Lucene search
K
WpvulndbRecent

14603 matches found

WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.11 views

Really Simple SSL < 8.0.0 - Admin+ Server-Side Request Forgery

Description The Really Simple SSL plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.2.3. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating...

5.5CVSS9.2AI score0.0033EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.11 views

SP Project & Document Manager <= 4.71 - Authenticated (Author+) SQL Injeciton

Description The SP Project & Document Manager plugin for WordPress is vulnerable to SQL Injection via an unknown parameter in all versions up to, and including, 4.71 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This make...

7.6CVSS9.4AI score0.00486EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.16 views

Newsletter Popup <= 1.2 - Subscriber Deletion via CSRF

Description The plugin does not have CSRF check when deleting subscriber, which could allow attackers to make logged in admins perform such action via a CSRF attack PoC Make an admin open a link where is a valid user: http://example.com/wp-admin/admin.php?page=wpnewslettershowlocalrecord=delete=...

6.4AI score0.00254EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.13 views

Navigation menu as Dropdown Widget < 1.3.5 - Authenticated (Admin+) Stored Cross-Site Scripting

Description The Navigation menu as Dropdown Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

5.9CVSS5.9AI score0.00342EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.13 views

ARForms Form Builder < 1.6.5 - Missing Authorization to Authenticated(Subscriber+) Arbitrary Option Deletion

Description The Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'arfliteremovepreviewdata' function in all versions up to, and including, 1.6.4. This makes it...

7.1CVSS6.7AI score0.00428EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.18 views

eCommerce Product Catalog Plugin for WordPress < 3.3.33 - Reflected Cross-Site Scripting

Description The eCommerce Product Catalog Plugin for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 3.3.32 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inje...

7.1CVSS8.5AI score0.00371EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.21 views

Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress < 2.0.74 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure

Description The Radio Player plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.0.73. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive...

5.4CVSS6.6AI score0.0035EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.14 views

Simple Registration for WooCommerce <= 1.5.6 - Unauthenticated Privilege Escalation

Description The Simple Registration for WooCommerce plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated users to elevate their privileges to that of an administrator...

9.8CVSS9.6AI score0.00501EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.15 views

WP File Download Light <= 1.3.3 - Authenticated (Editor+) Stored Cross-Site Scripting

Description The WP File Download Light plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level...

6.5CVSS7.8AI score0.00339EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.14 views

WP Club Manager < 2.2.12 - Authenticated (Player+) Stored Cross-Site Scripting

Description The WP Club Manager – WordPress Sports Club Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.2.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.5CVSS7.8AI score0.00323EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.13 views

GuCherry Blog <= 1.1.8 - Reflected Cross-Site Scripting

Description The GuCherry Blog theme for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages...

7.1CVSS6.5AI score0.00354EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.15 views

Simple Testimonials Showcase <= 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Simple Testimonials Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, wi...

6.5CVSS7.8AI score0.0032EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.10 views

WP SMTP 1.2 - 1.2.6 - Authenticated (Admin+) SQL Injection

Description The WP SMTP plugin for WordPress is vulnerable to SQL Injection via the 'search' parameter in versions 1.2 to 1.2.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated...

7.2CVSS7.5AI score0.00452EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.17 views

Master Slider – Responsive Touch Slider < 3.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.9.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.5CVSS7.8AI score0.00317EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.21 views

Premium Addons for Elementor < 4.10.29 - Contributor+ Stored Cross-Site Scripting

Description The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's post ticker widget in all versions up to, and including, 4.10.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4CVSS5.9AI score0.00444EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.17 views

Ditty – Responsive News Tickers, Sliders, and Lists < 3.1.32 - Authenticated (Author+) Stored Cross-Site Scripting

Description The Ditty plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.1.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access...

6.5CVSS7.8AI score0.00339EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.16 views

WP-Members Membership Plugin < 3.4.9.4 - Unprotected Storage of Potentially Sensitive Files

Description The WP-Members Membership Plugin plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.4.9.3 due to the plugin uploading user supplied files to a publicly accessible directory in wp-content without any restrictions. This makes it possible f...

5.3CVSS6.8AI score0.00496EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.16 views

Blocksy < 2.0.40 - Contributor+ Stored Cross-Site Scripting

Description The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the className parameter in the About Me block in all versions up to, and including, 2.0.39 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

6.4CVSS4.7AI score0.00423EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.17 views

WP Cost Estimation & Payment Forms Builder < 10.1.76 - Reflected Cross-Site Scripting

Description The WP Cost Estimation & Payment Forms Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 10.1.75 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

7.1CVSS8.5AI score0.00354EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.16 views

VikBooking Hotel Booking Engine & PMS < 1.6.8 - Reflected Cross-Site Scripting

Description The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.6.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitra...

7.1CVSS8.5AI score0.00394EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.19 views

Testimonial Slider < 2.3.8 - Admin+ Stored Cross-Site Scripting

Description The Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

5.5AI score0.00442EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.12 views

Login with phone number < 1.7.17 - Unauthorized Account Password Change to Privilege Escalation

Description The Login with phone number plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.7.16. This is due to the plugin not properly verifying the identity of a user who is trying to reset a password. This makes it possible for authenticated...

8.8CVSS9.5AI score0.00461EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.28 views

Zynith SEO <= 7.4.9 - Unauthenticated Stored Cross-Site Scripting

Description The Zynith SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...

8.6CVSS8AI score0.00463EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.23 views

HUSKY – Products Filter for WooCommerce (formerly WOOF) < 1.3.5.3 - Subscriber+ Remote Code Execution

Description The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.5.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute code on the server...

8.8CVSS9.6AI score0.00699EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.17 views

Newsletter Popup <= 1.2 - List Deletion via CSRF

Description The plugin does not have CSRF check when deleting list, which could allow attackers to make logged in admins perform such action via a CSRF attack PoC Make an admin open a URL where is a valid id: http://example.com4/wp-admin/admin.php?page=wpnewslettershowitems=trash=...

6.4AI score0.00347EPSS
Exploits3
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.14 views

Yoga Schedule Momoyoga < 2.8.0 - Contributor+ Stored XSS

Description The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that wi...

6.5CVSS5.8AI score0.00312EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.9 views

Tax Rate Upload <= 2.4.5 - Reflected Cross-Site Scripting

Description The Tax Rate Upload plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in page...

7.1CVSS6.4AI score0.00354EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.16 views

What's New Generator <= 2.0.2 - Authenticated (Admin+) Stored Cross-Site Scripting

Description The What's New Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

5.9CVSS7.8AI score0.00338EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.11 views

Radio Player < 2.0.74 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Radio Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.73 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to injec...

6.5CVSS5.9AI score0.00336EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/25 12:0 a.m.14 views

Newsletter Popup <= 1.2 - Unauthenticated Stored XSS

Description The plugin does not sanitise and escape some parameters, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks against admins PoC 1. Make sure there is a newsletter configured with the setting "Email Service Save to local database" 2. When not logged in,...

5.8AI score0.00386EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/04/24 12:0 a.m.14 views

Kattene < 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Kattene plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level...

6.5CVSS7.8AI score0.00312EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/24 12:0 a.m.14 views

Mega Elements < 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Mega Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...

6.5CVSS5.9AI score0.00317EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/24 12:0 a.m.10 views

Restaurant Menu – Food Ordering System – Table Reservation < 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Restaurant Menu – Food Ordering System – Table Reservation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping on user supplied...

6.5CVSS5.9AI score0.0032EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/24 12:0 a.m.18 views

Product Feed PRO for WooCommerce by AdTribes – WooCommerce Product Feeds for Google, Facebook/Meta, Bing, & More < 13.3.2 - Sensitive Information Exposure via Log Files

Description The Product Feed PRO for WooCommerce by AdTribes – WooCommerce Product Feeds for Google, Facebook/Meta, Bing, & More plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 13.3.1 via log files. This makes it possible for...

5.3CVSS6.6AI score0.00443EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/24 12:0 a.m.10 views

Cornerstone < 0.8.1 - Reflected Cross-Site Scripting via PHP_SELF

Description The Cornerstone plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 0.8.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages th...

7.1CVSS6.5AI score0.00333EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/24 12:0 a.m.14 views

WP Helper Premium < 4.6.0 - Reflected Cross-Site Scripting

Description The WP Helper Premium plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to 4.6.0 exclusive due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages th...

7.1CVSS6.5AI score0.00394EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/24 12:0 a.m.13 views

WP Stripe Checkout < 1.2.2.42 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The WP Stripe Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.2.41 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...

6.5CVSS5.9AI score0.0032EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/24 12:0 a.m.39 views

Forminator < 1.29.0 - Unauthenticated Arbitrary File Upload

Description The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.28.1. This makes it possible for unauthenticated attackers to upload arbitrary fil...

8AI score0.00708EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/24 12:0 a.m.10 views

RSS Feed Widget < 2.9.8 - Authenticated (Admin+) Stored Cross-Site Scripting

Description The RSS Feed Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

5.9CVSS5.9AI score0.00338EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/24 12:0 a.m.12 views

Base64 Encoder/Decoder <= 0.9.2 - Settings Reset via CSRF

Description The plugin does not have CSRF check in place when resetting its settings, which could allow attackers to make a logged in admin reset them via a CSRF attack PoC Make a logged in admin open an HTML file containing the following:...

6.3AI score0.00202EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/04/24 12:0 a.m.15 views

HL Twitter <= 2014.1.18 - Admin+ Stored XSS via Widget

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. In the widget area, add the...

5.4AI score0.00331EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/04/24 12:0 a.m.15 views

HL Twitter <= 2014.1.18 - Unlink Twitter Account via CSRF

Description The plugin does not have CSRF check when unlinking twitter accounts, which could allow attackers to make logged in admins perform such actions via a CSRF attack PoC Make an admin open an HTML file containing: The Twitter connection will be removed API tokens reset to ''...

6.3AI score0.00211EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/04/24 12:0 a.m.13 views

Classified Listing – Classified ads & Business Directory Plugin < 3.0.11 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Attachment Deletion

Description The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the rtclfbgalleryimagedelete AJAX action in all versions up to, and including, 3.0.10.3. This makes it possible for...

5.3CVSS6.8AI score0.00362EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/24 12:0 a.m.16 views

PDF Invoices & Packing Slips for WooCommerce < 3.8.1 - Unauthenticated Stored Cross-Site Scripting

Description The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

7.2CVSS6.2AI score0.0057EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/24 12:0 a.m.18 views

PDF Invoices & Packing Slips for WooCommerce < 3.8.1 - Unauthenticated Server-Side Request Forgery

Description The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.8.0 via the transform function. This can allow unauthenticated attackers to make web requests to arbitrary locations originating from...

7.2CVSS7.1AI score0.00403EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/24 12:0 a.m.14 views

Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More < 3.7.1 - Contributor+ Stored Cross-Site Scripting via Widget Post Overlay

Description The Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More Gutenberg Blocks and Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Widget Post Overlay block in all versions up to, and including, 3.7.0 due to insufficient input...

6.4CVSS5.9AI score0.00353EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/24 12:0 a.m.27 views

Popup Box – Best WordPress Popup Plugin < 4.3.7 - Missing Authorization to Information Exposure

Description The Popup Box – Best WordPress Popup Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ayspbcreateauthor AJAX action in all versions up to, and including, 4.3.6. This makes it possible for unauthenticated attackers to...

5.3CVSS6.9AI score0.00623EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/24 12:0 a.m.17 views

Void Elementor WHMCS Elements For Elementor Page Builder < 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Void Elementor WHMCS Elements For Elementor Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.5CVSS5.9AI score0.0032EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/24 12:0 a.m.9 views

PropertyHive < 2.0.13 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion

Description The PropertyHive plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deletekeydate function in all versions up to, and including, 2.0.12. This makes it possible for authenticated attackers, with subscriber-level access and above, to...

4.3CVSS6.8AI score0.00619EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/24 12:0 a.m.18 views

TeraWallet – Best WooCommerce Wallet System With Cashback Rewards, Partial Payment, Wallet Refunds < 1.5.1 - Authenticated (Shop Manager+) Stored Cross-Site Scripting

Description The TeraWallet – Best WooCommerce Wallet System With Cashback Rewards, Partial Payment, Wallet Refunds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping...

5.9CVSS5.8AI score0.00335EPSS
Exploits0References1Affected Software1
Total number of security vulnerabilities14603