Vulmon
Search results: WordPress vulnerabilities and exploits
CVE-2022-27862 (CVSSv2 7.5)
Arbitrary File Upload leading to RCE in E4J s.r.l. VikBooking Hotel Booking Engine & PMS plugin <= 1.5.3 on WordPress allows malicious users to upload and execute dangerous file types (e.g. PHP shell) via the signature upload on the booking form.
Product: Vikwp Vikbooking Hotel Booking Engine & Property Management System Plugin
CVE-2022-1020 (CVSSv2 7.5)
The Product Table for WooCommerce (wooproducttable) WordPress plugin prior to 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback...
Product: Codeastrology Woo Product Table
CVE-2022-0785 (CVSSv2 7.5)
The Daily Prayer Time WordPress plugin prior to 2022.03.01 does not sanitise and escape the month parameter before using it in a SQL statement via the get_monthly_timetable AJAX action (available to unauthenticated users), leading to an unauthenticated SQL injection.
Product: Daily Prayer Time Project Daily Prayer Time
CVE-2022-0142 (CVSSv2 7.5)
The Visual Form Builder WordPress plugin prior to 3.0.8 is vulnerable to CSV injection, allowing a user with low-level or no privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.
Product: Vfbpro Visual Form Builder
CVE-2022-0949 (CVSSv2 7.5)
The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin prior to 6.930 does not properly sanitise and escape the fingerprint parameter before using it in a SQL statement via the stopbadbots_grava_fingerprint AJAX action, available to un...
Product: Stopbadbots Block And Stop Bad Bots
CVE-2022-0787 (CVSSv2 7.5)
The Limit Login Attempts (Spam Protection) WordPress plugin prior to 5.1 does not sanitise and escape some parameters before using them in SQL statements via AJAX actions (available to unauthenticated users), leading to SQL injections.
Product: Limit Login Attempts Project Limit Login Attempts
CVE-2022-0784 (CVSSv2 7.5)
The Title Experiments Free WordPress plugin prior to 9.0.1 does not sanitise and escape the id parameter before using it in a SQL statement via the wpex_titles AJAX action (available to unauthenticated users), leading to an unauthenticated SQL injection.
Product: Title Experiments Free Project Title Experiments Free
CVE-2022-0846 (CVSSv2 7.5)
The SpeakOut! Email Petitions WordPress plugin prior to 2.14.15.1 does not sanitise and escape the id parameter before using it in a SQL statement via the dk_speakout_sendmail AJAX action, leading to an SQL injection exploitable by unauthenticated users.
Product: Speakout! Email Petitions Project Speakout! Email Petitions
1 GitHub repository
CVE-2021-25070 (CVSSv2 7.5)
The Block Bad Bots WordPress plugin prior to 6.88 does not properly sanitise and escape the User Agent before using it in a SQL statement to record logs, leading to an SQL injection issue.
Product: Stopbadbots Block And Stop Bad Bots
CVE-2022-0479 (CVSSv2 7.5)
The Popup Builder WordPress plugin prior to 4.1.1 does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard, leading to a SQL injection, which could also be used to perform Reflected Cross-Site ...
Product: Sygnoos Popup Builder