Lucene search
K
WpvulndbRecent

14603 matches found

WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.16 views

All In One WP Security < 5.2.7 - Cross-Site Request Forgery to IP Blocking

Description The All-In-One Security AIOS – Security and Firewall plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.6. This is due to missing or incorrect nonce validation on the render404detection function. This makes it possible for...

4.3CVSS6.6AI score0.00212EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.19 views

CRM Perks Forms < 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The CRM Perks Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to...

6.5CVSS5.8AI score0.00336EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.20 views

Wholesale For WooCommerce < 2.3.1 - Unauthenticated Information Exposure

Description The woocommerce-wholesale-pricing plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.3.0. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data...

5.3CVSS6.7AI score0.00446EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.13 views

Themify Event Post < 1.2.8 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description The Themify Event Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

5.9CVSS5.7AI score0.00359EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.23 views

ProfileGrid < 5.7.9 - Authenticated (Subscriber+) SQL Injection

Description The ProfileGrid plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.7.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, wit...

8.8CVSS7.3AI score0.32049EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.35 views

Molongui < 4.7.8 - Authenticated (Author+) Insecure Direct Object Reference

Description The Author Box, Guest Author and Co-Authors for Your Posts – Molongui plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.7.7 due to missing validation on a user controlled key. This makes it possible for authenticated...

2.7CVSS6.7AI score0.00436EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.26 views

Webinar and Video Conference with Jitsi Meet < 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Webinar and Video Conference with Jitsi Meet plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.5CVSS5.8AI score0.0036EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.19 views

Social Icons Widget & Block by WPZOOM < 4.2.16 - Missing Authorization

Description The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the zoomajaxsetpointertransient function in versions up to, and including, 4.2.15. This makes it possible for authenticated attackers, with...

8.8CVSS6.7AI score0.01517EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.14 views

WooCommerce Bookings Calendar <= 1.0.36 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The WooCommerce Bookings Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.36 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access an...

6.5CVSS5.8AI score0.0034EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.15 views

ElementsKit Elementor addons < 3.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget

Description The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown widget in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS5.9AI score0.00346EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.16 views

CMP – Coming Soon & Maintenance < 4.1.11 - Authenticated (Admin+) Server-Side Request Forgery

Description The CMP – Coming Soon & Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.1.10. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests...

5.5CVSS6.5AI score0.0035EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.26 views

Media Library Folders < 8.1.8 - Authenticated (Author+) SQL Injection

Description The Media Library Folders plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 8.1.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated...

8.8CVSS7.3AI score0.00577EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.13 views

LearnPress – WordPress LMS Plugin < 4.0.1 - Cross-Site Request Forgery to Privilege Escalation

Description The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.0.0. This is due to missing or incorrect nonce validation on the filterusers functions. This makes it possible for unauthenticated attackers t...

8.8CVSS6.4AI score0.00273EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.22 views

Tumult Hype Animations < 1.9.12 - Cross-Site Request Forgery to Cross-Site Scripting

Description The Tumult Hype Animations plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.11. This is due to missing or incorrect nonce validation on the hypeanimationsupdatecontainer function. This makes it possible for unauthenticated...

4.3CVSS6AI score0.00186EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.19 views

CRM Perks Forms < 1.1.5 - Unauthenticated SQL Injection

Description The CRM Perks Forms plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attacker...

10CVSS7.5AI score0.02267EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.19 views

Woocommerce Social Media Share Buttons <= 1.3.0 - Cross-Site Request Forgery to Cross-Site Scripting

Description The Woocommerce Social Media Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.0. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to...

7.1CVSS6.5AI score0.00184EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.21 views

The Plus Blocks for Block Editor | Gutenberg < 3.2.6 - Reflected Cross-Site Scripting

Description The The Plus Blocks for Block Editor | Gutenberg plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

7.1CVSS6.3AI score0.00423EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.10 views

Watu Quiz < 3.4.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Watu Quiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'watu-basic-chart' shortcode in all versions up to, and including, 3.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS5.7AI score0.0048EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.13 views

Yoo Slider < 2.2.0 - Reflected Cross-Site Scripting

Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS7AI score0.00395EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.17 views

Gutenberg Blocks by Kadence Blocks < 3.2.18 - Authenticated(Editor+) Stored Cross-Site Scripting via Contact Form Message Settings

Description The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the contact form message settings in all versions up to and including 3.2.17 due to insufficient input sanitization and output escaping. This makes it...

4.8CVSS6AI score0.00686EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.11 views

Spectra – WordPress Gutenberg Blocks < 2.10.4 - Authenticated(Contributor+) Cross-Site Scripting via Custom CSS

Description The Spectra – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom CSS metabox in all versions up to and including 2.10.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS5.9AI score0.00572EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.13 views

Classified Listing – Classified ads & Business Directory Plugin < 3.0.5 - Missing Authorization

Description The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access & modification of data due to a missing capability check on the rtclimportlocation rtclimportcategory functions in all versions up to, and including, 3.0.4. Th...

6.5CVSS6.4AI score0.00552EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.20 views

Nelio Content < 3.2.1 - Authenticated (Contributor+) Server-Side Request Forgery

Description The Nelio Content – Best Editorial Calendar & Social Media Scheduling plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.2.0. This makes it possible for authenticated attackers, with contributor-level access and above, to make web...

4.9CVSS6.7AI score0.0027EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.11 views

PageLayer < 1.8.2 - Missing Authorization

Description The PageLayer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the pagelayertrashpost function in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers, with contributor-level access and above, to...

8.8CVSS6.3AI score0.00417EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.20 views

WP Advanced Search <= 1.1.6 - Admin+ SQL Injection

Description The plugin does not properly escape parameters appended to an SQL query, making it possible for users with the administrator role to conduct SQL Injection attacks in the context of a multisite WordPress configurations. PoC 1. Log in as an administrator 2. Visit...

7.6AI score0.00422EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.12 views

Sticky Anything <= 2.1.5 - Unauthenticated Stored Cross-Site Scripting

Description The Sticky Anything plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...

7.1CVSS6AI score0.00334EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.14 views

ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) < 2.8.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via WL Universal Product Layout

Description The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution formerly WooLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the slitems parameter in the WL Special Day Offer Widget in all versions up to, and including, 2.8....

6.4CVSS5.9AI score0.00451EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.23 views

WP-CRM System < 3.2.9.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description The WordPress CRM Plugin – WP-CRM System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wit...

5.9CVSS5.7AI score0.00359EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.25 views

WP Responsive Tabs horizontal vertical and accordion Tabs < 1.1.18 - Authenticated (Contributor+) SQL Injection

Description The WP Responsive Tabs horizontal vertical and accordion Tabs plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.1.17 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This mak...

8.8CVSS7.3AI score0.00577EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.18 views

Element Pack Elementor Addons < 5.5.4 - Authenticated (Contributor+) SQL Injection

Description The Element Pack Elementor Addons plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.5.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

8.8CVSS7.2AI score0.00577EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.23 views

Finale Lite < 2.18.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation

Description The Finale Lite – Sales Countdown Timer & Discount for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in all versions up to, and including, 2.18.0. This makes it possible for authenticated attackers, with...

8.8CVSS6.5AI score0.01038EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.11 views

Gutenberg Blocks by Kadence Blocks – Page Builder Features < 3.2.32 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown and CountUp Widget

Description The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown and CountUp Widget in all versions up to, and including, 3.2.31 due to insufficient input sanitization and output escaping on user supplie...

6.4CVSS5.9AI score0.00343EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.11 views

Classified Listing < 3.0.5 - Cross-Site Request Forgery to Account Takeover via rtcl_update_user_account

Description The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing or incorrect nonce validation on the 'rtclupdateuseraccount' function. This makes it...

8.8CVSS6.6AI score0.00456EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.20 views

Falang multilanguage < 1.3.48 - Authenticated (Administrator+) SQL Injection

Description The Falang multilanguage plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.3.47 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated...

7.6CVSS7.3AI score0.00574EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.15 views

WordPress Page Builder – Zion Builder < 3.6.10 - Authenticated (Editor+) Stored Cross-Site Scripting

Description The WordPress Page Builder – Zion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 3.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

5.9CVSS5.8AI score0.00359EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.17 views

Zotpress < 7.3.8 - Authenticated (Contributor+) SQL Injection

Description The Zotpress plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 7.3.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with...

8.8CVSS7.3AI score0.00594EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.24 views

WordPress Announcement & Notification Banner Plugin – Bulletin < 3.9.0 - Authenticated (Administrator+) SQL Injection

Description The WordPress Announcement & Notification Banner Plugin – Bulletin plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.8.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...

7.6CVSS7.2AI score0.00574EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.19 views

WP Cost Estimation & Payment Forms Builder < 10.1.76 - Authenticated (Contributor+) SQL Injection

Description The WP Cost Estimation & Payment Forms Builder plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 10.1.75 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible...

8.5CVSS7.5AI score0.00488EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.22 views

Essential Blocks for Gutenberg < 4.4.10 - Missing Authorization

Description The Essential Blocks for Gutenberg plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in versions up to, and including, 4.4.9. This makes it possible for authenticated attackers, with contributor-level access and above, to perform unauthorized...

8.8CVSS6.7AI score0.00409EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.18 views

WooCommerce Multilingual & Multicurrency < 5.3.5 - Missing Authorization

Description The WooCommerce Multilingual & Multicurrency plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in versions up to, and including, 5.3.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an...

8.8CVSS6.7AI score0.00351EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.17 views

Tax Rate Upload <= 2.4.5 - Reflected Cross-Site Scripting

Description The Tax Rate Upload plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in page...

7.1CVSS6.5AI score0.00184EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.14 views

underConstruction < 1.22 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description The underConstruction plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.21 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-leve...

5.9CVSS5.7AI score0.00339EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.17 views

Weekly Class Schedule <= 3.19 - Reflected Cross-Site Scripting

Description The Weekly Class Schedule plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.19 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pag...

7.1CVSS6.3AI score0.00354EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.15 views

Builderall Builder for WordPress < 2.0.2 - Unauthenticated Server-Side Request Forgery

Description The Builderall Builder for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.0.1. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application whi...

4.9CVSS6.6AI score0.00254EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.23 views

LearnPress < 4.2.6.4 - Authenticated(LP Instructor+) Stored Cross-Site Scripting

Description The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Course, Lesson, and Quiz title and content in all versions up to, and including, 4.2.6.3 due to insufficient input sanitization and output escaping. This makes it possible f...

4.8CVSS5.7AI score0.00426EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.21 views

ProfileGrid < 5.7.9 - Unauthenticated SQL Injection

Description The ProfileGrid plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.7.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to...

9.8CVSS7.5AI score0.02267EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.18 views

AGCA – Custom Dashboard & Login Page < 7.2.2 - Admin+ Stored XSS via Image URL

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Navigate AGCA, and select the...

4.9AI score0.00548EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.25 views

Filter Custom Fields & Taxonomies Light <= 1.05 - Authenticated (Contributor+) PHP Object Injection

Description The Filter Custom Fields & Taxonomies Light plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.05 via deserialization of untrusted input. This makes it possible for authenticated attackers, with contributor-level access and above, to...

7.4AI score0.00552EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.21 views

WP Travel Engine < 5.8.0 - Unauthenticated SQL Injection

Description The WP Travel Engine plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attacke...

9.8CVSS7.8AI score0.02267EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/04/04 12:0 a.m.13 views

Jeg Elementor Kit < 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonial

Description The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Testimonial Widget Attributes in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wit...

6.4CVSS5.8AI score0.00323EPSS
Exploits0References1Affected Software1
Total number of security vulnerabilities14603