U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): Wordpress
There are 10,585 matching records.
Displaying matches 2,341 through 2,360.
Vuln ID Summary CVSS Severity
CVE-2024-1477

The Easy Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2 via the REST API. This makes it possible for authenticated attackers to obtain post and page content via REST API thus bypassign the protection provided by the plugin.

Published: March 20, 2024; 3:15:10 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-1473

The Coming Soon & Maintenance Mode by Colorlib plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.99 via the REST API. This makes it possible for unauthenticated attackers to obtain post and page contents via REST API thus bypassing maintenance mode protection provided by the plugin.

Published: March 20, 2024; 3:15:10 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-1379

The Website Article Monetization By MageNet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'abp_auth_key' parameter in all versions up to, and including, 1.0.11 due to insufficient input sanitization and output escaping and a missing authorization check. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: March 20, 2024; 3:15:09 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-1325

The Live Sales Notification for Woocommerce – Woomotiv plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.3. This is due to missing or incorrect nonce validation on the 'ajax_cancel_review' function. This makes it possible for unauthenticated attackers to reset the site's review count via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published: March 20, 2024; 3:15:09 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-1205

The Management App for WooCommerce – Order notifications, Order management, Lead management, Uptime Monitoring plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the nouvello_upload_csv_file function in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Published: March 20, 2024; 3:15:09 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-1181

The Coming Soon, Under Construction & Maintenance Mode By Dazzler plugin for WordPress is vulnerable to maintenance mode bypass in all versions up to, and including, 2.1.2. This is due to the plugin relying on the REQUEST_URI to determine if the page being accesses is an admin area. This makes it possible for unauthenticated attackers to bypass maintenance mode and access the site which may be considered confidential when in maintenance mode.

Published: March 20, 2024; 3:15:09 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-1119

The Order Tip for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_tips_to_csv() function in all versions up to, and including, 1.3.1. This makes it possible for unauthenticated attackers to export the plugin's order fees.

Published: March 20, 2024; 3:15:08 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-2538

The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_permalink' function in all versions up to, and including, 2.4.3.1. This makes it possible for authenticated attackers, with author access and above, to modify the permalinks of arbitrary posts.

Published: March 20, 2024; 2:15:12 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-2474

The Standout Color Boxes and Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'color-button' shortcode in all versions up to, and including, 0.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: March 20, 2024; 1:15:46 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-2124

The Translate WordPress and go Multilingual – Weglot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widget/block in all versions up to, and including, 4.2.5 due to insufficient input sanitization and output escaping on user supplied attributes such as 'className'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: March 20, 2024; 1:15:45 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-1983

The Simple Ajax Chat WordPress plugin before 20240223 does not prevent visitors from using malicious Names when using the chat, which will be reflected unsanitized to other users.

Published: March 20, 2024; 1:15:45 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-0856

The Appointment Booking Calendar WordPress plugin before 1.3.83 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as adding a booking to the calendar without paying.

Published: March 20, 2024; 1:15:45 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-0337

The Travelpayouts: All Travel Brands in One Place WordPress plugin through 1.1.15 is vulnerable to Open Redirect due to insufficient validation on the travelpayouts_redirect variable. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

Published: March 20, 2024; 1:15:45 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2023-7246

The System Dashboard WordPress plugin before 2.8.10 does not sanitize and escape some parameters, which could allow administrators in multisite WordPress configurations to perform Cross-Site Scripting attacks

Published: March 20, 2024; 1:15:45 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-2255

The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 4.5.2 due to insufficient input sanitization and output escaping on user supplied attributes such as listStyle. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: March 20, 2024; 12:15:10 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-2460

The GamiPress – Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gamipress_button' shortcode in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: March 19, 2024; 11:15:08 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-2384

The WooCommerce POS plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 1.4.11. This is due to the plugin not properly verifying the authentication and authorization of the current user This makes it possible for authenticated attackers, with customer-level access and above, to view potentially sensitive information about other users by leveraging their order id

Published: March 19, 2024; 11:15:08 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-1799

The GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to SQL Injection via the 'achievement_types' attribute of the gamipress_earnings shortcode in all versions up to, and including, 6.8.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Published: March 19, 2024; 11:15:08 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-2387

The Advanced Form Integration – Connect WooCommerce and Contact Form 7 to Google Sheets and other platforms plugin for WordPress is vulnerable to SQL Injection via the ‘integration_id’ parameter in all versions up to, and including, 1.82.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries and subsequently inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Published: March 19, 2024; 10:15:08 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-1995

The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and including, 4.2.2. This makes it possible for authenticated attackers, with subscrber-level access and above, to retrieve post content that is password protected and/or private.

Published: March 19, 2024; 10:15:08 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)