Lucene search
K
WpvulndbRecent

14603 matches found

WPVulnDB
WPVulnDB
added 2024/04/22 12:0 a.m.11 views

Colibri Page Builder < 1.0.272 - Contributor+ Stored Cross-Site Scripting via the plugin's 'colibri_breadcrumb_element' shortcode

Description The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'colibribreadcrumbelement' shortcode in all versions up to, and including, 1.0.272 due to insufficient input sanitization and output escaping on user supplied attributes. This...

6.4CVSS5.9AI score0.00423EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/22 12:0 a.m.16 views

Frontend Admin by DynamiApps < 3.19.5 - Improper Missing Encryption Exception Handling to Form Manipulation

Description The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to improper missing encryption exception handling on the 'feaencrypt' function in all versions up to, and including, 3.19.4. This makes it possible for unauthenticated attackers to manipulate the user processing forms...

9.8CVSS7AI score0.00815EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/22 12:0 a.m.15 views

GeoDirectory – WordPress Business Directory Plugin, or Classified Directory < 2.3.49 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'gd_single_tabs' Shortcode

Description The GeoDirectory – WordPress Business Directory Plugin, or Classified Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gdsingletabs' shortcode in all versions up to, and including, 2.3.48 due to insufficient input sanitization and output...

6.4CVSS5.9AI score0.0032EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/22 12:0 a.m.19 views

PostX < 4.0.2 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC 1. Create a new Post and add "Ultimate...

8.2AI score0.00416EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/22 12:0 a.m.15 views

Colibri Page Builder < 1.0.272 - Contributor+ Stored Cross-Site Scripting

Description The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'colibri-gallery-slideshow' shortcode in all versions up to, and including, 1.0.272 due to insufficient input sanitization and output escaping on user supplied attributes. This...

5.4CVSS5.9AI score0.00449EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/22 12:0 a.m.12 views

Exclusive Addons for Elementor < 2.6.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Expired Title

Description The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the Countdown Expired Title in all versions up to, and including, 2.6.9.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

6.4CVSS6.5AI score0.00475EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/22 12:0 a.m.12 views

Social Sharing Plugin – Social Warfare < 4.4.6.2 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode

Description The Social Sharing Plugin – Social Warfare plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'socialWarfare' shortcode in all versions up to, and including, 4.4.6.1 due to insufficient input sanitization and output escaping on user supplied attributes...

6.4CVSS5.8AI score0.0042EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/22 12:0 a.m.18 views

Database for Contact Form 7, WPforms, Elementor forms < 1.3.9 - Unauthenticated Stored Cross-Site Scripting

Description The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...

7.2CVSS6.2AI score0.00636EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/22 12:0 a.m.13 views

Ultimate 410 Gone Status Code < 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Ultimate 410 Gone Status Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 410 entries in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS6.1AI score0.00465EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/22 12:0 a.m.14 views

Elespare – Build Your Blog, News & Magazine Websites with Expert-Designed Template Kits. One Click Import: No Coding Skills Required! < 2.1.3 - Missing Authorization to Subscriber+ Arbitrary Post Creation

Description The Elespare – Build Your Blog, News & Magazine Websites with Expert-Designed Template Kits. One Click Import: No Coding Skills Required! plugin for WordPress is vulnerable to unauthorized post creation due to a missing capability check on the elesparecreatepost function hooked via AJ...

4.3CVSS6.8AI score0.00371EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/22 12:0 a.m.7 views

Royal Elementor Addons and Templates < 1.3.972 - Contributor+ Stored Cross-Site Scripting via HTML Tags

Description The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Grid & Advanced Text widget HTML tags in all versions up to, and including, 1.3.96 due to insufficient input sanitization and output escaping on user supplied...

6.4CVSS5.8AI score0.00434EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/22 12:0 a.m.12 views

WordPress Backup & Migration < 1.4.9 - Missing Authorization to Directory Traversal

Description The WordPress Backup & Migration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpmgdppopulatepopup function in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with subscriber...

4.3CVSS6.7AI score0.00491EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/22 12:0 a.m.10 views

Royal Elementor Addons and Templates < 1.3.972 - Contributor+ Stored Cross-Site Scripting via Advanced Accordion Title Tags

Description The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Advanced Accordion widget in all versions up to, and including, 1.3.971 due to insufficient input sanitization and output escaping on user supplied attributes li...

6.4CVSS5.9AI score0.00336EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/22 12:0 a.m.14 views

RegistrationMagic < 5.2.6.0 - Cross-Site Request Forgery

Description The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5.9. This is due to missing or incorrect nonce validation on the...

4CVSS6.5AI score0.00402EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/22 12:0 a.m.16 views

Royal Elementor Addons and Templates < 1.3.95 - Unauthenticated Limited File Upload

Description The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to limited file uploads due to missing file type validation in the 'filevalidity' function in all versions up to, and including, 1.3.94. This makes it possible for unauthenticated attackers to upload dangerous...

9.8CVSS7.5AI score0.01147EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/22 12:0 a.m.18 views

Royal Elementor Addons and Templates < 1.3.972 - Contributor+ Stored Cross-Site Scripting via Flip Carousel, Flip Box, Post Grid, and Taxonomy List Widget Attributes

Description The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Flip Carousel, Flip Box, Post Grid, and Taxonomy List widgets in all versions up to, and including, 1.3.971 due to insufficient input sanitization and output...

6.4CVSS5.9AI score0.00594EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/20 12:0 a.m.14 views

Icon Widget < 1.4.0 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode

Description The Icon Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.4CVSS5.9AI score0.0042EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/19 12:0 a.m.21 views

ShopLentor < 2.8.2 - Contributor+ Template Reset

Description The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the 'woolentortemplatestore' function. This makes it possible for authenticated attackers, with contributor access and above to access the nonce used to access this function and set a...

4.3CVSS6.4AI score0.0034EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/19 12:0 a.m.12 views

Happy Addons for Elementor < 3.10.5 - Contributor+ Stored XSS

Description The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's Image Stack Group, Photo Stack, & Horizontal Timeline widgets due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...

6.4CVSS5.9AI score0.00548EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/19 12:0 a.m.14 views

SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizer < 3.10.3 - Missing Authorization

Description The SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizer plugin for WordPress is vulnerable to unauthorized ld+json description injection due to a missing capability check on the savesettings function in all versions up to, and including, 3.10.2. This makes it possible for...

5.3CVSS7.2AI score0.00565EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/19 12:0 a.m.14 views

reCAPTCHA Jetpack <= 0.2.2 - Stored XSS via CSRF

Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged-in admin add Stored XSS payloads via a CSRF attack. PoC This requires Jetpack to be installed and to have a page/post with a Jetpack Contact...

5.5AI score0.00269EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/04/19 12:0 a.m.17 views

reCAPTCHA Jetpack <= 0.2.2 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC Have an admin open an HTML page containing:...

6.3AI score0.00381EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/04/19 12:0 a.m.10 views

VikBooking < 1.6.8 - Insecure Direct Object References

Description The plugin allows direct access to menus, allowing an authenticated user with subscriber privileges or above, to bypass authorization and access settings of the plugin's they shouldn't be allowed to. PoC https://example.com/wp-admin/admin.php?option=comvikbooking=config...

6.4AI score0.0061EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/19 12:0 a.m.22 views

User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin < 3.2.0 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation

Description The User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the formsaveaction function in all versions up to, and including, 3.1.5. This makes it possib...

8.8CVSS6.9AI score0.00938EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/19 12:0 a.m.15 views

Happy Addons for Elementor < 3.10.6 - Contributor+ Stored XSS via HTML Tags

Description The plugin is vulnerable to Stored Cross-Site Scripting via HTML tags in widgets due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web...

6.4CVSS5.9AI score0.00423EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/19 12:0 a.m.13 views

ShopLentor < 2.8.2 - Contributor+ Stored XSS

Description The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's 'wishsuitebutton' shortcode due to insufficient input sanitization and output escaping on user supplied attributes like 'buttonclass'. This makes it possible for authenticated attackers with contributor-level and...

6.4CVSS5.9AI score0.0032EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/19 12:0 a.m.12 views

MaxGalleria < 6.4.3 - Missing Authorization

Description The MaxGalleria plugin for WordPress is vulnerable to unauthorized image upload due to a missing capability check on the addmedialibraryimagestogallery function in all versions up to, and including, 6.4.2. This makes it possible for authenticated attackers, with subscriber access or...

4.3CVSS6.9AI score0.00609EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/19 12:0 a.m.19 views

Essential Addons for Elementor Pro < 5.8.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title_html_tag'

Description The Essential Addons for Elementor Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Counter widget in all versions up to, and including, 5.8.11 due to insufficient input sanitization and output escaping on user supplied attributes such as...

6.4CVSS5.9AI score0.00333EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/19 12:0 a.m.7 views

hCaptcha for WordPress < 4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via cf7-hcaptcha Shortcode

Description The hCaptcha for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cf7-hcaptcha shortcode in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possib...

6.4CVSS5.8AI score0.00333EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/19 12:0 a.m.19 views

VikBooking < 1.6.8 - Broken Access Control

Description The plugin's access control mechanism fails to properly restrict access to its settings, permitting any users that can access a menu to manipulate requests and perform unauthorized actions such as editing, renaming or deleting categories for example despite initial settings prohibitin...

6.5AI score0.0028EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/18 12:0 a.m.42 views

Click to Chat – HoliThemes < 4.0 - Contributor+ LFI

Description The plugin is vulnerable to Local File Inclusion, allowing authenticated attackers, with contributor access or above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensiti...

8.8CVSS7.6AI score0.01691EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/18 12:0 a.m.28 views

LearnPress – WordPress LMS Plugin < 4.2.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the id value in all versions up to, and including, 4.2.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS5.8AI score0.0032EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/18 12:0 a.m.15 views

Advanced Page Visit Counter <= 8.0.6 - Authenticated (Administrator+) SQL Injection

Description The Advanced Page Visit Counter plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 8.0.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticate...

7.6CVSS7.5AI score0.00515EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/18 12:0 a.m.18 views

BWL Advanced FAQ Manager < 2.0.4 - Authenticated (Administrator+) SQL Injection

Description The BWL Advanced FAQ Manager plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated...

7.6CVSS7.2AI score0.01307EPSS
Exploits3References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/18 12:0 a.m.11 views

Easy Custom Auto Excerpt < 2.5.0 - Sensitive Information Exposure

Description The Easy Custom Auto Excerpt plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.12. This makes it possible for unauthenticated attackers to obtain excerpts of password-protected posts...

5.3CVSS6.6AI score0.00573EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/18 12:0 a.m.12 views

Freshdesk (official) < 2.4.0 - Open Redirect

Description The plugin is vulnerable to Open Redirect due to insufficient validation on a redirect url. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action...

4.7CVSS5.7AI score0.00381EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/18 12:0 a.m.16 views

Add Custom CSS and JS <= 1.20 - Stored XSS via CSRF

Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in as author and above add Stored XSS payloads via a CSRF attack PoC Make an author or above role open the following HTML:...

5.6AI score0.00212EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/04/18 12:0 a.m.13 views

Wappointment < 2.6.1 - Admin+ SSRF

Description The plugin is vulnerable to Server-Side Request Forgery, allowing authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal servic...

4.4CVSS5.7AI score0.00292EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/18 12:0 a.m.10 views

BA Book Everything < 1.6.5 - Authenticated (Contributor+) SQL Injection

Description The BA Book Everything plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated...

8.8CVSS7.2AI score0.00577EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/18 12:0 a.m.13 views

Customer Reviews for WooCommerce < 5.48.0 - Reflected Cross-Site Scripting via 's'

Description The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 5.47.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers...

6.1CVSS6.3AI score0.00374EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/18 12:0 a.m.16 views

Import Users from CSV < 1.3 - Authenticated (Admin+) PHP Object Injection

Description The Import Users from CSV plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2 via deserialization of untrusted input. This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object...

7.2CVSS7.1AI score0.00384EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/18 12:0 a.m.19 views

Essential Blocks < 4.5.10 - Contributor+ DOM-Based XSS via Social Icons Block

Description The plugin is vulnerable to Stored Cross-Site Scripting via the "Social Icons" block due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary...

5.4CVSS5.8AI score0.0034EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/18 12:0 a.m.16 views

Find Duplicates <= 1.4.6 - Authenticated (Subscriber+) SQL Injection

Description The Find Duplicates plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers,...

8.8CVSS7.2AI score0.00577EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/18 12:0 a.m.15 views

Media Library Folders < 8.2.1 - Reflected Cross-Site Scripting via 's'

Description The Media Library Folders plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 8.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

6.1CVSS6.3AI score0.00385EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/18 12:0 a.m.20 views

ElementsKit Pro < 3.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'ekit_btn_id'

Description The ElementsKit Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Creative Button widget in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS5.8AI score0.00323EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/18 12:0 a.m.16 views

ActiveCampaign < 8.1.15 - Authenticated (Administrator+) Server-Side Request Forgery

Description The ActiveCampaign – Forms, Site Tracking, Live Chat plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 8.1.14 via the api3. This makes it possible for authenticated attackers, with administrator-level access and above, to make web...

9.8CVSS6.5AI score0.00351EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/18 12:0 a.m.15 views

CBX Bookmark & Favorite < 1.7.21 - Admin+ SQLi

Description The plugin is vulnerable to SQL Injection due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL...

7.6CVSS7.5AI score0.00515EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/18 12:0 a.m.13 views

Citadela Listing <= 5.18.1 - Cross-Site Request Forgery

Description The Citadela Listing plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.18.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action vi...

5.4CVSS6.6AI score0.00209EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/18 12:0 a.m.20 views

Poll Maker – Best WordPress Poll Plugin < 5.1.9 - Missing Authorization to Unauthenticated Email Enumeration

Description The Poll Maker – Best WordPress Poll Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ayspollcreateauthor function in all versions up to, and including, 5.1.8. This makes it possible for unauthenticated attackers to...

5.3CVSS6.5AI score0.00584EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/18 12:0 a.m.15 views

User Activity Log Pro <= 2.3.4 - Authenticated (Subscriber+) SQL Injection

Description The User Activity Log Pro plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.3.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated...

8.5CVSS7.2AI score0.00517EPSS
Exploits0References1
Total number of security vulnerabilities14603