The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an mfbfw[*] parameter in an update action to wp-admin/admin-post.php, as demonstrated by the mfbfw[padding] parameter and e...
5.9AI Score
0.005EPSS
The following themes for WordPress are vulnerable to Function Injections in versions up to and including Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2, Newspaper X <= 1.3.1, Pixova Lite <= 2.0.5, Brilliance <= 1.2.7, MedZone Lite ...
9.8CVSS
9.7AI Score
0.039EPSS
The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to Plugin Activation/Deactivation. This is due to the 'activello_activate_plugin' and 'activello_deactivate_plugin' functions in the 'inc/welcome-screen/class-activello-welcome.php' fi...
6.5CVSS
6.5AI Score
0.002EPSS
The Coming Soon & Maintenance Mode by Colorlib WordPress plugin before 1.0.99 does not sanitize and escape some settings, allowing high privilege users such as admin to perform Stored Cross-Site Scripting when unfiltered_html is disallowed (for example in multisite setup)
4.8CVSS
4.7AI Score
0.001EPSS
Auth. (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Silkalns Activello theme <= 1.4.4 versions.
5.4CVSS
5.3AI Score
0.0005EPSS
Auth. (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Silkalns Activello theme <= 1.4.4 versions.
5.4CVSS
5.3AI Score
0.001EPSS
The Coming Soon & Maintenance Mode by Colorlib plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.99 via the REST API. This makes it possible for unauthenticated attackers to obtain post and page contents via REST API thus bypassing maintenance mode...
5.3CVSS
9.1AI Score
0.0004EPSS