cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2025-0215,https://securityvulnerability.io/vulnerability/CVE-2025-0215,Reflected Cross-Site Scripting Vulnerability in UpdraftPlus Backup Plugin for WordPress,"The UpdraftPlus: WP Backup & Migration Plugin for WordPress is vulnerable to reflected cross-site scripting due to inadequate input sanitization and output escaping. Specifically, the safety of the showdata and initiate_restore parameters is compromised across all versions up to and including 1.24.12. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts into webpages. These scripts could be executed if an admin user is lured into clicking a malicious link, potentially leading to unauthorized actions and data breaches.",Wordpress,Updraftplus: WP Backup & Migration Plugin,6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,,false,false,false,,2025-01-15T22:23:32.852Z,0
CVE-2024-10957,https://securityvulnerability.io/vulnerability/CVE-2024-10957,PHP Object Injection Vulnerability in UpdraftPlus WordPress Backup & Migration Plugin,"The UpdraftPlus: WP Backup & Migration Plugin for WordPress contains a vulnerability associated with PHP Object Injection that affects all versions up to and including 1.24.11. The flaw arises from the deserialization of untrusted input in the 'recursive_unserialized_replace' function. Unauthenticated attackers can exploit this vulnerability, potentially enabling them to inject a malicious PHP object. The exploitation necessitates that an administrator performs a search and replace action, which can lead to the deletion of arbitrary files, retrieval of sensitive data, or code execution if any additional plugins or themes create a viable payload operation chain.",Wordpress,Updraftplus: WP Backup & Migration Plugin,8.8,HIGH,0.00044999999227002263,false,,false,false,false,,false,false,false,,2025-01-04T13:41:07.531Z,835
CVE-2023-32960,https://securityvulnerability.io/vulnerability/CVE-2023-32960,WordPress UpdraftPlus Plugin <= 1.23.3 is vulnerable to Cross Site Request Forgery (CSRF),"Cross-Site Request Forgery (CSRF) vulnerability in UpdraftPlus.Com, DavidAnderson UpdraftPlus WordPress Backup Plugin <= 1.23.3 versions leads to sitewide Cross-Site Scripting (XSS).",Wordpress,UpdraftPlus WordPress Backup Plugin,6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,,,false,false,,2023-06-22T13:15:00.000Z,0
CVE-2022-0864,https://securityvulnerability.io/vulnerability/CVE-2022-0864,UpdraftPlus < 1.22.9 - Reflected Cross-Site Scripting,"The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.22.9 does not sanitise and escape the updraft_interval parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting (XSS) vulnerability.",Wordpress,UpdraftPlus WordPress Backup Plugin,6.1,MEDIUM,0.005510000046342611,false,,false,false,false,,,false,false,,2022-04-04T15:35:53.000Z,0
CVE-2022-0633,https://securityvulnerability.io/vulnerability/CVE-2022-0633,UpdraftPlus Free < 1.22.3 & Premium < 2.22.3 - Subscriber+ Backup Download,"The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site (such as subscriber) to download the most recent site & database backup.",Wordpress,"UpdraftPlus WordPress Backup Plugin (Free),UpdraftPlus WordPress Backup Plugin (Premium)",6.5,MEDIUM,0.005880000069737434,false,,false,false,false,,,false,false,,2022-02-17T18:45:11.000Z,0
CVE-2021-25089,https://securityvulnerability.io/vulnerability/CVE-2021-25089,UpdraftPlus < 1.16.69 - Reflected Cross-Site Scripting,"The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.69 does not sanitise and escape the updraft_restore parameter before outputting it back in the Restore page, leading to a Reflected Cross-Site Scripting",Wordpress,Updraftplus WordPress Backup Plugin,6.1,MEDIUM,0.0007999999797903001,false,,false,false,false,,,false,false,,2022-02-01T12:21:37.000Z,0
CVE-2021-24423,https://securityvulnerability.io/vulnerability/CVE-2021-24423,UpdraftPlus < 1.16.59 - Admin+ Stored Cross-Site Scripting,"The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.6.59 does not sanitise its updraft_service settings, allowing high privilege users to set malicious JavaScript payload in it and leading to a Stored Cross-Site Scripting issue",Wordpress,Updraftplus WordPress Backup Plugin,4.8,MEDIUM,0.000539999979082495,false,,false,false,false,,,false,false,,2022-01-24T08:00:45.000Z,0
CVE-2021-25022,https://securityvulnerability.io/vulnerability/CVE-2021-25022,UpdraftPlus < 1.16.66 - Reflected Cross-Site Scripting,"The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.66 does not sanitise and escape the backup_timestamp and job_id parameter before outputting then back in admin pages, leading to Reflected Cross-Site Scripting issues",Wordpress,Updraftplus WordPress Backup Plugin,6.1,MEDIUM,0.0008500000112690032,false,,false,false,false,,,false,false,,2022-01-03T12:49:15.000Z,0
CVE-2015-9360,https://securityvulnerability.io/vulnerability/CVE-2015-9360,Cross-Site Scripting Vulnerability in UpdraftPlus Plugin for WordPress,"The UpdraftPlus plugin for WordPress, prior to version 1.9.64, is susceptible to a Cross-Site Scripting (XSS) vulnerability. This issue arises from improper handling of parameters in the add_query_arg() and remove_query_arg() functions, allowing attackers to inject malicious scripts into the input fields. Exploiting this vulnerability can lead to unauthorized actions being executed in the context of another user, ultimately compromising the integrity of web applications using this plugin. Users are strongly advised to update to the latest version to mitigate this risk.",Wordpress,Updraftplus,6.1,MEDIUM,0.0006600000197067857,false,,false,false,false,,,false,false,,2019-08-28T11:50:44.000Z,0
CVE-2017-18593,https://securityvulnerability.io/vulnerability/CVE-2017-18593,Cross-Site Scripting in UpdraftPlus Plugin Affects WordPress,"The UpdraftPlus plugin for WordPress, specifically versions prior to 1.13.5, is susceptible to a Cross-Site Scripting (XSS) vulnerability. In certain scenarios, an attacker can manipulate a string that is logged to the log file, allowing for the injection of malicious scripts. If exploited, this vulnerability could enable an attacker to execute arbitrary scripts in the context of the user's browser, potentially leading to session hijacking or other attacks against users accessing the affected site.",Wordpress,Updraftplus,6.1,MEDIUM,0.0006200000061653554,false,,false,false,false,,,false,false,,2019-08-28T11:18:17.000Z,0
CVE-2017-16870,https://securityvulnerability.io/vulnerability/CVE-2017-16870,,The UpdraftPlus plugin through 1.13.12 for WordPress has SSRF in the updraft_ajax_handler function in /wp-content/plugins/updraftplus/admin.php via an httpget subaction. NOTE: the vendor reports that this does not cross a privilege boundary,Wordpress,Updraftplus,8.1,HIGH,0.004689999856054783,false,,false,false,false,,,false,false,,2017-11-17T09:00:00.000Z,0
CVE-2017-16871,https://securityvulnerability.io/vulnerability/CVE-2017-16871,,The UpdraftPlus plugin through 1.13.12 for WordPress allows remote PHP code execution because the plupload_action function in /wp-content/plugins/updraftplus/admin.php has a race condition before deleting a file associated with the name parameter. NOTE: the vendor reports that this does not cross a privilege boundary,Wordpress,Updraftplus,8.1,HIGH,0.00443999981507659,false,,false,false,false,,,false,false,,2017-11-17T09:00:00.000Z,0