| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The real.Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| The Newsletter2Go plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'resetStyles' AJAX action in all versions up to, and including, 4.0.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset styles. |
| The WC Price History for Omnibus plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX actions in all versions up to, and including, 2.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and modify history data. |
| The Perfect Portal Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'perfect_portal_intake_form' shortcode in all versions up to, and including, 3.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| The Coupon Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Coupon Code' parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| The Muslim Prayer Time-Salah/Iqamah plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Masjid ID parameter in all versions up to, and including, 1.8.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| The 3DVieweronline plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's '3Dvo-model' shortcode in all versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| The Contests by Rewards Fuel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'RF_CONTEST' shortcode in all versions up to, and including, 2.0.65 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| The Ask Me Anything (Anonymously) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'askmeanythingpeople' shortcode in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| The Files Download Delay plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fddwrap' shortcode in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| The SimplyRETS Real Estate IDX plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sr_search_form' shortcode in all versions up to, and including, 2.11.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| The GeoDataSource Country Region DropDown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gds-country-dropdown' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| The Post to Pdf plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gmptp_single_post' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| The Action Network plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. |
| The Woodmart theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.0.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode through the woodmart_instagram_ajax_query AJAX action. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. |
| The SimpleShop plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10.0. This is due to missing or incorrect nonce validation on the maybe_disconnect_simpleshop function. This makes it possible for unauthenticated attackers to disconnect the site from simpleshop via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| The BoomBox Theme Extensions plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.8.0. This is due to the plugin not properly validating a user's identity prior to updating their password through the 'boombox_ajax_reset_password' function. This makes it possible for authenticated attackers, with subscriber-level privileges and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. |
| The SmartEmailing.cz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'se-lists-updated' parameter in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. |
| The GS Insever Portfolio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_settings() function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's CSS settings. |
| The RSS Icon Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link_color’ parameter in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. |