Lucene search
K
WpvulndbRecent

14603 matches found

WPVulnDB
WPVulnDB
added 2024/03/12 12:0 a.m.20 views

Tutor LMS – eLearning and online course solution < 2.6.2 - Cross-Site Request Forgery to Plugin Deactivation and Data Erase

Description The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.1. This is due to missing or incorrect nonce validation on the erasetutordata function. This makes it possible for...

4.3CVSS6.6AI score0.0022EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/12 12:0 a.m.24 views

Easy Social Feed < 6.5.5 - Cross-Site Request Forgery

Description The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5.4. This is due to missing or incorrect nonce validation on the savegroupslist function. This makes it possible...

4.3CVSS6.6AI score0.00241EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/12 12:0 a.m.18 views

weForms < 1.6.22 - Unauthenticated Stored Cross-Site Scripting via Referer

Description The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Referer' HTTP header in all versions up to, and including, 1.6.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary...

7.2CVSS6.2AI score0.00591EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/12 12:0 a.m.10 views

Video Conferencing with Zoom < 4.4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The Video Conferencing with Zoom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'zoomrecordingsbymeeting' shortcode in all versions up to, and including, 4.4.4 due to insufficient input sanitization and output escaping on user supplied attributes...

6.4CVSS5.7AI score0.0032EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/12 12:0 a.m.18 views

Bulgarisation for WooCommerce < 3.0.15 - Missing Authorization

Description The Bulgarisation for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several functions in all versions up to, and including, 3.0.14. This makes it possible for unauthenticated and authenticated attackers, with subscriber-level...

7.5CVSS6.6AI score0.01155EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/12 12:0 a.m.11 views

Shariff Wrapper < 4.6.10 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.9 due to insufficient input sanitization and output escaping on user supplied attributes like 'infotext'. This makes it...

6.4CVSS5.5AI score0.00505EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/12 12:0 a.m.23 views

Revolut Gateway for WooCommerce < 4.9.8 - Missing Authorization

Description The Revolut Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the wcrevolutclearrecords and wcrevolutonboardapplepaydomain functions in versions up to, and including, 4.9.7. This makes it possible for...

6.7AI score0.00601EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/12 12:0 a.m.23 views

Easy Social Feed – Social Photos Gallery – Post Feed – Like Box < 6.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'efblikebox' shortcode in all versions up to, and including, 6.5.4 due to insufficient input sanitization and output escaping on user...

6.4CVSS5.6AI score0.00402EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/12 12:0 a.m.12 views

Shariff Wrapper < 4.6.10 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode

Description The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.9 due to insufficient input sanitization and output escaping on user supplied attributes such as 'secondarycolor' and...

6.4CVSS5.9AI score0.00392EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/12 12:0 a.m.8 views

CWW Companion < 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The CWW Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Module2 widget in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.4CVSS5.9AI score0.00313EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/12 12:0 a.m.21 views

Easy Social Feed < 6.5.5 - Cross-Site Request Forgery

Description The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5.4. This is due to missing or incorrect nonce validation on the esfinstasaveaccesstoken and...

5.4CVSS6.3AI score0.00241EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/12 12:0 a.m.22 views

Team Circle Image Slider With Lightbox < 1.0.1 - Image Data Update via CSRF

Description The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the circlethumbnailsliderwithlightboximagemanagementfunc function. This makes it possible for unauthenticated attackers to edit image data which can be used to inject malicious...

5.3CVSS6.5AI score0.00202EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/11 12:0 a.m.19 views

Mollie Forms < 2.6.4 - Missing Authorization

Description The Mollie Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the exportRegistrations function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or higher, t...

4.3CVSS6.5AI score0.00455EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/11 12:0 a.m.15 views

LadiApp <= 4.4 - Cross-Site Request Forgery via ladiflow_save_hook()

Description The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the ladiflowsavehook function in versions up to, and including, 4.4. This makes it possible for unauthenticated attackers to update the 'ladiflowhookconfigs' option via a forge...

4.3CVSS6.4AI score0.0021EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/03/11 12:0 a.m.17 views

LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing… <= 4.4 - Missing Authorization on publish_lp()

Description The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the publishlp function hooked via an AJAX action in versions up to, and including, 4.4. This makes it possible for authenticated attackers with subscriber-level...

5.4CVSS6.2AI score0.00317EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/03/11 12:0 a.m.15 views

Hubbub Lite < 1.33.1 - Unauthenticated Password Protected Posts Access

Description The plugin does not ensure that user have access to password protected post before displaying its content in a meta tag. PoC When the "Disable Open Graph Meta Tags" settings of the plugin is disabled, view the source of a password protected post and note its content being disclosed in...

6.6AI score0.00516EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/11 12:0 a.m.19 views

WooCommerce Product Filter < 1.4.4 - Filter Deletion via CSRF

Description The plugin does not have CSRF check in its bulk action, which could allow attackers to make logged in users delete arbitrary filters via CSRF attack, granted they know the related filter slugs PoC Make a logged in admin open the URL below to make them delete the filter with the slug...

6.6AI score0.00237EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/11 12:0 a.m.12 views

LadiApp <= 4.4 - Cross-Site Request Forgery via save_config()

Description The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the saveconfig function in versions up to, and including, 4.3. This makes it possible for unauthenticated attackers to update the 'ladipageconfig' option via a forged request...

4.3CVSS6.4AI score0.0021EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/03/11 12:0 a.m.14 views

Site Reviews < 6.11.7 - Authenticated(Subscriber+) Stored Cross-Site Scripting via display name

Description The Site Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user display name in all versions up to, and including, 6.11.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber...

6.4CVSS5.7AI score0.00551EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/11 12:0 a.m.15 views

WooCommerce Product Filter < 1.4.4 - Reflected XSS

Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open the URL below the filter with the slug test1 needs to...

5.8AI score0.00402EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/11 12:0 a.m.20 views

LadiApp <= 4.4 - Missing Authorization via save_config()

Description The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveconfig function in versions up to, and including, 4.4. This makes it possible for authenticated attackers with subscriber-level access and above to update t...

4.3CVSS6.4AI score0.00343EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/03/11 12:0 a.m.15 views

LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing… <= 4.4 - Cross-Site Request Forgery via publish_lp()

Description The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the publishlp function hooked via an AJAX action in versions up to, and including, 4.4. This makes it possible for unauthenticated attackers to change the LadiPage key a key...

4.3CVSS5.2AI score0.00208EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/03/11 12:0 a.m.19 views

WooCommerce Product Filter < 1.4.4 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its Filters settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC As and admin, create a...

4.9AI score0.0042EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/11 12:0 a.m.17 views

News Announcement Scroll < 9.1.0 - Authenticated (Contributor+) SQL Injection via Shortcode

Description The News Announcement Scroll plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 9.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

8.8CVSS7.2AI score0.00773EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/11 12:0 a.m.9 views

LadiApp <= 4.4 - Missing Authorization via ladiflow_save_hook()

Description The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ladiflowsavehook function in versions up to, and including, 4.3. This makes it possible for authenticated attackers with subscriber-level access and above to...

4.3CVSS4.6AI score0.0034EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/03/11 12:0 a.m.18 views

Tutor LMS – eLearning and online course solution < 2.6.2 - Authenticated (Subscriber+) SQL Injection

Description The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the questionid parameter in all versions up to, and including, 2.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation o...

8.8CVSS7.3AI score0.03135EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/11 12:0 a.m.20 views

Auto Affiliate Links < 6.4.3.1 - Missing Authorization via aalAddLink

Description The Auto Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the aalAddLink function in all versions up to, and including, 6.4.3. This makes it possible for authenticated attackers, with subscriber access or...

4.3CVSS6.6AI score0.00533EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/11 12:0 a.m.15 views

Newsletter2Go <= 4.0.13 - Authenticated(Subscriber+) Stored Cross-Site Scripting via style

Description The Newsletter2Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ parameter in all versions up to, and including, 4.0.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber...

6.4CVSS5.8AI score0.00304EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/03/11 12:0 a.m.17 views

LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing… <= 4.4 - Cross-Site Request Forgery via init_endpoint

Description The LadiApp plugn for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the initendpoint function hooked via 'init' in versions up to, and including, 4.4. This makes it possible for unauthenticated attackers to modify a variety of settings, via a...

4.3CVSS5.3AI score0.00275EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/03/11 12:0 a.m.16 views

Mollie Forms < 2.6.4 - Missing Authorization to Arbitrary Post Duplication

Description The Mollie Forms plugin for WordPress is vulnerable to unauthorized post or page duplication due to a missing capability check on the duplicateForm function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or highe...

4.3CVSS6.6AI score0.00341EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/11 12:0 a.m.12 views

f(x) Private Site <= 1.2.1 - Sensitive Information Exposure

Description The fx Private Site plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.1 via the API. This makes it possible for unauthenticated attackers to obtain page and post contents of a site protected with this plugin...

5.3CVSS6.5AI score0.00468EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/03/08 12:0 a.m.14 views

LiveChat WooCommerce < 2.2.17 - Cross-Site Request Forgery

Description The WordPress Live Chat Plugin for WooCommerce – LiveChat plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.16. This is due to missing or incorrect nonce validation on several functions in the...

6.6AI score
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/08 12:0 a.m.14 views

EventPrime – Events Calendar, Bookings and Tickets < 3.4.3 - Missing Authorization to Arbitrary Post Overwrite

Description The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the savefrontendeventsubmission function in all versions up to, and including, 3.4.2. This makes it possible for...

6.5CVSS6.7AI score0.0041EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/08 12:0 a.m.18 views

Swift SMTP < 5.0.7 - Cross-Site Request Forgery

Description The Swift SMTP formerly Welcome Email Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0.6. This is due to missing or incorrect nonce validation on the ajaxhandler function. This makes it possible for unauthenticated...

6.6AI score
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/08 12:0 a.m.13 views

OneClick Chat to Order < 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The OneClick Chat to Order plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

5.9AI score
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/08 12:0 a.m.12 views

Download Monitor < 4.9.5 - Authenticated (Admin+) SQL Injection

Description The Download Monitor plugin for WordPress is vulnerable to SQL Injection via the 'limit' parameter in all versions up to 4.9.5 exclusive due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

7.5AI score
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/08 12:0 a.m.25 views

Orbit Fox by ThemeIsle < 2.10.33 - Authenticated (Contributor+) Stored Cross-Site Scripiting via Registration Form Widget

Description The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Registration Form widget in all versions up to, and including, 2.10.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

6.4CVSS5.8AI score0.00423EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/08 12:0 a.m.12 views

Metform Elementor Contact Form Builder < 3.8.4 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode

Description The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.8.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4CVSS5.9AI score0.00501EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/08 12:0 a.m.16 views

HT Easy GA4 – Google Analytics WordPress Plugin < 1.2.0 - Missing Authorization to Unauthenticated GA4 Email Update

Description The HT Easy GA4 – Google Analytics WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the login function in all versions up to, and including, 1.1.5. This makes it possible for unauthenticated attackers to upda...

5.3CVSS6.1AI score0.00611EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/08 12:0 a.m.15 views

EventPrime – Events Calendar, Bookings and Tickets < 3.4.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion

Description The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the calendareventsdelete function in all versions up to, and including, 3.4.3. This makes it possible for authenticated attackers...

6.5CVSS6.6AI score0.00324EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/08 12:0 a.m.22 views

EventPrime – Events Calendar, Bookings and Tickets < 3.4.4 - Unauthenticated Stored Cross-Site Scripting

Description The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'offlinestatus' parameter in all versions up to, and including, 3.4.3 due to insufficient input sanitization and output escaping. This makes it possible for...

6.5CVSS6AI score0.00374EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/08 12:0 a.m.16 views

LiveChat Elementor < 1.0.14 - Cross-Site Request Forgery

Description The WordPress Live Chat Plugin for Elementor – LiveChat plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.13. This is due to missing or incorrect nonce validation via several functions in the...

6.6AI score
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/08 12:0 a.m.13 views

GD Rating System < 3.5.1 - Unauthenticated Stored Cross-Site Scripting via IP

Description The GD Rating System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via IP Address values in all versions up to, and including, 3.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary...

6.2AI score
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/08 12:0 a.m.13 views

EventPrime – Events Calendar, Bookings and Tickets < 3.4.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending

Description The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the epsendattendeesemail function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attacker...

4.3CVSS6.5AI score0.00321EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/08 12:0 a.m.16 views

Football pool < 2.11.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Football Pool plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.11.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

5.9AI score
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/08 12:0 a.m.28 views

Ultimate Member < 2.8.4 - Unauthenticated Stored Cross-Site Scripting

Description The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the several parameters in all versions up to, and including, 2.8.3 due to insufficient input...

7.2CVSS6.2AI score0.26666EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/08 12:0 a.m.11 views

EventPrime – Events Calendar, Bookings and Tickets < 3.4.3 - Unauthenticated Booking Payment Bypass

Description The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 3.4.2. This is due to the plugin allowing unauthenticated users to update the status of order payments. This makes it possible for...

5.3CVSS6.8AI score0.00258EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/08 12:0 a.m.11 views

Blocksy < 2.0.27 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocks in all versions up to, and including, 2.0.26 due to insufficient input sanitization and output escaping on user supplied attributes like 'className' and 'radius'. This makes it possibl...

6.4CVSS5.7AI score0.0032EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/07 12:0 a.m.15 views

Premium Addons PRO < 2.9.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Mouse Cursor Module

Description The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom Mouse Cursor module in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS5.8AI score0.00423EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/07 12:0 a.m.19 views

Premium Addons PRO < 2.9.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Messenger Chat Widget

Description The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premiumfbchatappid' parameter of the Messenger Chat Widget in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. This makes it possible...

6.4CVSS5.8AI score0.00413EPSS
Exploits0References1Affected Software1
Total number of security vulnerabilities14603