Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
wordpress wordpress vulnerabilities and exploits
(subscribe to this query)
NA
CVE-2024-5645
The Envo Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_css_id’ parameter within the Button widget in all versions up to, and including, 1.8.23 due to insufficient input sanitization and output escaping. This makes it possible ...
4.7
CVSSv3
CVE-2023-5424
The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated malicious users to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and ope...
6.4
CVSSv3
CVE-2024-4703
The One Page Express Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's one_page_express_contact_form shortcode in all versions up to, and including, 1.6.37 due to insufficient input sanitization and output escaping on user supplied ...
6.4
CVSSv3
CVE-2024-4451
The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's colibri_video_player shortcode in all versions up to, and including, 1.0.276 due to insufficient input sanitization and output escaping on user supplied attributes. Th...
6.4
CVSSv3
CVE-2024-4488
The Royal Elementor Addons and Templates for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘inline_list’ parameter in versions up to, and including, 1.3.976 due to insufficient input sanitization and output escaping. This makes it possible for authent...
6.4
CVSSv3
CVE-2024-4489
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘custom_upload_mimes’ function in versions up to, and including, 1.3.976 due to insufficient input sanitization and output escaping. This makes it possib...
NA
CVE-2024-5003
The WP Stacker WordPress plugin up to and including 1.8.5 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow malicious users to make logged in admin add Stored XSS payloads via a CSRF attack
NA
CVE-2024-4621
The ARForms - Premium WordPress Form Builder Plugin WordPress plugin prior to 6.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is dis...
NA
CVE-2024-4756
The WP Backpack WordPress plugin up to and including 2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in m...
NA
CVE-2024-4620
The ARForms - Premium WordPress Form Builder Plugin WordPress plugin prior to 6.6 allows unauthenticated users to modify uploaded files in such a way that PHP code can be uploaded when an upload file input is included on a form
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
validation
CVE-2012-1823
malicious code
CVE-2024-5770
CVE-2023-45866
CVE-2024-35687
local users
CVE-2024-31246
CVE-2024-35730
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
8
NEXT »