Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
wordpress wordpress 3.0 vulnerabilities and exploits
(subscribe to this query)
NA
CVE-2024-3471
The Button Generator WordPress plugin prior to 3.0 does not have CSRF check in place when bulk deleting, which could allow malicious users to make a logged in admin delete buttons via a CSRF attack
4.8
CVSSv3
CVE-2023-5005
The Autocomplete Location field Contact Form 7 WordPress plugin prior to 3.0, autocomplete-location-field-contact-form-7-pro WordPress plugin prior to 2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cro...
Codesmade Autocomplete Location Field Contact Form 7
6.1
CVSSv3
CVE-2023-5210
The AMP+ Plus WordPress plugin up to and including 3.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Amp-cloud Amp Plus
5.4
CVSSv3
CVE-2023-5458
The CITS Support svg, webp Media and TTF,OTF File Upload WordPress plugin prior to 3.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.
Ashik Cits Support Svg\\, Webp Media And Ttf\\,otf File Upload
6.5
CVSSv3
CVE-2023-5430
The Jquery news ticker plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...
Gopiplus Jquery News Ticker
5.4
CVSSv3
CVE-2023-5126
The Delete Me plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'plugin_delete_me' shortcode in versions up to, and including, 3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for auth...
Cmc3215 Delete Me
4.8
CVSSv3
CVE-2023-2029
The PrePost SEO WordPress plugin up to and including 3.0 does not properly sanitize some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed (for example in multisite s...
Enzipe Prepost Seo
5.4
CVSSv3
CVE-2023-0367
The Pricing Tables For WPBakery Page Builder (formerly Visual Composer) WordPress plugin prior to 3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributo...
Pricing Tables For Wpbakery Page Builder Project Pricing Tables For Wpbakery Page Builder
6.5
CVSSv3
CVE-2023-1274
The Pricing Tables For WPBakery Page Builder (formerly Visual Composer) WordPress plugin prior to 3.0 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as subscriber to perform LFI a...
Pricing Tables For Wpbakery Page Builder Project Pricing Tables For Wpbakery Page Builder
5.4
CVSSv3
CVE-2023-0399
The Image Over Image For WPBakery Page Builder WordPress plugin prior to 3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perfo...
Image Over Image For Wpbakery Page Builder Project Image Over Image For Wpbakery Page Builder
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
cross-site scripting
CVE-2024-5158
XML external entity
CVE-2024-4262
CVE-2024-2036
CVE-2024-4985
CVE-2024-21791
remote attackers
CVE-2023-43208
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
4
5
6
NEXT »