Unknown · CVSS Not scored
The Brafton plugin before 3.4.8 for WordPress has XSS via the wp-admin/admin.php?page=BraftonArticleLoader tab parameter to BraftonAdminPage.php.
Published Sep 16, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The ghost plugin before 0.5.6 for WordPress has no access control for wp-admin/tools.php?ghostexport=true downloads of exported data.
Published Sep 17, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The kento-post-view-counter plugin through 2.8 for WordPress has stored XSS via kento_pvc_numbers_lang, kento_pvc_today_text, or kento_pvc_total_text.
Published Sep 17, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The echosign plugin before 1.2 for WordPress has XSS via the templates/add_templates.php id parameter.
Published Sep 17, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The kento-post-view-counter plugin through 2.8 for WordPress has wp-admin/admin.php?page=kentopvc_settings CSRF.
Published Sep 17, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The newspaper theme before 6.7.2 for WordPress has a lack of options access control via td_ajax_update_panel.
Published Sep 16, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The beauty-premium theme 1.0.8 for WordPress has CSRF with resultant arbitrary file upload in includes/sendmail.php.
Published Sep 20, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The optinmonster plugin before 1.1.4.6 for WordPress has incorrect access control for shortcodes because of a nonce leak.
Published Sep 20, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The supportflow plugin before 0.7 for WordPress has XSS via a discussion ticket title.
Published Sep 16, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The Tevolution plugin before 2.3.0 for WordPress has arbitrary file upload via single_upload.php or single-upload.php.
Published Sep 18, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The icegram plugin before 1.9.19 for WordPress has CSRF via the wp-admin/edit.php option_name parameter.
Published Sep 16, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The tweet-wheel plugin before 1.0.3.3 for WordPress has XSS via consumer_key, consumer_secret, access_token, and access_token_secret.
Published Sep 17, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The dwnldr plugin before 1.01 for WordPress has XSS via the User-Agent HTTP header.
Published Sep 16, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The Truemag theme 2016 Q2 for WordPress has XSS via the s parameter.
Published Sep 18, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The nelio-ab-testing plugin before 4.5.0 for WordPress has filename=..%2f directory traversal.
Published Sep 17, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The real3d-flipbook-lite plugin 1.0 for WordPress has XSS via the wp-content/plugins/real3d-flipbook/includes/flipbooks.php bookId parameter.
Published Sep 16, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The real3d-flipbook-lite plugin 1.0 for WordPress has bookName=../ directory traversal for file upload.
Published Sep 16, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The MemberSonic Lite plugin before 1.302 for WordPress has incorrect login access control because only knowlewdge of an e-mail address is required.
Published Sep 16, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The wp-cerber plugin before 2.7 for WordPress has XSS via the X-Forwarded-For HTTP header.
Published Sep 17, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The peepso-core plugin before 1.6.1 for WordPress has PeepSoProfilePreferencesAjax->save() privilege escalation.
Published Sep 16, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The fluid-responsive-slideshow plugin before 2.2.7 for WordPress has reflected XSS via the skin parameter.
Published Sep 17, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The fossura-tag-miner plugin before 1.1.5 for WordPress has CSRF.
Published Sep 17, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The estatik plugin before 2.3.1 for WordPress has authenticated arbitrary file upload (exploitable with CSRF) via es_media_images[] to wp-admin/admin-ajax.php.
Published Sep 16, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The colorway theme before 3.4.2 for WordPress has XSS via the contactName parameter.
Published Sep 16, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The fluid-responsive-slideshow plugin before 2.2.7 for WordPress has frs_save CSRF with resultant stored XSS.
Published Sep 17, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The wsecure plugin before 2.4 for WordPress has remote code execution via shell metacharacters in the wsecure-config.php publish parameter.
Published Sep 16, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The supportflow plugin before 0.7 for WordPress has XSS via a ticket excerpt.
Published Sep 16, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The real3d-flipbook-lite plugin 1.0 for WordPress has deleteBook=../ directory traversal for file deletion.
Published Sep 16, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The icegram plugin before 1.9.19 for WordPress has XSS.
Published Sep 16, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The Akal theme through 2016-08-22 for WordPress has XSS via the framework/brad-shortcodes/tinymce/preview.php sc parameter.
Published Sep 16, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The mail-masta plugin 1.0 for WordPress has local file inclusion in count_of_send.php and csvexport.php.
Published Sep 16, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The Post Indexer plugin before 3.0.6.2 for WordPress has SQL injection via the period parameter by a super admin.
Published Sep 13, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The podlove-podcasting-plugin-for-wordpress plugin before 2.3.16 for WordPress has SQL injection via the insert_id parameter exploitable via CSRF.
Published Sep 13, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The zx-csv-upload plugin 1 for WordPress has SQL injection via the id parameter.
Published Sep 13, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The Post Indexer plugin before 3.0.6.2 for WordPress has incorrect handling of data passed to the unserialize function.
Published Sep 13, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The sirv plugin before 1.3.2 for WordPress has SQL injection via the id parameter.
Published Sep 13, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The podlove-podcasting-plugin-for-wordpress plugin before 2.3.16 for WordPress has XSS exploitable via CSRF.
Published Sep 13, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
IMAPFilter through 2.6.12 does not validate the hostname in an SSL certificate.
Published Sep 8, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The fs-shopping-cart plugin 2.07.02 for WordPress has SQL injection via the pid parameter.
Published Sep 13, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The PageLines theme 1.1.4 for WordPress has wp-admin/admin-post.php?page=pagelines CSRF.
Published Sep 13, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The quotes-collection plugin before 2.0.6 for WordPress has XSS via the wp-admin/admin.php?page=quotes-collection page parameter.
Published Sep 13, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The estatik plugin before 2.3.0 for WordPress has unauthenticated arbitrary file upload via es_media_images[] to wp-admin/admin-ajax.php.
Published Sep 16, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The wp-d3 plugin before 2.4.1 for WordPress has CSRF.
Published Sep 13, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The Neosense theme before 1.8 for WordPress has qquploader unrestricted file upload.
Published Sep 13, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The multisite-post-duplicator plugin before 1.1.3 for WordPress has wp-admin/tools.php?page=mpd CSRF.
Published Sep 13, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The cysteme-finder plugin before 1.4 for WordPress has unrestricted file upload because of incorrect session tracking.
Published Sep 13, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The Headway theme before 3.8.9 for WordPress has XSS via the license key field.
Published Sep 13, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The zm-gallery plugin 1.0 for WordPress has SQL injection via the order parameter.
Published Sep 13, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The xtremelocator plugin 1.5 for WordPress has SQL injection via the id parameter.
Published Sep 13, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The Relevanssi Premium plugin before 1.14.6.1 for WordPress has SQL injection with resultant unsafe unserialization.
Published Sep 13, 2019 · Updated Aug 6, 2024