U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): WordPress
  • Search Type: Search All
There are 7,903 matching records.
Displaying matches 41 through 60.
Vuln ID Summary CVSS Severity
CVE-2023-7165

The JetBackup WordPress plugin before 2.0.9.9 doesn't use index files to prevent public directory listing of sensitive directories in certain configurations, which allows malicious actors to leak backup files.

Published: February 27, 2024; 4:15:37 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2023-7115

The Page Builder: Pagelayer WordPress plugin before 1.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Published: February 27, 2024; 4:15:37 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2023-6585

The WP JobSearch WordPress plugin before 2.3.4 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server

Published: February 27, 2024; 4:15:37 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2023-6584

The WP JobSearch WordPress plugin before 2.3.4 does not prevent attackers from logging-in as any users with the only knowledge of that user's email address.

Published: February 27, 2024; 4:15:37 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1698

The NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Published: February 27, 2024; 1:15:46 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1687

The Thank You Page Customizer for WooCommerce – Increase Your Sales plugin for WordPress is vulnerable to unauthorized execution of shortcodes due to a missing capability check on the get_text_editor_content() function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute arbitrary shortcodes.

Published: February 27, 2024; 1:15:45 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1686

The Thank You Page Customizer for WooCommerce – Increase Your Sales plugin for WordPress is vulnerable to missing authorization e in all versions up to, and including, 1.1.2 via the apply_layout function due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve arbitrary order data which may contain PII.

Published: February 27, 2024; 1:15:45 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1323

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Post Type Grid Widget Title in all versions up to, and including, 2.10.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: February 27, 2024; 12:15:08 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1758

The SuperFaktura WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.40.3 via the wc_sf_url_check function. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Published: February 26, 2024; 11:27:53 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1710

The Addon Library plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the onAjaxAction function action in all versions up to, and including, 1.3.76. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several unauthorized actions including uploading arbitrary files.

Published: February 26, 2024; 11:27:52 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1165

The Brizy – Page Builder plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.4.39 via the 'id'. This makes it possible for authenticated attackers, with contributor-level access and above, to upload files to arbitrary locations on the server

Published: February 26, 2024; 11:27:51 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2023-5775

The BackWPup plugin for WordPress is vulnerable to Plaintext Storage of Backup Destination Password in all versions up to, and including, 4.0.2. This is due to to the plugin improperly storing backup destination passwords in plaintext. This makes it possible for authenticated attackers, with administrator-level access, to retrieve the password from the password input field in the UI or from the options table where the password is stored.

Published: February 26, 2024; 11:27:49 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1810

The Archivist – Custom Archive Templates plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcode_attributes' parameter in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Published: February 24, 2024; 12:15:43 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1362

The Colibri Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.253. This is due to missing or incorrect nonce validation on the cp_shortcode_refresh() function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published: February 23, 2024; 6:15:08 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1361

The Colibri Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.253. This is due to missing or incorrect nonce validation on the apiCall() function. This makes it possible for unauthenticated attackers to call a limited set of functions that can be used to import images, delete posts, or save theme data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published: February 23, 2024; 6:15:08 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1360

The Colibri WP theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.94. This is due to missing or incorrect nonce validation on the colibriwp_install_plugin() function. This makes it possible for unauthenticated attackers to install recommended plugins via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published: February 23, 2024; 6:15:08 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1590

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button Widget in all versions up to, and including, 1.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: February 23, 2024; 5:15:07 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2023-4826

The SocialDriver WordPress theme before version 2024 has a prototype pollution vulnerability that could allow an attacker to inject arbitrary properties resulting in a cross-site scripting (XSS) attack.

Published: February 23, 2024; 5:15:07 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1779

The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the zt_dcfcf_change_status() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to alter the message read status of messages.

Published: February 23, 2024; 2:15:49 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2024-1778

The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the zt_dcfcf_change_bookmark() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to alter bookmark statuses.

Published: February 23, 2024; 2:15:48 AM -0500
V3.x:(not available)
V2.0:(not available)