Skip to main content
CVE-2024-6159 CRITICAL POC Act Now

The Push Notification for Post and BuddyPress WordPress plugin before 1.9.4 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Push Notification For Post And Buddypress
NVD WPScan
CVSS 3.1
9.8
EPSS
9.8%
CVE-2024-8673 CRITICAL POC Act Now

The Z-Downloads WordPress plugin before 1.11.7 does not properly validate uploaded files allowing for the uploading of SVGs containing malicious JavaScript. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Information Disclosure Z Downloads
NVD WPScan
CVSS 3.1
9.1
EPSS
5.8%
CVE-2025-46052 CRITICAL POC Act Now

An error-based SQL Injection (SQLi) vulnerability in WebERP v4.15.2 allows attackers to execute arbitrary SQL command and extract sensitive data by injecting a crafted payload into the DEL form field. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP SQLi Weberp
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-0852 HIGH POC This Week

The coreActivity: Activity Logging for WordPress plugin before 1.8.1 does not escape some request data when outputting it back in the admin dashboard, allowing unauthenticated users to perform Stored. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Coreactivity
NVD WPScan
CVSS 3.1
8.8
EPSS
2.9%
CVE-2024-6584 CRITICAL POC Act Now

The 'wp_ajax_boost_proxy_ig' action allows administrators to make GET requests to arbitrary URLs. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Jetpack Boost
NVD WPScan
CVSS 3.1
9.1
EPSS
0.6%
CVE-2024-6486 HIGH POC This Week

The ImageMagick Engine ImageMagick Engine WordPress plugin before 1.7.11 for WordPress is vulnerable to OS Command Injection via the "cli_path" parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection WordPress RCE Imagemagick Engine
NVD WPScan
CVSS 3.1
7.2
EPSS
3.5%
CVE-2023-7239 HIGH POC This Week

The WP Dashboard Notes WordPress plugin before 1.0.11 does not validate that the user has access to the post_id parameter in its wpdn_update_note AJAX action. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Information Disclosure Wp Dashboard Notes
NVD WPScan
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-9765 MEDIUM POC This Month

The EKC Tournament Manager WordPress plugin before 2.2.2 allows a logged in admin to download system files outside of the WordPress directory. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Information Disclosure Ekc Tournament Manager
NVD WPScan
CVSS 3.1
6.5
EPSS
4.6%
CVE-2023-7231 HIGH POC This Week

The illi Link Party!. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Information Disclosure Illi Link Party
NVD WPScan
CVSS 3.1
7.3
EPSS
0.3%
CVE-2023-5934 HIGH POC This Week

The Travelpayouts: All Travel Brands in One Place WordPress plugin before 1.1.13 does not have CSRF check in place when importing settings from the v1, which could allow attackers to make a logged in. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Travelpayouts
NVD WPScan
CVSS 3.1
7.3
EPSS
0.1%
CVE-2024-0249 HIGH POC This Week

The Advanced Schedule Posts WordPress plugin through 2.1.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Advanced Schedule Posts
NVD WPScan
CVSS 3.1
7.1
EPSS
0.2%
CVE-2023-7197 HIGH POC This Week

The Marketing Twitter Bot WordPress plugin through 1.11 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF XSS Marketing Twitter Bot
NVD WPScan
CVSS 3.1
7.1
EPSS
0.1%
CVE-2023-7174 HIGH POC This Week

The aBitGone CommentSafe WordPress plugin through 1.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF XSS Abitgone Commentsafe
NVD WPScan
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-4705 MEDIUM POC This Month

A vulnerability was found in PHPGurukul Vehicle Parking Management System 1.13. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Vehicle Parking Management System
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2025-4703 MEDIUM POC This Month

A vulnerability has been found in PHPGurukul Vehicle Parking Management System 1.13 and classified as critical. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Vehicle Parking Management System
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2025-4702 MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in PHPGurukul Vehicle Parking Management System 1.13. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Vehicle Parking Management System
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2025-4699 MEDIUM POC This Month

A vulnerability classified as critical was found in PHPGurukul Apartment Visitors Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Apartment Visitors Management System
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2025-4698 MEDIUM POC This Month

A vulnerability classified as critical has been found in PHPGurukul Directory Management System 2.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Directory Management System
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2025-4697 MEDIUM POC This Month

A vulnerability was found in PHPGurukul Directory Management System 2.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Directory Management System
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2025-4704 MEDIUM POC This Month

A vulnerability was found in PHPGurukul Vehicle Parking Management System 1.13 and classified as critical. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Vehicle Parking Management System
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2024-3901 MEDIUM POC This Month

The Genesis Blocks WordPress plugin through 3.1.3 does not properly escape attributes provided to some of its custom blocks, making it possible for users allowed to write posts (like those with the. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Genesis Blocks
NVD WPScan
CVSS 3.1
6.8
EPSS
0.3%
CVE-2025-3742 MEDIUM POC This Month

The Responsive Lightbox & Gallery WordPress plugin before 2.5.1 does not validate and escape some of its attributes before outputting them back in a page/post, which could allow users with the. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Responsive Lightbox PHP
NVD WPScan
CVSS 3.1
6.8
EPSS
0.3%
CVE-2025-4564 CRITICAL Act Now

The TicketBAI Facturas para WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation via the 'delpdf' action in all versions up to, and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress PHP RCE Path Traversal
NVD
CVSS 3.1
9.8
EPSS
3.7%
CVE-2024-8286 MEDIUM POC This Month

The webtoffee-gdpr-cookie-consent WordPress plugin before 2.6.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Gdpr Cookie Consent
NVD WPScan
CVSS 3.1
6.5
EPSS
0.2%
CVE-2024-9450 MEDIUM POC This Month

The Free Booking Plugin for Hotels, Restaurants and Car Rentals WordPress plugin before 1.3.15 does not have CSRF check in place when updating its settings, which could allow attackers to make a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Easync
NVD WPScan
CVSS 3.1
6.5
EPSS
0.1%
CVE-2024-4665 MEDIUM POC This Month

The EventPrime WordPress plugin before 3.5.0 does not properly validate permissions when updating bookings, allowing users to change/cancel bookings for other users. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Information Disclosure Eventprime
NVD WPScan
CVSS 3.1
6.4
EPSS
0.2%
CVE-2023-6786 MEDIUM POC This Month

The Payment Gateway for Telcell WordPress plugin through 2.0.1 does not validate the api_url parameter before redirecting the user to its value, leading to an Open Redirect issue. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect WordPress Payment Gateway For Telcell
NVD WPScan
CVSS 3.1
6.1
EPSS
1.0%
CVE-2023-7228 MEDIUM POC This Month

The illi Link Party!. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Illi Link Party
NVD WPScan
CVSS 3.1
6.1
EPSS
0.4%
CVE-2023-6541 MEDIUM POC This Month

The Allow SVG WordPress plugin before 1.2.0 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Allow Svg
NVD WPScan
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-13727 MEDIUM POC This Month

The MemberSpace WordPress plugin before 2.1.14 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Memberspace
NVD WPScan
CVSS 3.1
6.1
EPSS
0.4%
CVE-2023-7230 MEDIUM POC This Month

The illi Link Party!. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Illi Link Party
NVD WPScan
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-13865 MEDIUM POC This Month

The S3Player WordPress plugin through 4.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS S3Player
NVD WPScan
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-13823 MEDIUM POC This Month

The 360 Product Rotation WordPress plugin through 1.5.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS 360 Product Rotation
NVD WPScan
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-6667 MEDIUM POC This Month

The KBucket: Your Curated Content in WordPress plugin before 4.1.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Kbucket
NVD WPScan
CVSS 3.1
6.1
EPSS
0.3%
CVE-2025-1303 MEDIUM POC This Month

The Plugin Oficial WordPress plugin through 1.7.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Plugin Oficial PHP
NVD WPScan
CVSS 3.1
6.1
EPSS
0.2%
CVE-2024-6690 MEDIUM POC This Month

The wccp-pro WordPress plugin before 15.3 contains an open-redirect flaw via the referrer parameter, allowing redirection of users to external sites. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect WordPress Wp Content Copy Protection No Right Click
NVD WPScan
CVSS 3.1
6.1
EPSS
0.2%
CVE-2024-13619 MEDIUM POC This Month

The LifterLMS WordPress plugin before 8.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Lifterlms
NVD WPScan
CVSS 3.1
6.1
EPSS
0.2%
CVE-2024-12734 MEDIUM POC This Month

The Advance Post Prefix WordPress plugin through 1.1.1, Advance Post Prefix WordPress plugin through 1.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Advance Post Prefix
NVD WPScan
CVSS 3.1
6.1
EPSS
0.2%
CVE-2024-12732 MEDIUM POC This Month

The AffiliateImporterEb WordPress plugin through 1.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Affiliateimportereb
NVD WPScan
CVSS 3.1
6.1
EPSS
0.2%
CVE-2024-12724 MEDIUM POC This Month

The WP DeskLite WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Desklite
NVD WPScan
CVSS 3.1
6.1
EPSS
0.2%
CVE-2024-13828 MEDIUM POC This Month

The Badgearoo WordPress plugin through 1.0.14 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Badgearoo
NVD WPScan
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-44183 MEDIUM POC This Month

Phpgurukul Vehicle Record Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /admin/profile.php via the name, email, and mobile parameters. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Vehicle Record Management System
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-44181 MEDIUM POC This Month

Phpgurukul Vehicle Record Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /admin/add-brand.php via the brandname parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Vehicle Record Management System
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-44180 MEDIUM POC This Month

{brandId}. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Vehicle Record Management System
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2024-12873 MEDIUM POC This Month

The Custom Field Manager WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Custom Field Manager
NVD WPScan
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-3917 CRITICAL Act Now

The 百度站长SEO合集(支持百度/神马/Bing/头条推送) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download_remote_image_to_media_library function in all. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE File Upload
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2024-10075 MEDIUM POC This Month

The Jetpack WordPress plugin before 13.8 does not ensure that the post created by the Contact Form is only accessible to authorised users, which could allow unauthenticated users to run arbitrary. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

WordPress RCE Jetpack
NVD WPScan
CVSS 3.1
5.6
EPSS
0.3%
CVE-2023-7229 MEDIUM POC This Month

The illi Link Party!. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Illi Link Party
NVD WPScan
CVSS 3.1
5.5
EPSS
0.1%
CVE-2023-7088 MEDIUM POC This Month

The Add SVG Support for Media Uploader | inventivo WordPress plugin through 1.0.5 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Inventivo
NVD WPScan
CVSS 3.1
5.4
EPSS
0.3%
CVE-2023-7086 MEDIUM POC This Month

The SVG Uploads Support WordPress plugin through 2.1.1 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Svg Uploads Support
NVD WPScan
CVSS 3.1
5.4
EPSS
0.3%
Page 1 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy