U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): wordpress
  • Search Type: Search All
  • CPE Name Search: false
  • CVSS Version: 3
There are 9,875 matching records.
Displaying matches 881 through 900.
Vuln ID Summary CVSS Severity
CVE-2024-11419

The Password for WP plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the get3_init_admin_page() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published: December 11, 2024; 11:15:05 PM -0500
V4.0:(not available)
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2024-11417

The dejure.org Vernetzungsfunktion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.97.5. This is due to missing or incorrect nonce validation on the djo_einstellungen_menue() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published: December 11, 2024; 11:15:05 PM -0500
V4.0:(not available)
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2024-11413

The HostFact bestelformulier integratie plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bestelformulier' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: December 11, 2024; 11:15:05 PM -0500
V4.0:(not available)
V3.1: 6.4 MEDIUM
V2.0:(not available)
CVE-2024-11279

The Schema App Structured Data plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.2.4. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Published: December 11, 2024; 11:15:04 PM -0500
V4.0:(not available)
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2024-11015

The Sign In With Google plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.8.0. This is due to the 'authenticate_user' user function not implementing sufficient null value checks when setting the access token and user information. This makes it possible for unauthenticated attackers to log in as the first user who has signed in using Google OAuth, which could be the site administrator.

Published: December 11, 2024; 11:15:04 PM -0500
V4.0:(not available)
V3.1: 9.8 CRITICAL
V2.0:(not available)
CVE-2024-10111

The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 6.26.3. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username and the user does not have an already-existing account for the service returning the token.

Published: December 11, 2024; 11:15:04 PM -0500
V4.0:(not available)
V3.1: 8.1 HIGH
V2.0:(not available)
CVE-2024-11351

The Restrict – membership, site, content and user access restrictions for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.8 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.

Published: December 11, 2024; 8:15:06 AM -0500
V4.0:(not available)
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2024-12325

The Waymark plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Published: December 11, 2024; 7:15:19 AM -0500
V4.0:(not available)
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2024-12294

The Last Viewed Posts by WPBeginner plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.1 via the 'get_legacy_cookies' function. This makes it possible for unauthenticated attackers to extract sensitive data including titles and permalinks of private, password-protected, pending, and draft posts.

Published: December 11, 2024; 6:15:06 AM -0500
V4.0:(not available)
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2024-11840

The RapidLoad – Optimize Web Vitals Automatically plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the uucss_data, update_rapidload_settings, wp_ajax_update_htaccess_file, uucss_update_rule, upload_rules, get_all_rules, update_titan_settings, preload_page, and activate_module functions in all versions up to, and including, 2.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings or conduct SQL injection attacks.

Published: December 11, 2024; 6:15:06 AM -0500
V4.0:(not available)
V3.1: 7.1 HIGH
V2.0:(not available)
CVE-2024-11008

The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.10 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.

Published: December 11, 2024; 6:15:04 AM -0500
V4.0:(not available)
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2024-12283

The WP Pipes plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘x1’ parameter in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Published: December 11, 2024; 4:15:05 AM -0500
V4.0:(not available)
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2024-12004

The WPC Order Notes for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.2. This is due to missing or incorrect nonce validation on the ajax_update_order_note() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published: December 11, 2024; 4:15:05 AM -0500
V4.0:(not available)
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2024-12323

The turboSMTP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in all versions up to, and including, 4.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link while logged in to turboSMTP.

Published: December 10, 2024; 10:15:07 AM -0500
V4.0:(not available)
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2024-11868

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.3 via class-lp-rest-material-controller.php. This makes it possible for unauthenticated attackers to extract potentially sensitive paid course material.

Published: December 10, 2024; 8:15:15 AM -0500
V4.0:(not available)
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2024-11928

The iChart – Easy Charts and Graphs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘width’ parameter in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: December 10, 2024; 6:15:07 AM -0500
V4.0:(not available)
V3.1: 6.4 MEDIUM
V2.0:(not available)
CVE-2024-11973

The Quran multilanguage Text & Audio plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'sourate' and 'lang' parameter in all versions up to, and including, 2.3.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Published: December 10, 2024; 5:15:06 AM -0500
V4.0:(not available)
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2024-11945

The Email Reminders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: December 10, 2024; 5:15:04 AM -0500
V4.0:(not available)
V3.1: 6.4 MEDIUM
V2.0:(not available)
CVE-2024-11940

The Property Hive Mortgage Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘price’ parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: December 10, 2024; 4:15:04 AM -0500
V4.0:(not available)
V3.1: 6.4 MEDIUM
V2.0:(not available)
CVE-2023-6947

The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.4.26. This makes it possible for authenticated attackers, with contributor level or higher to read the contents of arbitrary folders on the server, which can contain sensitive information such as folder structure.

Published: December 10, 2024; 1:15:19 AM -0500
V4.0:(not available)
V3.1: 7.7 HIGH
V2.0:(not available)