.4CVSS4.3AI score0.00436EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.11 views

Data Tables Generator by Supsystic < 1.10.32 - Missing Authorization

Description The Data Tables Generator by Supsystic plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.10.31. This makes it possible for authenticated attackers, with subscriber-level access and above, to...

4.3CVSS6.7AI score0.00372EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.12 views

Sharkdropship dropshipping for Aliexpress, eBay, Amazon, etsy < 2.1.2 - Unauthenticated Arbitrary Content Deletion

Description The SharkDropship and Affiliate for AliExpress, eBay, Amazon, Etsy plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the theSharkalibayremoveProductFromShop function in all versions up to, and including, 2.1.1. This makes it possible...

7.5CVSS7.1AI score0.00759EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.16 views

MailerLite – Signup forms (official) < 1.7.7 - Missing Authorization

Description The MailerLite – Signup forms official plugin for WordPress is vulnerable to unauthorized plugin setting changes due to a missing capability check on the toggleRolesAndPermissions and editAllowedRolesAndPermissions functions in all versions up to, and including, 1.7.6. This makes it...

5.3CVSS6.7AI score0.00504EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.19 views

Contest Gallery < 21.3.5 - Authenticated (Author+) Arbitrary File Deletion

Description The Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Competition Plugin for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on a function in all versions up to, and including, 21.3.4. This...

8.5CVSS6.7AI score0.00612EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.23 views

Subway – Private Site Option <= 2.1.4 - Improper Access Control to Sensitive Information Exposure via REST API

Description The Subway – Private Site Option plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's private site feature and view restricted page...

5.3CVSS6.8AI score0.00448EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.85 views

BuddyForms < 2.8.9 - Unauthenticated Arbitrary File Read and Server-Side Request Forgery

Description The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions UGC plugin for WordPress is vulnerable to Arbitrary File Read and Server-Side Request Forgery in all versions up to, and including, 2.8.8. This makes it possible for...

8.6CVSS7.1AI score0.00583EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.12 views

Woo Total Sales <= 3.1.4 - Missing Authorization to Unauthenticated Sales Report Retrieval

Description The Woo Total Sales plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getordersarchive function in all versions up to, and including, 3.1.4. This makes it possible for unauthenticated attackers to retrieve sales reports for the...

5.3CVSS6.8AI score0.00457EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.13 views

WordPress Meta Data and Taxonomies Filter (MDTF) < 1.3.3.1 - Missing Authorization

Description The WordPress Meta Data and Taxonomies Filter MDTF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajxsetsequence function in versions up to, and including, 1.3.3. This makes it possible for authenticated attackers, with...

8.8CVSS6.7AI score0.00323EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.14 views

Advanced Local Pickup for WooCommerce < 1.6.2 - Missing Authorization to Notice Dismissal

Description The Advanced Local Pickup for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the adminnoticesforalppro function in versions up to, and including, 1.6.1. This makes it possible for unauthenticated attackers to...

5.3CVSS6.9AI score0.00295EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.20 views

VK Block Patterns < 1.31.1.1 - Missing Authorization

Description The VK Block Patterns plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vbpclearpatternscache function in versions up to, and including, 1.31.0. This makes it possible for unauthenticated attackers to clear the patterns...

5.3CVSS6.9AI score0.00381EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.19 views

Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction < 2.11.1 - Cross-Site Request Forgery to Notice Dismissal

Description The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.11.0. This is due to missing or incorrect nonce validation on the...

4.3CVSS6.6AI score0.002EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.271 views

All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic < 4.6.1.1 - Contributor+ Stored Cross-Site Scripting via Shortcode

Description The All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4CVSS5.7AI score0.00457EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.20 views

Headline Analyzer < 1.3.4 - Cross-Site Request Forgery

Description The Headline Analyzer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.3. This is due to missing or incorrect nonce validation on several REST API endpoints. This makes it possible for unauthenticated attackers to perform sever...

4.3CVSS6.7AI score0.002EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.16 views

Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor <= 4.4.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Description The Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form settings in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping. This...

4.4CVSS5.8AI score0.00462EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.21 views

AppPresser < 4.3.1 - Missing Authorization

Description The AppPresser plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the toggleloggingcallback function in versions up to, and including, 4.3.0. This makes it possible for unauthenticated attackers to enable and disable logging...

6.5CVSS6.9AI score0.00456EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.14 views

InstaWP Connect < 0.1.0.25 - Missing Authorization

Description The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in versions up to, and including, 0.1.0.24. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform sever...

8.8CVSS6.7AI score0.00333EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.13 views

Different Menu in Different Pages – Control Menu Visibility (All in One) <= 2.3.2 - Missing Authorization to Menu Duplication

Description The Different Menu in Different Pages – Control Menu Visibility All in One plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the ajax function in all versions up to, and including, 2.3.2. This makes it possible for authenticated attackers,...

4.3CVSS6.5AI score0.0056EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.10 views

The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library) < 2.0.8.4 - Reflected Cross-Site Scripting

Description The The Pack Elementor addons Header Footer & WooCommerce Builder, Template Library plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 2.0.8.3 due to insufficient input sanitization and output escaping. This makes it possible for...

7.1CVSS6.5AI score0.00252EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.16 views

Easy Property Listings < 3.5.4 - Missing Authorization via epl_update_listing_coordinates()

Description The Easy Property Listings plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eplupdatelistingcoordinates function in versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to update...

9.8CVSS7AI score0.00365EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.11 views

MasterStudy LMS WordPress Plugin – for Online Courses and Education < 3.3.9 - Missing Authorization

Description The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on several functions in versions up to, and including, 3.3.8. This makes it possible for...

6.3CVSS6.3AI score0.00384EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.21 views

ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup < 4.0.31 - Open Redirect

Description The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 4.0.30. This is due to insufficient validation on the redirect url supplied via the redirectto...

6.1CVSS6.8AI score0.00526EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.12 views

Calendar <= 1.3.14 - Authenticated (Contributor+) SQL Injection via Shortcode

Description The Calendar plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcodes in all versions up to, and including, 1.3.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible fo...

8.8CVSS7.3AI score0.00613EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.18 views

WP Media Category Management < 2.3.0 - Reflected Cross-Site Scripting

Description The WP Media Category Management plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

7.1CVSS6.5AI score0.00395EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.10 views

Login with phone number < 1.6.94 - Missing Authorization

Description The Login with phone number plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on a function in versions up to, and including, 1.6.93. This makes it possible for unauthenticated attackers to perform an unauthorized action...

7AI score0.00339EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.11 views

Seers | GDPR & CCPA Cookie Consent & Compliance < 8.1.1 - Cross-Site Request Forgery

Description The Seers | GDPR & CCPA Cookie Consent & Compliance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.1.0. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated...

7.1CVSS6.7AI score0.00184EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.21 views

Qi Addons For Elementor < 1.7.1 - Contributor+ Stored XSS

Description The Qi Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown Widget's attributes due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to...

6.4CVSS5.8AI score0.0032EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.19 views

ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup < 4.0.29 - Missing Authorization

Description The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.0.28. This makes it possible for...

9.1CVSS6.7AI score0.00568EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.9 views

Mhr Post Ticker < 1.2 - Authenticated (Admin+) Stored Cross-Site Scripting

Description The Mhr Post Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Header Title value in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

4.4CVSS5.7AI score0.00462EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.14 views

Conversational Forms for ChatBot < 1.2.0 - Unauthenticated Arbitrary File Download

Description The ChatBot Conversational Forms plugin for WordPress is vulnerable to Arbitrary File Download in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to download arbitrary files from the server which may contain sensitive information...

7AI score0.0043EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.17 views

WooCommerce Shipping Label < 2.3.9 - Authenticated (Shop Manager+) Stored Cross-Site Scripting

Description The WooCommerce Shipping Label plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 2.3.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop...

5.9CVSS5.9AI score0.00339EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.11 views

Image Slider < 1.1.127 - Authenticated (Editor+) Stored Cross-Site Scripting

Description The Image Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 1.1.125 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions a...

5.9CVSS5.9AI score0.00339EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.10 views

Google Doc Embedder <= 2.6.4 - Authenticated (Contributor+) Blind Server Side Request Forgery

Description The Google Doc Embedder plugin for WordPress is vulnerable to Server Side Request Forgery via the 'gview' shortcode in versions up to, and including, 2.6.4. This can allow authenticated attackers with contributor-level permissions or above to make web requests to arbitrary locations...

6.4CVSS6.7AI score0.00316EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.13 views

AnnounceKit <= 2.0.9 - Authenticated (Admin+) Stored Cross-Site Scripting

Description The AnnounceKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

4.4CVSS5.7AI score0.00365EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.12 views

Elementor ImageBox <= 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Elementor ImageBox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image box widget in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...

6.4CVSS5.8AI score0.00466EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.14 views

Social Snap < 1.3.6 - Missing Authorization

Description The Social Snap plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the init function in versions up to, and including, 1.3.5. This makes it possible for unauthenticated attackers to modify the plugin's settings...

6.5CVSS6.9AI score0.00355EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.13 views

SVS Pricing Tables <= 1.0.4 - Cross-Site Request Forgery to Pricing Table Edit/Creation

Description The SVS Pricing Tables plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the savePricingTable function. This makes it possible for unauthenticated attackers to create an...

4.3CVSS6.4AI score0.00211EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.11 views

AA Cash Calculator <= 1.0 - Reflected Cross-Site Scripting via invoice

Description The AA Cash Calculator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘invoice’ parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

6.1CVSS6.3AI score0.00374EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.13 views

SchedulePress < 5.0.9 - Missing Authorization

Description The SchedulePress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 5.0.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized...

6.5CVSS6.7AI score0.00604EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.11 views

Event Monster <= 1.3.8 - Contributor+ PHP Object Injection via Custom Meta

Description The plugin is vulnerable to PHP Object Injection via deserialization via shortcode of untrusted input from a custom meta value. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable...

7.5CVSS7.8AI score0.0085EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.17 views

Easy Restaurant Table Booking <= 1.0.0 - Cross-Site Request Forgery

Description The Easy Restaurant Table Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation when saving settings. This makes it possible for unauthenticated attackers to change the...

4.3CVSS6.5AI score0.00272EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/29 12:0 a.m.16 views

CookieHub < 1.1.1 - Missing Authorization

Description The CookieHub plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the updatedomaincode and updateadvancedsettings functions in versions up to, and including, 1.1.0. This makes it possible for authenticated attackers, with...

4.3CVSS6.7AI score0.00277EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/26 12:0 a.m.13 views

Header Footer Code Manager Pro < 1.0.17 - Reflected Cross-Site Scripting via message

Description The Header Footer Code Manager Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the message parameter in all versions up to, and including, 1.0.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacke...

6.1CVSS6.1AI score0.00504EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/26 12:0 a.m.13 views

BackUpWordPress < 3.14 - Admin+ Directory Traversal

Description The BackUpWordPress plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.13 via the hmbkpdirectorybrowse parameter. This makes it possible for authenticated attackers, with administrator-level access and above, to traverse directories outsi...

2.7CVSS4.5AI score0.0065EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/26 12:0 a.m.14 views

Nextgen Gallery < 3.59.1 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed PoC 1. Add the "NextGEN Media RSS" Widget to the blog Appearance Widgets 2. Change the...

8.5AI score0.0039EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/26 12:0 a.m.9 views

Getwid – Gutenberg Blocks < 2.0.8 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via 'Countdown'

Description The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown block in all versions up to, and including, 2.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible f...

6.4CVSS5.8AI score0.00535EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/26 12:0 a.m.17 views

Contact Form 7 Database Addon – CFDB7 < 1.2.7 - Unauthenticated Sensitive Information Exposure

Description The Contact Form 7 Database Addon – CFDB7 plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.2.6.8 via the cfdb7beforesendmail function. This can allow unauthenticated attackers to extract sensitive data, such as Personally...

5.3CVSS6.8AI score0.00738EPSS
Exploits0References1Affected Software1
Total number of security vulnerabilities14602