Lucene search
K
WpvulndbRecent

14603 matches found

WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.14 views

Customer Reviews for WooCommerce < 5.47.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending

Description The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the sendtestemail function in all versions up to, and including, 5.46.0. This makes it possible for authenticated attackers, with subscriber-level...

4.3CVSS6.6AI score0.00431EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.15 views

Login With Ajax < 4.2 - Cross-Site Request Forgery to Notice Dismissal

Description The Login With Ajax plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.1. This is due to missing or incorrect nonce validation on the dismissadminnotice function. This makes it possible for unauthenticated attackers to dismiss notices...

4.3CVSS6.4AI score0.002EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.16 views

NextMove Lite < 2.18.2 - Cross-Site Request Forgery

Description The NextMove Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.18.1. This is due to missing or incorrect nonce validation on the xladdoninstallation function. This makes it possible for unauthenticated attackers to install addons...

4.3CVSS6.6AI score0.00676EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.18 views

ProfileGrid – User Profiles, Memberships, Groups and Communities < 5.8.4 - Missing Authorization

Description The ProfileGrid – User Profiles, Memberships, Groups and Communities plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the pmuploadcoverimage function in all versions up to, and including, 5.8.3. This makes it possible for...

4.3CVSS6.4AI score0.00454EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.15 views

Shortcodes and extra features for Phlox theme <= 2.15.5 - Contributor+ Stored XSS via aux_timeline Shortcode

Description The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's auxtimeline shortcode due to insufficient input sanitization and output escaping on user supplied attributes such as thumbmode and datetype. This makes it possible for authenticated attackers with contributor-lev...

6.4CVSS5.8AI score0.00404EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.16 views

EleForms – All In One Form Integration including DB for Elementor < 2.9.9.8 - Unauthenticated Stored Cross-Site Scripting

Description The EleForms – All In One Form Integration including DB for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 2.9.9.7 due to insufficient input sanitization and output escaping. This makes it possib...

7.2CVSS5.9AI score0.00374EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.12 views

USPS Shipping for WooCommerce – Live Rates < 1.9.3 - Cross-Site Request Forgery

Description The USPS Shipping for WooCommerce – Live Rates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.2. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attacker...

4.3CVSS6.6AI score0.00188EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.10 views

FileBird < 5.6.4 - Author+ Stored XSS

Description The plugin is vulnerable to Stored Cross-Site Scripting via the folder name parameter due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author access or higher, to inject arbitrary web scripts in pages that will execut...

6.4CVSS5.7AI score0.00343EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.19 views

BEAR <= 1.1.4.1 & WOLF <= 1.0.8.1 - Cross-Site Request Forgery to Notice Dismissal

Description Multiple plugins and/or themes for WordPress are vulnerable to Cross-Site Request Forgery in various versions. This is due to missing or incorrect nonce validation on the admininit hook. This makes it possible for unauthenticated attackers to dismiss notices via a forged request grant...

8.8CVSS6.6AI score0.00224EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.21 views

WP Login and Logout Redirect < 2.0 - Authenticated (Admin+) Stored Cross-Site Scripting

Description The WP Login and Logout Redirect plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

5.9CVSS5.7AI score0.00319EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.19 views

Shortcodes and extra features for Phlox theme <= 2.15.5 - Contributor+ Stored XSS via title_tag

Description The plugin is vulnerable to Stored Cross-Site Scripting via the ‘titletag’ due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level and above permissions to inject arbitrary web scripts in pages that will...

6.4CVSS5.7AI score0.00414EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.15 views

Calendarista Basic Edition < 3.0.3 - Cross-Site Request Forgery

Description The Calendarista Basic Edition plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.2. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to perform...

4.3CVSS6.5AI score0.00232EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.12 views

Restrict Content < 3.2.9 - Missing Authorization

Description The Restrict Content plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the updateoptingetstatus function in versions up to, and including, 3.2.8. This makes it possible for unauthenticated attackers to update opt in status...

5.3CVSS6.8AI score0.00359EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.13 views

Popup by Supsystic < 1.10.28 - Missing Authorization

Description The Popup by Supsystic plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.10.27. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an...

4.3CVSS6.5AI score0.00365EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.16 views

Save as Image < 3.2.2 - Authenticated (Admin+) Stored Cross-Site Scripting

Description The Save as Image Plugin by Pdfcrowd plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

5.9CVSS5.7AI score0.00319EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.15 views

Dashboard To-Do List < 1.3.2 - Cross-Site Request Forgery via ardtdw_widgetupdate()

Description The Dashboard To-Do List plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the ardtdwwidgetupdatefunction. This makes it possible for unauthenticated attackers to update...

4.3CVSS4.3AI score0.00203EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.20 views

BA Book Everything < 1.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The BA Book Everything plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'all-items' shortcode in all versions up to, and including, 1.6.8 due to insufficient input sanitization and output escaping on user supplied attributes such as 'classes'. This...

6.4CVSS5.8AI score0.0032EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.13 views

Search Keyword Redirect <= 1.0 - Authenticated (Admin+) Stored Cross-Site Scripting

Description The Search Keyword Redirect plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

5.9CVSS5.9AI score0.00319EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/16 12:0 a.m.19 views

Top Bar < 3.0.4 - Authenticated (Admin+) Stored Cross-Site Scripting

Description The Top Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

5.9CVSS5.7AI score0.00355EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/15 12:0 a.m.44 views

Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin < 5.7.15 - Unauthenticated SQL Injection

Description The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'run' function of the 'IGESSubscribersQuery' class in all versions up to, and including, 5.7.14 due to insufficie...

9.8CVSS7.1AI score0.80596EPSS
Exploits4References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/15 12:0 a.m.15 views

MF Gig Calendar <= 1.2.1 - Editor+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to "MF Gig Calendar...

5.4AI score0.00425EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/04/15 12:0 a.m.17 views

Exclusive Addons for Elementor < 2.6.9.3 - Authenticated(Contributor+) Stored Cross-Site Scripting via Post Grid

Description The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Grid Widget in all versions up to, and including, 2.6.9.2 due to insufficient input sanitization and output escaping on user supplied tags. This makes it possible for...

6.4CVSS5.7AI score0.00434EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/15 12:0 a.m.18 views

Real Media Library < 4.11.12 - Authenticated (Author+) Stored Cross-Site Scripting

Description The Real Media Library: Media Library Folder & File Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image title and alt text in all versions up to, and including, 4.22.11 due to insufficient input sanitization and output escaping. This makes it possib...

6.4CVSS5.7AI score0.00404EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/15 12:0 a.m.17 views

Country State City Dropdown CF7 < 2.7.2 - Missing Authorization

Description The Country State City Dropdown CF7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tccscapatchsettings function in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with...

4.3CVSS6.4AI score0.00445EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/15 12:0 a.m.12 views

Tainacan Interface < 2.7.2 - Reflected Cross-Site Scripting

Description The archive-tainacan-collection theme for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of addqueryarg without appropriate escaping on the URL in version 2.7.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages tha...

6.1CVSS6.4AI score0.00818EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/15 12:0 a.m.16 views

User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin < 3.2.0 - Missing Authorization to Unauthenticated Media Deletion

Description The User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the profilepicremove function in versions up to, and including, 3.1.5. This makes it...

6.5CVSS6.5AI score0.0091EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/15 12:0 a.m.18 views

Crelly Slider <= 1.4.5 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to "Crelly Slider" 2. Add a...

5.4AI score0.00425EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/04/15 12:0 a.m.10 views

LiveJournal Shortcode <= 1.1.1 - Contributor+ Stored XSS via Shortcode

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC Add this shortcode to a page...

5.7AI score
Exploits1
WPVulnDB
WPVulnDB
added 2024/04/15 12:0 a.m.13 views

Fancy Product Designer < 6.1.81 - Admin+ Cross Site Scripting

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to:...

5.4AI score0.00584EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/15 12:0 a.m.12 views

Delete Custom Fields <= 0.3.1 - Cross-Site Request Forgery to Post Meta Deletion

Description The Delete Custom Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3.1. This is due to missing or incorrect nonce validation on the ajaxdeletefield function. This makes it possible for unauthenticated attackers to delete...

6.1CVSS6.4AI score0.00183EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/15 12:0 a.m.14 views

Enhanced Media Library < 2.8.10 - Authenticated (Author+) Stored Cross-Site Scripting

Description The Enhanced Media Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via media upload functionality in all versions up to, and including, 2.8.9 due to the plugin allowing 'dfxp' files to be uploaded. This makes it possible for authenticated attackers, with...

5.4CVSS5.8AI score0.00388EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/15 12:0 a.m.13 views

2Checkout Payment Gateway for WooCommerce <= 6.2 - Missing Authorization via sniff_ins

Description The 2Checkout Payment Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the sniffins function in all versions up to, and including, 6.2. This makes it possible for unauthenticated attackers to make...

5.3CVSS6.6AI score0.00397EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/15 12:0 a.m.15 views

MF Gig Calendar <= 1.2.1 - Arbitrary Event Deletion via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in Contributors and above delete arbitrary events via a CSRF attack PoC Make a contributor or higher user open a link where is a valid event:...

6.6AI score0.00317EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/04/12 12:0 a.m.21 views

Advanced Order Export For WooCommerce < 3.4.5 - Shop Manager+ Remote Code Execution

Description The plugin is vulnerable to Remote Code Execution in all versions up to, and including, 3.4.4. This makes it possible for authenticated attackers, with shop manager-level access and above, to execute code on the server...

9.1CVSS7.9AI score0.00691EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/12 12:0 a.m.41 views

Post Views Counter < 1.4.5 - Cross-Site Request Forgery via save_bulk_post_views()

Description The plugin is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.4. This is due to missing or incorrect nonce validation on the savebulkpostviews function. This makes it possible for unauthenticated attackers to save bulk post views via a forged request...

4.3CVSS6.7AI score0.002EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/12 12:0 a.m.14 views

EventPrime < 3.3.5 - Unauthenticated Booking Price Manipulation

Description The plugin is vulnerable to booking price manipulations due to insufficient validation and control of booking prices in versions up to, and including, 3.3.4. This makes it possible for unauthenticated attackers to make bookings with lower prices...

9.8CVSS7.1AI score0.00472EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/12 12:0 a.m.16 views

WPC Smart Quick View for WooCommerce < 4.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description The WPC Smart Quick View for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wit...

4.4CVSS5.7AI score0.0033EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/12 12:0 a.m.20 views

WPZOOM Social Feed Widget & Block < 2.1.14 - Missing Authorization to Authenticated (Subscriber+) Instagram Image Deletion

Description The WPZOOM Social Feed Widget & Block plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpzoominstagramcleardata function in all versions up to, and including, 2.1.13. This makes it possible for authenticated attackers, with...

4.3CVSS6.5AI score0.00465EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/12 12:0 a.m.18 views

Element Pack Elementor Addons < 5.6.0 - Sensitive Information Exposure via element_pack_ajax_search

Description The Element Pack Elementor Addons Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.5.6 via the elementpackajaxsearch function. This makes it possible for...

7.5CVSS7AI score0.00492EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/12 12:0 a.m.19 views

Gutenverse < 1.9.1 - Contributor+ Stored XSS

Description The plugin does not validate the htmlTag option in various of its block before outputting it back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC As a contributor, put the below cod...

6AI score0.00442EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/12 12:0 a.m.32 views

InstaWP Connect – 1-click WP Staging & Migration < 0.1.0.23 - Unauthenticated Arbitrary File Upload

Description The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and including, 0.1.0.22. This makes it possible for...

9.8CVSS6.7AI score0.05747EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/12 12:0 a.m.13 views

s2Member < 240325 - Limited Privilege Escalation

Description The plugin is vulnerable to limited privilege escalation in versions up to, and including, 240315. This is due to insufficient controls during user registration. This makes it possible for unauthenticated attackers to register with higher than the default permissions...

7.5CVSS9.5AI score0.00417EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/12 12:0 a.m.17 views

Captcha by BestWebSoft < 5.2.1 - Captcha Bypass

Description The plugin is vulnerable to CAPTCHA Bypass in versions up to, and including, 5.2.0. This makes it possible for unauthenticated attackers to bypass the Captcha Verification...

5.3CVSS7.1AI score0.00377EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/12 12:0 a.m.17 views

Demo My WordPress < 1.1.0 - Unauthenticated Privilege Escalation

Description The Demo My WordPress plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.9.1. This is due to insufficient verification on privilege assignment. This makes it possible for unauthenticated attackers to gain elevated access to a vulnerabl...

9.8CVSS7.5AI score0.00501EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/12 12:0 a.m.19 views

Responsive Lightbox < 2.4.7 - Information Disclosure

Description The plugin is vulnerable to unauthorized access due to a missing capability check on the galleryattributes function in versions up to, and including, 2.4.6. This makes it possible for authenticated attackers, with contributor-level access and above, to view post content they shouldn't...

8.8CVSS6.7AI score0.00356EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/12 12:0 a.m.65 views

WooCommerce < 8.6.0 - Cross-Site Request Forgery

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

4.3CVSS7.1AI score0.00231EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/12 12:0 a.m.16 views

Essential Blocks for Gutenberg < 4.5.4 - Contributor+ Stored Cross-Site Scripting

Description The plugin is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in...

6.5CVSS5.9AI score0.00385EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/12 12:0 a.m.11 views

Responsive Contact Form Builder & Lead Generation Plugin <= 1.8.9 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC To replicate this vulnerability,...

4.9AI score0.00472EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/04/12 12:0 a.m.20 views

eRoom – Zoom Meetings & Webinar < 1.4.19 - Missing Authorization to Information Exposure

Description The eRoom – Zoom Meetings & Webinars plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.18 via the searchposts function. This makes it possible for authenticated attackers, with subscriber access and higher, to obtain post...

4.3CVSS6.2AI score0.00534EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/12 12:0 a.m.16 views

Premium Addons for Elementor < 4.10.23 - Authenticated (Contributor+) Sensitive Information Exposure

Description The Premium Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.22. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive user or configuration...

6.5CVSS6.7AI score0.00498EPSS
Exploits0References1Affected Software1
Total number of security vulnerabilities14603