Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

Updraftplus Security Vulnerabilities

cve
cve

CVE-2017-16871

The UpdraftPlus plugin through 1.13.12 for WordPress allows remote PHP code execution because the plupload_action function in /wp-content/plugins/updraftplus/admin.php has a race condition before deleting a file associated with the name parameter. NOTE: the vendor reports that this does not cross.....

8.1CVSS

8.4AI Score

0.003EPSS

2017-11-17 09:29 AM
27
cve
cve

CVE-2017-16870

The UpdraftPlus plugin through 1.13.12 for WordPress has SSRF in the updraft_ajax_handler function in /wp-content/plugins/updraftplus/admin.php via an httpget subaction. NOTE: the vendor reports that this does not cross a privilege...

8.1CVSS

8.1AI Score

0.003EPSS

2017-11-17 09:29 AM
28
cve
cve

CVE-2024-1037

The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

6.1CVSS

6.4AI Score

0.002EPSS

2024-02-07 07:15 AM
18
cve
cve

CVE-2023-5982

The UpdraftPlus: WordPress Backup & Migration Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.23.10. This is due to a lack of nonce validation and insufficient validation of the instance_id on the 'updraftmethod-googledrive-auth'...

5.4CVSS

5.5AI Score

0.001EPSS

2023-11-07 09:15 PM
51
cve
cve

CVE-2023-0157

The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not escape the content of log files before outputting it to the plugin admin page, allowing an authorized user (admin+) to plant bogus log files containing malicious JavaScript code that will be executed in the context of any...

4.8CVSS

5.4AI Score

0.001EPSS

2023-04-10 02:15 PM
50
cve
cve

CVE-2023-0156

The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not limit what log files to display in it's settings pages, allowing an authorized user (admin+) to view the contents of arbitrary files and list directories anywhere on the server (to which the web server has access). The plugin...

4.9CVSS

5AI Score

0.001EPSS

2023-04-10 02:15 PM
41
2
cve
cve

CVE-2022-4346

The All-In-One Security (AIOS) WordPress plugin before 5.1.3 leaked settings of the plugin publicly, including the used email...

5.3CVSS

5.3AI Score

0.001EPSS

2023-01-23 03:15 PM
79
cve
cve

CVE-2022-4097

The All-In-One Security (AIOS) WordPress plugin before 5.0.8 is susceptible to IP Spoofing attacks, which can lead to bypassed security features (like IP blocks, rate limiting, brute force protection, and...

5.3CVSS

5.3AI Score

0.001EPSS

2022-12-12 06:15 PM
27
cve
cve

CVE-2021-24423

The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.6.59 does not sanitise its updraft_service settings, allowing high privilege users to set malicious JavaScript payload in it and leading to a Stored Cross-Site Scripting...

4.8CVSS

4.7AI Score

0.001EPSS

2022-01-24 08:15 AM
22
cve
cve

CVE-2023-1119

The WP-Optimize WordPress plugin before 3.2.13, SrbTransLatin WordPress plugin before 2.4.1 use a third-party library that removes the escaping on some HTML characters, leading to a cross-site scripting...

6.1CVSS

6.1AI Score

0.001EPSS

2023-07-10 04:15 PM
14
cve
cve

CVE-2023-26530

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Paul Kehrer Updraft plugin <= 0.6.1...

7.1CVSS

6AI Score

0.0005EPSS

2023-08-17 11:15 AM
16
cve
cve

CVE-2023-32960

Cross-Site Request Forgery (CSRF) vulnerability in UpdraftPlus.Com, DavidAnderson UpdraftPlus WordPress Backup Plugin <= 1.23.3 versions leads to sitewide Cross-Site Scripting...

7.1CVSS

6.2AI Score

0.0005EPSS

2023-06-22 01:15 PM
15
cve
cve

CVE-2022-0864

The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.22.9 does not sanitise and escape the updraft_interval parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting (XSS)...

6.1CVSS

5.9AI Score

0.002EPSS

2022-04-04 04:15 PM
68
cve
cve

CVE-2022-0633

The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site (such as subscriber) to download the most recent site & database...

6.5CVSS

6.5AI Score

0.002EPSS

2022-02-17 07:15 PM
174
cve
cve

CVE-2021-25089

The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.69 does not sanitise and escape the updraft_restore parameter before outputting it back in the Restore page, leading to a Reflected Cross-Site...

6.1CVSS

6AI Score

0.001EPSS

2022-02-01 01:15 PM
25
cve
cve

CVE-2021-25022

The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.66 does not sanitise and escape the backup_timestamp and job_id parameter before outputting then back in admin pages, leading to Reflected Cross-Site Scripting...

6.1CVSS

6AI Score

0.001EPSS

2022-01-03 01:15 PM
32
cve
cve

CVE-2017-18593

The updraftplus plugin before 1.13.5 for WordPress has XSS in rare cases where an attacker controls a string logged to a log...

6.1CVSS

5.9AI Score

0.001EPSS

2019-08-28 12:15 PM
32
cve
cve

CVE-2015-9360

The updraftplus plugin before 1.9.64 for WordPress has XSS via add_query_arg() and...

6.1CVSS

6AI Score

0.001EPSS

2019-08-28 12:15 PM
32