U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): wordpress
  • Search Type: Search All
There are 9,539 matching records.
Displaying matches 141 through 160.
Vuln ID Summary CVSS Severity
CVE-2024-4887

The Qi Addons For Elementor plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 1.7.2 via the 'behavior' attributes found in the qi_addons_for_elementor_blog_list shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include remote files on the server, resulting in code execution. Please note that this requires an attacker to create a non-existent directory or target an instance where file_exists won't return false with a non-existent directory in the path, in order to successfully exploit.

Published: June 07, 2024; 12:15:31 AM -0400
V4.0:(not available)
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2024-36082

SQL injection vulnerability in Music Store - WordPress eCommerce versions prior to 1.1.14 allows a remote authenticated attacker with an administrative privilege to execute arbitrary SQL commands. Information stored in the database may be obtained or altered by the attacker.

Published: June 07, 2024; 12:15:30 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-1988

The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' attribute in blocks in all versions up to, and including, 2.2.80 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: June 07, 2024; 12:15:25 AM -0400
V4.0:(not available)
V3.1: 6.4 MEDIUM
V2.0:(not available)
CVE-2024-5607

The GDPR CCPA Compliance & Cookie Consent Banner plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions named ajaxUpdateSettings() in all versions up to, and including, 2.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's settings, update page content, send arbitrary emails and inject malicious web scripts.

Published: June 06, 2024; 11:15:09 PM -0400
V4.0:(not available)
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2024-3987

The WP Mobile Menu – The Mobile-Friendly Responsive Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image alt text in all versions up to, and including, 2.8.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: June 06, 2024; 11:15:09 PM -0400
V4.0:(not available)
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2024-1768

The Clever Fox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's info box block in all versions up to, and including, 25.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: June 06, 2024; 11:15:09 PM -0400
V4.0:(not available)
V3.1: 6.4 MEDIUM
V2.0:(not available)
CVE-2024-1689

The WooCommerce Tools plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the woocommerce_tool_toggle_module() function in all versions up to, and including, 1.2.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to deactivate arbitrary plugin modules.

Published: June 06, 2024; 10:15:09 PM -0400
V4.0:(not available)
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2023-6876

The Clever Fox – One Click Website Importer by Nayra Themes plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'clever-fox-activate-theme' function in all versions up to, and including, 25.2.0. This makes it possible for authenticated attackers, with subscriber access and above, to modify the active theme, including to an invalid value which can take down the site.

Published: June 06, 2024; 10:15:08 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-5489

The Wbcom Designs – Custom Font Uploader plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'cfu_delete_customfont' function in all versions up to, and including, 2.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete any custom font.

Published: June 06, 2024; 8:15:09 AM -0400
V4.0:(not available)
V3.1: 4.3 MEDIUM
V2.0:(not available)
CVE-2024-5188

The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'get_manual_calendar_events' function in all versions up to, and including, 5.9.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: June 06, 2024; 7:15:49 AM -0400
V4.0:(not available)
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2024-5038

The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.0.276 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: June 06, 2024; 7:15:48 AM -0400
V4.0:(not available)
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2024-5329

The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to blind SQL Injection via the ‘data[addonID]’ parameter in all versions up to, and including, 1.5.109 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Published: June 06, 2024; 6:15:10 AM -0400
V4.0:(not available)
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2024-5259

The MultiVendorX Marketplace – WooCommerce MultiVendor Marketplace Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hover_animation’ parameter in all versions up to, and including, 4.1.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: June 06, 2024; 6:15:09 AM -0400
V4.0:(not available)
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2024-5221

The Qi Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file uploader in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: June 06, 2024; 5:15:14 AM -0400
V4.0:(not available)
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2024-5665

The Login/Signup Popup ( Inline Form + Woocommerce ) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ‘export_settings’ function in versions 2.7.1 to 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary options on affected sites.

Published: June 06, 2024; 4:15:40 AM -0400
V4.0:(not available)
V3.1: 4.3 MEDIUM
V2.0:(not available)
CVE-2024-5615

The Open Graph plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.11.2 via the 'opengraph_default_description' function. This makes it possible for unauthenticated attackers to extract sensitive data including partial content of password-protected blog posts.

Published: June 06, 2024; 12:15:15 AM -0400
V4.0:(not available)
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2024-5449

The WP Dark Mode – WordPress Dark Mode Plugin for Improved Accessibility, Dark Theme, Night Mode, and Social Sharing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpdm_social_share_save_options function in all versions up to, and including, 5.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings.

Published: June 06, 2024; 12:15:14 AM -0400
V4.0:(not available)
V3.1: 4.3 MEDIUM
V2.0:(not available)
CVE-2024-5162

The WordPress prettyPhoto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: June 06, 2024; 12:15:14 AM -0400
V4.0:(not available)
V3.1: 6.4 MEDIUM
V2.0:(not available)
CVE-2024-5161

The Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library ) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_id’ parameter in all versions up to, and including, 1.1.39 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: June 06, 2024; 12:15:14 AM -0400
V4.0:(not available)
V3.1: 6.4 MEDIUM
V2.0:(not available)
CVE-2024-5153

The Startklar Elementor Addons plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.7.15 via the 'dropzone_hash' parameter. This makes it possible for unauthenticated attackers to copy the contents of arbitrary files on the server, which can contain sensitive information, and to delete arbitrary directories, including the root WordPress directory.

Published: June 06, 2024; 12:15:13 AM -0400
V4.0:(not available)
V3.1: 9.1 CRITICAL
V2.0:(not available)