Skip to main content
CVE-2020-36708 CRITICAL POC THREAT Emergency

The following themes for WordPress are vulnerable to Function Injections in versions up to and including Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 90.5%.

RCE Code Injection WordPress Activello Bonkers +14
NVD WPScan VulDB
CVSS 3.1
9.8
EPSS
90.5%
Threat
6.2
CVE-2020-36705 CRITICAL POC THREAT Emergency

The Adning Advertising plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the _ning_upload_image function in versions up to, and including, 1.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 89.5%.

WordPress File Upload RCE Adning Advertising
NVD WPScan VulDB
CVSS 3.1
9.8
EPSS
89.5%
Threat
6.1
CVE-2021-4380 CRITICAL POC THREAT Emergency

The Pinterest Automatic plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the 'wp_pinterest_automatic_parse_request' function and the 'process_form.php'. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 83.3%.

PHP WordPress Authentication Bypass Pinterest Automatic Pin
NVD WPScan VulDB
CVSS 3.1
9.8
EPSS
83.3%
Threat
6.0
CVE-2020-36719 CRITICAL POC THREAT Emergency

The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Arbitrary Plugin Installation, Activation and Deactivation in versions before 2.6.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 74.3%.

Authentication Bypass WordPress Listingpro
NVD VulDB
CVSS 3.1
9.8
EPSS
74.3%
Threat
5.7
CVE-2021-4374 CRITICAL POC THREAT Emergency

The WordPress Automatic Plugin for WordPress is vulnerable to arbitrary options updates in versions up to, and including, 3.53.2. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 72.2%.

PHP WordPress Authentication Bypass Wordpress Automatic Plugin
NVD
CVSS 3.1
9.1
EPSS
72.2%
Threat
5.5
CVE-2020-36728 MEDIUM POC THREAT This Month

The Adning Advertising plugin for WordPress is vulnerable to file deletion via path traversal in versions up to, and including, 1.5.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 84.4%.

WordPress Path Traversal Adning Advertising
NVD
CVSS 3.1
6.5
EPSS
84.4%
Threat
5.3
CVE-2019-25141 CRITICAL POC PATCH THREAT Act Now

The Easy WP SMTP plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.3.9. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 62.9%.

Authentication Bypass WordPress Easy Wp Smtp
NVD VulDB
CVSS 3.1
9.8
EPSS
62.9%
Threat
5.3
CVE-2020-36730 HIGH POC THREAT Act Now

The CMP for WordPress is vulnerable to authorization bypass due to a missing capability check on the cmp_get_post_detail(), niteo_export_csv(), and cmp_disable_comingsoon_ajax() functions in versions. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 46.4%.

WordPress Authentication Bypass Cmp
NVD WPScan
CVSS 3.1
8.3
EPSS
46.4%
Threat
4.6
CVE-2023-33782 HIGH POC THREAT Act Now

D-Link DIR-842V2 v1.0.3 was discovered to contain a command injection vulnerability via the iperf3 diagnostics function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 42.9%.

Command Injection D-Link Dir 842V2 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
42.9%
Threat
4.5
CVE-2023-33781 HIGH POC THREAT Act Now

An issue in D-Link DIR-842V2 v1.0.3 allows attackers to execute arbitrary commands via importing a crafted file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 36.0%.

Information Disclosure D-Link Dir 842V2 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
36.0%
Threat
4.3
CVE-2023-3124 HIGH POC THREAT Act Now

The Elementor Pro plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the update_page_option function in versions up to, and including, 3.11.6. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 26.0%.

Authentication Bypass Privilege Escalation WordPress Elementor Pro Elementor
NVD VulDB
CVSS 3.1
8.8
EPSS
26.0%
Threat
4.0
CVE-2023-20887 CRITICAL POC KEV PATCH THREAT Act Now

Aria Operations for Networks contains a command injection vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE VMware Command Injection Aria Operations For Networks
NVD
CVSS 3.1
9.8
EPSS
98.3%
CVE-2021-4368 CRITICAL POC PATCH Act Now

The Frontend File Manager plugin for WordPress is vulnerable to Authenticated Settings Change in versions up to, and including, 18.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE WordPress Authentication Bypass Frontend File Manager Plugin
NVD
CVSS 3.1
9.9
EPSS
7.2%
CVE-2020-36731 HIGH POC THREAT Act Now

The Flexible Checkout Fields for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Plugin Settings update, in addition to Stored Cross-Site Scripting in versions up to, and. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 19.5%.

XSS WordPress Flexible Checkout Fields
NVD
CVSS 3.1
7.2
EPSS
19.5%
CVE-2019-25138 CRITICAL POC Act Now

The User Submitted Posts plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the usp_check_images function in versions up to, and including, 20190312. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress File Upload RCE User Submitted Posts
NVD VulDB
CVSS 3.1
9.8
EPSS
5.5%
CVE-2016-15033 CRITICAL POC Act Now

The Delete All Comments plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the via the delete-all-comments.php file in versions up to, and including,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE WordPress File Upload Delete All Comments
NVD VulDB
CVSS 3.1
9.8
EPSS
5.5%
CVE-2022-4949 HIGH POC PATCH This Week

The AdSanity plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_upload' function in versions up to, and including, 1.8.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE WordPress File Upload Adsanity Xen
NVD VulDB
CVSS 3.1
8.8
EPSS
8.6%
CVE-2021-4354 HIGH POC This Week

The PWA for WP & AMP for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the pwaforwp_splashscreen_uploader function in versions up to, and including, 1.7.32. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress File Upload RCE Pwa For Wp Amp
NVD VulDB
CVSS 3.1
8.8
EPSS
7.8%
CVE-2020-36718 CRITICAL POC PATCH Act Now

The GDPR CCPA Compliance Support plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.3 via deserialization of untrusted input "njt_gdpr_allow_permissions". Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization PHP WordPress Gpdr Ccpa Compliance Support
NVD WPScan VulDB
CVSS 3.1
9.8
EPSS
1.8%
CVE-2020-36727 CRITICAL POC Act Now

The Newsletter Manager plugin for WordPress is vulnerable to insecure deserialization in versions up to, and including, 1.5.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP WordPress Newsletter Manager
NVD WPScan VulDB
CVSS 3.1
9.8
EPSS
1.1%
CVE-2020-36726 CRITICAL POC Act Now

The Ultimate Reviews plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.1.32 via deserialization of untrusted input in several vulnerable functions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP WordPress Ultimate Reviews
NVD VulDB
CVSS 3.1
9.8
EPSS
1.1%
CVE-2020-36713 CRITICAL POC Act Now

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Mstore Api
NVD VulDB
CVSS 3.1
9.8
EPSS
0.9%
CVE-2021-4340 CRITICAL POC Act Now

The uListing plugin for WordPress is vulnerable to generic SQL Injection via the ‘listing_id’ parameter in versions up to, and including, 1.6.6 due to insufficient escaping on the user supplied. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Ulisting
NVD VulDB
CVSS 3.1
9.8
EPSS
0.8%
CVE-2021-4343 CRITICAL POC PATCH Act Now

The Unauthenticated Account Creation plugin for WordPress is vulnerable to Unauthenticated Account Creation in versions up to, and including, 1.6.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress Authentication Bypass Ulisting
NVD VulDB
CVSS 3.1
9.8
EPSS
0.7%
CVE-2021-4360 CRITICAL POC Act Now

The Controlled Admin Access plugin for WordPress is vulnerable to Privilege Escalation in versions up to, and including, 1.5.5 by not properly restricting access to the configuration page. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Privilege Escalation WordPress Controlled Admin Access
NVD WPScan
CVSS 3.1
9.9
EPSS
0.1%
CVE-2021-4347 CRITICAL POC Act Now

The function update_shipment_status_email_status_fun in the plugin Advanced Shipment Tracking for WooCommerce in versions up to 3.2.6 is vulnerable to authenticated arbitrary options update. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Advanced Shipment Tracking For Woocommerce
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2021-4346 CRITICAL POC PATCH Act Now

The uListing plugin for WordPress is vulnerable to Unauthenticated Arbitrary Account Changes in versions up to, and including, 1.6.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass WordPress Ulisting
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2021-4381 CRITICAL POC PATCH Act Now

The uListing plugin for WordPress is vulnerable to authorization bypass via wp_route due to missing capability checks, and a missing security nonce, in the StmListingSingleLayout::import_new_layout. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress Authentication Bypass Ulisting
NVD VulDB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2021-4370 CRITICAL POC PATCH Act Now

The uListing plugin for WordPress is vulnerable to authorization bypass as most actions and endpoints are accessible to unauthenticated users, lack security nonces, and data is seldom validated. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress Authentication Bypass Ulisting
NVD VulDB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2021-4341 CRITICAL POC Act Now

The uListing plugin for WordPress is vulnerable to authorization bypass via Ajax due to missing capability checks, missing input validation, and a missing security nonce in the stm_update_email_data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Ulisting
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2020-36724 CRITICAL POC PATCH Act Now

The Wordable plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.1.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress Authentication Bypass Wordable
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2023-33556 CRITICAL POC Act Now

TOTOLink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the staticGw parameter at /setting/setWanIeCfg. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection A7100Ru Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
2.0%
CVE-2023-33496 CRITICAL POC Act Now

xxl-rpc v1.7.0 was discovered to contain a deserialization vulnerability via the component com.xxl.rpc.core.remoting.net.impl.netty.codec.NettyDecode#decode. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Xxl Rpc
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2023-33864 CRITICAL POC Act Now

StreamReader::ReadFromExternal in RenderDoc before 1.27 allows an Integer Overflow with a resultant Buffer Overflow. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Integer Overflow Buffer Overflow Renderdoc
NVD
CVSS 3.1
9.8
EPSS
3.6%
CVE-2023-33863 CRITICAL POC Act Now

SerialiseValue in RenderDoc before 1.27 allows an Integer Overflow with a resultant Buffer Overflow. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Integer Overflow Buffer Overflow Renderdoc
NVD
CVSS 3.1
9.8
EPSS
3.6%
CVE-2023-33282 CRITICAL POC Act Now

Marval MSM through 14.19.0.12476 and 15.0 has a System account with default credentials. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Msm
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2023-33553 CRITICAL POC Act Now

An issue in Planet Technologies WDRT-1800AX v1.01-CP21 allows attackers to bypass authentication and escalate privileges to root via manipulation of the LoginStatus cookie. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Wdrt 1800Ax Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2023-30400 CRITICAL POC Act Now

An issue was discovered in Anyka Microelectronics AK3918EV300 MCU v18. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Ak3918Ev300 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
3.5%
CVE-2020-36723 MEDIUM POC THREAT This Month

The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Sensitive Data Exposure in versions before 2.6.1 via the ~/listingpro-plugin/functions.php file. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 20.7%.

PHP Information Disclosure WordPress Listingpro
NVD VulDB
CVSS 3.1
5.3
EPSS
20.7%
CVE-2021-4356 CRITICAL POC PATCH Act Now

The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Download in versions up to, and including, 18.2. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Authentication Bypass WordPress Frontend File Manager Plugin
NVD
CVSS 3.1
9.0
EPSS
0.7%
CVE-2020-36701 HIGH POC PATCH This Week

The Page Builder: KingComposer plugin for WordPress is vulnerable to Arbitrary File Uploads in versions up to, and including, 2.9.3 via the 'process_bulk_action' function in the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress PHP File Upload Page Builder King Composer
NVD VulDB
CVSS 3.1
8.8
EPSS
1.7%
CVE-2021-4357 CRITICAL POC PATCH Act Now

The uListing plugin for WordPress is vulnerable to authorization bypass due to missing capability checks, and a missing security nonce, on the UlistingUserRole::save_role_api function in versions up. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass WordPress Ulisting
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2019-25142 HIGH POC PATCH This Week

The Mesmerize & Materialis themes for WordPress are vulnerable to authenticated options change in versions up to, and including,1.6.89 (Mesmerize) and 1.0.172 (Materialis). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass WordPress Materialis Mesmerize
NVD WPScan VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2020-36725 HIGH POC This Week

The TI WooCommerce Wishlist and TI WooCommerce Wishlist Pro plugins for WordPress are vulnerable to an Options Change vulnerability in versions up to, and including, 1.21.11 and 1.21.4 via the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Authentication Bypass Ti Woocommerce Wishlist
NVD WPScan
CVSS 3.1
8.8
EPSS
0.6%
CVE-2019-25150 HIGH POC This Week

The Email Templates plugin for WordPress is vulnerable to HTML Injection in versions up to, and including, 1.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Email Templates
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2020-36717 HIGH POC This Week

The Kali Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Kali Forms
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2021-4349 HIGH POC PATCH This Week

The Process Steps Template Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress CSRF Process Steps Template Designer
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2021-4361 HIGH POC This Week

The JobSearch WP Job Board plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the jobsearch_job_integrations_settin_save AJAX action in versions up to,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Jobsearch Wp Job Board
NVD WPScan VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2020-36700 HIGH POC PATCH This Week

The Page Builder: KingComposer plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.9.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress Authentication Bypass PHP Page Builder Kingcomposer
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2021-4337 HIGH POC This Week

Sixteen XforWooCommerce Add-On Plugins for WordPress are vulnerable to authorization bypass due to a missing capability check on the wp_ajax_svx_ajax_factory function in various versions listed. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Add Product Tabs Autopilot Seo Bulk Add To Cart +13
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy