Vulmon
Recent Vulnerabilities
Product List
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
wordpress vulnerabilities and exploits
(subscribe to this query)
9.8
CVSSv3
CVE-2021-4436
The 3DPrint Lite WordPress plugin prior to 1.9.1.5 does not have any authorisation and does not check the uploaded file in its p3dlite_handle_upload AJAX action , allowing unauthenticated users to upload arbitrary file to the web server. However, there is a .htaccess, preventing ...
Wp3dprinting 3dprint Lite
9.8
CVSSv3
CVE-2024-0685
The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Second Order SQL Injection via the email address value submitted through forms in all versions up to, and including, 3.7.1 due to insufficient escaping on the u...
Ninjaforms Ninja Forms
9.8
CVSSv3
CVE-2024-1061
The 'HTML5 Video Player' WordPress Plugin, version < 2.5.25 is affected by an unauthenticated SQL injection vulnerability in the 'id' parameter in the 'get_view' function.
Bplugins Html5 Video Player
9.8
CVSSv3
CVE-2022-40700
Server-Side Request Forgery (SSRF) vulnerability in Montonio Montonio for WooCommerce, Wpopal Wpopal Core Features, AMO for WP – Membership Management ArcStone wp-amo, Long Watch Studio WooVirtualWallet – A virtual wallet for WooCommerce, Long Watch Studio WooVIP &nda...
Millionclues Admin Css Mu
Deano Amp Toolbox
Unihost Confirm Data
Agence-press Css Adder
Millionclues Custom Login Admin Front-end Css
Montonio Montonio For Woocommerce
Frumph Phpfreechat
Designmodo Qards
Paulclark Styles
Squidesma Theme Minifier
Longwatchstudio Woosupply
Longwatchstudio Woovip
Longwatchstudio Woovirtualwallet
Arcstone Amo For Wp - Membership Management
Wpopal Wpopal Core Features
9.8
CVSSv3
CVE-2021-4434
The Social Warfare plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 3.5.2 via the 'swp_url' parameter. This allows malicious users to execute code on the server.
Warfareplugins Social Warfare
9.8
CVSSv3
CVE-2023-0224
The GiveWP WordPress plugin prior to 2.24.1 does not properly escape user input before it reaches SQL queries, which could let unauthenticated attackers perform SQL Injection attacks
Givewp Givewp
9.8
CVSSv3
CVE-2022-1609
The School Management WordPress plugin prior to 9.9.7 contains an obfuscated backdoor injected in it's license checking code that registers a REST API handler, allowing an unauthenticated malicious user to execute arbitrary PHP code on the site.
Weblizar School Management
4 Github repositories
9.8
CVSSv3
CVE-2023-3211
The WordPress Database Administrator WordPress plugin up to and including 1.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
Dmparekh Wordpress Database Administrator
9.8
CVSSv3
CVE-2023-6623
The Essential Blocks WordPress plugin prior to 4.4.3 does not prevent unauthenticated attackers from overwriting local variables when rendering templates over the REST API, which may lead to Local File Inclusion attacks.
Wpdeveloper Essential Blocks
9.8
CVSSv3
CVE-2023-6049
The Estatik Real Estate Plugin WordPress plugin prior to 4.1.1 unserializes user input via some of its cookies, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget chain is present on the blog
Estatik Estatik
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
buffer overflow
type confusion
server-side request forgery
CVE-2024-38440
CVE-2024-27801
CVE-2024-5868
CVE-2024-0582
CVE-2024-37643
CVE-2024-3105
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
8
9
10
NEXT »