U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Wordpress
  • Search Type: Search All
There are 7,841 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2024-1053

The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'email' action in all versions up to, and including, 5.8.1. This makes it possible for authenticated attackers, with contributor-level access and above, to email the attendees list to themselves.

Published: February 22, 2024; 1:15:57 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-0903

The User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page_submitted' 'link' value in all versions up to, and including, 1.0.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the feedback submission page that will execute when a user clicks the link, while also pressing the command key.

Published: February 22, 2024; 1:15:57 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-24837

Cross-Site Request Forgery (CSRF) vulnerability in Frédéric GILLES FG PrestaShop to WooCommerce, Frédéric GILLES FG Drupal to WordPress, Frédéric GILLES FG Joomla to WordPress.This issue affects FG PrestaShop to WooCommerce: from n/a through 4.44.3; FG Drupal to WordPress: from n/a through 3.67.0; FG Joomla to WordPress: from n/a through 4.15.0.

Published: February 21, 2024; 3:15:46 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1081

The 3D FlipBook – PDF Flipbook WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bookmark feature in all versions up to, and including, 1.15.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: February 21, 2024; 2:15:53 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-0593

The Simple Job Board plugin for WordPress is vulnerable to unauthorized access of data| due to insufficient authorization checking on the fetch_quick_job() function in all versions up to, and including, 2.10.8. This makes it possible for unauthenticated attackers to fetch arbitrary posts, which can be password protected or private and contain sensitive information.

Published: February 21, 2024; 2:15:52 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1562

The WooCommerce Google Sheet Connector plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the execute_post_data function in all versions up to, and including, 1.3.11. This makes it possible for unauthenticated attackers to update plugin settings.

Published: February 20, 2024; 11:15:07 PM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1501

The Database Reset plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.22. This is due to missing or incorrect nonce validation on the install_wpr() function. This makes it possible for unauthenticated attackers to install the WP Reset Plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published: February 20, 2024; 11:15:07 PM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1108

The Plugin Groups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the admin_init() function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to change the settings of the plugin, which can also cause a denial of service due to a misconfiguration.

Published: February 20, 2024; 10:15:08 PM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1559

The Link Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'll_reciprocal' parameter in all versions up to, and including, 7.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: February 19, 2024; 11:15:07 PM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1510

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's su_tooltip shortcode in all versions up to, and including, 7.0.2 due to insufficient input sanitization and output escaping on user supplied attributes and user supplied tags. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: February 19, 2024; 10:15:08 PM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1512

The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to union based SQL Injection via the 'user' parameter of the /lms/stm-lms/order/items REST route in all versions up to, and including, 3.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Published: February 17, 2024; 3:15:08 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-0610

The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'MerchantReference' parameter in all versions up to, and including, 1.6.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Published: February 17, 2024; 3:15:07 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-0708

The Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.2. This makes it possible for unauthenticated attackers to access landing pages that may not be public.

Published: February 15, 2024; 2:15:10 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1160

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Icon Link in all versions up to, and including, 4.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: February 13, 2024; 5:15:08 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1159

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 4.8.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: February 13, 2024; 5:15:08 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1157

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's button URL in all versions up to, and including, 4.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: February 13, 2024; 5:15:08 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-0566

The Smart Manager WordPress plugin before 8.28.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

Published: February 12, 2024; 11:15:08 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-0421

The MapPress Maps for WordPress plugin before 2.88.16 does not ensure that posts to be retrieve via an AJAX action is a public map, allowing unauthenticated users to read arbitrary private and draft posts.

Published: February 12, 2024; 11:15:08 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-0420

The MapPress Maps for WordPress plugin before 2.88.15 does not sanitize and escape the map title when outputting it back in the admin dashboard, allowing Contributors and above roles to perform Stored Cross-Site Scripting attacks

Published: February 12, 2024; 11:15:08 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-0250

The Analytics Insights for Google Analytics 4 (AIWP) WordPress plugin before 6.3 is vulnerable to Open Redirect due to insufficient validation on the redirect oauth2callback.php file. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

Published: February 12, 2024; 11:15:08 AM -0500
V3.x:(not available)
V2.0:(not available)