cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-13499,https://securityvulnerability.io/vulnerability/CVE-2024-13499,Arbitrary Shortcode Execution in GamiPress Plugin for WordPress,"The GamiPress plugin, used to gamify WordPress sites by rewarding users with points, achievements, badges, and ranks, contains a vulnerability that allows arbitrary shortcode execution. The gamipress_do_shortcode() function does not adequately validate its input before executing it as a shortcode, so unauthenticated attackers can invoke any registered shortcode; the impact depends on what the installed shortcodes do. All versions of GamiPress up to and including 7.2.1 are affected, and site administrators should update.",Wordpress,"Gamipress – Gamification Plugin To Reward Points, Achievements, Badges & Ranks In WordPress",7.3,HIGH,0.0005200000014156103,false,,false,false,false,false,false,false,2025-01-22T11:15:00.000Z,0
CVE-2024-13495,https://securityvulnerability.io/vulnerability/CVE-2024-13495,Arbitrary Shortcode Execution in GamiPress by GamiPress,"The GamiPress plugin, designed for gamification in WordPress, is susceptible to arbitrary shortcode execution due to inadequate input validation in the gamipress_ajax_get_logs() function. Unauthenticated attackers can use it to invoke any registered shortcode, potentially leading to unauthorized actions within the WordPress site. All versions up to and including 7.2.1 are affected; users should update to a later release.",Wordpress,"Gamipress – Gamification Plugin To Reward Points, Achievements, Badges & Ranks In WordPress",7.3,HIGH,0.0005200000014156103,false,,false,false,false,false,false,false,2025-01-22T11:15:00.000Z,0
CVE-2024-13496,https://securityvulnerability.io/vulnerability/CVE-2024-13496,Time-Based SQL Injection Vulnerability in GamiPress Plugin for WordPress,"The GamiPress plugin, designed for gamification in WordPress to manage points and achievements, is vulnerable to time-based blind SQL injection via the 'orderby' parameter. The parameter is neither escaped nor bound with a prepared query before being placed in the ORDER BY clause, so unauthenticated attackers can append SQL to the existing query and, by measuring response delays, extract sensitive information from the database.",Wordpress,"Gamipress – Gamification Plugin To Reward Points, Achievements, Badges & Ranks In WordPress",7.5,HIGH,0.0006000000284984708,false,,false,false,false,false,false,false,2025-01-22T11:15:00.000Z,0
CVE-2024-11036,https://securityvulnerability.io/vulnerability/CVE-2024-11036,Unauthenticated Arbitrary Shortcode Execution Vulnerability in GamiPress Plugin,"The GamiPress plugin, widely used for gamification in WordPress websites, permits arbitrary shortcode execution through the gamipress_get_user_earnings AJAX action. All versions up to and including 7.1.5 do not adequately validate user-supplied input before passing it to the do_shortcode function. Unauthenticated users can exploit this to invoke any registered shortcode; the impact depends on what the installed shortcodes do. Site owners running GamiPress should update.",Wordpress,"Gamipress – The #1 Gamification Plugin To Reward Points, Achievements, Badges & Ranks In WordPress",7.3,HIGH,0.0005200000014156103,false,,false,false,false,,false,false,2024-11-19T11:02:29.496Z,0
CVE-2024-5536,https://securityvulnerability.io/vulnerability/CVE-2024-5536,Stored Cross-Site Scripting Vulnerability in GamiPress Link Plugin,"The GamiPress – Link plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's gamipress_link shortcode in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,Gamipress - Link,5.4,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-06-05T10:15:00.000Z,0
CVE-2024-2783,https://securityvulnerability.io/vulnerability/CVE-2024-2783,Stored Cross-Site Scripting Vulnerability in GamiPress Plugin for WordPress,"The GamiPress plugin, a popular gamification tool for WordPress, is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping of user-supplied attributes in its shortcodes. Authenticated users with contributor-level access or higher can inject arbitrary web scripts into pages, and the injected scripts execute whenever a user visits the affected pages. Site owners should update to a patched version.",Wordpress,"Gamipress – The #1 Gamification Plugin To Reward Points, Achievements, Badges & Ranks In WordPress",6.4,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-04-09T18:58:55.932Z,0
CVE-2024-1799,https://securityvulnerability.io/vulnerability/CVE-2024-1799,"GamiPress Vulnerable to SQL Injection, Sensitive Information at Risk","The GamiPress plugin for WordPress, widely used for gamification, is vulnerable to SQL injection through the 'achievement_types' attribute of the gamipress_earnings shortcode in all versions up to and including 6.8.6. The attribute is neither escaped nor bound with a prepared query. Authenticated attackers with contributor-level access or higher can append SQL to the existing query and potentially extract sensitive data from the database. Update to a patched version.",Wordpress,"Gamipress – The #1 Gamification Plugin To Reward Points, Achievements, Badges & Ranks In WordPress",8.8,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,2024-03-20T02:35:42.251Z,0
CVE-2024-2460,https://securityvulnerability.io/vulnerability/CVE-2024-2460,GamiPress Button Plugin Vulnerable to Stored Cross-Site Scripting,"The GamiPress – Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gamipress_button' shortcode in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,Gamipress – Button,6.4,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-03-20T02:35:41.153Z,0
CVE-2023-25715,https://securityvulnerability.io/vulnerability/CVE-2023-25715,WordPress GamiPress Plugin <= 2.5.6 is vulnerable to Broken Access Control,"Missing Authorization vulnerability in GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress. This issue affects versions from n/a through 2.5.6.",Wordpress,"Gamipress – The #1 Gamification Plugin To Reward Points, Achievements, Badges & Ranks In WordPress",5.4,MEDIUM,0.0004799999878741801,false,,false,false,false,,false,false,2023-12-19T16:15:00.000Z,0
CVE-2023-0154,https://securityvulnerability.io/vulnerability/CVE-2023-0154,GamiPress – Vimeo integration < 1.0.9 - Contributor+ Stored XSS,"The GamiPress – Vimeo integration WordPress plugin before 1.0.9 does not validate and escape some of its shortcode attributes before outputting them back in the page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.",Wordpress,GamiPress,5.4,MEDIUM,0.000539999979082495,false,,false,false,false,,false,false,2023-02-06T20:15:00.000Z,0
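Added example, not GamiPress code and not taken from any of the advisories above: the three weakness patterns the descriptions name (request input reaching do_shortcode(), an unprepared 'orderby' value interpolated into ORDER BY, and unescaped shortcode attributes rendered into HTML), each beside a hardened form. The function names, the `shortcode`/`orderby`/`order` request keys, the `demo_logs` table and the `demo_link` shortcode are hypothetical; the WordPress APIs called (`do_shortcode`, `shortcode_exists`, `check_ajax_referer`, `current_user_can`, `sanitize_key`, `$wpdb->prepare`, `shortcode_atts`, `esc_url`, `esc_attr`, `esc_html`) are real core functions.

```php
<?php
// Added illustration of the weakness classes in the rows above.
// Not GamiPress code: function names, request keys and table name are hypothetical.

// 1. Arbitrary shortcode execution: request input reaches do_shortcode().
function demo_ajax_render_shortcode_vulnerable() {
    // No nonce, no capability check, no validation: any caller can have any
    // registered shortcode rendered, e.g. "[some_admin_only_shortcode]".
    $shortcode = wp_unslash( $_POST['shortcode'] ?? '' );
    wp_send_json_success( do_shortcode( $shortcode ) );
}

function demo_ajax_render_shortcode_hardened() {
    check_ajax_referer( 'demo_render', 'nonce' );        // CSRF guard
    if ( ! current_user_can( 'edit_posts' ) ) {          // authorization
        wp_send_json_error( 'forbidden', 403 );
    }
    $allowed = array( 'demo_points', 'demo_rank' );      // tags this endpoint may render
    $tag     = sanitize_key( $_POST['shortcode'] ?? '' );
    if ( ! in_array( $tag, $allowed, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'shortcode not allowed', 400 );
    }
    // Rebuild the shortcode from the validated tag; attributes never come from the request.
    wp_send_json_success( do_shortcode( '[' . $tag . ']' ) );
}

// 2. Time-based SQL injection through an 'orderby' parameter concatenated into
//    the query. Identifiers cannot be bound with prepare(), so they must be allowlisted.
function demo_get_logs_vulnerable( $user_id ) {
    global $wpdb;
    $orderby = $_GET['orderby'] ?? 'date';
    // orderby="date, (SELECT SLEEP(5))" becomes part of the statement; the
    // %d placeholder protects user_id only.
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}demo_logs WHERE user_id = %d ORDER BY {$orderby}",
        $user_id
    ) );
}

function demo_get_logs_hardened( $user_id ) {
    global $wpdb;
    $columns = array( 'date', 'points', 'type' );        // sortable columns
    $orderby = sanitize_key( $_GET['orderby'] ?? 'date' );
    if ( ! in_array( $orderby, $columns, true ) ) {
        $orderby = 'date';
    }
    $order = strtoupper( $_GET['order'] ?? 'DESC' ) === 'ASC' ? 'ASC' : 'DESC';
    // Only allowlisted identifiers are interpolated; the value is still bound.
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}demo_logs WHERE user_id = %d ORDER BY {$orderby} {$order}",
        $user_id
    ) );
}

// 3. Stored XSS through shortcode attributes. A contributor can save
//    [demo_link url="javascript:alert(1)" label="<img src=x onerror=alert(1)>"]
//    and it renders for every visitor and for any administrator previewing the page.
function demo_link_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'label' => '', 'class' => '' ), $atts, 'demo_link' );
    return '<a href="' . $atts['url'] . '" class="' . $atts['class'] . '">' . $atts['label'] . '</a>';
}

function demo_link_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'label' => '', 'class' => '' ), $atts, 'demo_link' );
    // esc_url() rejects schemes outside the allowed list (javascript: becomes an
    // empty string); esc_attr()/esc_html() neutralise quote and angle-bracket breakouts.
    return sprintf(
        '<a href="%s" class="%s">%s</a>',
        esc_url( $atts['url'] ),
        esc_attr( $atts['class'] ),
        esc_html( $atts['label'] )
    );
}

add_action( 'wp_ajax_demo_render', 'demo_ajax_render_shortcode_hardened' );
add_action( 'wp_ajax_nopriv_demo_render', 'demo_ajax_render_shortcode_hardened' ); // anonymous callers fail the capability check
add_shortcode( 'demo_link', 'demo_link_shortcode_hardened' );
```

Two points worth noting when reviewing a plugin for these patterns: `$wpdb->prepare()` only binds values, so an `ORDER BY` or column name that comes from the request has to be checked against a fixed list (core's `sanitize_sql_orderby()` restricts the syntax but not the set of columns); and a shortcode-execution endpoint needs both a capability check and an allowlist, because `do_shortcode()` will happily run any tag that any installed plugin has registered, which is why the advisories above describe the impact as depending on the site's other shortcodes.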