VYPR

Vendor CVEs

WordPress

All CVEs

33,183 total · sorted by risk
  • CVE-2024-25913CriFeb 26, 2024
    risk 0.65cvss 10.0epss 0.01

    Unrestricted Upload of File with Dangerous Type vulnerability in Skymoonlabs MoveTo.This issue affects MoveTo: from n/a through 6.2.

  • CVE-2024-25100CriFeb 12, 2024
    risk 0.65cvss 10.0epss 0.01

    Deserialization of Untrusted Data vulnerability in WP Swings Coupon Referral Program allows Object Injection.This issue affects Coupon Referral Program: from n/a before 1.8.4.

  • CVE-2023-52221CriJan 24, 2024
    risk 0.65cvss 10.0epss 0.01

    Unrestricted Upload of File with Dangerous Type vulnerability in UkrSolution Barcode Scanner and Inventory manager.This issue affects Barcode Scanner and Inventory manager: from n/a through 1.5.1.

  • CVE-2021-4434CriJan 17, 2024
    risk 0.65cvss 10.0epss 0.02

    The Social Warfare plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 3.5.2 via the 'swp_url' parameter. This allows attackers to execute code on the server.

  • CVE-2023-52225CriJan 8, 2024
    risk 0.65cvss 10.0epss 0.01

    Deserialization of Untrusted Data vulnerability in Tagbox Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics.This issue affects Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics: from n/a through 3.1.

  • CVE-2023-52218CriJan 8, 2024
    risk 0.65cvss 10.0epss 0.01

    Deserialization of Untrusted Data vulnerability in Anton Bond Woocommerce Tranzila Payment Gateway.This issue affects Woocommerce Tranzila Payment Gateway: from n/a through 1.0.8.

  • CVE-2022-46839CriJan 5, 2024
    risk 0.65cvss 10.0epss 0.01

    Unrestricted Upload of File with Dangerous Type vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin.This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.7.1.

  • CVE-2023-52181CriDec 31, 2023
    risk 0.65cvss 10.0epss 0.01

    Deserialization of Untrusted Data vulnerability in Presslabs Theme per user.This issue affects Theme per user: from n/a through 1.0.1.

  • CVE-2023-51475CriDec 29, 2023
    risk 0.65cvss 10.0epss 0.01

    Unrestricted Upload of File with Dangerous Type vulnerability in IOSS WP MLM SOFTWARE PLUGIN.This issue affects WP MLM SOFTWARE PLUGIN: from n/a through 4.0.

  • CVE-2023-51473CriDec 29, 2023
    risk 0.65cvss 10.0epss 0.01

    Unrestricted Upload of File with Dangerous Type vulnerability in Pixelemu TerraClassifieds – Simple Classifieds Plugin.This issue affects TerraClassifieds – Simple Classifieds Plugin: from n/a through 2.0.3.

  • CVE-2023-51468CriDec 29, 2023
    risk 0.65cvss 10.0epss 0.01

    Unrestricted Upload of File with Dangerous Type vulnerability in Jacques Malgrange Rencontre – Dating Site.This issue affects Rencontre – Dating Site: from n/a through 3.10.1.

  • CVE-2023-51419CriDec 29, 2023
    risk 0.65cvss 10.0epss 0.01

    Unrestricted Upload of File with Dangerous Type vulnerability in Bertha.Ai BERTHA AI. Your AI co-pilot for WordPress and Chrome.This issue affects BERTHA AI. Your AI co-pilot for WordPress and Chrome: from n/a through 1.11.10.7.

  • CVE-2023-51411CriDec 29, 2023
    risk 0.65cvss 10.0epss 0.01

    Unrestricted Upload of File with Dangerous Type vulnerability in Shabti Kaplan Frontend Admin by DynamiApps.This issue affects Frontend Admin by DynamiApps: from n/a through 3.18.3.

  • CVE-2023-51505CriDec 29, 2023
    risk 0.65cvss 10.0epss 0.01

    Deserialization of Untrusted Data vulnerability in realmag777 Active Products Tables for WooCommerce. Professional products tables for WooCommerce store.This issue affects Active Products Tables for WooCommerce. Professional products tables for WooCommerce store : from n/a…

  • CVE-2023-25054CriDec 29, 2023
    risk 0.65cvss 10.0epss 0.01

    Improper Control of Generation of Code ('Code Injection') vulnerability in David F. Carr RSVPMaker.This issue affects RSVPMaker: from n/a through 10.6.6.

  • CVE-2023-49778CriDec 21, 2023
    risk 0.65cvss 10.0epss 0.01

    Deserialization of Untrusted Data vulnerability in Hakan Demiray Sayfa Sayac.This issue affects Sayfa Sayac: from n/a through 2.6.

  • CVE-2023-29384CriDec 20, 2023
    risk 0.65cvss 10.0epss 0.01

    Unrestricted Upload of File with Dangerous Type vulnerability in HM Plugin WordPress Job Board and Recruitment Plugin – JobWP.This issue affects WordPress Job Board and Recruitment Plugin – JobWP: from n/a through 2.0.

  • CVE-2023-49773CriDec 20, 2023
    risk 0.65cvss 10.0epss 0.01

    Deserialization of Untrusted Data vulnerability in Tim Brattberg BCorp Shortcodes.This issue affects BCorp Shortcodes: from n/a through 0.23.

  • CVE-2023-49772CriDec 20, 2023
    risk 0.65cvss 10.0epss 0.01

    Deserialization of Untrusted Data vulnerability in Phpbits Creative Studio Genesis Simple Love.This issue affects Genesis Simple Love: from n/a through 2.0.

  • CVE-2023-4922CriNov 27, 2023
    risk 0.65cvss 9.8epss 0.16

    The WPB Show Core WordPress plugin through 2.2 is vulnerable to a local file inclusion via the `path` parameter.

  • CVE-2023-25960CriNov 3, 2023
    risk 0.65cvss 10.0epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Zendrop Zendrop – Global Dropshipping zendrop-dropshipping-and-fulfillment allows SQL Injection.This issue affects Zendrop – Global Dropshipping: from n/a through 1.0.0.

  • CVE-2023-3460CriJul 4, 2023
    risk 0.65cvss 9.8epss 0.72

    The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.

  • CVE-2022-45808CriJan 26, 2023
    risk 0.65cvss 9.9epss 0.04

    SQL Injection vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.

  • CVE-2023-23489CriJan 20, 2023
    risk 0.65cvss 9.8epss 0.11

    The Easy Digital Downloads WordPress Plugin, versions 3.1.0.2 & 3.1.0.3, is affected by an unauthenticated SQL injection vulnerability in the 's' parameter of its 'edd_download_search' action.

  • CVE-2022-4120CriDec 26, 2022
    risk 0.65cvss 9.8epss 0.18

    The Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2022.6 passes base64 encoded user input to the unserialize() PHP function when CAPTCHA are used as second challenge, which could lead to PHP Object injection if a plugin installed on the blog…

  • CVE-2022-44588CriDec 15, 2022
    risk 0.65cvss 9.9epss 0.02

    Unauth. SQL Injection vulnerability in Cryptocurrency Widgets Pack Plugin <=1.8.1 on WordPress.

  • CVE-2022-3921CriDec 12, 2022
    risk 0.65cvss 9.8epss 0.21

    The Listingo WordPress theme before 3.2.7 does not validate files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files and lead to RCE

  • CVE-2022-3900CriDec 12, 2022
    risk 0.65cvss 9.8epss 0.19

    The Cooked Pro WordPress plugin before 1.7.5.7 does not properly validate or sanitize the recipe_args parameter before unserializing it in the cooked_loadmore action, allowing an unauthenticated attacker to trigger a PHP Object injection vulnerability.

  • CVE-2022-45359CriDec 6, 2022
    risk 0.65cvss 9.8epss 0.14

    Unauth. Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards premium plugin <= 3.19.0 on WordPress.

  • CVE-2022-45822CriDec 5, 2022
    risk 0.65cvss 10.0epss 0.01

    Unauth. SQL Injection (SQLi) vulnerability in Advanced Booking Calendar plugin <= 1.7.1 on WordPress.

  • CVE-2022-42497CriNov 18, 2022
    risk 0.65cvss 10.0epss 0.01

    Arbitrary Code Execution vulnerability in Api2Cart Bridge Connector plugin <= 1.1.0 on WordPress.

  • CVE-2022-2314CriAug 15, 2022
    risk 0.65cvss 9.8epss 0.12

    The VR Calendar WordPress plugin through 2.3.2 lets any user execute arbitrary PHP functions on the site.

  • CVE-2022-1952CriJul 11, 2022
    risk 0.65cvss 9.8epss 0.23

    The Free Booking Plugin for Hotels, Restaurant and Car Rental WordPress plugin before 1.1.16 suffers from insufficient input validation which leads to arbitrary file upload and subsequently to remote code execution. An AJAX action accessible to unauthenticated users is affected…

  • CVE-2022-1574CriJun 27, 2022
    risk 0.65cvss 9.8epss 0.12

    The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks when importing files, and does not validate them, as a result, unauthenticated attackers can upload arbitrary files (such as PHP) on the remote server

  • CVE-2022-1768CriJun 13, 2022
    risk 0.65cvss 9.8epss 0.12

    The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to insufficient escaping and parameterization on user supplied data passed to multiple SQL queries in the ~/rsvpmaker-email.php file. This makes it possible for unauthenticated attackers to…

  • CVE-2022-0786CriJun 13, 2022
    risk 0.65cvss 9.8epss 0.13

    The KiviCare WordPress plugin before 2.3.9 does not sanitise and escape some parameters before using them in SQL statements via the ajax_post AJAX action with the get_doctor_details route, leading to SQL Injections exploitable by unauthenticated users

  • CVE-2022-1692CriJun 8, 2022
    risk 0.65cvss 9.8epss 0.10

    The CP Image Store with Slideshow WordPress plugin before 1.0.68 does not sanitise and escape the ordering_by query parameter before using it in a SQL statement in pages where the [codepeople-image-store] is embed, allowing unauthenticated users to perform an SQL injection attack

  • CVE-2022-1556CriMay 30, 2022
    risk 0.65cvss 9.8epss 0.20

    The StaffList WordPress plugin before 3.1.5 does not properly sanitise and escape a parameter before using it in a SQL statement when searching for Staff in the admin dashboard, leading to an SQL Injection

  • CVE-2022-0781CriMay 23, 2022
    risk 0.65cvss 9.8epss 0.12

    The Nirweb support WordPress plugin before 2.8.2 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action (available to unauthenticated users), leading to an SQL injection

  • CVE-2022-0867CriMay 16, 2022
    risk 0.65cvss 9.8epss 0.13

    The Pricing Table WordPress plugin before 3.6.1 fails to properly sanitize and escape user supplied POST data before it is being interpolated in an SQL statement and then executed via an AJAX action available to unauthenticated users

  • CVE-2022-0817CriMay 9, 2022
    risk 0.65cvss 9.8epss 0.12

    The BadgeOS WordPress plugin through 3.7.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users

  • CVE-2022-1391CriApr 25, 2022
    risk 0.65cvss 9.8epss 0.14

    The Cab fare calculator WordPress plugin before 1.0.4 does not validate the controller parameter before using it in require statements, which could lead to Local File Inclusion issues.

  • CVE-2022-1390CriApr 25, 2022
    risk 0.65cvss 9.8epss 0.22

    The Admin Word Count Column WordPress plugin through 2.2 does not validate the path parameter given to readfile(), which could allow unauthenticated attackers to read arbitrary files on server running old version of PHP susceptible to the null byte technique. This could also…

  • CVE-2022-0784CriMar 28, 2022
    risk 0.65cvss 9.8epss 0.10

    The Title Experiments Free WordPress plugin before 9.0.1 does not sanitise and escape the id parameter before using it in a SQL statement via the wpex_titles AJAX action (available to unauthenticated users), leading to an unauthenticated SQL injection

  • CVE-2022-0747CriMar 21, 2022
    risk 0.65cvss 9.8epss 0.15

    The Infographic Maker WordPress plugin before 4.3.8 does not validate and escape the post_id parameter before using it in a SQL statement via the qcld_upvote_action AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL Injection

  • CVE-2022-0434CriMar 7, 2022
    risk 0.65cvss 9.8epss 0.15

    The Page View Count WordPress plugin before 2.4.15 does not sanitise and escape the post_ids parameter before using it in a SQL statement via a REST endpoint, available to both unauthenticated and authenticated users. As a result, unauthenticated attackers could perform SQL…

  • CVE-2022-24665CriFeb 16, 2022
    risk 0.65cvss 9.9epss 0.03

    PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via a WordPress gutenberg block by any user able to edit posts.

  • CVE-2022-24663CriFeb 16, 2022
    risk 0.65cvss 9.9epss 0.02

    PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress shortcodes, which can be used by any authenticated user.

  • CVE-2021-24915CriNov 29, 2021
    risk 0.65cvss 9.8epss 0.13

    The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated to perform…

  • CVE-2021-24827CriNov 8, 2021
    risk 0.65cvss 9.8epss 0.13

    The Asgaros Forum WordPress plugin before 1.15.13 does not validate and escape user input when subscribing to a topic before using it in a SQL statement, leading to an unauthenticated SQL injection issue

Page 8 of 664