Lucene search
K
WpvulndbRecent

14602 matches found

WPVulnDB
WPVulnDB
added 2024/06/18 12:0 a.m.18 views

Cooked – Recipe Management <= Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Cooked – Recipe Management recipe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the recipesettingsposttitle parameter in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows...

5.4CVSS5.8AI score0.00426EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/18 12:0 a.m.18 views

Music Store - WordPress eCommerce < 1.1.14 - Authenticated (Admin+) SQL Injection

Description The Music Store – WordPress eCommerce plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 1.1.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

7.2AI score0.00519EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/18 12:0 a.m.14 views

MJ Update History <= 1.0.4 - Missing Authorization

Description The MJ Update History plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an...

4.3CVSS6.4AI score0.00372EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/17 12:0 a.m.12 views

Business Directory Plugin < 6.4.4 - Authenticated (Author+) CSV Injection

Description The Business Directory Plugin plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 6.4.3 via the class-csv-exporter.php file. This allows authenticated attackers, with author-level permissions and above, to embed untrusted input into CSV files exported...

8CVSS7.5AI score0.00492EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/17 12:0 a.m.14 views

Photo Gallery by 10Web < 1.8.22 - Multiple Reflected XSS

Description The plugin is vulnerable to Reflected Cross-Site Scripting via the 'imageid', 'currenturl', 'imageurl' and 'thumburl' parameters due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages th...

5.4CVSS6.4AI score0.00412EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/17 12:0 a.m.20 views

Master Slider – Responsive Touch Slider <= 3.9.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via ms_layer Shortcode

Description The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mslayer' shortcode in all versions up to, and including, 3.9.10 due to insufficient input sanitization and output escaping on the 'cssid' user supplied...

7.1CVSS5.7AI score0.00327EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/17 12:0 a.m.20 views

Tickera < 3.5.2.9 - Missing Authorization to Authenticated (Susbcriber+) Ticket Deletion

Description The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tcdldeletetickets AJAX action in all versions up to, and including, 3.5.2.8. This makes it possible for authenticated attackers, with...

4.3CVSS6.7AI score0.0028EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/17 12:0 a.m.20 views

PDF Viewer for Elementor <= 2.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via render

Description The PDF Viewer for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the render function in all versions up to, and including, 2.9.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS5.7AI score0.00329EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/17 12:0 a.m.11 views

Scheduling Plugin – Online Booking for WordPress <= 3.5.10 - Missing Authorization to Unauthenticated Service Disconnection

Description The Scheduling Plugin – Online Booking for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'cbsbdisconnectsettings' function in all versions up to, and including, 3.5.10. This makes it possible for unauthenticated...

6.5CVSS6.6AI score0.00359EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/17 12:0 a.m.12 views

Ibtana - WordPress Website Builder <= 1.2.3.3 - Unauthenticated reCAPTCHA Settings Update

Description The Ibtana – WordPress Website Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ibtanavisualeditorregisterajaxjsonendpont' function in all versions up to, and including, 1.2.3.3. This makes it possible for...

5.3CVSS6.7AI score0.0046EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.17 views

WP Go Maps (formerly WP Google Maps) < 9.0.39 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The WP Go Maps formerly WP Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom JS option in versions up to, and including, 9.0.38. This makes it possible for authenticated attackers that have been explicitly granted permissions by an administrator,...

6.4CVSS6AI score0.00367EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.23 views

Newspaper < 12.6.6 - Authenticated (Author+) Stored Cross-Site Scripting via Attachment Meta

Description The Newspaper theme for WordPress is vulnerable to Stored Cross-Site Scripting via attachment meta in the archive page in all versions up to, and including, 12.6.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

5.5CVSS4.9AI score0.00279EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.11 views

YITH WooCommerce Product Add-Ons < 4.9.3 - Unauthenticated Content Injection

Description The YITH WooCommerce Product Add-Ons plugin for WordPress is vulnerable to Content Injection in all versions up to, and including, 4.9.2. This is due to the plugin not properly validating a field that can be updated. This makes it possible for unauthenticated attackers to inject...

5.3CVSS7.1AI score0.00329EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.13 views

Infographic Maker iList < 4.7.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Title Update

Description The AI Infographic Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the qcldopenaititlegeneratedesc AJAX action in all versions up to, and including, 4.7.4. This makes it possible for authenticated attackers, with...

4.3CVSS6.6AI score0.00323EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.14 views

Download Manager < 3.2.90 - Improper Authorization via protectMediaLibrary

Description The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check on the 'protectMediaLibrary' function in all versions up to, and including, 3.2.89. This makes it possible for unauthenticated attackers to download...

7.5CVSS6.8AI score0.00454EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.13 views

Woody code snippets – Insert Header Footer Code, AdSense Ads < 2.5.1 -Authenticated (Contributor+) Remote Code Execution

Description The Woody code snippets – Insert Header Footer Code, AdSense Ads plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.5.0 via the 'insertphp' shortcode. This is due to the plugin not restricting the usage of the functionality to high leve...

9.9CVSS7.6AI score0.02778EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.9 views

Stratum – Elementor Widgets < 1.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget

Description The Stratum – Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘labelyears’ attribute within the Countdown widget in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible f...

6.4CVSS5.8AI score0.00326EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.17 views

tagDiv Composer < 4.9 - Authenticated (Contributor+) Local File Inclusion via Shortcode

Description The tagDiv Composer plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8 via the 'tdblocktitle' shortcode 'blocktemplateid' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to...

8.8CVSS7.9AI score0.00657EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.21 views

Easy WP SMTP by SendLayer < 2.3.1 - Exposure of Sensitive Information via the UI

Description The Easy WP SMTP by SendLayer – WordPress SMTP and Email Log Plugin plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 2.3.0. This is due to plugin providing the SMTP password in the SMTP Password field when viewing the settings. This make...

2.7CVSS6.2AI score0.00336EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.20 views

Elementor Header & Footer Builder < 1.6.36 - Authenticated (Contributor+) Stored Cross-Site Scripting via Site Title Widget

Description The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the url attribute within the plugin's Site Title widget in all versions up to, and including, 1.6.35 due to insufficient input sanitization and output escaping. This makes it...

6.4CVSS5.7AI score0.00401EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.13 views

ElementsKit Elementor addons and Templates Library < 3.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Motion Text and Table Widgets

Description The ElementsKit Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Motion Text and Table widgets in all versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possib...

6.4CVSS5.8AI score0.00263EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.17 views

tagDiv Composer < 4.9 - Authenticated (Author+) Stored Cross-Site Scripting via Attachment Meta

Description The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'single' module in all versions up to, and including, 4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

5.5CVSS5.9AI score0.00279EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.13 views

Jeg Elementor Kit < 2.6.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via JKit - Tabs and JKit - Accordion Widgets

Description The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sggeneraltoggletabenable and sgaccordionstyle attributes within the plugin's JKit - Tabs and JKit - Accordion widget, respectively, in all versions up to, and including, 2.6.5 due to...

6.4CVSS5.8AI score0.00401EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.17 views

WooCommerce - Social Login < 2.6.3 - Unauthenticated PHP Object Injection

Description The WooCommerce - Social Login plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.2 via deserialization of untrusted input from the 'wooslgverify' vulnerable parameter. This makes it possible for unauthenticated attackers to inject a P...

9.8CVSS7.4AI score0.00697EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.11 views

PPOM for WooCommerce < 32.0.21 - Unauthenticated Content Injection Vulnerability

Description The Product Addons & Fields for WooCommerce plugin for WordPress is vulnerable to Content Injection in all versions up to, and including, 32.0.20. This is due to the plugin not properly validating a field that can be updated. This makes it possible for unauthenticated attackers to...

5.3CVSS7.1AI score0.00331EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.13 views

Shariff Wrapper < 4.6.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.13 due to insufficient input sanitization and output escaping on user supplied attributes such as 'borderradius',...

6.4CVSS5.8AI score0.00308EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.13 views

Under Construction / Maintenance Mode from Acurax <= 2.6 - Unauthenticated IP Spoofing

Description The Under Construction / Maintenance Mode from Acurax plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 2.6 due to insufficient IP address validation and/or use of user-supplied HTTP headers as a primary method for IP retrieval. This makes...

5.3CVSS6.8AI score0.00297EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.18 views

Video Gallery – YouTube Playlist, Channel Gallery by YotuWP <= 1.3.13 - Authenticated (Contributor+) Arbitrary File Inclusion via Shortcode

Description The Video Gallery – YouTube Playlist, Channel Gallery by YotuWP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.13 via the display function. This makes it possible for authenticated attackers, with contributor access and higher, to...

8.8CVSS7.9AI score0.00638EPSS
Exploits1References1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.11 views

Restaurant Menu and Food Ordering < 2.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The Restaurant Menu – Food Ordering System – Table Reservation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping on user supplied...

6.4CVSS5.7AI score0.00274EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.9 views

FooEvents for WooCommerce < 1.19.21 - Improper Authorization to (Contributor+) Arbitrary File Upload

Description The FooEvents for WooCommerce plugin for WordPress is vulnerable to unauthorized arbitrary file uploads due to an improper capability setting on the 'displayticketthemespage' function in versions up to, and including, 1.19.20. This makes it possible for authenticated attackers with...

7.1CVSS7.6AI score0.00506EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.8 views

Video Gallery – YouTube Playlist, Channel Gallery by YotuWP <= 1.3.13 - Unauthenticated Local File Inclusion

Description The Video Gallery – YouTube Playlist, Channel Gallery by YotuWP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.13 via the settings parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary fil...

9.8CVSS8.2AI score0.0077EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.17 views

Popup Builder – Create highly converting, mobile friendly marketing popups < 4.3.2 - Missing Authorization and Nonce Exposure

Description The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 4.3.1. While some functions contain a...

8.1CVSS6.7AI score0.00471EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.10 views

Contact Form Builder, Contact Widget <= 2.1.7 - Authentication Request Bypass

Description The Contact Form Builder, Contact Widget plugin for WordPress is vulnerable to protection bypass in all versions up to, and including, 2.1.7. This is due to the plugin not properly restricting authentication attempts. This makes it possible for unauthenticated attackers to perform an...

5.3CVSS7.1AI score0.00372EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.15 views

WooCommerce - Social Login < 2.6.3 - Email Verification due to Insufficient Randomness

Description The WooCommerce - Social Login plugin for WordPress is vulnerable to Email Verification in all versions up to, and including, 2.6.2 via the use of insufficiently random activation code. This makes it possible for unauthenticated attackers to bypass the email verification...

6.5CVSS6.8AI score0.00313EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.11 views

Collapse-O-Matic <= 1.8.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The Collapse-O-Matic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'expand' and 'expandsub' shortcode in all versions up to, and including, 1.8.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes i...

6.4CVSS5.9AI score0.00342EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/14 12:0 a.m.16 views

Popup Builder < 4.3.2 - Missing Authorization in Multiple AJAX Actions

Description The Popup Builder plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on all AJAX actions. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform multiple unauthorize...

7.4CVSS5.8AI score0.00271EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/13 12:0 a.m.12 views

Database Cleaner < 1.0.6 - Authenticated (Admin+) Arbitrary File Read

Description The Database Cleaner: Clean, Optimize & Repair plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.0.5 via the getlogs function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server,...

4.9CVSS6.7AI score0.00559EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/13 12:0 a.m.14 views

Recurring PayPal Donations < 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The Recurring PayPal Donations plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...

6.5CVSS5.8AI score0.00254EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/13 12:0 a.m.18 views

LatePoint Plugin < 4.9.9.1 - Missing Authorization and Sensitive Information Exposure via IDOR

Description The LatePoint Plugin plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'startorusesessionforcustomer' function in all versions up to and including 4.9.9. This makes it possible for unauthenticated...

9.1CVSS6.6AI score0.00623EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/13 12:0 a.m.18 views

Simple Sitemap < 3.5.14 - Cross-Site Request Forgery via admin_notices

Description The Simple Sitemap – Create a Responsive HTML Sitemap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.13. This is due to missing or incorrect nonce validation in the 'adminnotices' hook found in class-settings.php. This makes ...

4.3CVSS6.3AI score0.00198EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/13 12:0 a.m.9 views

Active Products Tables for WooCommerce. Use constructor to create tables < 1.0.6.4 - Reflected Cross-Site Scripting

Description The Active Products Tables for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.0.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

7.1CVSS6.3AI score0.00288EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/13 12:0 a.m.15 views

MegaMenu < 2.3.13 - Unauthenticated Local File Inclusion

Description The stm-megamenu plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.3.12. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files...

9.8CVSS7.9AI score0.00542EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/13 12:0 a.m.14 views

WPMobile.App — Android and iOS Mobile Application < 11.42 - Reflected Cross-Site Scripting

Description The WPMobile.App — Android and iOS Mobile Application plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 11.41 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...

7.1CVSS6.1AI score0.00668EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/13 12:0 a.m.21 views

WP Docs < 2.1.4 - Reflected Cross-Site Scripting

Description The WP Docs plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 2.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...

7.1CVSS6.3AI score0.00327EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/13 12:0 a.m.10 views

Auto Coupons for WooCommerce < 3.0.15 - Reflected Cross-Site Scripting

Description The Auto Coupons for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 3.0.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

7.1CVSS6.3AI score0.00288EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/13 12:0 a.m.12 views

WP STAGING PRO - Backup Duplicator & Migration < 5.6.1 - Cross-Site Request Forgery to Limited Local File Inclusion

Description The WP STAGING Pro WordPress Backup Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the 'sub' parameter called from the WP STAGING WordPress Backup Plugin -...

8.8CVSS6.3AI score0.0028EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/13 12:0 a.m.13 views

YITH Custom Login < 1.7.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Description The YITH Custom Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-lev...

5.9CVSS5.7AI score0.00281EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/13 12:0 a.m.14 views

FooGallery < 2.4.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Custom URL

Description The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via album gallery custom URLs in all versions up to, and including, 2.4.15 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS5.7AI score0.00471EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/13 12:0 a.m.12 views

GiveWP – Donation Plugin and Fundraising Platform < 3.12.1 - Reflected Cross-Site Scripting

Description The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 3.12.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...

7.1CVSS6.3AI score0.0033EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/13 12:0 a.m.12 views

Stellissimo Text Box <= 1.1.4 - Authenticated (Admin+) Stored Cross-Site Scripting

Description The Stellissimo Text Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

5.9CVSS5.7AI score0.00276EPSS
Exploits0References1
Total number of security vulnerabilities14602