U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Wordpress
  • Search Type: Search All
There are 8,315 matching records.
Displaying matches 261 through 280.
Vuln ID Summary CVSS Severity
CVE-2024-1400

The Mollie Forms plugin for WordPress is vulnerable to unauthorized post or page duplication due to a missing capability check on the duplicateForm function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or higher, to duplicate arbitrary posts and pages.

Published: March 11, 2024; 6:15:54 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-1487

The Photos and Files Contest Gallery WordPress plugin before 21.3.1 does not sanitize and escape some parameters, which could allow users with a role as low as author to perform Cross-Site Scripting attacks.

Published: March 11, 2024; 2:15:18 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-1290

The User Registration WordPress plugin before 2.12 does not prevent users with at least the contributor role from rendering sensitive shortcodes, allowing them to generate, and leak, valid password reset URLs, which they can use to take over any accounts.

Published: March 11, 2024; 2:15:18 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-1279

The Paid Memberships Pro WordPress plugin before 2.12.9 does not prevent user with at least the contributor role from leaking other users' sensitive metadata.

Published: March 11, 2024; 2:15:17 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-1273

The Starbox WordPress plugin before 3.5.0 does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks

Published: March 11, 2024; 2:15:17 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-1068

The 404 Solution WordPress plugin before 2.35.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admins.

Published: March 11, 2024; 2:15:17 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-0561

The Ultimate Posts Widget WordPress plugin before 2.3.1 does not validate and escape some of its Widget options before outputting them back in attributes, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Published: March 11, 2024; 2:15:17 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-0559

The Enhanced Text Widget WordPress plugin before 1.6.6 does not validate and escape some of its Widget options before outputting them back in attributes, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Published: March 11, 2024; 2:15:17 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2023-7247

The Login as User or Customer WordPress plugin through 3.8 does not prevent users to log in as any other user on the site.

Published: March 11, 2024; 2:15:17 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2023-6444

The Seriously Simple Podcasting WordPress plugin before 3.0.0 discloses the Podcast owner's email address (which by default is the admin email address) via an unauthenticated crafted request.

Published: March 11, 2024; 2:15:17 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-1870

The Colibri Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the callActivateLicenseEndpoint function in all versions up to, and including, 1.0.260. This makes it possible for authenticated attackers, with subscriber access or higher, to update the license key.

Published: March 09, 2024; 5:15:06 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1767

The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocks in all versions up to, and including, 2.0.26 due to insufficient input sanitization and output escaping on user supplied attributes like 'className' and 'radius'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: March 09, 2024; 2:15:09 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1320

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'offline_status' parameter in all versions up to, and including, 3.4.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: March 09, 2024; 2:15:08 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1125

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the calendar_events_delete() function in all versions up to, and including, 3.4.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts.

Published: March 09, 2024; 2:15:08 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1124

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the ep_send_attendees_email() function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to send arbitrary emails with arbitrary content from the site.

Published: March 09, 2024; 2:15:08 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1123

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_frontend_event_submission() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite the title and content of arbitrary posts. This can also be exploited by unauthenticated attackers when the allow_submission_by_anonymous_user setting is enabled.

Published: March 09, 2024; 2:15:07 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-2298

The affiliate-toolkit – WordPress Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the atkp_import_product() function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to to perform unauthorized actions such as creating importing products.

Published: March 08, 2024; 2:15:06 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1851

The affiliate-toolkit – WordPress Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the atkp_create_list() function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to to perform unauthorized actions such as creating product lists.

Published: March 08, 2024; 2:15:05 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1987

The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.4.9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: March 08, 2024; 1:15:52 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1986

The Booster Elite for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wc_add_new_product() function in all versions up to, and including, 7.1.7. This makes it possible for customer-level attackers, and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. This is only exploitable when the user product upload functionality is enabled.

Published: March 07, 2024; 4:15:08 PM -0500
V3.x:(not available)
V2.0:(not available)