875 results (0.021 seconds)

CVSS: 8.8EPSS: %CPEs: 1EXPL: 0

28 Mar 2025 — The Inline Image Upload for BBPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file uploading functionality in all versions up to, and including, 1.1.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 8.8EPSS: %CPEs: 1EXPL: 0

28 Mar 2025 — The SoJ SoundSlides plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the soj_soundslides_options_subpanel() function in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0

27 Mar 2025 — The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'dnd_remove_uploaded_files' function in all versions up to, and including, 1.3.8.7. ... /wp-config.php) to uploaded files on the server, which can easily lead to remote code execution when an Administrator deletes the message. • https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/trunk/inc/dnd-upload-cf7.php#L153 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 9.9EPSS: 0%CPEs: -EXPL: 0

26 Mar 2025 — Improper Control of Generation of Code ('Code Injection') vulnerability in NotFound Visual Text Editor allows Remote Code Inclusion. This issue affects Visual Text Editor: from n/a through 1.2.1. • https://patchstack.com/database/wordpress/plugin/visual-text-editor/vulnerability/wordpress-visual-text-editor-plugin-1-2-1-remote-code-execution-rce-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0

25 Mar 2025 — The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.16.10 via the compression_level setting. • https://github.com/BoldGrid/boldgrid-backup/pull/622/files • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0

24 Mar 2025 — The EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.11.13 to 5.25.08. • https://plugins.trac.wordpress.org/browser/elisqlreports/tags/4..11.13/index.php • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 10.0EPSS: 0%CPEs: -EXPL: 0

24 Mar 2025 — Cross-Site Request Forgery (CSRF) vulnerability in Jacob Schwartz WP e-Commerce Style Email allows Code Injection. This issue affects WP e-Commerce Style Email: from n/a through 0.6.2. • https://patchstack.com/database/wordpress/plugin/wp-e-commerce-style-email/vulnerability/wordpress-wp-e-commerce-style-email-plugin-0-6-2-csrf-to-remote-code-execution-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0

21 Mar 2025 — The Block Logic – Full Gutenberg Block Display Control plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.8 via the block_logic_check_logic function. • https://plugins.trac.wordpress.org/browser/block-logic/tags/1.0.8/block-logic.php#L127 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0

19 Mar 2025 — The Hide My WP Ghost plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 5.4.01. • https://patchstack.com/database/wordpress/plugin/hide-my-wp/vulnerability/wordpress-hide-my-wp-ghost-plugin-5-4-01-local-file-inclusion-to-rce-vulnerability? • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0

18 Mar 2025 — The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://wordpress.org/plugins/file-away/#developers • CWE-434: Unrestricted Upload of File with Dangerous Type •