High
CVE-2019-25215
The ARI-Adminer plugin for WordPress is vulnerable to authorization bypass due to a lack of file access controls in nearly every file of the plugin in versions up to, and including, 1.1.14. This make…
Tag: WordPress
All CVEs associated with "WordPress". Page 62/152 • 18159 CVEs.
Subscribe CVEs: RSS for “WordPress” · RSS (High+Critical only)
About “WordPress”
A curated feed of “WordPress”-related CVEs appears below. We currently track 18159 CVEs for this tag (all time). In the last 365 days, 4097 were published. Average CVSS is 6.3 (all time; 6.3 over 365d), and 27% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-862 - Missing Authorization, CWE-352 - Cross-Site Request Forgery (CSRF).
In our taxonomy this topic maps to a MODERATE impact class. CMS and plugins expand attack surface. Patch core, themes, and plugins, remove abandoned extensions, restrict admin access, enable WAF, and keep backups. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.
CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).
CVSS ≥ 0.0
2024-10-16
High
CVE-2019-25214
The ShopWP plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several REST API routes in versions up to, and including, 2.0.4. This makes it possible for…
Critical
CVE-2019-25213
The Advanced Access Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read in versions up to, and including, 5.9.8.1 due to insufficient validation on the aam-media paramet…
Critical
CVE-2018-25105
The File Manager plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in the /inc/root.php file in versions up to, and including, 3.0. This makes it possible…
High
CVE-2017-20192
The Formidable Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters submitted during form entries like 'after_html' in versions before 2.05.03 due to…
High
CVE-2016-15041
The MainWP Dashboard – The Private WordPress Manager for Multiple Website Maintenance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mwp_setup_purchase_username’ parameter…
Critical
CVE-2016-15040
The Kento Post View Counter plugin for WordPress is vulnerable to SQL Injection via the 'kento_pvc_geo' parameter in versions up to, and including, 2.8 due to insufficient escaping on the user suppli…
High
CVE-2012-10018
The Mapplic and Mapplic Lite plugins for WordPress are vulnerable to Server-Side Request Forgery in versions up to, and including 6.1, 1.0 respectively. This makes it possible for attackers to forger…
Medium
CVE-2024-9937
The Woo Manage Fraud Orders plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 2.6.1 due to insufficient input sanitiz…
Medium
CVE-2024-9888
The ElementInvader Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's contact form widget redirect URL in all versions up to, and including, 1.2.8…
Medium
CVE-2024-9873
The Community by PeepSo – Social Network, Membership, Registration, User Profiles, Premium – Mobile App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via URLs in posts, comments,…
Medium
CVE-2024-9891
The Multiline files upload for contact form 7 plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the mfcf7_zl_custom_handle_deactivation_plugi…
Medium
CVE-2024-9652
The Locatoraid Store Locator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_POST keys in all versions up to, and including, 3.9.47 due to insufficient input sanitization a…
Medium
CVE-2024-9649
The WP ULike – The Ultimate Engagement Toolkit for Websites plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.7.4. This is due to missing or inc…
Medium
CVE-2024-9647
The Kama SpamBlock plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_POST values in all versions up to, and including, 1.8.2 due to insufficient input sanitization and output…
Critical
CVE-2024-9634
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.3 via deserialization of untrusted input fr…
Medium
CVE-2024-9521
The SEO Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post meta in versions up to, and including, 1.9 due to insufficient input sanitization and output escaping on use…
High
CVE-2024-9305
The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.4.4. This is due to the appp_reset_passwo…
Critical
CVE-2024-9105
The UltimateAI plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.8.3. This is due to insufficient verification on the user being supplied in the 'ultimat…
Medium
CVE-2024-9104
The UltimateAI plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.8.3. This is due to the improper empty value check and a missing default activated v…
Medium
CVE-2024-8787
The Smart Online Order for Clover plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in al…
Medium
CVE-2024-8541
The Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of a…
2024-10-15
Medium
CVE-2024-9895
The Smart Online Order for Clover plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's moo_receipt_link shortcode in all versions up to, and including, 1.5.7 due to insu…
High
CVE-2024-9837
The The AADMY – Add Auto Date Month Year Into Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.1. This is due to the software allowi…
Medium
CVE-2024-9944
The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutralizing HTML elements from submitted orde…
Medium
CVE-2024-9820
The WP 2FA with Telegram plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 3.0. This is due to the two-factor code being stored in a cookie, whi…
High
CVE-2024-9687
The WP 2FA with Telegram plugin for WordPress is vulnerable to Authentication Bypass in versions up to, and including, 3.0. This is due to insufficient validation of the user-controlled key on the 'v…
Medium
CVE-2024-6757
The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Basic Information Exposure in all versions up to, and including, 3.23.5 via the get_image_alt funct…
High
CVE-2024-9548
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the resource parameter in all versions up to, and including, 5.2.6 due to insufficient input sanitization…
Medium
CVE-2024-9546
The WPIDE – File Manager & Code Editor plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.4.9. This is due to the plugin utilizing the PHP-Parser libra…
2024-10-12
Medium
CVE-2024-8902
The Elementor Addon Elements plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.8 via the render_column function in modules/data-table/wid…
High
CVE-2024-8757
The WP Post Author – Boost Your Blog's Engagement with Author Box, Social Links, Co-Authors, Guest Authors, Post Rating System, and Custom User Registration Form Builder plugin for WordPress is…
Medium
CVE-2024-9696
The Rescue Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rescue_tab' shortcode in all versions up to, and including, 2.8 due to insufficient input san…
Medium
CVE-2024-9595
The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the table cell content in all versions up to, and including, 2.4.2 due to insuffic…
Medium
CVE-2024-8915
The Category Icon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output…
Medium
CVE-2024-8760
The Stackable – Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to CSS Injection in all versions up to, and including, 3.13.6. This makes it possible for unauthenticated attackers to…
Medium
CVE-2024-9756
The Order Attachments for WooCommerce plugin for WordPress is vulnerable to unauthorized limited arbitrary file uploads due to a missing capability check on the wcoa_add_attachment AJAX action in ver…
Medium
CVE-2024-9704
The Social Sharing (by Danny) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dvk_social_sharing' shortcode in all versions up to, and including, 1.3.7 due to insu…
Critical
CVE-2024-9047
The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. This makes it possible for unauthenticated at…
Medium
CVE-2024-9824
The ImagePress – Image Gallery plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'ip_delete_post' and 'ip_update_post_title' fu…
Medium
CVE-2024-9778
The ImagePress – Image Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing or incorrect nonce validation on th…
Medium
CVE-2024-9776
The ImagePress – Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.2 due to insufficient input sanitization…
Medium
CVE-2024-9670
The 2D Tag Cloud plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 6.0…
Medium
CVE-2024-9656
The Mynx Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 0.27.8 due to insufficient input sanitization and ou…
Medium
CVE-2024-9187
The Read more By Adam plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteRm() function in all versions up to, and including, 1.1.8. This ma…
Medium
CVE-2024-7489
The Forms for Mailchimp by Optin Cat – Grow Your MailChimp List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form color parameters in all versions up to, and including, 2…
Medium
CVE-2024-9860
The Bridge Core plugin for WordPress is vulnerable to unauthorized modification of data or loss of data due to a missing capability check on the 'import_action' and 'install_plugin_per_demo' function…
High
CVE-2024-9821
The Bot for Telegram on WooCommerce plugin for WordPress is vulnerable to sensitive information disclosure due to missing authorization checks on the 'stm_wpcfto_get_settings' AJAX action in all vers…
Medium
CVE-2024-9592
The Easy PayPal Gift Certificate plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.3. This is due to missing or incorrect nonce validation on the…
2024-10-11
Critical
CVE-2024-9707
The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all…
Medium
CVE-2024-9616
The BlockMeister – Block Pattern Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions u…
Medium
CVE-2024-9611
The Increase upload file size & Maximum Execution Time limit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the U…
Medium
CVE-2024-9610
The Language Switcher plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including…
Medium
CVE-2024-9587
The Linkz.ai plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_linkz' function in versions up to, and including, 1.1.8. This makes…
Medium
CVE-2024-9586
The Linkz.ai plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'check_auth' and 'check_logout' functions in versions up to, and includin…
Medium
CVE-2024-9543
The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'skipto' shortcode in all versions up to, and including, 11.9.18 due to…
Medium
CVE-2024-9538
The ShopLentor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.8 via the 'render' function in includes/addons/wl_faq.php. This makes it…
Medium
CVE-2024-9507
The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to arbitrary file read in all versions u…
Medium
CVE-2024-9436
The PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without…
Medium
CVE-2024-9346
The Embed videos and respect privacy plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'v' parameter in all versions up to, and including, 1.2 due to insufficient input san…
Critical
CVE-2024-9234
The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the install_an…
Medium
CVE-2024-9232
The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in a…
Medium
CVE-2024-9221
The Tainacan plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 0.21.10…
Medium
CVE-2024-9211
The FULL – Cliente plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up t…
Medium
CVE-2024-9051
The WP Ultimate Post Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpupg-grid-with-filters shortcode in all versions up to, and including, 3.9.3 due to insuf…
Medium
CVE-2024-8913
The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and i…
Medium
CVE-2024-7514
The WordPress Comments Import & Export plugin for WordPress is vulnerable to to arbitrary file read due to insufficient file path validation during the comments import process, in versions up to, and…
Critical
CVE-2024-9822
The Pedalo Connector plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.5. This is due to insufficient restriction on the 'login_admin_user' function. T…
2024-10-10
Critical
CVE-2024-9796
The WP-Advanced-Search WordPress plugin before 3.3.9.2 does not sanitize and escape the t parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks
High
CVE-2024-9156
The TI WooCommerce Wishlist WordPress plugin through 2.8.2 is vulnerable to SQL Injection due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existin…
Medium
CVE-2024-9520
The UserPlus plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.…
Medium
CVE-2024-9074
The Advanced Blocks Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and o…
Medium
CVE-2024-9067
The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability…
High
CVE-2024-9022
The TS Poll – Survey, Versus Poll, Image Poll, Video Poll plugin for WordPress is vulnerable to SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 2.4.0 due to insufficie…
Medium
CVE-2024-8477
The Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.87.…
Medium
CVE-2024-9685
The Notification for Telegram plugin for WordPress is vulnerable to unauthorized test message sending due to a missing capability check on the 'nftb_test_action' function in versions up to, and inclu…
High
CVE-2024-9581
The Shortcodes AnyWhere plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0.1. This is due to the software allowing users to execute an actio…
High
CVE-2024-9522
The WP Users Masquerade plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.0. This is due to incorrect authentication and capability checking in the 'aj…
High
CVE-2024-9519
The UserPlus plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'save_metabox_form' function in versions up to, and including, 2.0. Thi…
Critical
CVE-2024-9518
The UserPlus plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.0 due to insufficient restriction on the 'form_actions' and 'userplus_update_user_profile'…
Medium
CVE-2024-9457
The WP Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.7 due to insufficient input sanitization and output esc…
Medium
CVE-2024-9377
The Products, Order & Customers Export for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate esca…
Medium
CVE-2024-9205
The Maximum Products per User for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versi…
Medium
CVE-2024-9072
The GDPR-Extensions-com – Consent Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input…
Medium
CVE-2024-9066
The Marketing and SEO Booster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.9.10 due to insufficient input sanitizatio…
Medium
CVE-2024-9065
The WP Helper Premium plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'whp_smtp_send_mail_test' function in all versions up to, and in…
Medium
CVE-2024-9064
The Elementor Inline SVG plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.2.0 due to insufficient input sanitization and…
Medium
CVE-2024-9057
The Curator.io: Show all your social media posts in a beautiful feed. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘feed_id’ attribute in all versions up to, and includin…
Medium
CVE-2024-8987
The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's youzify_media sho…
Medium
CVE-2024-8729
The Easy Social Share Buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and i…
Medium
CVE-2024-8513
The QA Analytics – Web Analytics Tool with Heatmaps & Session Replay Across All Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the…
2024-10-09
High
CVE-2024-9575
Local File Inclusion vulnerability in pretix Widget WordPress plugin pretix-widget on Windows allows PHP Local File Inclusion. This issue affects pretix Widget WordPress plugin: from 1.0.0 through 1.…
Medium
CVE-2024-9451
The Embed PDF Viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'height' and 'width' parameters in all versions up to, and including, 2.4.4 due to insufficient input sa…
Medium
CVE-2024-9449
The Auto iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' parameter in all versions up to, and including, 1.7 due to insufficient input sanitization and output e…
Medium
CVE-2024-5968
The Photo Gallery by 10Web WordPress plugin before 1.8.28 does not properly sanitise and escape some of its Gallery settings, which could allow high privilege users such as admin to perform Stored C…
Medium
CVE-2024-7963
The CMSMasters Content Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's multiple shortcodes in all versions up to, and including, 1.8.8 due to insufficient…
2024-10-08
Medium
CVE-2024-8482
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 1.3.982 due to insufficient in…
Medium
CVE-2024-8431
The Photo Gallery, Images, Slider in Rbs Image Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajaxGetGalleryJson() function in all…
Medium
CVE-2024-9207
The BuddyPress Docs plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and includin…
Medium
CVE-2024-8488
The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Survey fields in all versions up to, and including, 4.9.7 due to insufficient input sanitization and output esca…
Medium
CVE-2024-8629
The WooCommerce Multilingual & Multicurrency with WPML plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in…
Medium
CVE-2024-8433
The Easy Mega Menu Plugin for WordPress – ThemeHunk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘themehunk_megamenu_bg_image' parameter in all versions up to, and includ…
Critical
CVE-2024-8943
The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. This is due to insufficient verification on the user being supplied during the boo…
Critical
CVE-2024-8911
The LatePoint plugin for WordPress is vulnerable to Arbitrary User Password Change via SQL Injection in versions up to, and including, 5.0.11. This is due to insufficient escaping on the user supplie…
Medium
CVE-2022-4534
The Limit Login Attempts (Spam Protection) plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.3. This is due to insufficient restrictions on where the IP Ad…
Medium
CVE-2024-8964
The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 7.2.9 due to insufficient inpu…
Medium
CVE-2024-9292
The Bridge Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'formforall' shortcode in versions up to, and including, 3.2.0 due to insufficient input sanitization and output…
Medium
CVE-2024-9021
In the process of testing the Relevanssi WordPress plugin before 4.23.1, a vulnerability was found that allows you to implement Stored XSS on behalf of the Contributor+ by embedding malicious script…
Medium
CVE-2024-8983
Custom Twitter Feeds WordPress plugin before 2.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attac…
2024-10-06
High
CVE-2024-47327
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eyal Fitoussi GEO my WordPress geo-my-wp allows Reflected XSS.This issue affects GEO my WordPress…
Medium
CVE-2024-47368
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Leap13 Premium Blocks – Gutenberg Blocks for WordPress premium-blocks-for-gutenberg allows Stored…
2024-10-05
High
CVE-2024-47386
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Extended The Ultimate WordPress Toolkit – WP Extended wpextended allows Reflected XSS.This iss…
High
CVE-2024-47638
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allo…
High
CVE-2024-44018
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in istmoplugins Instant Chat Floating Button for WordPress Websites instant-chat-wp allows PHP Local File…
High
CVE-2024-9314
The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.228 via deserialization of untrusted inp…
Medium
CVE-2024-9161
The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'update_metadata' f…
Medium
CVE-2024-9417
The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to limited file uploads due to a misconfigured file type validation in the 'handleUpload' function in all versions up to, a…
Medium
CVE-2024-8486
The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in the Modern Heading and Icon Picker widgets all versions…
Medium
CVE-2024-8743
The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to Limited JavaScript File Upload in all versions up to, and including, 6.…
Medium
CVE-2024-9528
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form label fields in all versions up to…