Lucene search
K
WpvulndbRecent

14602 matches found

WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.10 views

Slideshow Gallery LITE < 1.8.2 - Authenticated (Contributor+) SQL Injection

Description The Slideshow Gallery LITE plugin for WordPress is vulnerable to time-based SQL Injection via the id parameter in all versions up to, and including, 1.8.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This mak...

8.1CVSS7.2AI score0.00486EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.18 views

PowerPack Pro for Elementor < 2.10.18 - Authenticated (Contributor+) Privilege Escalation

Description The PowerPack Pro for Elementor plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.10.17. This is due to the plugin not restricting low privileged users from setting a default role for a registration form. This makes it possible for...

8.8CVSS6.7AI score0.00431EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.11 views

Event Tickets with Ticket Scanner < 2.3.2 - Reflected Cross-Site Scripting

Description The Event Tickets with Ticket Scanner plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary w...

7.1CVSS6.3AI score0.00288EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.8 views

WordPress Header Builder Plugin – Pearl < 1.3.8 - Missing Authorization to Unauthenticated Arbitrary Site Options Deletion

Description The WordPress Header Builder Plugin – Pearl plugin for WordPress is vulnerable to unauthorized site option deletion due to a missing validation and capability checks on the stmhbdelete function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated...

6.5CVSS6.7AI score0.00373EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.12 views

Events Manager – Calendar, Bookings, Tickets, and more! < 6.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via event, location, and event_category Shortcodes

Description The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'event', 'location', and 'eventcategory' shortcodes in all versions up to, and including, 6.4.7.3 due to insufficient input sanitization and...

6.4CVSS5.8AI score0.00291EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.13 views

Custom Field Suite <= 2.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via cfs[post_content]

Description The Custom Field Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the 'cfspostcontent' parameter versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS5.8AI score0.00336EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.13 views

Themesflat Addons For Elementor <= 2.1.1 - Contributor+ Stored XSS via Widget Titles

Description The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's widget's titles due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...

6.4CVSS5.8AI score0.00345EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.16 views

SiteOrigin Widgets Bundle < 1.62.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via SiteOrigin Blog Widget

Description The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's SiteOrigin Blog Widget in all versions up to, and including, 1.61.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4CVSS5.8AI score0.00298EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.10 views

Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content <= 0.6.8 - Authenticated (Admin+) Stored Cross-Site Scripting

Description The Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.6.8 due to insufficient input sanitization and output escaping...

5.9CVSS5.7AI score0.00279EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.10 views

Gutenberg 12.9.0 - 18.0.0 - Unauthenticated & Authenticated (Contributor+) Stored Cross-Site Scripting via Avatar Block

Description The Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in versions 12.9.0 to 18.0.0 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level...

6AI score
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.16 views

WP Flow Plus < 5.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The WP Flow Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 5.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.5CVSS5.8AI score0.00254EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.11 views

CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More < 4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

Description The CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Shop Slider, Tabs Classic, and Image Comparison widgets in all versions up to, and including, 4.4.1 du...

6.4CVSS5.8AI score0.00355EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.19 views

Save as PDF Plugin by Pdfcrowd < 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Save as PDF Plugin by Pdfcrowd plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...

6.5CVSS5.7AI score0.00295EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.15 views

Rank Math SEO < 1.0.219 - Authenticated Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow users with access to the General Settings by default admin, however such access can be given to lower roles via the Role Manager feature of the plugin to perform Stored Cross-Site Scripting attacks even wh...

5.6AI score0.00391EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.16 views

WPS Hide Login < 1.9.16 - Login Page Disclosure

Description The WPS Hide Login plugin for WordPress is vulnerable to Login Page Disclosure in all versions up to, and including, 1.9.15.2. This is due to a bypass that is created when the 'action=postpass' parameter is supplied. This makes it possible for attackers to easily discover any login pa...

5.3CVSS6.8AI score0.01235EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.27 views

Photo Gallery by 10Web – Mobile-Friendly Image Gallery < 1.8.24 - Authenticated (Contributor+) Path Traversal via esc_dir Function

Description The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.8.23 via the escdir function. This makes it possible for authenticated attackers to cut and paste copy the contents of arbitrary file...

8.8CVSS6.6AI score0.00727EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.11 views

WP-Recall <= 16.26.6 - Cross-Site Request Forgery

Description The WP-Recall plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 16.26.6. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a...

5.4CVSS6.4AI score0.0018EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.26 views

Checkout Field Editor for WooCommerce (Pro) < 3.6.3 - Unauthenticated Arbitrary File Deletion

Description The Checkout Field Editor for WooCommerce Pro plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 3.6.2. This is due to the plugin not properly validating a file or it's path prior to deleting it. This makes it possible for unauthenticat...

9.1CVSS7.5AI score0.0059EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.14 views

EazyDocs < 2.5.0 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC The PoC will be displayed on June...

5.9AI score0.00397EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.12 views

Futurio Extra < 2.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Advanced Text Block Widget

Description The Futurio Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘headersize’ attribute within the Advanced Text Block widget in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS5.8AI score0.00314EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.14 views

Simple COD Fees for WooCommerce <= 2.0.2 - Missing Authorization

Description The Simple COD Fees for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...

8.8CVSS6.4AI score0.00351EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.13 views

BuddyPress < 12.5.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Description The BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘displayname’ parameter in versions up to, and including, 12.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-lev...

6.4CVSS5.7AI score0.00322EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.15 views

Dokan Pro < 3.11.0 - Unauthenticated SQL Injection

Description The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter in all versions up to, and including, 3.10.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

10CVSS7.4AI score0.56209EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.11 views

FileOrganizer < 1.0.8 - Sensitive Information Exposure via Directory Listing

Description The FileOrganizer – Manage WordPress and Website Files plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.7 via the 'fileorganizerajaxhandler' function. This makes it possible for unauthenticated attackers to extract sensitiv...

7.5CVSS6.6AI score0.00522EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.12 views

WP Translate <= 5.3.0 - Missing Authorization

Description The WP Translate – WordPress Translation Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.3.0. This makes it possible for unauthenticated attackers to perform an unauthorized action...

5.4CVSS6.7AI score0.00387EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.12 views

Emergency Password Reset < 9.0 - Cross-Site Request Forgery

Description The Emergency Password Reset plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.0. This is due to missing or incorrect nonce validation in the index.php file. This makes it possible for unauthenticated attackers to update the plugin's...

6.1AI score0.00127EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.12 views

KiviCare <= 3.6.2 - Authenticated (Patient+) Insecure Direct Object Reference

Description The KiviCare – Clinic & Patient Management System EHR plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.6.2 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

8.8CVSS6.5AI score0.00336EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.12 views

Frontend Registration – Contact Form 7 <= 5.1 - Authenticated (Editor+) Privilege Escalation

Description The Frontend Registration – Contact Form 7 plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1 due to insufficient restriction on the 'cf7frr' post meta. This makes it possible for authenticated attackers, with editor-level access and above...

7.2CVSS6.8AI score0.00466EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.10 views

WP EasyCart < 5.6.0 - Missing Authorization

Description The Shopping Cart & eCommerce Store plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.5.19. This makes it possible for unauthenticated attackers to perform an unauthorized action...

5.3CVSS6.7AI score0.00381EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.16 views

Elementor Addon Elements < 1.13.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Twitter Widget

Description The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Twitter Widget in all versions up to, and including, 1.13.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible fo...

5.4CVSS5.7AI score0.00322EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.16 views

Upload Fields for WPForms <= 1.0.2 - Missing Authorization

Description The Upload Fields for WPForms – Drag and Drop Multiple File Upload, Image Upload, and Google Drive Upload for WPForms plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.0.2. This makes it...

9.8CVSS6.7AI score0.00365EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.11 views

Advanced Contact form 7 DB <= 2.0.2 - Sensitive Information Exposure

Description The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.2 via the wp-content/uploads/advanced-cf7-upload directory. This makes it possible for unauthenticated attackers to extract sensitive data...

5.3CVSS6.7AI score0.00439EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.13 views

MelaPress Login Security < 1.3.1 - Authenticated (Admin+) Remote File Inclusion

Description The MelaPress Login Security plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 1.3.0 via the 'tab' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary...

7.2CVSS7.7AI score0.00558EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.31 views

YITH WooCommerce Wishlist < 3.33.0 - Authenticated (Admin+) Stored Cross-Site Scripting

Description The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to 3.33.0 exclusive due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

5.9CVSS5.7AI score0.00261EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.16 views

TablePress – Tables in WordPress made easy < 2.3.2 - Authenticated (Author+) Server-Side Request Forgery via DNS Rebind

Description The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3 via the getfilestoimport function. This makes it possible for authenticated attackers, with author-level access and above, to make...

6.4CVSS6.3AI score0.00368EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.7 views

Sitetweet <= 0.2 - Stored XSS via CSRF

Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack PoC The PoC will be displayed on June 25, 2024, to give users the time to update...

5.6AI score0.00345EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.14 views

Premium Addons for Elementor < 4.10.34 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

Description The Premium Addons for Elementor plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via several parameters in all versions up to, and including, 4.10.33 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

5.4CVSS5.8AI score0.00364EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.13 views

Responsive < 5.0.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Responsive theme for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to 5.0.3.1 exclusive due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level...

6.5CVSS5.8AI score0.00261EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.12 views

Insert Post Ads <= 1.3.2 - Missing Authorization

Description The Insert Post Ads plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.3.2. This makes it possible for unauthenticated attackers to perform an unauthorized action...

5.3CVSS6.7AI score0.00381EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.17 views

Download Manager < 3.2.87 - Authenticated (Subscriber+) Stored Self-Based Cross-Site Scripting

Description The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's Display Name in all versions up to, and including, 3.2.86 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

5.4CVSS5.7AI score0.00334EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.16 views

Download Manager < 3.2.94 - Authenticated (Author+) Stored Cross-Site Scripting via Multiple Shortcodes

Description The Download Manager Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via wpdmuserdashboard, wpdmpackage, wpdmpackages, wpdmsearchresult, and wpdmtag shortcodes in all versions up to, and including, 3.2.92 due to insufficient input sanitization and output escaping...

6.4CVSS5.8AI score0.00416EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.7 views

WPvivid Backup for MainWP < 0.9.34 - Authenticated (Admin+) Stored Cross-Site Scripting

Description The WPvivid Backup for MainWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.9.33 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

5.9AI score
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/11 12:0 a.m.14 views

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders < 5.9.24 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘customjs’ parameter in all versions up to, and including, 5.9.23 due to insufficient input sanitization and...

6.4CVSS5.8AI score0.00434EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/10 12:0 a.m.13 views

Advanced Contact form 7 DB <= 2.0.2 - Missing Authorization to Unauthenticated Information Disclosure

Description The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vszcf7exporttoexcel' function in versions up to, and including, 2.0.2. This makes it possible for unauthenticated attackers to download the entry...

5.3CVSS6.7AI score0.00482EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/06/10 12:0 a.m.13 views

WordPress Online Booking and Scheduling Plugin – Bookly < 23.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Color Profile Parameter

Description The WordPress Online Booking and Scheduling Plugin – Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Color Profile parameter in all versions up to, and including, 23.2 due to insufficient input sanitization and output escaping. This makes it possible f...

6.4CVSS5.7AI score0.0031EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/10 12:0 a.m.11 views

Custom Field Template < 2.6.2 - Authenticated(Constibutor+) Stored Cross-Site Scripting via Custom Field Name

Description The Custom Field Template plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom field name column in all versions up to, and including, 2.6.1 due to insufficient input sanitization and output escaping on user supplied custom fields. This makes it...

6.4CVSS5.7AI score0.00263EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/10 12:0 a.m.14 views

Custom Field Template < 2.6.2 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode

Description The Custom Field Template plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cpt' shortcode in all versions up to, and including, 2.6.1 due to insufficient input sanitization and output escaping on user supplied post meta. This makes it possible for...

6.4CVSS5.7AI score0.00257EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/10 12:0 a.m.15 views

Custom Field Template < 2.6.2 - Authenticated (Admin+) Stored Cross-Site Scritping

Description The Custom Field Template plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

4.8CVSS5.7AI score0.00247EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/10 12:0 a.m.17 views

MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor < 3.8.9 - Unauthenticated Sensitive Information Exposure

Description The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 3.8.8 via the 'handlefile' function. This can allow unauthenticated attackers to extract sensitive data,...

7.5CVSS6.8AI score0.00548EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/06/10 12:0 a.m.10 views

ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) < 2.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via WL Product Horizontal Filter Widget

Description The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution formerly WooLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's WL: Product Horizontal Filter widget in all versions up to, and including, 2.9.0 due t...

6.4CVSS5.8AI score0.00376EPSS
Exploits0References1Affected Software1
Total number of security vulnerabilities14602