Skip to main content
CVE-2024-5450 CRITICAL POC Act Now

The Bug Library WordPress plugin before 2.1.1 does not check the file type on user-submitted bug reports, allowing an unauthenticated user to upload PHP files. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP File Upload Bug Library
NVD WPScan
CVSS 3.1
9.1
EPSS
0.8%
CVE-2024-5080 HIGH POC This Week

The wp-eMember WordPress plugin before 10.6.6 does not validate files to be uploaded, which could allow admins to upload arbitrary files such as PHP on the server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP File Upload Wp Emember
NVD WPScan
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-5076 HIGH POC This Week

The wp-eMember WordPress plugin before 10.6.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Wp Emember
NVD WPScan
CVSS 3.1
8.8
EPSS
0.3%
CVE-2024-5034 HIGH POC This Week

The SULly WordPress plugin before 4.3.1 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Sully
NVD WPScan
CVSS 3.1
8.8
EPSS
0.4%
CVE-2024-5167 HIGH POC This Week

The CM Email Registration Blacklist and Whitelist WordPress plugin before 1.4.9 does not have CSRF check when adding or deleting an item from the blacklist or whitelist, which could allow attackers. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Cm E Mail Blacklist
NVD WPScan
CVSS 3.1
8.1
EPSS
0.3%
CVE-2024-5715 HIGH POC This Week

The wp-eMember WordPress plugin before 10.6.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Emember
NVD WPScan
CVSS 3.1
7.1
EPSS
0.4%
CVE-2024-5472 HIGH POC This Week

The WP QuickLaTeX WordPress plugin before 3.8.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Quicklatex
NVD WPScan
CVSS 3.1
7.1
EPSS
0.4%
CVE-2024-5287 HIGH POC This Week

The wp-affiliate-platform WordPress plugin before 6.5.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in user change them via a CSRF attack. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Wp Affiliate Platform
NVD WPScan
CVSS 3.1
7.1
EPSS
0.2%
CVE-2024-5151 HIGH POC This Week

The SULly WordPress plugin before 4.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Sully
NVD WPScan
CVSS 3.1
7.1
EPSS
0.4%
CVE-2024-5744 MEDIUM POC This Month

The wp-eMember WordPress plugin before 10.6.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Emember
NVD WPScan
CVSS 3.1
6.8
EPSS
0.4%
CVE-2024-5284 MEDIUM POC This Month

The wp-affiliate-platform WordPress plugin before 6.5.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS CSRF Wp Affiliate Platform
NVD WPScan
CVSS 3.1
6.8
EPSS
0.2%
CVE-2024-5077 MEDIUM POC This Month

The wp-eMember WordPress plugin before 10.6.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS CSRF Wp Emember
NVD WPScan
CVSS 3.1
6.8
EPSS
0.2%
CVE-2024-4977 MEDIUM POC This Month

The Index WP MySQL For Speed WordPress plugin before 1.4.18 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Index Wp Mysql For Speed
NVD WPScan
CVSS 3.1
6.8
EPSS
0.5%
CVE-2024-3710 MEDIUM POC This Month

The Image Photo Gallery Final Tiles Grid WordPress plugin before 3.6.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Image Photo Gallery Final Tiles Grid
NVD WPScan
CVSS 3.1
6.8
EPSS
0.5%
CVE-2024-3632 MEDIUM POC This Month

The Smart Image Gallery WordPress plugin before 1.0.19 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Smart Image Gallery
NVD WPScan
CVSS 3.1
6.8
EPSS
0.3%
CVE-2024-5028 MEDIUM POC This Month

The CM WordPress Search And Replace Plugin WordPress plugin before 1.3.9 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Cm Search And Replace
NVD WPScan
CVSS 3.1
6.5
EPSS
0.2%
CVE-2024-3963 MEDIUM POC This Month

The Giveaways and Contests by RafflePress WordPress plugin before 1.12.14 does not sanitise and escape some parameters, which could allow users with a role as low as editor to perform Cross-Site. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Rafflepress
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-5283 MEDIUM POC This Month

The wp-affiliate-platform WordPress plugin before 6.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Affiliate Platform
NVD WPScan
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-5282 MEDIUM POC This Month

The wp-affiliate-platform WordPress plugin before 6.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Affiliate Platform
NVD WPScan
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-5281 MEDIUM POC This Month

The wp-affiliate-platform WordPress plugin before 6.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Affiliate Platform
NVD WPScan
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-5079 MEDIUM POC This Month

The wp-eMember WordPress plugin before 10.6.7 does not sanitise and escape some of the fields when members register, which allows unauthenticated users to perform Stored Cross-Site Scripting attacks. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Emember
NVD WPScan
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-4272 MEDIUM POC This Month

The Support SVG WordPress plugin before 1.1.0 does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Support Svg
NVD WPScan
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-4269 MEDIUM POC This Month

The SVG Block WordPress plugin before 1.1.20 does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Svg Block
NVD WPScan
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-2870 MEDIUM POC This Month

The socialdriver-framework WordPress plugin before 2024.04.30 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Swift Framework
NVD WPScan
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-5442 MEDIUM POC This Month

The Photo Gallery, Sliders, Proofing and WordPress plugin before 3.59.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Nextgen Gallery
NVD WPScan
CVSS 3.1
5.9
EPSS
0.4%
CVE-2024-5075 MEDIUM POC This Month

The wp-eMember WordPress plugin before 10.6.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Emember
NVD WPScan
CVSS 3.1
5.9
EPSS
0.3%
CVE-2024-5033 MEDIUM POC This Month

The SULly WordPress plugin before 4.3.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS CSRF Sully
NVD WPScan
CVSS 3.1
5.9
EPSS
0.2%
CVE-2024-4752 MEDIUM POC This Month

The EventON WordPress plugin before 2.2.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Eventon
NVD WPScan
CVSS 3.1
5.9
EPSS
0.4%
CVE-2024-3964 MEDIUM POC This Month

The Product Enquiry for WooCommerce WordPress plugin before 3.1.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Product Enquiry For Woocommerce
NVD WPScan
CVSS 3.1
5.9
EPSS
0.5%
CVE-2024-3753 MEDIUM POC This Month

The Hostel WordPress plugin before 1.1.5.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Hostel
NVD WPScan
CVSS 3.1
5.9
EPSS
0.8%
CVE-2024-5713 MEDIUM POC This Month

The If-So Dynamic Content Personalization WordPress plugin before 1.8.0.4 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS If So
NVD WPScan
CVSS 3.1
5.4
EPSS
0.4%
CVE-2024-5644 MEDIUM POC This Month

The Tournamatch WordPress plugin before 4.6.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Tournamatch
NVD WPScan
CVSS 3.1
5.4
EPSS
0.4%
CVE-2024-5627 MEDIUM POC This Month

The Tournamatch WordPress plugin before 4.6.1 does not sanitise and escape some parameters, which could allow users with a role as low as subscriber to perform Cross-Site Scripting attacks. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Tournamatch
NVD WPScan
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-5074 MEDIUM POC This Month

The wp-eMember WordPress plugin before 10.6.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Emember
NVD WPScan
CVSS 3.1
5.4
EPSS
0.4%
CVE-2024-4602 MEDIUM POC This Month

The Embed Peertube Playlist WordPress plugin before 1.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Embed Peertube Playlist
NVD WPScan
CVSS 3.1
5.4
EPSS
0.4%
CVE-2024-3026 MEDIUM POC This Month

The WordPress Button Plugin MaxButtons WordPress plugin before 9.7.8 does not sanitise and escape some parameters, which could allow users with a role as low as editor to perform Cross-Site Scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Maxbuttons
NVD WPScan
CVSS 3.1
5.4
EPSS
0.5%
CVE-2024-6070 MEDIUM POC This Month

The If-So Dynamic Content Personalization WordPress plugin before 1.8.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS If So
NVD WPScan
CVSS 3.1
4.8
EPSS
0.4%
CVE-2024-5286 MEDIUM POC This Month

The wp-affiliate-platform WordPress plugin before 6.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Affiliate Platform
NVD WPScan
CVSS 3.1
4.8
EPSS
0.4%
CVE-2024-5002 MEDIUM POC This Month

The User Submitted Posts WordPress plugin before 20240516 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS User Submitted Posts
NVD WPScan
CVSS 3.1
4.8
EPSS
0.4%
CVE-2024-3751 MEDIUM POC This Month

The Seriously Simple Podcasting WordPress plugin before 3.3.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Seriously Simple Podcasting
NVD WPScan
CVSS 3.1
4.8
EPSS
0.5%
CVE-2024-5575 MEDIUM POC This Month

The Ditty WordPress plugin before 3.1.43 does not sanitise and escape some of its blocks' settings, which could allow high privilege users such as authors to perform Cross-Site Scripting attacks even. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Ditty
NVD WPScan
CVSS 3.1
4.7
EPSS
0.4%
CVE-2024-5280 MEDIUM POC This Month

The wp-affiliate-platform WordPress plugin before 6.5.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make non-logged in. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS CSRF Wp Affiliate Platform
NVD WPScan
CVSS 3.1
4.7
EPSS
0.2%
CVE-2024-5032 MEDIUM POC This Month

The SULly WordPress plugin before 4.3.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Sully
NVD WPScan
CVSS 3.1
4.7
EPSS
0.5%
CVE-2024-4217 MEDIUM POC This Month

The shortcodes-ultimate-pro WordPress plugin before 7.1.5 does not properly escape some of its shortcodes' settings, making it possible for attackers with a Contributor account to conduct Stored XSS. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Shortcodes Ultimate
NVD WPScan
CVSS 3.1
4.7
EPSS
0.5%
CVE-2024-3919 MEDIUM POC This Month

The OpenPGP Form Encryption for WordPress plugin before 1.5.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed,. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Openpgp Form Encryption
NVD WPScan
CVSS 3.1
4.6
EPSS
0.3%
CVE-2024-6574 MEDIUM This Month

The Laposta plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.12. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-6465 MEDIUM This Month

The WP Links Page plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wplf_ajax_update_screenshots' function in all versions up to, and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy