The Easy Username Updater WordPress plugin before 1.0.5 does not implement CSRF checks, which could allow attackers to make a logged in admin change any user's username includes the admin. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Discy WordPress theme before 5.0 lacks authorization checks then processing ajax requests to the discy_update_options action, allowing any logged in users (with privileges as low as Subscriber,). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was found in SourceCodester Company Website CMS and classified as critical. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A Cross-site scripting (XSS) vulnerability in json search parse and the json response in wrteam.in, eShop - Multipurpose Ecommerce Store Website version 3.0.4 allows remote attackers to inject. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In Airspan AirSpot 5410 version 0.3.4.1-4 and under there exists a stored XSS vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Crowdsignal Dashboard WordPress plugin before 3.0.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability classified as problematic was found in SourceCodester Simple E-Learning System. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Inspiro PRO WordPress plugin does not sanitize the portfolio slider description, allowing users with privileges as low as Contributor to inject JavaScript into the description. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The YaySMTP WordPress plugin before 2.2.1 does not have proper authorisation when saving its settings, allowing users with a role as low as subscriber to change them, and use that to conduct Stored. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Directorist WordPress plugin before 7.2.3 allows administrators to download other plugins from the same vendor directly to the site, but does not check the URL domain it gets the zip files from. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Thinkific Uploader WordPress plugin through 1.0.0 does not sanitise and escape its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The WP DS Blog Map WordPress plugin through 3.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Google Maps Anywhere WordPress plugin through 1.2.6.3 does not sanitise and escape any of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The DW Promobar WordPress plugin through 1.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Better Tag Cloud WordPress plugin through 0.99.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Auto More Tag WordPress plugin through 4.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The mTouch Quiz WordPress plugin through 3.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Rough Chart WordPress plugin through 1.0.0 does not properly escape chart data label, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The WordPress Comments Fields WordPress plugin before 4.1 does not escape Field Error Message, which could allow high-privileged users to perform Cross-Site Scripting attacks even when. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The weForms WordPress plugin before 1.6.14 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The YaySMTP WordPress plugin before 2.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
In Zammad 5.2.0, customers who have secondary organizations assigned were able to see all organizations of the system rather than only those to which they are assigned. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.