Vendor CVEs
WordPress
All CVEs
33,183 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-24507 | Cri | 0.65 | 9.8 | 0.11 | Aug 9, 2021 | The Astra Pro Addon WordPress plugin before 3.5.2 did not properly sanitise or escape some of the POST parameters from the astra_pagination_infinite and astra_shop_pagination_infinite AJAX action (available to both unauthenticated and authenticated user) before using them in SQL… | ||
| CVE-2021-24285 | Cri | 0.65 | 9.8 | 0.15 | May 14, 2021 | The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the order_id POST parameter before using it in a SQL statement, leading… | ||
| CVE-2016-20010 | Cri | 0.65 | 10.0 | 0.04 | May 5, 2021 | EWWW Image Optimizer before 2.8.5 allows remote command execution because it relies on a protection mechanism involving boolval, which is unavailable before PHP 5.5. | ||
| CVE-2021-24175 | Cri | 0.65 | 9.8 | 0.14 | Apr 5, 2021 | The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited to by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as create… | ||
| CVE-2020-29047 | Cri | 0.65 | 9.8 | 0.16 | Mar 3, 2021 | The wp-hotel-booking plugin through 1.10.2 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the thimpress_hotel_booking_1 cookie in load in includes/class-wphb-sessions.php. | ||
| CVE-2020-35949 | Cri | 0.65 | 10.0 | 0.05 | Jan 1, 2021 | An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It made it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution. If a quiz question could be answered by uploading a file, only the Content-Type… | ||
| CVE-2020-35945 | Cri | 0.65 | 9.9 | 0.02 | Jan 1, 2021 | An issue was discovered in the Divi Builder plugin, Divi theme, and Divi Extra theme before 4.5.3 for WordPress. Authenticated attackers, with contributor-level or above capabilities, can upload arbitrary files, including .php files. This occurs because the check for file… | ||
| CVE-2020-27481 | Cri | 0.65 | 9.8 | 0.11 | Nov 12, 2020 | An unauthenticated SQL Injection vulnerability in Good Layers LMS Plugin <= 2.1.4 exists due to the usage of "wp_ajax_nopriv" call in WordPress, which allows any unauthenticated user to get access to the function "gdlr_lms_cancel_booking" where POST Parameter "id" was sent… | ||
| CVE-2020-13640 | Cri | 0.65 | 9.8 | 0.13 | Jun 18, 2020 | A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments request. (No 7.x versions are affected.) | ||
| CVE-2020-13126 | Cri | 0.65 | 9.9 | 0.09 | May 17, 2020 | An issue was discovered in the Elementor Pro plugin before 2.9.4 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13125. An attacker with the Subscriber role can upload arbitrary executable files to achieve remote code execution. NOTE: the free… | ||
| CVE-2015-9499 | Cri | 0.65 | 9.8 | 0.15 | Oct 22, 2019 | The Showbiz Pro plugin through 1.7.1 for WordPress has PHP code execution by uploading a .php file within a ZIP archive. | ||
| CVE-2017-18580 | Cri | 0.65 | 9.8 | 0.12 | Aug 22, 2019 | The shortcodes-ultimate plugin before 5.0.1 for WordPress has remote code execution via a filter in a meta, post, or user shortcode. | ||
| CVE-2016-10927 | Cri | 0.65 | 10.0 | 0.02 | Aug 22, 2019 | The nelio-ab-testing plugin before 4.5.11 for WordPress has SSRF in ajax/iesupport.php. | ||
| CVE-2016-10926 | Cri | 0.65 | 10.0 | 0.02 | Aug 22, 2019 | The nelio-ab-testing plugin before 4.5.9 for WordPress has SSRF in ajax/iesupport.php. | ||
| CVE-2018-20555 | Cri | 0.65 | 9.8 | 0.10 | Mar 21, 2019 | The Design Chemical Social Network Tabs plugin 1.7.1 for WordPress allows remote attackers to discover Twitter access_token, access_token_secret, consumer_key, and consumer_secret values by reading the dcwp_twitter.php source code. This leads to Twitter account takeover. | ||
| CVE-2026-40750 | Cri | 0.64 | 9.9 | 0.00 | Jun 16, 2026 | Unrestricted Upload of File with Dangerous Type vulnerability in themagnifico52 Kids Online Store allows Upload a Web Shell to a Web Server. This issue affects Kids Online Store: from n/a through 0.8.9. | ||
| CVE-2026-49774 | Cri | 0.64 | 9.9 | 0.00 | Jun 16, 2026 | Improper Control of Generation of Code ('Code Injection') vulnerability in Filipe Nasc RD Station allows Remote Code Inclusion. This issue affects RD Station: from n/a through 5.6.0. | ||
| CVE-2026-9691 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions. | ||
| CVE-2026-49781 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated PHP Object Injection in OttoKit <= 1.1.27 versions. | ||
| CVE-2026-49770 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated PHP Object Injection in WP Travel Engine <= 6.7.12 versions. | ||
| CVE-2026-49769 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated PHP Object Injection in wpForo Forum <= 3.1.0 versions. | ||
| CVE-2026-49768 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated PHP Object Injection in Happyforms <= 1.26.13 versions. | ||
| CVE-2026-49766 | Cri | 0.64 | 9.9 | 0.01 | Jun 15, 2026 | Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions. | ||
| CVE-2026-49765 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated PHP Object Injection in Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.8 versions. | ||
| CVE-2026-49764 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated Broken Authentication in RegistrationMagic <= 6.0.8.6 versions. | ||
| CVE-2026-49763 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated PHP Object Injection in Integration for Contact Form 7 HubSpot <= 1.3.7 versions. | ||
| CVE-2026-49109 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated PHP Object Injection in Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.3 versions. | ||
| CVE-2026-49106 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated PHP Object Injection in Integration for Contact Form 7 and Constant Contact <= 1.1.6 versions. | ||
| CVE-2026-49105 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated PHP Object Injection in WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions. | ||
| CVE-2026-49104 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated PHP Object Injection in Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.2.1 versions. | ||
| CVE-2026-49085 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated PHP Object Injection in WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions. | ||
| CVE-2026-39591 | Cri | 0.64 | 9.9 | 0.00 | Jun 15, 2026 | Subscriber Arbitrary File Upload in WP-BusinessDirectory <= 4.0.0 versions. | ||
| CVE-2026-39583 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated Privilege Escalation in Datalogics Ecommerce Delivery <= 2.6.62 versions. | ||
| CVE-2026-34901 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated Privilege Escalation in iControlWP <= 5.5.3 versions. | ||
| CVE-2026-27053 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated PHP Object Injection in Broadcast Live Video < 7.1.3 versions. | ||
| CVE-2018-25436 | Cri | 0.64 | 9.8 | 0.01 | Jun 15, 2026 | WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file… | ||
| CVE-2026-8935 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting… | ||
| CVE-2026-53787 | Cri | 0.64 | 9.8 | 0.05 | Jun 12, 2026 | Amasty Order Attributes for Magento 2 before version 4.0.0 contains an unauthenticated arbitrary file upload vulnerability that allows unauthenticated attackers to write arbitrary files to the store's media directory by submitting files of any type or name to the upload endpoint… | ||
| CVE-2026-49060 | Cri | 0.64 | 9.8 | 0.01 | Jun 11, 2026 | Incorrect Privilege Assignment vulnerability in Hippoo Mobile App for WooCommerce allows Privilege Escalation. This issue affects Hippoo Mobile App for WooCommerce: from n/a through 1.9.4. | ||
| CVE-2025-6254 | Cri | 0.64 | 9.8 | 0.00 | Jun 10, 2026 | The Doctreat Core plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.6.8. This is due to the doctreat_process_registration() function not properly restricting the roles that a user can register with. This makes it possible for… | ||
| CVE-2017-20251 | Cri | 0.64 | 9.8 | 0.01 | Jun 9, 2026 | WordPress Insert PHP plugin versions before 3.3.1 contain a PHP code injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes through the WordPress REST API. Attackers can send POST requests to the… | ||
| CVE-2024-58349 | Cri | 0.64 | 9.8 | 0.01 | Jun 8, 2026 | WordPress Theme Travelscape 1.0.3 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting insufficient validation in the theme's upload functionality. Attackers can upload arbitrary files to the theme… | ||
| CVE-2024-58348 | Cri | 0.64 | 9.8 | 0.01 | Jun 8, 2026 | WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Attackers can upload PHP files through the file upload form in the plugin directory to… | ||
| CVE-2023-54352 | Cri | 0.64 | 9.8 | 0.01 | Jun 8, 2026 | WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Attackers can access the uploaded PHP shell at /wp-content/themes/seotheme/mar.php to… | ||
| CVE-2019-25738 | Cri | 0.64 | 9.8 | 0.00 | Jun 4, 2026 | WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability that allows unauthenticated attackers to modify WordPress options by exploiting the hc_ajax_save_option action. Attackers can send POST requests to the admin-ajax.php endpoint with the… | ||
| CVE-2019-25727 | Cri | 0.64 | 9.8 | 0.00 | Jun 4, 2026 | WordPress Plugin ad manager wd 1.0.11 contains an arbitrary file download vulnerability that allows unauthenticated attackers to download sensitive files by manipulating the path parameter. Attackers can send GET requests to the edit.php endpoint with export=export_csv and a… | ||
| CVE-2026-5076 | Cri | 0.64 | 9.8 | 0.00 | Jun 2, 2026 | The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1. The plugin stores a plaintext copy of the password reset key in the `arm_reset_password_key` user meta field when a user requests a… | ||
| CVE-2025-53209 | Cri | 0.64 | 9.8 | 0.00 | Jun 2, 2026 | Incorrect Privilege Assignment vulnerability in Themeisle Masteriyo LMS PRO allows Privilege Escalation. This issue affects Masteriyo LMS PRO: from n/a through 2.20.0. | ||
| CVE-2026-48879 | Cri | 0.64 | 9.8 | 0.00 | Jun 1, 2026 | Incorrect Privilege Assignment vulnerability in Sergey AIWU allows Privilege Escalation. This issue affects AIWU: from n/a through 1.4.17. | ||
| CVE-2026-42680 | Cri | 0.64 | 9.8 | 0.00 | Jun 1, 2026 | Incorrect Privilege Assignment vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery Pro allows Privilege Escalation. This issue affects Contest Gallery Pro: from n/a through 29.0.1. |
- risk 0.65cvss 9.8epss 0.11
The Astra Pro Addon WordPress plugin before 3.5.2 did not properly sanitise or escape some of the POST parameters from the astra_pagination_infinite and astra_shop_pagination_infinite AJAX action (available to both unauthenticated and authenticated user) before using them in SQL…
- risk 0.65cvss 9.8epss 0.15
The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the order_id POST parameter before using it in a SQL statement, leading…
- risk 0.65cvss 10.0epss 0.04
EWWW Image Optimizer before 2.8.5 allows remote command execution because it relies on a protection mechanism involving boolval, which is unavailable before PHP 5.5.
- risk 0.65cvss 9.8epss 0.14
The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited to by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as create…
- risk 0.65cvss 9.8epss 0.16
The wp-hotel-booking plugin through 1.10.2 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the thimpress_hotel_booking_1 cookie in load in includes/class-wphb-sessions.php.
- risk 0.65cvss 10.0epss 0.05
An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It made it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution. If a quiz question could be answered by uploading a file, only the Content-Type…
- risk 0.65cvss 9.9epss 0.02
An issue was discovered in the Divi Builder plugin, Divi theme, and Divi Extra theme before 4.5.3 for WordPress. Authenticated attackers, with contributor-level or above capabilities, can upload arbitrary files, including .php files. This occurs because the check for file…
- risk 0.65cvss 9.8epss 0.11
An unauthenticated SQL Injection vulnerability in Good Layers LMS Plugin <= 2.1.4 exists due to the usage of "wp_ajax_nopriv" call in WordPress, which allows any unauthenticated user to get access to the function "gdlr_lms_cancel_booking" where POST Parameter "id" was sent…
- risk 0.65cvss 9.8epss 0.13
A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments request. (No 7.x versions are affected.)
- risk 0.65cvss 9.9epss 0.09
An issue was discovered in the Elementor Pro plugin before 2.9.4 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13125. An attacker with the Subscriber role can upload arbitrary executable files to achieve remote code execution. NOTE: the free…
- risk 0.65cvss 9.8epss 0.15
The Showbiz Pro plugin through 1.7.1 for WordPress has PHP code execution by uploading a .php file within a ZIP archive.
- risk 0.65cvss 9.8epss 0.12
The shortcodes-ultimate plugin before 5.0.1 for WordPress has remote code execution via a filter in a meta, post, or user shortcode.
- risk 0.65cvss 10.0epss 0.02
The nelio-ab-testing plugin before 4.5.11 for WordPress has SSRF in ajax/iesupport.php.
- risk 0.65cvss 10.0epss 0.02
The nelio-ab-testing plugin before 4.5.9 for WordPress has SSRF in ajax/iesupport.php.
- risk 0.65cvss 9.8epss 0.10
The Design Chemical Social Network Tabs plugin 1.7.1 for WordPress allows remote attackers to discover Twitter access_token, access_token_secret, consumer_key, and consumer_secret values by reading the dcwp_twitter.php source code. This leads to Twitter account takeover.
- risk 0.64cvss 9.9epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in themagnifico52 Kids Online Store allows Upload a Web Shell to a Web Server. This issue affects Kids Online Store: from n/a through 0.8.9.
- risk 0.64cvss 9.9epss 0.00
Improper Control of Generation of Code ('Code Injection') vulnerability in Filipe Nasc RD Station allows Remote Code Inclusion. This issue affects RD Station: from n/a through 5.6.0.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated PHP Object Injection in OttoKit <= 1.1.27 versions.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated PHP Object Injection in WP Travel Engine <= 6.7.12 versions.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated PHP Object Injection in wpForo Forum <= 3.1.0 versions.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated PHP Object Injection in Happyforms <= 1.26.13 versions.
- risk 0.64cvss 9.9epss 0.01
Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated PHP Object Injection in Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.8 versions.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated Broken Authentication in RegistrationMagic <= 6.0.8.6 versions.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated PHP Object Injection in Integration for Contact Form 7 HubSpot <= 1.3.7 versions.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated PHP Object Injection in Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.3 versions.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated PHP Object Injection in Integration for Contact Form 7 and Constant Contact <= 1.1.6 versions.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated PHP Object Injection in WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated PHP Object Injection in Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.2.1 versions.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated PHP Object Injection in WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions.
- risk 0.64cvss 9.9epss 0.00
Subscriber Arbitrary File Upload in WP-BusinessDirectory <= 4.0.0 versions.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated Privilege Escalation in Datalogics Ecommerce Delivery <= 2.6.62 versions.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated Privilege Escalation in iControlWP <= 5.5.3 versions.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated PHP Object Injection in Broadcast Live Video < 7.1.3 versions.
- risk 0.64cvss 9.8epss 0.01
WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file…
- risk 0.64cvss 9.8epss 0.00
The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting…
- risk 0.64cvss 9.8epss 0.05
Amasty Order Attributes for Magento 2 before version 4.0.0 contains an unauthenticated arbitrary file upload vulnerability that allows unauthenticated attackers to write arbitrary files to the store's media directory by submitting files of any type or name to the upload endpoint…
- risk 0.64cvss 9.8epss 0.01
Incorrect Privilege Assignment vulnerability in Hippoo Mobile App for WooCommerce allows Privilege Escalation. This issue affects Hippoo Mobile App for WooCommerce: from n/a through 1.9.4.
- risk 0.64cvss 9.8epss 0.00
The Doctreat Core plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.6.8. This is due to the doctreat_process_registration() function not properly restricting the roles that a user can register with. This makes it possible for…
- risk 0.64cvss 9.8epss 0.01
WordPress Insert PHP plugin versions before 3.3.1 contain a PHP code injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes through the WordPress REST API. Attackers can send POST requests to the…
- risk 0.64cvss 9.8epss 0.01
WordPress Theme Travelscape 1.0.3 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting insufficient validation in the theme's upload functionality. Attackers can upload arbitrary files to the theme…
- risk 0.64cvss 9.8epss 0.01
WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Attackers can upload PHP files through the file upload form in the plugin directory to…
- risk 0.64cvss 9.8epss 0.01
WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Attackers can access the uploaded PHP shell at /wp-content/themes/seotheme/mar.php to…
- risk 0.64cvss 9.8epss 0.00
WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability that allows unauthenticated attackers to modify WordPress options by exploiting the hc_ajax_save_option action. Attackers can send POST requests to the admin-ajax.php endpoint with the…
- risk 0.64cvss 9.8epss 0.00
WordPress Plugin ad manager wd 1.0.11 contains an arbitrary file download vulnerability that allows unauthenticated attackers to download sensitive files by manipulating the path parameter. Attackers can send GET requests to the edit.php endpoint with export=export_csv and a…
- risk 0.64cvss 9.8epss 0.00
The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1. The plugin stores a plaintext copy of the password reset key in the `arm_reset_password_key` user meta field when a user requests a…
- risk 0.64cvss 9.8epss 0.00
Incorrect Privilege Assignment vulnerability in Themeisle Masteriyo LMS PRO allows Privilege Escalation. This issue affects Masteriyo LMS PRO: from n/a through 2.20.0.
- risk 0.64cvss 9.8epss 0.00
Incorrect Privilege Assignment vulnerability in Sergey AIWU allows Privilege Escalation. This issue affects AIWU: from n/a through 1.4.17.
- risk 0.64cvss 9.8epss 0.00
Incorrect Privilege Assignment vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery Pro allows Privilege Escalation. This issue affects Contest Gallery Pro: from n/a through 29.0.1.
Page 9 of 664