Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
wordpress wordpress 2.5.1 vulnerabilities and exploits
(subscribe to this query)
9.8
CVSSv3
CVE-2022-0679
The Narnoo Distributor WordPress plugin up to and including 2.5.1 fails to validate and sanitize the lib_path parameter before it is passed into a call to require() via the narnoo_distributor_lib_request AJAX action (available to both unauthenticated and authenticated users) whic...
Narnoo Distributor Project Narnoo Distributor
8.8
CVSSv3
CVE-2022-0215
The Login/Signup Popup, Waitlist Woocommerce ( Back in stock notifier ), and Side Cart Woocommerce (Ajax) WordPress plugins by XootiX are vulnerable to Cross-Site Request Forgery via the save_settings function found in the ~/includes/xoo-framework/admin/class-xoo-admin-settings.p...
Xootix Login\\/signup Popup
Xootix Side Cart Woocommerce
Xootix Waitlist Woocommerce
7.5
CVSSv3
CVE-2017-11658
In the WP Rocket plugin 2.9.3 for WordPress, the Local File Inclusion mitigation technique is to trim traversal characters (..) -- however, this is insufficient to stop remote attacks and can be bypassed by using 0x00 bytes, as demonstrated by a .%00.../.%00.../ attack.
Wp-rocket Wp-rocket 2.9.11
Wp-rocket Wp-rocket 2.9.10
Wp-rocket Wp-rocket 2.9.9
Wp-rocket Wp-rocket 2.9.8.1
Wp-rocket Wp-rocket 2.8.18
Wp-rocket Wp-rocket 2.8.17
Wp-rocket Wp-rocket 2.8.16
Wp-rocket Wp-rocket 2.8.15
Wp-rocket Wp-rocket 2.8.1
Wp-rocket Wp-rocket 2.8.0
Wp-rocket Wp-rocket 2.7.4
Wp-rocket Wp-rocket 2.7.3
Wp-rocket Wp-rocket 2.6.7
Wp-rocket Wp-rocket 2.6.6
Wp-rocket Wp-rocket 2.6.5
Wp-rocket Wp-rocket 2.6.4
Wp-rocket Wp-rocket 2.5.3
Wp-rocket Wp-rocket 2.5.2
Wp-rocket Wp-rocket 2.5.1
Wp-rocket Wp-rocket 2.5.0
Wp-rocket Wp-rocket 2.3.1
Wp-rocket Wp-rocket 2.3.0
7.2
CVSSv3
CVE-2022-0255
The Database Backup for WordPress plugin prior to 2.5.1 does not properly sanitise and escape the fragment parameter before using it in a SQL statement in the admin dashboard, leading to a SQL injection issue
Deliciousbrains Database Backup
6.6
CVSSv3
CVE-2021-24345
The page lists-management feature of the Sendit WP Newsletter WordPress plugin up to and including 2.5.1, available to Administrator users does not sanitise, validate or escape the id_lista POST parameter before using it in SQL statement, therefore leading to Blind SQL Injection.
Sendit Project Sendit
6.5
CVSSv3
CVE-2023-5006
The WP Discord Invite WordPress plugin prior to 2.5.1 does not protect some of its actions against CSRF attacks, allowing an unauthenticated malicious user to perform actions on their behalf by tricking a logged in administrator to submit a crafted request.
Sarveshmrao Wp Discord Invite
6.1
CVSSv3
CVE-2019-25145
The Contact Form & SMTP Plugin by PirateForms plugin for WordPress is vulnerable to HTML injection in the ‘public/class-pirateforms-public.php’ file in versions up to, and including, 2.5.1 due to insufficient input sanitization and output escaping. This makes it p...
Wpforms Contact Form
6.1
CVSSv3
CVE-2021-25063
The Skins for Contact Form 7 WordPress plugin prior to 2.5.1 does not sanitise and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting
Cf7skins Contact Form 7 Skins
6.1
CVSSv3
CVE-2015-7357
Cross-site scripting (XSS) vulnerability in the uDesign (aka U-Design) theme 2.3.0 prior to 2.7.10 for WordPress allows remote malicious users to inject arbitrary web script or HTML via a fragment identifier, as demonstrated by #<svg onload=alert(1)>.
Udesign Project Udesign 2.7.8
Udesign Project Udesign 2.7.7
Udesign Project Udesign 2.7.6
Udesign Project Udesign 2.7.5
Udesign Project Udesign 2.4.19
Udesign Project Udesign 2.4.18
Udesign Project Udesign 2.4.17
Udesign Project Udesign 2.4.16
Udesign Project Udesign 2.4.3
Udesign Project Udesign 2.4.2
Udesign Project Udesign 2.4.1
Udesign Project Udesign 2.4.0
Udesign Project Udesign 2.3.1
Udesign Project Udesign 2.7.0
Udesign Project Udesign 2.6.0
Udesign Project Udesign 2.5.6
Udesign Project Udesign 2.5.5
Udesign Project Udesign 2.5.4
Udesign Project Udesign 2.4.11
Udesign Project Udesign 2.4.10
Udesign Project Udesign 2.4.9
Udesign Project Udesign 2.4.8
6.1
CVSSv3
CVE-2015-8350
Multiple cross-site scripting (XSS) vulnerabilities in the Calls to Action plugin prior to 2.5.1 for WordPress allow remote malicious users to inject arbitrary web script or HTML via the (1) open-tab parameter in a wp_cta_global_settings action to wp-admin/edit.php or (2) wp-cta-...
Inboundnow Call To Action
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-29895
blind SQL injection
CVE-2024-5064
CVE-2023-52677
CVE-2023-52682
CVE-2024-30051
CVE-2024-35849
remote attackers
remote
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
4
5
NEXT »