cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-9218,https://securityvulnerability.io/vulnerability/CVE-2024-9218,The Magazine Blocks Blog Designer Vulnerable to Reflected Cross-Site Scripting,"The Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.3.14. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",Wordpress,"Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder With Posts Blocks, Post Grid",6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,,false,false,2024-10-02T08:31:51.008Z,0
CVE-2024-3815,https://securityvulnerability.io/vulnerability/CVE-2024-3815,Stored Cross-Site Scripting Vulnerability in WordPress Newspaper Theme,"The Newspaper theme for WordPress is vulnerable to Stored Cross-Site Scripting via attachment meta in the archive page in all versions up to, and including, 12.6.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,Newspaper - News & WooCommerce WordPress Theme,4.8,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-06-15T02:15:00.000Z,0
CVE-2024-0900,https://securityvulnerability.io/vulnerability/CVE-2024-0900,Elespare Plugin Vulnerable to Unauthorized Post Creation,"The Elespare – Build Your Blog, News & Magazine Websites with Expert-Designed Template Kits. One Click Import: No Coding Skills Required! plugin for WordPress is vulnerable to unauthorized post creation due to a missing capability check on the elespare_create_post() function hooked via AJAX in all versions up to, and including, 2.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary posts.",Wordpress,"Elespare – Blog, Magazine And Newspaper Addons For Elementor With Templates, Widgets, Kits, And Header/footer Builder. One Click Import: No Coding Required!",4.3,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-04-23T08:32:54.055Z,0
CVE-2023-49826,https://securityvulnerability.io/vulnerability/CVE-2023-49826,WordPress Soledad Theme <= 8.4.1 is vulnerable to PHP Object Injection,"A deserialization of untrusted data vulnerability exists in the PenciDesign Soledad WordPress theme, impacting versions from n/a up to 8.4.1. This vulnerability could allow an attacker to exploit the theme’s functionality, leading to unauthorized execution of malicious code through PHP object injection. Users of the Soledad theme are advised to update to the latest version immediately to mitigate potential risks associated with this issue.",Wordpress,"Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme",8.1,HIGH,0.001129999989643693,false,,false,false,false,,false,false,2023-12-21T13:15:00.000Z,0
CVE-2023-49825,https://securityvulnerability.io/vulnerability/CVE-2023-49825,WordPress Soledad Theme <= 8.4.1 is vulnerable to SQL Injection,"An SQL Injection vulnerability in the PenciDesign Soledad WordPress theme allows attackers to manipulate SQL queries through unsanitized input. This can lead to unauthorized data access or modification. Versions affected include all those prior to 8.4.1, leaving sites using this theme at risk if not updated. Website owners are strongly advised to implement the latest patches to mitigate potential threats.",Wordpress,"Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme",8.5,HIGH,0.0006200000061653554,false,,false,false,false,,false,false,2023-12-20T16:15:00.000Z,0
CVE-2023-49827,https://securityvulnerability.io/vulnerability/CVE-2023-49827,WordPress Soledad Theme <= 8.4.1 is vulnerable to Cross Site Scripting (XSS),"A reflected XSS vulnerability in the PenciDesign Soledad WordPress Theme allows attackers to inject malicious scripts into web pages. This can be exploited when user input is not properly neutralized during page generation, potentially enabling unauthorized actions or data theft from users visiting the impacted site. The vulnerability affects all versions of the Soledad theme up to 8.4.1.",Wordpress,"Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme",7.1,HIGH,0.0005000000237487257,false,,false,false,false,,false,false,2023-12-14T15:15:00.000Z,0
CVE-2020-36721,https://securityvulnerability.io/vulnerability/CVE-2020-36721,"Unauthenticated Plugin Control Vulnerability in WordPress Themes by Brilliance, Activello, and Newspaper X","The Brilliance, Activello, and Newspaper X themes for WordPress contain a vulnerability that allows unauthenticated users to activate or deactivate any plugins installed on a site. This issue arises from the absence of proper capability checks and nonces within the functions responsible for handling plugin activation and deactivation in the themes' codebase. As a result, an attacker could exploit this flaw to gain control over site functionalities, potentially leading to further security breaches. Website owners are encouraged to update their themes to the latest versions to mitigate this risk.",Wordpress,"Newspaper X,Brilliance,Activello",6.5,MEDIUM,0.0026000000070780516,false,,false,false,false,,false,false,2023-06-07T01:51:37.465Z,0
CVE-2020-36708,https://securityvulnerability.io/vulnerability/CVE-2020-36708,Function Injection Vulnerability in Popular WordPress Themes,"An unauthenticated function injection vulnerability exists in multiple WordPress themes due to the epsilon_framework_ajax_action, allowing attackers to invoke sensitive functions and potentially achieve remote code execution. This affects versions of popular themes such as Shapely, NewsMag, and Activello, among others. It is crucial for users of these themes to apply updates to safeguard against unauthorized access and exploitation.",Wordpress,"Allegiant,Naturemag Lite,Newsmag,Shapely,Bonkers,Regina Lite,Transcend,Sparkling,Newspaper X,Antreas,Affluent,Brilliance,Activello,Illdy,Medzone Lite,Pixova Lite",9.8,CRITICAL,0.04871999844908714,false,,false,false,false,,false,false,2023-06-07T01:51:22.525Z,0
CVE-2022-3477,https://securityvulnerability.io/vulnerability/CVE-2022-3477,tagDiv Composer < 3.5 - Unauthenticated Account Takeover,"The tagDiv Composer WordPress plugin before 3.5, required by the Newspaper WordPress theme before 12.1 and Newsmag WordPress theme before 5.2.2, does not properly implement the Facebook login feature, allowing unauthenticated attackers to login as any user by just knowing their email address",Wordpress,"Tagdiv Composer,Newspaper,Newsmag",9.8,CRITICAL,0.003700000001117587,false,,false,false,false,,false,false,2022-11-14T00:00:00.000Z,0
CVE-2022-2167,https://securityvulnerability.io/vulnerability/CVE-2022-2167,Newspaper < 12 - Reflected Cross-Site Scripting,"The Newspaper WordPress theme before 12 does not sanitise a parameter before outputting it back in an HTML attribute via an AJAX action, leading to a Reflected Cross-Site Scripting",Wordpress,Newspaper,6.1,MEDIUM,0.0007600000244565308,false,,false,false,false,,false,false,2022-10-31T00:00:00.000Z,0
CVE-2022-2627,https://securityvulnerability.io/vulnerability/CVE-2022-2627,Newspaper < 12 - Reflected Cross-Site Scripting,"The Newspaper WordPress theme before 12 does not sanitise a parameter before outputting it back in an HTML attribute via an AJAX action, leading to a Reflected Cross-Site Scripting.",Wordpress,Newspaper,6.1,MEDIUM,0.0010999999940395355,false,,false,false,false,,false,false,2022-10-31T00:00:00.000Z,0
CVE-2021-3135,https://securityvulnerability.io/vulnerability/CVE-2021-3135,,An issue was discovered in the tagDiv Newspaper theme 10.3.9.1 for WordPress. It allows XSS via the wp-admin/admin-ajax.php td_block_id parameter in a td_ajax_block API call.,Wordpress,Newspaper,6.1,MEDIUM,0.0006399999838322401,false,,false,false,false,,false,false,2021-07-19T20:01:13.000Z,0
CVE-2015-9500,https://securityvulnerability.io/vulnerability/CVE-2015-9500,,The Exquisite Ultimate Newspaper theme 1.3.3 for WordPress has XSS via the anchor identifier to assets/js/jquery.foundation.plugins.js.,Wordpress,Exquisite Ultimate Newspaper,6.1,MEDIUM,0.004639999940991402,false,,false,false,false,,false,false,2019-10-22T20:52:08.000Z,0
CVE-2016-10972,https://securityvulnerability.io/vulnerability/CVE-2016-10972,,The newspaper theme before 6.7.2 for WordPress has a lack of options access control via td_ajax_update_panel.,Wordpress,Newspaper,9.8,CRITICAL,0.08501999825239182,false,,false,false,false,,false,false,2019-09-16T16:40:00.000Z,0
CVE-2017-18634,https://securityvulnerability.io/vulnerability/CVE-2017-18634,,The newspaper theme before 6.7.2 for WordPress has script injection via td_ads[header] to admin-ajax.php.,Wordpress,Newspaper,9.8,CRITICAL,0.015180000104010105,false,,false,false,false,,false,false,2019-09-16T11:18:24.000Z,0