CVE-2025-1665
The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin’s shortcodes in all versions up to, and including, 3.11.14 due to insufficient input sanitization and output...
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in torsteino PostMash allows SQL Injection. This issue affects PostMash: from n/a through 1.0.3. Assigner : audit@patchstack.com More information : https://patchstack.com/database/wordpress/plugin/postmash-custom/vulnerability/wordpress-postmash-1-0-3-sql-injection-vulnerability?_s_id=cve
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Parakoos Image Wall allows Reflected XSS. This issue affects Image Wall: from n/a through 3.0. Assigner : audit@patchstack.com More information : https://patchstack.com/database/wordpress/plugin/image-wall/vulnerability/wordpress-image-wall-plugin-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in randyjensen RJ Quickcharts allows SQL Injection. This issue affects RJ Quickcharts: from n/a through 0.6.1. Assigner : audit@patchstack.com More information...
The Gutentor WordPress plugin before 3.4.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks. Assigner : contact@wpscan.com More information : https://wpscan.com/vulnerability/f1414750-19ee-4a5d-b255-a9c20168b716/
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Ays Pro Quiz Maker allows SQL Injection. This issue affects Quiz Maker: from n/a through 6.6.8.7. Assigner : audit@patchstack.com More...
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in WP Travel Engine WP Travel Engine allows PHP Local File Inclusion. This issue affects WP Travel Engine: from...
Deserialization of Untrusted Data vulnerability in MDJM MDJM Event Management allows Object Injection. This issue affects MDJM Event Management: from n/a through 1.7.5.2. Assigner : audit@patchstack.com More information : https://patchstack.com/database/wordpress/plugin/mobile-dj-manager/vulnerability/wordpress-mdjm-event-management-plugin-1-7-5-2-php-object-injection-vulnerability?_s_id=cve
The Lana Downloads Manager WordPress plugin before 1.10.0 does not validate user input used in a path, which could allow users with an admin role to perform path traversal attacks and download arbitrary files...
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in WP Shuffle Subscribe to Download Lite allows PHP Local File Inclusion. This issue affects Subscribe to Download Lite:...
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Ads by WPQuads Ads by WPQuads allows SQL Injection. This issue affects Ads by WPQuads: from n/a through 2.0.87.1. Assigner...
Deserialization of Untrusted Data vulnerability in sunshinephotocart Sunshine Photo Cart allows Object Injection. This issue affects Sunshine Photo Cart: from n/a through 3.4.10. Assigner : audit@patchstack.com More information : https://patchstack.com/database/wordpress/plugin/sunshine-photo-cart/vulnerability/wordpress-sunshine-photo-cart-3-4-10-php-object-injection-vulnerability?_s_id=cve
Authentication Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos allows Authentication Abuse. This issue affects Vitepos: from n/a through 3.1.4. Assigner : audit@patchstack.com More information : https://patchstack.com/database/wordpress/plugin/vitepos-lite/vulnerability/wordpress-vitepos-plugin-3-1-4-broken-authentication-vulnerability?_s_id=cve
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in Property Hive Houzez Property Feed allows Path Traversal. This issue affects Houzez Property Feed: from n/a through 2.5.4. Assigner : audit@patchstack.com...