Export limit exceeded: 329779 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (329779 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-29512 | 1 Nodebb | 1 Nodebb | 2025-04-23 | 6.1 Medium |
| Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code and potentially render the blacklist IP functionality unusable until content is removed via the database. | ||||
| CVE-2024-1720 | 1 Wpeverest | 1 User Registration \& Membership | 2025-04-23 | 4.7 Medium |
| The User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Display Name' parameter in all versions up to, and including, 3.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability requires social engineering to successfully exploit, and the impact would be very limited due to the attacker requiring a user to login as the user with the injected payload for execution. | ||||
| CVE-2025-29513 | 1 Nodebb | 1 Nodebb | 2025-04-23 | 6.1 Medium |
| Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code in the admin API Access token generator. | ||||
| CVE-2023-5798 | 1 Fastlinemedia | 1 Assistant | 2025-04-23 | 8.8 High |
| The Assistant WordPress plugin before 1.4.4 does not validate a parameter before making a request to it via wp_remote_get(), which could allow users with a role as low as Editor to perform SSRF attacks | ||||
| CVE-2023-5561 | 1 Wordpress | 1 Wordpress | 2025-04-23 | 5.3 Medium |
| WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack | ||||
| CVE-2023-5519 | 1 Metagauss | 1 Eventprime | 2025-04-23 | 4.3 Medium |
| The EventPrime WordPress plugin before 3.2.0 does not have CSRF checks when creating bookings, which could allow attackers to make logged in users create unwanted bookings via CSRF attacks. | ||||
| CVE-2023-5243 | 1 Login Screen Manager Project | 1 Login Screen Manager | 2025-04-23 | 4.8 Medium |
| The Login Screen Manager WordPress plugin through 3.5.2 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2023-5229 | 1 E2pdf | 1 E2pdf | 2025-04-23 | 4.8 Medium |
| The E2Pdf WordPress plugin before 1.20.20 does not sanitize and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2023-5177 | 1 Maurice | 1 Vrm360 | 2025-04-23 | 5.3 Medium |
| The Vrm 360 3D Model Viewer WordPress plugin through 1.2.1 exposes the full path of a file when putting in a non-existent file in a parameter of the shortcode. | ||||
| CVE-2023-5167 | 1 Solwininfotech | 1 User Activity Log | 2025-04-23 | 5.4 Medium |
| The User Activity Log Pro WordPress plugin before 2.3.4 does not properly escape recorded User-Agents in the user activity logs dashboard, which may allow visitors to conduct Stored Cross-Site Scripting attacks. | ||||
| CVE-2023-5133 | 1 Solwininfotech | 1 User Activity Log | 2025-04-23 | 7.5 High |
| This user-activity-log-pro WordPress plugin before 2.3.4 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic. | ||||
| CVE-2023-5098 | 1 Fatcatapps | 1 Campaign Monitor Optin Cat | 2025-04-23 | 8.1 High |
| The Campaign Monitor Forms by Optin Cat WordPress plugin before 2.5.6 does not prevent users with low privileges (like subscribers) from overwriting any options on a site with the string "true", which could lead to a variety of outcomes, including DoS. | ||||
| CVE-2023-5089 | 1 Wpmudev | 1 Defender Security | 2025-04-23 | 5.3 Medium |
| The Defender Security WordPress plugin before 4.1.0 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the login page, even when the hide login page functionality of the plugin is enabled. | ||||
| CVE-2023-5087 | 1 Pagelayer | 1 Pagelayer | 2025-04-23 | 5.4 Medium |
| The Page Builder: Pagelayer WordPress plugin before 1.7.8 doesn't prevent attackers with author privileges and higher from inserting malicious JavaScript inside a post's header or footer code. | ||||
| CVE-2023-5003 | 1 Miniorange | 1 Active Directory Integration \/ Ldap Integration | 2025-04-23 | 7.5 High |
| The Active Directory Integration / LDAP Integration WordPress plugin before 4.1.10 stores sensitive LDAP logs in a buffer file when an administrator wants to export said logs. Unfortunately, this log file is never removed, and remains accessible to any users knowing the URL to do so. | ||||
| CVE-2023-51771 | 1 Starnight | 1 Micro Http Server | 2025-04-23 | 9.8 Critical |
| In MicroHttpServer (aka Micro HTTP Server) through a8ab029, _ParseHeader in lib/server.c allows a one-byte recv buffer overflow via a long URI. | ||||
| CVE-2023-51707 | 1 Arraynetworks | 3 Ag, Arrayos Ag, Vxag | 2025-04-23 | 9.8 Critical |
| MotionPro in Array ArrayOS AG before 9.4.0.505 on AG and vxAG allows remote command execution via crafted packets. AG and vxAG 9.3.0.259.x are unaffected. | ||||
| CVE-2023-51104 | 1 Artifex | 1 Mupdf | 2025-04-23 | 7.5 High |
| A floating point exception (divide-by-zero) vulnerability was discovered in Artifex MuPDF 1.23.4 in function pnm_binary_read_image() of load-pnm.c when span equals zero. | ||||
| CVE-2023-4971 | 1 Weavertheme | 1 Weaver Xtreme Theme Support | 2025-04-23 | 7.2 High |
| The Weaver Xtreme Theme Support WordPress plugin before 6.3.1 unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import a malicious file and a suitable gadget chain is present on the blog. | ||||
| CVE-2023-4950 | 1 Funnelforms | 1 Funnelforms | 2025-04-23 | 6.1 Medium |
| The Interactive Contact Form and Multi Step Form Builder WordPress plugin before 3.4 does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks | ||||