VYPR

Web Directory Free

by WordPress

Source repositories

CVEs (9)

  • CVE-2025-28904CriMar 25, 2025
    risk 0.60cvss 9.3epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shamalli Web Directory Free web-directory-free allows Blind SQL Injection.This issue affects Web Directory Free: from n/a through <= 1.7.6.

  • CVE-2023-2201HigJun 2, 2023
    risk 0.50cvss 8.8epss 0.01

    The Web Directory Free for WordPress is vulnerable to SQL Injection via the ‘post_id’ parameter in versions up to, and including, 1.6.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it…

  • CVE-2025-39567HigApr 17, 2025
    risk 0.46cvss 7.1epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shamalli Web Directory Free web-directory-free allows Reflected XSS.This issue affects Web Directory Free: from n/a through <= 1.7.8.

  • CVE-2025-30908HigApr 3, 2025
    risk 0.46cvss 7.1epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Shamalli Web Directory Free web-directory-free allows Stored XSS.This issue affects Web Directory Free: from n/a through <= 1.7.6.

  • CVE-2024-47379HigOct 5, 2024
    risk 0.46cvss 7.1epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shamalli Web Directory Free web-directory-free allows Reflected XSS.This issue affects Web Directory Free: from n/a through <= 1.7.3.

  • CVE-2025-69018MedDec 30, 2025
    risk 0.42cvss 6.5epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shamalli Web Directory Free web-directory-free allows DOM-Based XSS.This issue affects Web Directory Free: from n/a through <= 1.7.12.

  • CVE-2024-3673Aug 30, 2024
    risk 0.07cvss epss 0.06

    The Web Directory Free WordPress plugin before 1.7.3 does not validate a parameter before using it in an include(), which could lead to Local File Inclusion issues.

  • CVE-2024-3552Jun 13, 2024
    risk 0.07cvss epss 0.67

    The Web Directory Free WordPress plugin before 1.7.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection with different techniques like UNION, Time-Based and Error-Based.

  • CVE-2024-3669Jul 30, 2024
    risk 0.00cvss epss 0.00

    The Web Directory Free WordPress plugin before 1.7.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin