U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): Wordpress
There are 10,002 matching records.
Displaying matches 2,181 through 2,200.
Vuln ID Summary CVSS Severity
CVE-2024-0566

The Smart Manager WordPress plugin before 8.28.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

Published: February 12, 2024; 11:15:08 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-0421

The MapPress Maps for WordPress plugin before 2.88.16 does not ensure that posts to be retrieve via an AJAX action is a public map, allowing unauthenticated users to read arbitrary private and draft posts.

Published: February 12, 2024; 11:15:08 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-0420

The MapPress Maps for WordPress plugin before 2.88.15 does not sanitize and escape the map title when outputting it back in the admin dashboard, allowing Contributors and above roles to perform Stored Cross-Site Scripting attacks

Published: February 12, 2024; 11:15:08 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-0250

The Analytics Insights for Google Analytics 4 (AIWP) WordPress plugin before 6.3 is vulnerable to Open Redirect due to insufficient validation on the redirect oauth2callback.php file. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

Published: February 12, 2024; 11:15:08 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-0248

The EazyDocs WordPress plugin before 2.4.0 re-introduced CVE-2023-6029 (https://wpscan.com/vulnerability/7a0aaf85-8130-4fd7-8f09-f8edc929597e/) in 2.3.8, allowing any authenticated users, such as subscriber to delete arbitrary posts, as well as add and delete documents/sections. The issue was partially fixed in 2.3.9.

Published: February 12, 2024; 11:15:08 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2023-7233

The GigPress WordPress plugin through 2.3.29 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Published: February 12, 2024; 11:15:08 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2023-6591

The Popup Box WordPress plugin before 20.9.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Published: February 12, 2024; 11:15:08 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2023-6501

The Splashscreen WordPress plugin through 0.20 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Published: February 12, 2024; 11:15:08 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2023-6499

The lasTunes WordPress plugin through 3.6.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

Published: February 12, 2024; 11:15:08 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2023-6294

The Popup Builder WordPress plugin before 4.2.6 does not validate a parameter before making a request to it, which could allow users with the administrator role to perform SSRF attack in Multisite WordPress configurations.

Published: February 12, 2024; 11:15:08 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2023-6082

The chartjs WordPress plugin through 2023.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Published: February 12, 2024; 11:15:08 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2023-6081

The chartjs WordPress plugin through 2023.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Published: February 12, 2024; 11:15:08 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2023-6036

The Web3 WordPress plugin before 3.0.0 is vulnerable to an authentication bypass due to incorrect authentication checking in the login flow in functions 'handle_auth_request' and 'hadle_login_request'. This makes it possible for non authenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

Published: February 12, 2024; 11:15:07 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-24887

Cross-Site Request Forgery (CSRF) vulnerability in Contest Gallery Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress.This issue affects Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress: from n/a through 21.2.8.4.

Published: February 12, 2024; 4:15:12 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-24926

Deserialization of Untrusted Data vulnerability in UnitedThemes Brooklyn | Creative Multi-Purpose Responsive WordPress Theme.This issue affects Brooklyn | Creative Multi-Purpose Responsive WordPress Theme: from n/a through 4.9.7.6.

Published: February 12, 2024; 3:15:41 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-24796

Deserialization of Untrusted Data vulnerability in MagePeople Team Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin.This issue affects Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin: from n/a through 4.1.1.

Published: February 12, 2024; 3:15:40 AM -0500
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2023-47526

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chart Builder Team Chartify – WordPress Chart Plugin allows Stored XSS.This issue affects Chartify – WordPress Chart Plugin: from n/a through 2.0.6.

Published: February 12, 2024; 2:15:07 AM -0500
V4.0:(not available)
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2024-24927

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UnitedThemes Brooklyn | Creative Multi-Purpose Responsive WordPress Theme allows Reflected XSS.This issue affects Brooklyn | Creative Multi-Purpose Responsive WordPress Theme: from n/a through 4.9.7.6.

Published: February 12, 2024; 1:15:08 AM -0500
V4.0:(not available)
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2024-23517

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Start Booking Scheduling Plugin – Online Booking for WordPress allows Stored XSS.This issue affects Scheduling Plugin – Online Booking for WordPress: from n/a through 3.5.10.

Published: February 10, 2024; 4:15:09 AM -0500
V4.0:(not available)
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-51404

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MyAgilePrivacy My Agile Privacy – The only GDPR solution for WordPress that you can truly trust allows Stored XSS.This issue affects My Agile Privacy – The only GDPR solution for WordPress that you can truly trust: from n/a through 2.1.7.

Published: February 10, 2024; 4:15:07 AM -0500
V4.0:(not available)
V3.1: 5.4 MEDIUM
V2.0:(not available)