Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

#1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81

Security Advisories

Reported CVEsVendorsProductsReports
4113Vulnerabilities found
CVE-2025-2055
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.8||MEDIUM
EPSS-0.09% / 27.17%
||
7 Day CHG~0.00%
Published-03 Apr, 2025 | 06:00
Updated-29 Apr, 2025 | 20:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MapPress Maps for WordPress < 2.94.9 - Contributor+ Stored XSS

The MapPress Maps for WordPress plugin before 2.94.9 does not sanitise and escape some parameters when outputing them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.

Action-Not Available
Vendor-mappressproUnknown
Product-mappressMapPress Maps for WordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-2048
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.1||MEDIUM
EPSS-0.05% / 16.03%
||
7 Day CHG-0.02%
Published-01 Apr, 2025 | 06:00
Updated-12 Jun, 2025 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lana Downloads Manager < 1.10.0 - Admin+ Arbitrary File Download via Path Traversal

The Lana Downloads Manager WordPress plugin before 1.10.0 does not validate user input used in a path, which could allow users with an admin role to perform path traversal attacks and download arbitrary files on the server

Action-Not Available
Vendor-lanaUnknown
Product-lana_downloads_managerLana Downloads Manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-1986
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.1||MEDIUM
EPSS-0.03% / 6.71%
||
7 Day CHG-0.01%
Published-01 Apr, 2025 | 06:00
Updated-28 May, 2025 | 15:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gutentor < 3.4.7 - Admin+ SQL Injection

The Gutentor WordPress plugin before 3.4.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks

Action-Not Available
Vendor-gutentorUnknown
Product-gutentorGutentor
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-0613
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.07% / 20.34%
||
7 Day CHG-0.08%
Published-31 Mar, 2025 | 06:00
Updated-13 May, 2025 | 13:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Photo Gallery < 1.8.34 - Unauthenticated Stored XSS

The Photo Gallery by 10Web WordPress plugin before 1.8.34 does not sanitised and escaped comment added on images by unauthenticated users, leading to an Unauthenticated Stored-XSS attack when comments are displayed

Action-Not Available
Vendor-Unknown10Web (TenWeb, Inc.)
Product-photo_galleryPhoto Gallery by 10Web
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1762
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 2.66%
||
7 Day CHG-0.02%
Published-28 Mar, 2025 | 06:00
Updated-17 Apr, 2025 | 13:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Event Tickets with Ticket Scanner < 2.5.4 - Arbitrary Tickets Deletion via CSRF

The Event Tickets with Ticket Scanner WordPress plugin before 2.5.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Action-Not Available
Vendor-vollstartUnknown
Product-event_tickets_with_ticket_scannerEvent Tickets with Ticket Scanner
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-13146
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.02% / 4.57%
||
7 Day CHG-0.01%
Published-26 Mar, 2025 | 06:00
Updated-30 Apr, 2025 | 17:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Booknetic < 4.1.5 - Staff Creation via CSRF

The Booknetic WordPress plugin before 4.1.5 does not have CSRF check when creating Staff accounts, which could allow attackers to make logged in admin add arbitrary Staff members via a CSRF attack

Action-Not Available
Vendor-fs-codeUnknown
Product-bookneticBooknetic
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-12683
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.03% / 5.67%
||
7 Day CHG-0.02%
Published-26 Mar, 2025 | 06:00
Updated-06 May, 2025 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Smart Maintenance Mode < 1.5.2 - Admin+ Stored XSS

The Smart Maintenance Mode WordPress plugin before 1.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-brijeshk89Unknown
Product-smart_maintenance_modeSmart Maintenance Mode
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-11847
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.03% / 6.41%
||
7 Day CHG-0.02%
Published-26 Mar, 2025 | 06:00
Updated-27 Mar, 2025 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP SVG Upload <= 1.0.0 - Author+ Stored XSS via SVG

The wp-svg-upload WordPress plugin through 1.0.0 does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks.

Action-Not Available
Vendor-Unknown
Product-wp-svg-upload
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1798
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.07% / 23.07%
||
7 Day CHG+0.02%
Published-25 Mar, 2025 | 06:00
Updated-27 Mar, 2025 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Design Comuni Italia < 1.1.2 - Unauthenticated Stored XSS

The does not sanitise and escape some parameters when outputting them back in a page, allowing unauthenticated users the ability to perform stored Cross-Site Scripting attacks.

Action-Not Available
Vendor-Unknown
Product-design-comuni-wordpress-theme
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1452
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.03% / 6.03%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-06 May, 2025 | 19:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Favorites < 2.3.5 - Admin+ Stored XSS

The Favorites WordPress plugin before 2.3.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-favoritepostsUnknown
Product-favoritesFavorites
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-0717
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.03% / 6.68%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-27 Mar, 2025 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Social Slider Feed < 2.2.9 - Admin+ Stored XSS

To exploit the vulnerability, it is necessary:

Action-Not Available
Vendor-Unknown
Product-Social Slider Feed
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-9770
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.7||MEDIUM
EPSS-0.03% / 6.44%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-29 Apr, 2025 | 17:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP-Recall < 16.26.12 - Admin+ SQL Injection

The WP-Recall WordPress plugin before 16.26.12 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks

Action-Not Available
Vendor-plechevandreyUnknown
Product-wp-recallWP-Recall
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-13863
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-7.1||HIGH
EPSS-0.03% / 8.53%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-29 Apr, 2025 | 17:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stylish Google Sheet Reader < 4.1 - Reflected XSS

The Stylish Google Sheet Reader 4.0 WordPress plugin before 4.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Action-Not Available
Vendor-wppluginboxUnknown
Product-stylish_google_sheet_readerStylish Google Sheet Reader 4.0
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13618
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-7.2||HIGH
EPSS-0.05% / 14.03%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-20 Jun, 2025 | 15:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Downloable by American Osteopathic Association <= 0.1.0 - Unauthenticated SSRF

The aoa-downloadable WordPress plugin through 0.1.0 lacks authorization and authentication for requests to its download.php endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.

Action-Not Available
Vendor-osteopathicUnknown
Product-downloadable_by_american_osteopathic_associationaoa-downloadable
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-13617
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-8.6||HIGH
EPSS-0.07% / 20.92%
||
7 Day CHG+0.02%
Published-25 Mar, 2025 | 06:00
Updated-20 Jun, 2025 | 15:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Downloable by American Osteopathic Association <= 0.1.0 - Unauthenticated Arbitrary File Download

The aoa-downloadable WordPress plugin through 0.1.0 doesn't validate a parameter in its download function, allowing unauthenticated attackers to download arbitrary files from the server

Action-Not Available
Vendor-osteopathicUnknown
Product-downloadable_by_american_osteopathic_associationaoa-downloadable
CWE ID-CWE-552
Files or Directories Accessible to External Parties
CVE-2024-13123
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.03% / 5.67%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-01 Apr, 2025 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AFI < 1.100.0 - Admin+ Stored XSS

The AFI WordPress plugin before 1.100.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-advancedformintegrationUnknown
Product-advanced_form_integrationAFI
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13122
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.03% / 5.67%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-01 Apr, 2025 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AFI < 1.100.0 - Admin+ Stored XSS

The AFI WordPress plugin before 1.100.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-advancedformintegrationUnknown
Product-advanced_form_integrationAFI
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13118
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 2.95%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-06 May, 2025 | 19:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IP Based Login < 2.4.1 - Log Deletion via CSRF

The IP Based Login WordPress plugin before 2.4.1 does not have CSRF checks in some places, which could allow attackers to make logged in users delete all logs via a CSRF attack

Action-Not Available
Vendor-brijeshk89Unknown
Product-ip_based_loginIP Based Login
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-12769
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.03% / 6.03%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-29 Apr, 2025 | 17:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Simple Banner < 3.0.4 - Admin+ Stored XSS

The Simple Banner WordPress plugin before 3.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-simple_banner_projectUnknown
Product-simple_bannerSimple Banner
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12682
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.03% / 6.47%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-06 May, 2025 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Smart Maintenance Mode < 1.5.2 - Admin+ Stored XSS

The Smart Maintenance Mode WordPress plugin before 1.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-brijeshk89Unknown
Product-smart_maintenance_modeSmart Maintenance Mode
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-12109
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.1||MEDIUM
EPSS-0.04% / 9.52%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-29 Apr, 2025 | 17:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Product Labels For Woocommerce < 1.5.9 - Admin+ SQLi

The Product Labels For Woocommerce (Sale Badges) WordPress plugin before 1.5.9 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks

Action-Not Available
Vendor-UnknownAcowebs (Acodez IT Solutions Pvt. Ltd.)
Product-product_labels_for_woocommerce_\(sale_badges\)Product Labels For Woocommerce (Sale Badges)
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-11503
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.03% / 6.84%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-29 Apr, 2025 | 18:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Tabs < 2.2.7 - Admin+ Stored XSS

The WP Tabs WordPress plugin before 2.2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-shapedpluginUnknown
Product-wp_tabsWP Tabs
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-11273
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.03% / 6.47%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-15 May, 2025 | 19:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Contact Form & SMTP Plugin for WordPress by PirateForms < 2.6.0 - Admin+ Stored XSS

The Contact Form & SMTP Plugin for WordPress by PirateForms WordPress plugin before 2.6.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-UnknownWPForms, LLC
Product-contact_formContact Form & SMTP Plugin for WordPress by PirateForms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-11272
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.03% / 6.47%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-15 May, 2025 | 19:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Contact Form & SMTP Plugin for WordPress by PirateForms < 2.6.0 - Admin+ Stored XSS

The Contact Form & SMTP Plugin for WordPress by PirateForms WordPress plugin before 2.6.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-UnknownWPForms, LLC
Product-pirate_formsContact Form & SMTP Plugin for WordPress by PirateForms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10703
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.03% / 6.47%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-15 May, 2025 | 19:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Registrations for The Events Calendar < 2.13.4 - Admin+ Stored XSS

The Registrations for the Events Calendar WordPress plugin before 2.13.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-roundupwpUnknown
Product-registrations_for_the_events_calendarRegistrations for the Events Calendar
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10679
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.03% / 6.84%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-06 May, 2025 | 20:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Quiz and Survey Master (QSM) < 9.2.1 - Author+ Stored XSS

The Quiz and Survey Master (QSM) WordPress plugin before 9.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-expresstechUnknown
Product-quiz_and_survey_masterQuiz and Survey Master (QSM)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10638
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.1||MEDIUM
EPSS-0.04% / 9.52%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-05 May, 2025 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Product Labels For Woocommerce < 1.5.11 - Admin+ SQLi

The Product Labels For Woocommerce (Sale Badges) WordPress plugin before 1.5.11 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks

Action-Not Available
Vendor-UnknownAcowebs (Acodez IT Solutions Pvt. Ltd.)
Product-product_labels_for_woocommerce_\(sale_badges\)Product Labels For Woocommerce (Sale Badges)
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-10566
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.03% / 6.84%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-01 Apr, 2025 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Slider by 10Web < 1.2.62 - Contributor+ Stored XSS

The Slider by 10Web WordPress plugin before 1.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-Unknown10Web (TenWeb, Inc.)
Product-sliderSlider by 10Web
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10565
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-6.1||MEDIUM
EPSS-0.03% / 6.84%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-02 Apr, 2025 | 17:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Slider by 10Web < 1.2.62 - Admin+ Stored XSS via Widget

The Slider by 10Web WordPress plugin before 1.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-Unknown10Web (TenWeb, Inc.)
Product-sliderSlider by 10Web
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10560
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.03% / 6.03%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-03 Apr, 2025 | 17:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Form Maker by 10Web < 1.15.30 - Admin+ Stored XSS

The Form Maker by 10Web WordPress plugin before 1.15.30 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-Unknown10Web (TenWeb, Inc.)
Product-form_makerForm Maker by 10Web
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10554
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.03% / 6.03%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-15 May, 2025 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP-Advanced-Search < 3.3.9.3 - Admin+ Stored XSS

The WordPress WP-Advanced-Search WordPress plugin before 3.3.9.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-internet-formationUnknown
Product-wp-advanced-searchWordPress WP-Advanced-Search
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10472
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-5.9||MEDIUM
EPSS-0.03% / 7.89%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-15 May, 2025 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stylish Price List < 7.1.12 - Contributor+ Stored XSS

The Stylish Price List WordPress plugin before 7.1.12 does not sanitise and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-stylishpricelistUnknown
Product-stylish_price_listStylish Price List
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10105
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-5.9||MEDIUM
EPSS-0.04% / 9.96%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 06:00
Updated-02 Apr, 2025 | 17:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jobs for WordPress < 2.7.11 - Contributor+ Stored XSS

The Job Postings WordPress plugin before 2.7.11 does not sanitise and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-blueglassUnknown
Product-jobs_for_wordpressJob Postings
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1203
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.03% / 6.03%
||
7 Day CHG~0.00%
Published-24 Mar, 2025 | 06:00
Updated-24 Mar, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Slider, Gallery, Carousel by MetaSlider < 3.95.0 - Editor+ Stored XSS

The Slider, Gallery, and Carousel by MetaSlider WordPress plugin before 3.95.0 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-Unknown
Product-Slider, Gallery, and Carousel by MetaSlider
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1062
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.03% / 6.03%
||
7 Day CHG~0.00%
Published-24 Mar, 2025 | 06:00
Updated-24 Mar, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Slider, Gallery, Carousel by MetaSlider < 3.95.0 - Editor+ Stored XSS

The Slider, Gallery, and Carousel by MetaSlider WordPress plugin before 3.95.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-Unknown
Product-Slider, Gallery, and Carousel by MetaSlider
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13124
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.03% / 6.41%
||
7 Day CHG~0.00%
Published-24 Mar, 2025 | 06:00
Updated-13 May, 2025 | 20:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Photo Gallery by 10Web < 1.8.33 - Admin+ Stored XSS

The Photo Gallery by 10Web WordPress plugin before 1.8.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-Unknown10Web (TenWeb, Inc.)
Product-photo_galleryPhoto Gallery by 10Web
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10558
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.03% / 6.72%
||
7 Day CHG~0.00%
Published-24 Mar, 2025 | 06:00
Updated-13 May, 2025 | 13:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Form Maker by 10Web < 1.15.30 - Admin+ Stored XSS

The Form Maker by 10Web WordPress plugin before 1.15.30 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-Unknown10Web (TenWeb, Inc.)
Product-form_makerForm Maker by 10Web
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1446
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.1||MEDIUM
EPSS-0.04% / 11.01%
||
7 Day CHG~0.00%
Published-23 Mar, 2025 | 06:00
Updated-02 Apr, 2025 | 14:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pods < 3.2.8.2 - Admin+ SQL Injection

The Pods WordPress plugin before 3.2.8.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks

Action-Not Available
Vendor-podsfoundationUnknown
Product-podsPods
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-0718
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.03% / 6.03%
||
7 Day CHG~0.00%
Published-23 Mar, 2025 | 06:00
Updated-02 Apr, 2025 | 14:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nested Pages < 3.2.13 - Contributor+ Stored XSS

The Nested Pages WordPress plugin before 3.2.13 does not sanitise and escape some of its settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-kylephillipsUnknown
Product-nested_pagesNested Pages
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13881
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-7.1||HIGH
EPSS-0.05% / 14.53%
||
7 Day CHG+0.01%
Published-20 Mar, 2025 | 06:00
Updated-20 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LinkMyPosts <= 1.0 - Reflected XSS

The Link My Posts WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-Unknown
Product-Link My Posts
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13880
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-7.1||HIGH
EPSS-0.05% / 14.53%
||
7 Day CHG+0.01%
Published-20 Mar, 2025 | 06:00
Updated-20 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
My Quota <= 1.0.8 - Reflected XSS

The My Quota WordPress plugin through 1.0.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-Unknown
Product-My Quota
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13878
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-7.1||HIGH
EPSS-0.05% / 14.53%
||
7 Day CHG+0.01%
Published-20 Mar, 2025 | 06:00
Updated-20 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SpotBot <= 0.1.8 - Reflected XSS

The SpotBot WordPress plugin through 0.1.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-Unknown
Product-SpotBot
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13877
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-7.1||HIGH
EPSS-0.05% / 14.53%
||
7 Day CHG+0.01%
Published-20 Mar, 2025 | 06:00
Updated-09 Apr, 2025 | 13:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Passbeemedia Web Push Notifications <= 1.0.0 - Reflected XSS

The Passbeemedia Web Push Notification WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-sjehutchUnknown
Product-passbeemedia_web_push_notificationPassbeemedia Web Push Notification
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13876
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-7.1||HIGH
EPSS-0.05% / 14.53%
||
7 Day CHG+0.01%
Published-20 Mar, 2025 | 06:00
Updated-09 Apr, 2025 | 13:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Meintopf <= 0.2.1 - Reflected XSS

The mEintopf WordPress plugin through 0.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-tiefpunktUnknown
Product-meintopfmEintopf
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-13875
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-7.1||HIGH
EPSS-0.05% / 14.53%
||
7 Day CHG+0.01%
Published-20 Mar, 2025 | 06:00
Updated-10 Apr, 2025 | 18:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Programmmanager <= 1.2 - Reflected XSS

The WP-PManager WordPress plugin through 1.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Action-Not Available
Vendor-mantus667Unknown
Product-wp-pmanagerWP-PManager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1232
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-8.8||HIGH
EPSS-0.29% / 51.89%
||
7 Day CHG+0.06%
Published-19 Mar, 2025 | 06:00
Updated-09 May, 2025 | 12:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Site Reviews < 7.2.5 - Unauthenticated Stored XSS

The Site Reviews WordPress plugin before 7.2.5 does not properly sanitise and escape some of its Review fields, which could allow unauthenticated users to perform Stored XSS attacks

Action-Not Available
Vendor-geminilabsUnknown
Product-site_reviewsSite Reviews
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1624
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.04% / 10.05%
||
7 Day CHG+0.01%
Published-16 Mar, 2025 | 06:00
Updated-02 Apr, 2025 | 12:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GDPR Cookie Compliance < 4.15.9 - Admin+ Stored XSS

The GDPR Cookie Compliance WordPress plugin before 4.15.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-mooveagencyUnknown
Product-gdpr_cookie_complianceGDPR Cookie Compliance
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1623
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.04% / 10.05%
||
7 Day CHG+0.01%
Published-16 Mar, 2025 | 06:00
Updated-02 Apr, 2025 | 12:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GDPR Cookie Compliance < 4.15.9 - Admin+ Stored XSS

The GDPR Cookie Compliance WordPress plugin before 4.15.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-mooveagencyUnknown
Product-gdpr_cookie_complianceGDPR Cookie Compliance
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1622
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.03% / 8.43%
||
7 Day CHG+0.01%
Published-16 Mar, 2025 | 06:00
Updated-02 Apr, 2025 | 12:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GDPR Cookie Compliance < 4.15.7 - Admin+ Stored XSS

The GDPR Cookie Compliance WordPress plugin before 4.15.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-mooveagencyUnknown
Product-gdpr_cookie_complianceGDPR Cookie Compliance
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-1621
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.04% / 10.05%
||
7 Day CHG+0.01%
Published-16 Mar, 2025 | 06:00
Updated-02 Apr, 2025 | 12:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GDPR Cookie Compliance < 4.15.7 - Admin+ Stored XSS

The GDPR Cookie Compliance WordPress plugin before 4.15.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-mooveagencyUnknown
Product-gdpr_cookie_complianceGDPR Cookie Compliance
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • ...
  • 6
  • 7
  • 8
  • ...
  • 82
  • 83
  • Next