cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-12043,https://securityvulnerability.io/vulnerability/CVE-2024-12043,Stored Cross-Site Scripting Vulnerability in Prime Slider for WordPress,"The Prime Slider – Addons For Elementor plugin for WordPress is susceptible to a stored Cross-Site Scripting (XSS) vulnerability due to inadequate input sanitization and output escaping in the 'social_link_title' parameter of the 'blog' widget. This issue affects all versions up to and including 3.16.5, permitting authenticated users with Contributor-level access or higher to introduce malicious web scripts. These scripts can execute whenever other users access the manipulated pages, creating significant security risks and potential exploits.",Wordpress,"Prime Slider – Addons For Elementor (revolution Of A Slider, Hero Slider, Post Slider And Ecommerce Slider)",6.4,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-23T11:13:27.032Z,0
CVE-2024-9020,https://securityvulnerability.io/vulnerability/CVE-2024-9020,Stored Cross-Site Scripting Vulnerability in List Category Posts Plugin for WordPress,"The List Category Posts Plugin for WordPress, prior to version 0.90.3, is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability. This issue arises because the plugin fails to properly validate and escape certain shortcode attributes when rendering pages or posts that incorporate these shortcodes. As a result, users with contributor roles or higher could exploit this flaw, executing arbitrary JavaScript code when other users view the affected content. Such attacks can lead to unauthorized actions on behalf of users or disclosure of sensitive information, underscoring the importance of updating to a secured version of the plugin.",Wordpress,List Category Posts,5.4,MEDIUM,0.0004299999854993075,false,,false,false,true,true,false,false,2025-01-18T06:00:05.173Z,0
CVE-2024-12071,https://securityvulnerability.io/vulnerability/CVE-2024-12071,Unauthorized Data Loss Vulnerability in Evergreen Content Poster Plugin for WordPress,"The Evergreen Content Poster plugin for WordPress has a security flaw that allows unauthorized individuals to delete posts and pages without proper authentication. This vulnerability arises from a missing capability check within the delete_network_post() function. As a result, unauthenticated users can exploit this flaw to manipulate content, posing significant risks to the integrity of the website. It is essential for users of the plugin to apply updates and follow security best practices to safeguard their content.",Wordpress,Evergreen Content Poster – Auto Post And Schedule Your Best Content To Social Media,5.3,MEDIUM,0.0005200000014156103,false,,false,false,false,false,false,false,2025-01-18T03:21:12.989Z,0
CVE-2024-9636,https://securityvulnerability.io/vulnerability/CVE-2024-9636,Privilege Escalation in Post Grid and Gutenberg Blocks Plugin for WordPress,"The Post Grid and Gutenberg Blocks plugin for WordPress has a privilege escalation vulnerability that affects versions 2.2.85 through 2.3.3. This vulnerability stems from inadequate restrictions on user meta updates during registration. As a consequence, unauthenticated attackers can exploit this flaw to register as administrators on affected websites, potentially allowing them full control over the site.",Wordpress,Post Grid And Gutenberg Blocks – Comboblocks,9.8,CRITICAL,0.0006300000241026282,false,,false,false,false,false,false,false,2025-01-15T09:25:53.837Z,128
CVE-2024-12407,https://securityvulnerability.io/vulnerability/CVE-2024-12407,Reflected Cross-Site Scripting in Push Notification for Post and BuddyPress Plugin by WordPress,"The Push Notification for Post and BuddyPress plugin for WordPress suffers from a Reflected Cross-Site Scripting vulnerability through the 'pushnotificationid' parameter in all versions up to 2.06. This flaw exists due to inadequate input validation and output encoding, allowing unauthenticated attackers to craft malicious web scripts. If a user is tricked into clicking a malicious link, those scripts can be executed within their browser context, potentially leading to unauthorized access or information disclosure.",Wordpress,Push Notification For Post And Buddypress,6.1,MEDIUM,0.0004600000102072954,false,,false,false,false,false,false,false,2025-01-11T07:21:54.994Z,0
CVE-2024-11642,https://securityvulnerability.io/vulnerability/CVE-2024-11642,Local File Inclusion Vulnerability in Post Grid Master Plugin for WordPress,"The Post Grid Master plugin for WordPress is prone to a Local File Inclusion vulnerability via the 'locate_template' function. This flaw allows unauthorized attackers to incorporate and execute arbitrary files on the server, leading to potential execution of malicious PHP code. Attackers may leverage this vulnerability to bypass access restrictions, extract sensitive data, or perform code execution when legitimate file types such as images can be uploaded and included. The impacted .php files pose a significant risk, and users are urged to update to more secure versions promptly.",Wordpress,"Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything With Infinite Scroll, Load More, Pagination & Shortcode Builder",9.8,CRITICAL,0.000910000002477318,false,,false,false,false,false,false,false,2025-01-09T11:11:03.716Z,0
CVE-2024-9638,https://securityvulnerability.io/vulnerability/CVE-2024-9638,Stored Cross-Site Scripting Vulnerability in Category Posts Widget by WordPress,"The Category Posts Widget WordPress plugin before version 4.9.18 is susceptible to Stored Cross-Site Scripting due to inadequate sanitization and escaping of certain settings. This vulnerability enables high privilege users, including administrators, to execute malicious scripts, potentially compromising the site's security, even in environments where the unfiltered_html capability is restricted, such as multisite configurations.",Wordpress,Category Posts Widget,4.8,MEDIUM,0.0004299999854993075,false,,false,false,true,true,false,false,2025-01-07T06:00:06.592Z,0
CVE-2024-10536,https://securityvulnerability.io/vulnerability/CVE-2024-10536,Unauthorized Data Access in FancyPost Plugin for WordPress,"The FancyPost plugin for WordPress is susceptible to unauthorized access, enabling attackers with Subscriber-level access and above to exploit a missing capability check in the handle_block_shortcode_export() function. This oversight allows them to export sensitive shortcodes, potentially compromising user data. All versions of the plugin up to 6.0.0 are affected, highlighting the critical need for users to update and mitigate this security risk.",Wordpress,"Fancypost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor",4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-07T05:24:09.055Z,0
CVE-2024-12471,https://securityvulnerability.io/vulnerability/CVE-2024-12471,Arbitrary File Upload Vulnerability in Post Saint Plugin for WordPress,"The Post Saint plugin for WordPress is susceptible to arbitrary file uploads due to insufficient capability checks and inadequate file type validation within the add_image_to_library AJAX action. This vulnerability allows authenticated attackers with subscriber-level access or above to upload malicious files, potentially enabling remote code execution. All versions up to and including 1.3.1 are affected, highlighting the critical need for users to update their plugins to prevent unauthorized access and protect their platforms.",Wordpress,"Post Saint: Chatgpt, Gpt4, Dall-e, Stable Diffusion, Pexels, Dezgo Ai Text & Image Generator",8.8,HIGH,0.0004900000058114529,false,,false,false,true,true,false,false,2025-01-07T05:23:57.597Z,0
CVE-2024-11363,https://securityvulnerability.io/vulnerability/CVE-2024-11363,Reflected Cross-Site Scripting in Related Posts by Taxonomy Plugin for WordPress,"The Related Posts by Taxonomy plugin for WordPress is susceptible to a Reflected Cross-Site Scripting vulnerability due to improper use of functions that modify URL parameters without adequate escaping. This issue affects all versions up to and including 1.0.16. Attackers can exploit this vulnerability to inject malicious scripts into the application if they can manipulate users into clicking crafted links, potentially leading to unauthorized actions on the victim's browser.",Wordpress,Same But Different – Related Posts By Taxonomy,6.1,MEDIUM,0.0004600000102072954,false,,false,false,false,false,false,false,2025-01-07T04:22:15.755Z,0
CVE-2024-12252,https://securityvulnerability.io/vulnerability/CVE-2024-12252,File Overwrite Vulnerability in SEO LAT Auto Post Plugin for WordPress,"The SEO LAT Auto Post plugin for WordPress suffers from a serious file overwrite vulnerability due to the absence of necessary capability checks on the remote_update AJAX action. All versions up to and including 2.2.1 are impacted, allowing unauthenticated attackers to overwrite critical files, such as seo-beginner-auto-post.php. This exploitation can lead to remote code execution, posing significant risks to websites utilizing this plugin. It is crucial for site administrators to update their installations promptly to mitigate potential threats.",Wordpress,Seo Lat Auto Post,9.8,CRITICAL,0.0009299999801442027,false,,false,false,true,true,false,false,2025-01-07T04:22:02.465Z,0
CVE-2024-12288,https://securityvulnerability.io/vulnerability/CVE-2024-12288,Cross-Site Request Forgery in Simple Add Pages or Posts Plugin for WordPress,"The Simple Add Pages or Posts Plugin for WordPress is affected by a Cross-Site Request Forgery vulnerability due to inadequate nonce validation. This flaw allows unauthenticated attackers to potentially manipulate plugin settings and inject harmful scripts by convincing an administrator to execute a malicious request, thereby compromising the site's security.",Wordpress,Simple Add Pages Or Posts,6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,false,false,false,2025-01-07T04:21:59.023Z,0
CVE-2024-12538,https://securityvulnerability.io/vulnerability/CVE-2024-12538,Sensitive Information Exposure in Duplicate Post Plugin for WordPress,"The Duplicate Post, Page and Any Custom Post plugin for WordPress is susceptible to Sensitive Information Exposure due to how it handles the 'dpp_duplicate_as_draft' function. Authenticated users with Contributor-level permissions and above can access sensitive information from drafts, scheduled, private, and password protected posts, potentially leading to unauthorized data disclosure. This vulnerability affects all versions up to and including 3.5.3, posing a significant risk to data security within affected WordPress installations.",Wordpress,"Duplicate Post, Page And Any Custom Post",4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-07T03:21:59.599Z,0
CVE-2024-11938,https://securityvulnerability.io/vulnerability/CVE-2024-11938,Stored Cross-Site Scripting in One Click Upsell Funnel Plugin for WordPress,"CVE-2024-11938 exposes a serious stored cross-site scripting (XSS) vulnerability in the One Click Upsell Funnel plugin for WooCommerce, specifically through the 'wps_wocuf_pro_yes' shortcode. This vulnerability impacts all versions up to and including 3.4.9 due to inadequate input sanitization and output escaping of user-supplied attributes. As a result, authenticated attackers with contributor-level access or higher can exploit this vulnerability to inject arbitrary web scripts into pages. These scripts will execute when users access the affected pages, potentially compromising sensitive data and jeopardizing site integrity. It is crucial for users of this plugin to update to the latest version immediately to mitigate the risk.",Wordpress,"One Click Upsell Funnel For WooCommerce – Funnel Builder For WordPress, Create WooCommerce Upsell, Post-purchase Upsell & Cross Sell Offers That Boost Sales & Increase Profits With Sales Funnel Builder",6.4,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-12-21T07:03:00.273Z,0
CVE-2024-11977,https://securityvulnerability.io/vulnerability/CVE-2024-11977,Arbitrary Shortcode Execution Vulnerability in kk Star Ratings Plugin for WordPress,"CVE-2024-11977 is a high-risk vulnerability in the kk Star Ratings plugin for WordPress that allows unauthenticated attackers to execute arbitrary shortcodes. This vulnerability arises from a lack of proper value validation in the plugin's handling of executed actions, which affects all versions up to and including 5.4.10. When exploited, this could enable attackers to manipulate website content or perform unauthorized actions, putting user data at risk. Website owners using this plugin should update immediately to secured versions to prevent potential exploits.",Wordpress,Kk Star Ratings – Rate Post & Collect User Feedbacks,7.3,HIGH,0.0004600000102072954,false,,false,false,false,,false,false,2024-12-21T05:31:02.179Z,0
CVE-2024-11878,https://securityvulnerability.io/vulnerability/CVE-2024-11878,Stored Cross-Site Scripting Vulnerability in Category Post Slider Plugin for WordPress,"CVE-2024-11878 identifies a stored cross-site scripting (XSS) vulnerability present in the Category Post Slider plugin for WordPress. This issue arises from inadequate input sanitization and output escaping within the plugin's 'category-post-slider' shortcode. As a result, authenticated attackers with contributor-level access or higher could exploit this vulnerability to inject arbitrary web scripts into affected pages. These scripts would execute whenever a user views the compromised page, potentially leading to unauthorized actions and exposure of sensitive information. Website administrators are strongly advised to update to the latest version of the plugin to mitigate this risk.",Wordpress,Category Post Slider,6.4,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-12-20T06:59:11.219Z,0
CVE-2024-11906,https://securityvulnerability.io/vulnerability/CVE-2024-11906,Stored Cross-Site Scripting Vulnerability in TPG Get Posts Plugin for WordPress,"The TPG Get Posts plugin for WordPress is vulnerable to a Stored Cross-Site Scripting (XSS) attack via the 'tpg_get_posts' shortcode in all versions up to and including 3.6.5. This vulnerability arises from inadequate input sanitization and output escaping on user-supplied attributes. As a result, authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages. These injected scripts execute each time the compromised page is accessed, posing significant security risks to users and potentially compromising sensitive information.",Wordpress,Tpg Get Posts,6.4,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-12-17T00:15:00.000Z,0
CVE-2024-12446,https://securityvulnerability.io/vulnerability/CVE-2024-12446,Plugin Vulnerable to Stored Cross-Site Scripting,"The Post to Pdf plugin for WordPress suffers from a Stored Cross-Site Scripting vulnerability due to inadequate input sanitization and output escaping of user-supplied attributes in the 'gmptp_single_post' shortcode. This issue permits authenticated attackers with contributor-level access or higher to inject malicious web scripts into pages. Such scripts could execute when users access a compromised page, potentially leading to unauthorized actions or data exposure.",Wordpress,Post To PDF,6.4,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-12-14T06:45:14.359Z,0
CVE-2024-12447,https://securityvulnerability.io/vulnerability/CVE-2024-12447,Vulnerability in Get Post Content Shortcode Plugin Allows Authenticated Attackers to Read Private Post Content,"The Get Post Content Shortcode plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.4 via the 'post-content' shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the content of password-protected, private, draft, and pending posts.",Wordpress,Get Post Content Shortcode,4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-12-14T04:23:45.742Z,0
CVE-2024-12448,https://securityvulnerability.io/vulnerability/CVE-2024-12448,WooCommerce Plugin Vulnerable to Stored Cross-Site Scripting,"The Posts and Products Views for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'papvfwc_views' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,Posts And Products Views For WooCommerce,6.4,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-12-14T04:23:44.119Z,0
CVE-2024-11770,https://securityvulnerability.io/vulnerability/CVE-2024-11770,Stored Cross-Site Scripting Vulnerability in Post Carousel & Slider Plugin,"The Post Carousel & Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'post-cs' shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,Post Carousel & Slider,6.4,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-12-14T04:23:42.330Z,0
CVE-2024-12309,https://securityvulnerability.io/vulnerability/CVE-2024-12309,Unpublished Posts Vulnerable to Unauthenticated Voting Due to IDOR in Rate My Post Plugin,"The Rate My Post – Star Rating Plugin by FeedbackWP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.4 via the get_post_status() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to vote on unpublished scheduled posts.",Wordpress,Rate My Post – Star Rating Plugin By FeedbackWP,5.3,MEDIUM,0.0004600000102072954,false,,false,false,false,,false,false,2024-12-13T08:24:51.699Z,0
CVE-2024-11709,https://securityvulnerability.io/vulnerability/CVE-2024-11709,Unauthorized Modification of Data in AI Post Generator AutoWriter plugin for WordPress,"The AI Post Generator | AutoWriter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ai_post_generator_delete_Post AJAX action in all versions up to, and including, 3.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary pages and posts.",Wordpress,Ai Post Generator | Autowriter,4.3,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-12-12T04:23:15.579Z,0
CVE-2024-12156,https://securityvulnerability.io/vulnerability/CVE-2024-12156,Reflected Cross-Site Scripting Vulnerability in RSS Feed to Post,"The AI Content Writer, RSS Feed to Post, Autoblogging SEO Help plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 6.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",Wordpress,"Ai Content Writer, Rss Feed To Post, Autoblogging Seo Help",6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,,false,false,2024-12-12T04:23:14.700Z,0
CVE-2024-12294,https://securityvulnerability.io/vulnerability/CVE-2024-12294,Sensitive Information Exposure Vulnerability in The Last Viewed Posts Plugin,"The Last Viewed Posts by WPBeginner plugin for WordPress is susceptible to a vulnerability that allows unauthenticated attackers to gain access to sensitive information. This includes titles and permalinks of posts that are private, password-protected, pending, or in draft status. The vulnerability lies within the 'get_legacy_cookies' function, which fails to properly secure sensitive data, resulting in potential data exposure for website administrators and users. Users who have installed versions of the plugin up to and including 1.0.1 should take immediate action to secure their sites against possible data breaches.",Wordpress,Last Viewed Posts By WPbeginner,5.3,MEDIUM,0.0005200000014156103,false,,false,false,false,,false,false,2024-12-11T10:57:30.270Z,0