Lucene search
K
WpvulndbRecent

14603 matches found

WPVulnDB
WPVulnDB
added 2024/02/26 12:0 a.m.8 views

Grid Shortcodes < 1.1.1 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC GDCrow GDCcolumn size='"...

5.7AI score0.00379EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/25 12:0 a.m.24 views

WP Activity Log < 4.6.2 - Unauthenticated Stored Cross-Site Scripting

Description The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user agent header in versions up to, and including, 4.6.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary...

6.8CVSS5.8AI score0.00331EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/25 12:0 a.m.19 views

Elementor Addon Elements < 1.13 - Contributor+ to LFI

Description The Elementor Addon Elements plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.12.12 via the render function. This makes it possible for authenticated attackers, with contributor access or higher, to include the contents of arbitrary PHP...

8.8CVSS6.5AI score0.01235EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/24 12:0 a.m.22 views

ProfilePress < 4.15.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via [reg-select-role] Shortcode

Description The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's reg-select-role shortcode in all versions up to, and including, 4.15.0 due to...

5.5CVSS5.6AI score0.00443EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/24 12:0 a.m.16 views

ProfilePress < 4.15.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via profilepress-edit-profile Shortcode

Description The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 4.15.1 due to insufficient inpu...

6.4CVSS5.5AI score0.00563EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/24 12:0 a.m.20 views

Elementor Addon Elements < 1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Content Switcher Widget

Description The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'iconalign' attribute of the Content Switcher widget in all versions up to, and including, 1.12.12 due to insufficient input sanitization and output escaping. This makes it possible...

6.4CVSS5.7AI score0.00501EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/24 12:0 a.m.13 views

Elementor Addon Elements < 1.13 - Authenticated(Contributor+) Stored Cross-Site Scripting via Modal Popup effet

Description The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the modal popup widget's effect setting in all versions up to, and including, 1.12.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes i...

6.4CVSS5.6AI score0.005EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/23 12:0 a.m.19 views

WP Event Manager < 3.1.42 - Reflected Cross-Site Scripting via plugin

Description The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the plugin parameter in all versions up to, and including, 3.1.41 due to insufficient input sanitization and output escaping...

6.1CVSS6.1AI score0.00592EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/23 12:0 a.m.23 views

Colibri Page Builder < 1.0.260 - Arbitrary Shortcode Call via CSRF

Description The plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the cpshortcoderefresh function, allowing unauthenticated attackers to execute arbitrary shortcodes via a forged request granted they can trick a site administrator int...

4.3CVSS7.3AI score0.00212EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/23 12:0 a.m.7 views

Page Builder < 1.8.3 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its Button Widget options before outputting them back in a page/post where the widget is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

5.4CVSS5.9AI score0.00371EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/23 12:0 a.m.16 views

Archivist – Custom Archive Templates < 1.7.6 - Reflected Cross-Site Scripting

Description The Archivist – Custom Archive Templates plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcodeattributes' parameter in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping. This makes it possible for...

6.1CVSS6.5AI score0.00378EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/23 12:0 a.m.17 views

Product Catalog Enquiry for WooCommerce by MultiVendorX < 5.0.6 - Cross-Site Request Forgery via REST API

Description The Product Catalog Enquiry for WooCommerce by MultiVendorX plugin for WordPress is vulnerable to cross-site request forgery due to an improper capability check on the 'catalogpermission' function in versions up to, and including, 5.0.5. While the REST endpoints are only initialized f...

6.6AI score0.00319EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/23 12:0 a.m.21 views

Brizy – Page Builder < 2.4.41 - Authenticated (Contributor+) Arbitrary File Upload

Description The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the storeImages function in all versions up to, and including, 2.4.40. This makes it possible for authenticated attackers, with contributor access or above, to...

8.8CVSS8AI score0.01497EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/23 12:0 a.m.9 views

Addon Library <= 1.3.76 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload

Description The Addon Library plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the onAjaxAction function action in all versions up to, and including, 1.3.76. This makes it possible for authenticated attackers, with subscriber-level access and...

8.8CVSS6.6AI score0.00684EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/02/23 12:0 a.m.20 views

Change Table Prefix <= 2.0 - Cross-Site Request Forgery via change_prefix_form

Description The Change Table Prefix plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0. This is due to missing or incorrect nonce validation on the 'changeprefixform' function. This makes it possible for unauthenticated attackers to toggle...

8.8CVSS6.3AI score0.00279EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/02/23 12:0 a.m.20 views

Custom Order Statuses for WooCommerce <= 1.5.2 - Cross-Site Request Forgery

Description The Custom Order Statuses for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.2. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to modif...

4.3CVSS6.6AI score0.00277EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/02/23 12:0 a.m.16 views

Brizy – Page Builder < 2.4.41 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the embedded media custom block in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

6.4CVSS5.9AI score0.00402EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/23 12:0 a.m.14 views

YML for Yandex Market < 4.2.4 - Reflected Cross-Site Scripting

Description The YML for Yandex Market plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the feedid parameter in all versions up to, and including, 4.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to injec...

6.1CVSS6.1AI score0.00466EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/23 12:0 a.m.17 views

Brizy – Page Builder < 2.4.41 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown URL parameter in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS5.6AI score0.00392EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/23 12:0 a.m.22 views

Colibri Page Builder < 1.0.260 - Import Images, Delete Post, Save Theme Data via CSRF

Description The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the apiCall function, allowing unauthenticated attackers to call a limited set of functions that can be used to import images, delete posts, or save theme data via a forged request...

4.3CVSS6.6AI score0.00212EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/23 12:0 a.m.21 views

Brizy – Page Builder < 2.4.41 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Brizy – Page Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via block upload in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

6.4CVSS6.5AI score0.00516EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/23 12:0 a.m.13 views

FormFacade < 1.2.2 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.5CVSS7.7AI score0.00317EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/23 12:0 a.m.24 views

Heureka < 1.1.0 - Cross-Site Request Forgery

Description The plugin is vulnerable to Cross-Site Request Forgery. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform an unknown action granted they can trick a site administrator into performing an action...

4.3CVSS4.8AI score0.00277EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/23 12:0 a.m.11 views

Brizy – Page Builder < 2.4.41 - Authenticated (Contributor+) Directory Traversal

Description The Brizy – Page Builder plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.4.39 via the 'id'. This makes it possible for authenticated attackers, with contributor-level access and above, to upload files to arbitrary locations on the serv...

6.5CVSS7AI score0.00817EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/23 12:0 a.m.14 views

SuperFaktura WooCommerce < 1.40.4 - Authenticated (Subscriber+) Blind Server-Side Request Forgery

Description The SuperFaktura WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.40.3 via the wcsfurlcheck function. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests t...

8.1CVSS6.7AI score0.00536EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/23 12:0 a.m.16 views

PeproDev Ultimate Invoice < 1.9.8 - Unauthenticated Arbitrary Invoice Access

Description The plugin is vulnerable to Sensitive Information Exposure via the 'initplugin' function. This makes it possible for unauthenticated attackers to generate PDF or ZIP files of arbitrary invoices and extract sensitive data...

7.5CVSS6.4AI score0.00453EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/22 12:0 a.m.20 views

Admin side data storage for Contact Form 7 plugin <= 1.1.1 - Missing Authorization to Unauthenticated Read Status Update

Description The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ztdcfcfchangestatus function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attacker...

5.3CVSS6.6AI score0.00386EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/02/22 12:0 a.m.14 views

Admin side data storage for Contact Form 7 <= 1.1.1 - Cross-Site Request Forgery

Description The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the settings update function. This makes it possible for unauthenticated...

4.3CVSS6.4AI score0.00198EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/02/22 12:0 a.m.24 views

Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio <= 3.6.4 - Authenticated (Contributor+) PHP Object Injection

Description The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.4 via deserialization of untrusted input from the playpodcastdata post meta. This makes it possible for...

8.8CVSS7.4AI score0.0099EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/02/22 12:0 a.m.13 views

Colibri WP < 1.0.101 - Cross-Site Request Forgery to Limited Plugin Installation

Description The Colibri WP theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.94. This is due to missing or incorrect nonce validation on the colibriwpinstallplugin function. This makes it possible for unauthenticated attackers to install...

4.3CVSS6.3AI score0.00212EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/22 12:0 a.m.14 views

Admin side data storage for Contact Form 7 <= 1.1.1 - Missing Authorization to Unauthenticated Bookmark Status Alteration

Description The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ztdcfcfchangebookmark function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated...

5.3CVSS6.7AI score0.00375EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/02/22 12:0 a.m.16 views

Admin side data storage for Contact Form 7 <= 1.1.1 - Authenticated (Admin+) SQL Injection

Description The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to SQL Injection via the 'form-id' parameter in all versions up to, and including, 1.1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...

7.2CVSS7.2AI score0.00562EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/02/22 12:0 a.m.19 views

Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio <= 3.6.4 - Missing Authorization

Description The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 3.6.4. This makes it possible for authenticat...

6.3CVSS6.7AI score0.00362EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/02/22 12:0 a.m.14 views

Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio <= 3.6.4 - Cross-Site Request Forgery

Description The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.4. This is due to missing or incorrect nonce validation on several functions. This makes it possible for...

4.3CVSS6.3AI score0.00232EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/02/21 12:0 a.m.9 views

Maintenance Page < 1.0.9 - Security Mechanism Bypass via REST API

Description The Maintenance Page plugin for WordPress is vulnerable to Basic Information Exposure in all versions up to, and including, 1.0.8 via the REST API. This makes it possible for unauthenticated attackers to view post titles and content when the site is in maintenance mode...

5.3CVSS6.9AI score0.0053EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/21 12:0 a.m.19 views

Jobs for WordPress < 2.7.4 - Contributor+ Stored XSS

Description The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks PoC 1. As a Contributor, navigate to "Add new position" 2. On the page to create a post, in the "Working Hours" add: 3...

5.1AI score0.00457EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/21 12:0 a.m.14 views

Beaver Builder < 2.7.4.3 - Reflected XSS

Description The plugin is vulnerable to DOM-Based Reflected Cross-Site Scripting via a 'playground.wordpress.net' parameter due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully...

6.1CVSS6.3AI score0.00592EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/21 12:0 a.m.24 views

Sassy Social Share < 3.3.57 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.4CVSS6.1AI score0.00474EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/21 12:0 a.m.12 views

Beaver Builder < 2.7.4.3 - Contributor+ Stored XSS

Description The plugin is vulnerable to Stored Cross-Site Scripting via the image URL parameter due to insufficient input sanitization and output escaping, allowing authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a us...

6.4CVSS5.8AI score0.00406EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/21 12:0 a.m.22 views

Widget for Social Page Feeds < 6.4 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Create a new Facebook like...

7.2AI score0.00396EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/21 12:0 a.m.11 views

Event Tickets and Registration < 5.8.2 - Missing Authorization

Description The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'email' action in all versions up to, and including, 5.8.1. This makes it possible for authenticated attackers, with contributor-level access a...

4CVSS6.7AI score0.00396EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/21 12:0 a.m.16 views

Maintenance Page < 1.0.9 - Missing Authorization to Sensitive Information Exposure

Description The Maintenance Page plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the subscribedownload function hooked via AJAX action in all versions up to, and including, 1.0.8. This makes it possible for authenticated attackers, with...

5.3CVSS6.4AI score0.00445EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/21 12:0 a.m.13 views

Beaver Builder < 2.7.4.3 - Contributor+ Stored XSS via Icon Widget

Description The plugin is vulnerable to Stored Cross-Site Scripting via the Icon Widget 'flbuilderdatanodepreviewlink' and 'flbuilderdatasettingslinktarget' parameters due to insufficient input sanitization and output escaping, allowing authenticated attackers, with contributor-level access and...

5.4CVSS5.8AI score0.00399EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/21 12:0 a.m.15 views

Tutor LMS < 2.6.1 - Student+ HTML Injection via Q&A

Description The plugin is vulnerable to HTML Injection due to insufficient sanitization of HTML input in the Q functionality, allowing authenticated attackers, with Student access and above, to inject arbitrary HTML onto a site, though it does not allow Cross-Site Scripting...

5.4CVSS6.5AI score0.00506EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/21 12:0 a.m.19 views

YARPP < 5.30.10 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

4.4CVSS5.4AI score0.00516EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/21 12:0 a.m.16 views

Beaver Builder < 2.7.4.3 - Contributor+ Stored XSS

Description The plugin is vulnerable to Stored Cross-Site Scripting via the button link parameter due to insufficient input sanitization and output escaping, allowing authenticated attackers with contributor access or higher to inject arbitrary web scripts in pages that will execute whenever a us...

6.4CVSS5.8AI score0.00505EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/21 12:0 a.m.17 views

Academy LMS – eLearning and online course solution for WordPress < 1.9.20 - Authenticated (Subscriber+) Privilege Escalation

Description The Academy LMS – eLearning and online course solution for WordPress plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.9.19. This is due to plugin allowing arbitrary user meta updates through the saveduserinfo function. This makes it...

8.8CVSS7.1AI score0.00756EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/20 12:0 a.m.15 views

Community by PeepSo < 6.2.7.1 - Unauthenticated Sensitive Information Disclosure via Log file

Description The Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.2.7.0. This makes it possible for unauthenticated attackers to extract sensitive data from log...

5.3CVSS6.6AI score0.00443EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/20 12:0 a.m.13 views

Advanced Social Feeds Widget & Shortcode <= 1.7 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC When creating a new widget, insert...

7.2AI score0.00379EPSS
Exploits2References1
WPVulnDB
WPVulnDB
added 2024/02/20 12:0 a.m.17 views

Cwicly < 1.4.0.3 - Authenticated (Contributor+) Remote Code Execution

Description The Cwicly plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.4.0.2. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server...

6.5CVSS7.6AI score0.00748EPSS
Exploits0References1Affected Software1
Total number of security vulnerabilities14603