Lucene search
K
WpvulndbRecent

14603 matches found

WPVulnDB
WPVulnDB
added 2024/03/25 12:0 a.m.18 views

NPS computy < 2.7.6 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to "Settings NPS Monitoring"...

7.7AI score0.0051EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/25 12:0 a.m.12 views

Media Library Assistant < 3.14 - Authenticated (Contributor+) SQL Injection via Shortcode

Description The Media Library Assistant plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcodes in all versions up to, and including, 3.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes i...

7.7CVSS7.2AI score0.00486EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/25 12:0 a.m.14 views

Smart Forms < 2.6.94 - Subscriber+ Edit Entries via Broken Access Control

Description The plugin does not have proper authorization in some actions, which could allow users with a role as low as a subscriber to call them and perform unauthorized actions PoC While logged as a subscriber, paste the following in your browser's console: fetch'/wp-admin/admin-ajax.php',...

6.4AI score0.00534EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/25 12:0 a.m.12 views

Advance Search <= 1.1.6 - Shortcode Deletion via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks PoC Make a logged in admin open the following HTML replace FORMID with a valid ID: The security field isn't validated and the shortcode is...

6.4AI score0.00335EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/03/25 12:0 a.m.13 views

Ultimate Noindex Nofollow Tool II < 1.3.6 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to "Settings Ultimate...

5.4AI score0.00266EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/25 12:0 a.m.13 views

Top Bar < 3.0.5 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to "Top Bar" in WP Admin 2...

4.9AI score0.00441EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/25 12:0 a.m.23 views

BetterDocs – Best Documentation, FAQ & Knowledge Base Plugin with AI Support & Instant Answer For Elementor & Gutenberg < 3.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The BetterDocs – Best Documentation, FAQ & Knowledge Base Plugin with AI Support & Instant Answer For Elementor & Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.4.2 due to insufficient inp...

6.4CVSS5.6AI score0.00353EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/25 12:0 a.m.13 views

Smart Forms < 2.6.94 - Edit Entries via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks, such as editing entries, and we consider it a medium risk. PoC CSRF PoC...

6.5AI score0.00226EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/25 12:0 a.m.29 views

WooCommerce < 8.6 - Contributor+ Private/Draft Products Access

Description The plugin does not prevent users with at least the contributor role from leaking products they shouldn't have access to. e.g. private, draft and trashed products PoC 1. ADMIN: Install WooCommerce 2. ADMIN: Add products of various visibility and statuses including Publish, Draft,...

6.2AI score0.0068EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/25 12:0 a.m.18 views

Meta Box < 5.9.4 - Contributor+ Arbitrary Posts' Custom Field Disclosure

Description The plugin does not prevent users with at least the contributor role from access arbitrary custom fields assigned to other user's posts. PoC 1. ADMIN: Install Meta Box 2. ADMIN: Add Meta Box fields through code or the premium add-on...

6.8AI score0.00501EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/23 12:0 a.m.15 views

Shortcodes Ultimate < 7.0.5 - Contributor+ Stored XSS

Description The plugin does not properly escape some of its shortcodes attributes before they are echoed back to users, making it possible for users with the contributor role to conduct Stored XSS attacks. PoC sunote notecolor='123"onmouseover="alert/XSS/"' textcolor='1' radius='1' class='1'...

5.6AI score0.00403EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.16 views

Video Conferencing with Zoom < 4.4.6 - Sensitive Information Exposure

Description The Video Conferencing with Zoom plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.5 via the getassignhostid AJAX action. This makes it possible for authenticated attackers, with subscriber access or higher, to enumerate...

4.3CVSS6.2AI score0.00462EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.19 views

Blocksy Companion < 2.0.32 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...

6.5CVSS6AI score0.00346EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.12 views

BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages < 3.4.21 - Authenticated (Subscriber+) PHP Object Injection in get_simple_request

Description The "BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages" plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.20 via deserialization of untrusted input in the getsimplerequest function. This makes it possible...

8.8CVSS7.1AI score0.00821EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.20 views

Tourfic < 2.11.19 - Authenticated (Subscriber+) PHP Object Injection

Description The Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.11.17 via deserialization of untrusted input . This makes it possible for...

8.8CVSS7.3AI score0.00632EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.21 views

Better Search < 3.3.1 - Unauthenticated Stored Cross-Site Scripting

Description The Better Search – Relevant search results for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in all versions up to, and including, 3.3.0 due to insufficient input sanitization and output escaping. This makes it possible for...

7.1CVSS6.1AI score0.00354EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.18 views

EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor < 3.9.13 - Authenticated (Contributor+) Stored Cross-site Scripting via 'embedpress_doc_custom_color'

Description The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the EmbedPress document widget in all versions up to, and including, 3.9.12 d...

5.4CVSS5.8AI score0.00343EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.17 views

Olive One Click Demo Import < 1.1.2 - Missing Authorization

Description The Olive One Click Demo Import plugin for WordPress is vulnerable to unauthorized modification of data due to a insufficient capability checking on several rest routes in versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to perform unauthorize...

9.8CVSS6.8AI score0.00584EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.15 views

Passwordless Login < 1.1.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Description The Passwordless Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to...

6.5CVSS5.8AI score0.00331EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.15 views

PDF Embedder < 4.7.1 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...

6.5CVSS6.1AI score0.00294EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.25 views

Restrict User Access – Membership Plugin with Force < 2.6 - Reflected Cross-Site Scripting

Description The Restrict User Access – Membership Plugin with Force plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

7.1CVSS6.5AI score0.00622EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.17 views

Tourfic < 2.11.8 - Reflected Cross-Site Scripting

Description The Tourfic plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.11.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...

7.1CVSS6.5AI score0.00622EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.9 views

Lightweight Accordion < 1.5.17 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode

Description The Lightweight Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.5.16 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS5.5AI score0.00429EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.13 views

Custom WooCommerce Checkout Fields Editor < 1.3.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Description The Custom WooCommerce Checkout Fields Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the savewcfeoptions function in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS5.8AI score0.0043EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.13 views

Move Addons for Elementor < 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Move Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's infobox and button widget in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4CVSS5.7AI score0.00343EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.14 views

Tourfic < 2.11.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Tourfic plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.11.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...

6.5CVSS5.9AI score0.00343EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.19 views

Page Builder: Pagelayer – Drag and Drop website builder < 1.8.5 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...

6.4CVSS5.8AI score0.00429EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.23 views

MJM Clinic < 1.1.23 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description The MJM Clinic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

5.9CVSS5.7AI score0.00339EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.24 views

Tourfic < 2.11.16 - Authenticated (Subscriber+) Arbitrary File Upload

Description The Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.11.15. This makes it possible for...

9.9CVSS7.9AI score0.00669EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.15 views

Gutenberg Blocks by Kadence Blocks – Page Builder Features < 3.2.26 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...

6.4CVSS5.8AI score0.00531EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.22 views

Automation By Autonami < 2.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Automation By Autonami plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above,...

6.5CVSS5.8AI score0.0032EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.16 views

Rank Math SEO with AI SEO Tools < 1.0.215 - Contributor+ Stored XSS

Description The Rank Math SEO with AI SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HowTo block attributes in all versions up to, and including, 1.0.214 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4CVSS5.7AI score0.0034EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.17 views

Page Builder by SiteOrigin < 2.29.7 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...

6.4CVSS5.9AI score0.0043EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.24 views

WP Media folder < 5.7.3 - Authenticated (Subscriber+) Arbitrary File Upload

Description The WP Media folder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation function in all versions up to, and including, 5.7.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary...

6.5CVSS7.7AI score0.00643EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.19 views

WP Coder < 3.5.1 - Authenticated (Editor+) Stored Cross-Site Scripting

Description The WP Coder – Powerful HTML, CSS, JS and PHP Injection plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

5.9CVSS6.1AI score0.00316EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.16 views

EmbedPress < 3.9.13 - Authenticated(Contributor+) Stored Cross-Site Scripting via Widget Attribute

Description The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the EmbedPress widget 'embedpressprotwitchtheme ' attribute in all versions u...

6.4CVSS5.7AI score0.00343EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.25 views

MyCurator Content Curation < 3.77 - Reflected Cross-Site Scripting

Description The MyCurator Content Curation plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'topic' parameter in all versions up to, and including, 3.76 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...

7.1CVSS6.3AI score0.00354EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.14 views

Page Builder Gutenberg Blocks – CoBlocks < 3.1.7 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...

6.4CVSS5.9AI score0.00323EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.12 views

SEOPress – On-site SEO < 7.6 - Author+ Stored Cross-Site Scripting

Description The SEOPress – On-site SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image alt parameter due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author access or higher, to inject arbitrary we...

6.4CVSS5.6AI score0.00423EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.16 views

Tracking Code Manager < 2.1.0 -Admin+ Stored Cross-Site Scripting

Description The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS6AI score0.00319EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.23 views

Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder < 1.15.23 - Sensitive Information Exposure

Description The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.15.22 via the signature functionality. This makes it possible for unauthenticated attackers to extrac...

7.5CVSS6.4AI score0.00699EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.15 views

WooCommerce Clover Payment Gateway < 1.3.2 - Missing Authorization via callback_handler

Description The WooCommerce Clover Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the callbackhandler function in all versions up to, and including, 1.3.1. This makes it possible for unauthenticated attackers to mark...

5.3CVSS6.4AI score0.00641EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/22 12:0 a.m.19 views

Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing < 3.6.4 - Plugin Settings Update via CSRF

Description The Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin is vulnerable to Cross-Site Request Forgery. This is due to missing or incorrect nonce validation when saving plugin settings. This makes it possible for unauthenticated attackers to change the plugin'...

4.3CVSS6.5AI score0.0021EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/21 12:0 a.m.19 views

Memberpress < 1.11.27 - Reflected Cross-Site Scripting via message and error

Description The Memberpress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘message’ and 'error' parameters in all versions up to, and including, 1.11.26 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers ...

6.1CVSS6.2AI score0.00499EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/21 12:0 a.m.13 views

LiquidPoll – Polls, Surveys, NPS and Feedback Reviews < 3.3.77 - Information Exposure

Description The LiquidPoll – Polls, Surveys, NPS and Feedback Reviews plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.76 via the pollerlist shortcode. This makes it possible for authenticated attackers, with contributor-level access a...

4.3CVSS6.3AI score0.00398EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/21 12:0 a.m.31 views

Advanced Access Manager < 6.9.21 - Admin+ Stored Cross-Site Scripting

Description The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS6AI score0.00375EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/21 12:0 a.m.13 views

Getwid – Gutenberg Blocks < 2.0.6 - Authenticated(Contributor+) Stored Cross-Site Scripting via Block Content

Description The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the block content in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS5.7AI score0.00399EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/21 12:0 a.m.15 views

AI Post Generator < 3.4 - Subscriber+ Posts Read/Creation/Deletion

Description The plugin is vulnerable to unauthorized access, modification or deletion of posts due to a missing capability check on functions hooked by AJAX actions. This makes it possible for authenticated attackers, with subscriber access or higher, to view all posts generated with this plugin...

6.3CVSS9.2AI score0.0052EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/21 12:0 a.m.24 views

Download Manager < 3.2.85 - Contributor+ Stored XSS

Description The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that...

6.5CVSS6AI score0.00337EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/21 12:0 a.m.13 views

Network Summary <= 2.0.11 - Unauthenticated SQL Injection

Description The Network Summary plugin for WordPress is vulnerable to SQL Injection via the 'category' parameter in all versions up to, and including, 2.0.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

9.8CVSS7.4AI score0.00692EPSS
Exploits0References1
Total number of security vulnerabilities14603