FULL. scan security - scan your WordPress site and find vulnerabilities

Showing 100 of 701 threats
Filter: Theme
Columns: Type | Software | Vulnerability | Discovered | Severity
CVE-2024-4943 | Theme: not specified | Discovered: 21/05/2024 | Severity: Medium (6.4)
The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'has_field_link_rel' parameter in all versions up to, and including, 2.0.46 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-4158 | Theme: not specified | Discovered: 14/05/2024 | Severity: Medium (6.4)
The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tagName' parameter in versions up to, and including, 2.0.42 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-3806 | Theme: not specified | Discovered: 14/05/2024 | Severity: Critical (9.8)
The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via the 'porto_ajax_posts' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP file types can be uploaded and included.

CVE-2024-3807 | Theme: not specified | Discovered: 14/05/2024 | Severity: High (8.8)
The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via the 'porto_page_header_shortcode_type', 'slideshow_type' and 'post_layout' post meta. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP file types can be uploaded and included. This was partially patched in version 7.1.0 and fully patched in version 7.1.1.

CVE-2024-4034 | Theme: not specified | Discovered: 02/05/2024 | Severity: Medium (6.4)
The Virtue theme for WordPress is vulnerable to Stored Cross-Site Scripting via a Post Author's name in all versions up to, and including, 3.4.8 due to insufficient input sanitization and output escaping when the latest posts feature is enabled on the homepage. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-3747 | Theme: not specified | Discovered: 02/05/2024 | Severity: Medium (6.4)
The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the className parameter in the About Me block in all versions up to, and including, 2.0.39 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-3867 | Theme: not specified | Discovered: 16/04/2024 | Severity: Medium (6.1)
The archive-tainacan-collection theme for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in version 2.7.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVE-2024-2343 | Theme: not specified | Discovered: 09/04/2024 | Severity: Medium (6.4)
The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.11.6 via the form_to_url_action function. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.

CVE-2024-2344 | Theme: not specified | Discovered: 09/04/2024 | Severity: High (7.2)
The Avada theme for WordPress is vulnerable to SQL Injection via the 'entry' parameter in all versions up to, and including, 7.11.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE-2024-2347 | Theme: not specified | Discovered: 09/04/2024 | Severity: Medium (6.4)
The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name in all versions up to, and including, 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-2340 | Theme: not specified | Discovered: 09/04/2024 | Severity: Medium (5.3)
The Avada theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.11.6 via the '/wp-content/uploads/fusion-forms/' directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via an Avada-created form with a file upload mechanism.

CVE-2024-1984 | Theme: not specified | Discovered: 09/04/2024 | Severity: Medium (5.3)
The Graphene theme for WordPress is vulnerable to unauthorized access of data via meta tag in all versions up to, and including, 2.9.2. This makes it possible for unauthenticated individuals to obtain post contents of password protected posts via the generated source.

CVE-2024-1587 | Theme: not specified | Discovered: 09/04/2024 | Severity: Medium (5.3)
The Newsmatic theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.0 via the 'newsmatic_filter_posts_load_tab_content'. This makes it possible for unauthenticated attackers to view draft posts and post content.

CVE-2024-2848 | Theme: not specified | Discovered: 29/03/2024 | Severity: High (7.5)
The Responsive theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_footer_text_callback function in all versions up to, and including, 5.0.2. This makes it possible for unauthenticated attackers to inject arbitrary HTML content into the site's footer.

CVE-2024-2476 | Theme: not specified | Discovered: 29/03/2024 | Severity: Medium (4.3)
The OceanWP theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_theme_panel_pane function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to expose sensitive information such as system/environment data and API keys.

CVE-2024-2962 | Theme: not specified | Discovered: 27/03/2024 | Severity: Medium (5.3)
The Networker - Tech News WordPress Theme with Dark Mode theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the admin_reload_nav_menu() function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to modify the location of display menus.

CVE-2024-2500 | Theme: not specified | Discovered: 21/03/2024 | Severity: Medium (6.4)
The ColorMag theme for WordPress is vulnerable to Stored Cross-Site Scripting via a user's Display Name in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-1668 | Theme: not specified | Discovered: 13/03/2024 | Severity: Medium (6.5)
The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 7.11.5 via the form entries page. This makes it possible for authenticated attackers, with contributor access and above, to view the contents of all form submissions, including fields that are obfuscated (such as the contact form's "password" field).

CVE-2024-2107 | Theme: not specified | Discovered: 12/03/2024 | Severity: Medium (5.8)
The Blossom Spa theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.4 via generated source. This makes it possible for unauthenticated attackers to extract sensitive data including contents of password-protected or scheduled posts.

CVE-2024-1771 | Theme: not specified | Discovered: 06/03/2024 | Severity: Medium (5.3)
The Total theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the total_order_sections() function in all versions up to, and including, 2.1.59. This makes it possible for authenticated attackers, with subscriber-level access and above, to repeat sections on the homepage.
CVE-2024-1468 | Theme: not specified | Discovered: 29/02/2024 | Severity: High (8.8)
The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_import_options() function in all versions up to, and including, 7.11.4. This makes it possible for authenticated attackers, with contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVE-2024-1943 | Theme: not specified | Discovered: 28/02/2024 | Severity: Medium (4.3)
The Yuki theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.14. This is due to missing or incorrect nonce validation on the reset_customizer_options() function. This makes it possible for unauthenticated attackers to reset the theme's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2024-1388 | Theme: not specified | Discovered: 28/02/2024 | Severity: Medium (4.3)
The Yuki theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_customizer_options() function in all versions up to, and including, 1.3.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to reset the theme's settings.

CVE-2023-4826 | Theme: not specified | Discovered: 23/02/2024 | Severity: Not rated (---)
The SocialDriver WordPress theme before version 2024 has a prototype pollution vulnerability that could allow an attacker to inject arbitrary properties resulting in a cross-site scripting (XSS) attack.

CVE-2024-0835 | Theme: not specified | Discovered: 05/02/2024 | Severity: Medium (4.3)
The Royal Elementor Kit theme for WordPress is vulnerable to unauthorized arbitrary transient update due to a missing capability check on the dismissed_handler function in all versions up to, and including, 1.0.116. This makes it possible for authenticated attackers, with subscriber access or higher, to update arbitrary transients. Note that these transients can only be updated to true and not to arbitrary values.

CVE-2023-3771 | Theme: not specified | Discovered: 16/01/2024 | Severity: Medium (6.1)
The T1 WordPress theme through 19.0 is vulnerable to an unauthenticated open redirect with which any attacker can redirect users to arbitrary websites.

CVE-2023-49187 | Theme: not specified | Discovered: 15/12/2023 | Severity: Medium (6.1)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spoonthemes Adifier - Classified Ads WordPress Theme allows Reflected XSS. This issue affects Adifier - Classified Ads WordPress Theme: from n/a before 3.1.4.

CVE-2023-36529 | Theme: not specified | Discovered: 03/11/2023 | Severity: Critical (9.8)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Favethemes Houzez - Real Estate WordPress Theme allows SQL Injection. This issue affects Houzez - Real Estate WordPress Theme: from n/a through 1.3.4.

CVE-2023-3933 | Theme: not specified | Discovered: 20/10/2023 | Severity: Medium (6.1)
The Your Journey theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVE-2023-3962 | Theme: not specified | Discovered: 20/10/2023 | Severity: Medium (6.1)
The Winters theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2023-3965 | Theme: not specified | Discovered: 20/10/2023 | Severity: Medium (6.1)
The nsc theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVE-2020-36753 | Theme: not specified | Discovered: 20/10/2023 | Severity: Medium (4.3)
The Hueman theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.6.3. This is due to missing or incorrect nonce validation on the save_meta_box() function. This makes it possible for unauthenticated attackers to save metabox data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2020-36755 | Theme: not specified | Discovered: 20/10/2023 | Severity: Medium (4.3)
The Customizr theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.3.0. This is due to missing or incorrect nonce validation on the czr_fn_post_fields_save() function. This makes it possible for unauthenticated attackers to post fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-2813 | Theme: not specified | Discovered: 04/09/2023 | Severity: Medium (6.1)
All of the following themes suffer from the same issue: Aapna WordPress theme through 1.3, Anand WordPress theme through 1.2, Anfaust WordPress theme through 1.1, Arendelle WordPress theme before 1.1.13, Atlast Business WordPress theme through 1.5.8.5, Bazaar Lite WordPress theme before 1.8.6, Brain Power WordPress theme through 1.2, BunnyPressLite WordPress theme before 2.1, Cafe Bistro WordPress theme before 1.1.4, College WordPress theme before 1.5.1, Connections Reloaded WordPress theme through 3.1, Counterpoint WordPress theme through 1.8.1, Digitally WordPress theme through 1.0.8, Directory WordPress theme before 3.0.2, Drop WordPress theme before 1.22, Everse WordPress theme before 1.2.4, Fashionable Store WordPress theme through 1.3.4, Fullbase WordPress theme before 1.2.1, Ilex WordPress theme before 1.4.2, Js O3 Lite WordPress theme through 1.5.8.2, Js Paper WordPress theme through 2.5.7, Kata WordPress theme before 1.2.9, Kata App WordPress theme through 1.0.5, Kata Business WordPress theme through 1.0.2, Looki Lite WordPress theme before 1.3.0, moseter WordPress theme through 1.3.1, Nokke WordPress theme before 1.2.4, Nothing Personal WordPress theme through 1.0.7, Offset Writing WordPress theme through 1.2, Opor Ayam WordPress theme through 18, Pinzolo WordPress theme before 1.2.10, Plato WordPress theme before 1.1.9, Polka Dots WordPress theme through 1.2, Purity Of Soul WordPress theme through 1.9, Restaurant PT WordPress theme before 1.1.3, Saul WordPress theme before 1.1.0, Sean Lite WordPress theme before 1.4.6, Tantyyellow WordPress theme through 1.0.0.5, TIJAJI WordPress theme through 1.43, Tiki Time WordPress theme through 1.3, Tuaug4 WordPress theme through 1.4, Tydskrif WordPress theme through 1.1.3, UltraLight WordPress theme through 1.2, Venice Lite WordPress theme before 1.5.5, Viala WordPress theme through 1.3.1, viburno WordPress theme before 1.3.2, Wedding Bride WordPress theme before 1.0.2, Wlow WordPress theme before 1.2.7. The search box reflects the results, causing XSS, which allows an unauthenticated attacker to exploit users if they click a malicious link.

CVE-2023-3708 | Theme: not specified | Discovered: 18/07/2023 | Severity: Medium (6.1)
Several themes for WordPress by DeoThemes are vulnerable to Reflected Cross-Site Scripting via breadcrumbs in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVE-2023-29430 | Theme: not specified | Discovered: 26/06/2023 | Severity: Medium (6.1)
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CTHthemes TheRoof theme <= 1.0.3 versions.

CVE-2023-28418 | Theme: not specified | Discovered: 22/06/2023 | Severity: Medium (5.4)
Auth. (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Yudlee themes Mediciti Lite theme <= 1.3.0 versions.

CVE-2023-32239 | Theme: not specified | Discovered: 22/06/2023 | Severity: Medium (5.4)
Auth. (subscriber+) Stored Cross-Site Scripting (XSS) vulnerability in xtemos WoodMart theme <= 7.2.1 versions.

CVE-2023-28171 | Theme: not specified | Discovered: 22/06/2023 | Severity: Medium (5.4)
Auth. (subscriber+) Stored Cross-Site Scripting (XSS) vulnerability in WP Chill Brilliance theme <= 1.3.1 versions.

CVE-2023-27420 | Theme: not specified | Discovered: 16/06/2023 | Severity: Medium (6.1)
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Everest Themes Arya Multipurpose theme <= 1.0.5 versions.
CVE-2020-36704 | Theme: not specified | Discovered: 06/06/2023 | Severity: Medium (5.4)
The Fruitful Theme for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters stored via the fruitful_theme_options_action AJAX action in versions up to, and including, 3.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2020-36708 | Theme: not specified | Discovered: 06/06/2023 | Severity: Critical (9.8)
The following themes for WordPress are vulnerable to Function Injection in versions up to and including Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2, Newspaper X <= 1.3.1, Pixova Lite <= 2.0.5, Brilliance <= 1.2.7, MedZone Lite <= 1.2.4, Regina Lite <= 2.0.4, Transcend <= 1.1.8, Affluent <= 1.1.0, Bonkers <= 1.0.4, Antreas <= 1.0.2, Sparkling <= 2.4.8, and NatureMag Lite <= 1.0.4. This is due to epsilon_framework_ajax_action. This makes it possible for unauthenticated attackers to call functions and achieve remote code execution.

CVE-2020-36711 | Theme: not specified | Discovered: 06/06/2023 | Severity: Medium (5.4)
The Avada theme for WordPress is vulnerable to Stored Cross-Site Scripting via the update_layout function in versions up to, and including, 6.2.3 due to insufficient input sanitization and output escaping. This makes it possible for contributor-level attackers, and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2019-25142 | Theme: not specified | Discovered: 06/06/2023 | Severity: High (8.8)
The Mesmerize & Materialis themes for WordPress are vulnerable to authenticated options change in versions up to, and including, 1.6.89 (Mesmerize) and 1.0.172 (Materialis). This is due to the 'companion_disable_popup' function only checking the nonce while sending user input to the 'update_option' function. This makes it possible for authenticated attackers to change otherwise restricted options.

CVE-2023-25447 | Theme: not specified | Discovered: 22/05/2023 | Severity: High (8.8)
Cross-Site Request Forgery (CSRF) vulnerability in Inkthemescom ColorWay theme <= 4.2.3 versions.

CVE-2023-29101 | Theme: not specified | Discovered: 10/05/2023 | Severity: Medium (6.1)
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Muffingroup Betheme theme <= 26.7.5 versions.

CVE-2023-27419 | Theme: not specified | Discovered: 10/05/2023 | Severity: Medium (6.1)
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Everest themes Viable Blog theme <= 1.1.4 versions.

CVE-2023-28493 | Theme: not specified | Discovered: 08/05/2023 | Severity: Medium (5.4)
Auth. (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Macho Themes NewsMag theme <= 2.4.4 versions.

CVE-2023-25961 | Theme: not specified | Discovered: 04/05/2023 | Severity: Medium (6.1)
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Catch Themes Darcie theme <= 1.1.5 versions.

CVE-2023-27619 | Theme: not specified | Discovered: 25/04/2023 | Severity: Medium (5.4)
Auth. (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Macho Themes Regina Lite theme <= 2.0.7 versions.
CVE-2022-45849 | Theme: not specified | Discovered: 16/04/2023 | Severity: Medium (5.4)
Auth. (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Silkalns Activello theme <= 1.4.4 versions.

CVE-2022-45358 | Theme: not specified | Discovered: 13/04/2023 | Severity: Medium (5.4)
Auth. (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Silkalns Activello theme <= 1.4.4 versions.

CVE-2023-25041 | Theme: not specified | Discovered: 07/04/2023 | Severity: Medium (6.1)
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Cththemes Monolit theme <= 2.0.6 versions.

CVE-2023-29236 | Theme: not specified | Discovered: 07/04/2023 | Severity: Medium (6.1)
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Cththemes Outdoor theme <= 3.9.6 versions.

CVE-2022-47146 | Theme: not specified | Discovered: 27/03/2023 | Severity: Medium (6.1)
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Contempoinc Real Estate 7 WordPress theme <= 3.3.1 versions.

CVE-2022-0316 | Theme: not specified | Discovered: 23/01/2023 | Severity: Critical (9.8)
The WeStand WordPress theme before 2.1, footysquare WordPress theme, aidreform WordPress theme, statfort WordPress theme, club-theme WordPress theme, kingclub-theme WordPress theme, spikes WordPress theme, spikes-black WordPress theme, soundblast WordPress theme, and bolster WordPress theme from ChimpStudio and PixFill do not have any authorisation or upload validation in the lang_upload.php file, allowing any unauthenticated attacker to upload arbitrary files to the web server.

CVE-2022-45353 | Theme: not specified | Discovered: 14/01/2023 | Severity: High (8.1)
Broken Access Control in Betheme theme <= 26.6.1 on WordPress.

CVE-2022-4114 | Theme: not specified | Discovered: 02/01/2023 | Severity: Medium (5.4)
The Superio WordPress theme does not sanitise and escape some parameters, which could allow users with a role as low as a subscriber to perform Cross-Site Scripting attacks.

CVE-2022-4239 | Theme: not specified | Discovered: 26/12/2022 | Severity: Medium (6.5)
The Workreap WordPress theme before 2.6.4 does not verify that an addon service belongs to the user issuing the request, or indeed that it is an addon service, when processing the workreap_addons_service_remove action, allowing any user to delete any post by knowing or guessing the id.

CVE-2022-3921 | Theme: not specified | Discovered: 12/12/2022 | Severity: Critical (9.8)
The Listingo WordPress theme before 3.2.7 does not validate files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files and lead to RCE.
CVE-2022-3846 | Theme: not specified | Discovered: 05/12/2022 | Severity: High (7.5)
The Workreap WordPress theme before 2.6.3 has a vulnerability with the notifications feature as it's possible to read any user's notification (employer or freelancer) as the notification ID is brute-forceable.

CVE-2022-45363 | Theme: not specified | Discovered: 22/11/2022 | Severity: Medium (5.4)
Auth. (subscriber+) Stored Cross-Site Scripting (XSS) in Muffingroup Betheme theme <= 26.6.1 on WordPress.

CVE-2022-3861 | Theme: not specified | Discovered: 21/11/2022 | Severity: High (8.8)
The Betheme theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 26.5.1.4 via deserialization of untrusted input supplied via the import, mfn-items-import-page, and mfn-items-import parameters passed through the mfn_builder_import, mfn_builder_import_page, importdata, importsinglepage, and importfromclipboard functions. This makes it possible for authenticated attackers, with contributor level permissions and above, to inject a PHP Object. The additional presence of a POP chain would make it possible for attackers to execute code, retrieve sensitive data, delete files, etc.

CVE-2022-3401 | Theme: not specified | Discovered: 28/10/2022 | Severity: High (8.8)
The Bricks theme for WordPress is vulnerable to remote code execution due to the theme allowing site editors to include executable code blocks in website content in versions 1.2 to 1.5.3. This, combined with the missing authorization vulnerability (CVE-2022-3400), makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to edit any page, post, or template on the vulnerable WordPress website and inject a code execution block that can be used to achieve remote code execution.

CVE-2022-3400 | Theme: not specified | Discovered: 28/10/2022 | Severity: Medium (6.5)
The Bricks theme for WordPress is vulnerable to authorization bypass due to a missing capability check on the bricks_save_post AJAX action in versions 1.0 to 1.5.3. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to edit any page, post, or template on the vulnerable WordPress website.

CVE-2022-1323 | Theme: not specified | Discovered: 08/08/2022 | Severity: Medium (6.5)
The Discy WordPress theme before 5.0 lacks authorization checks when processing ajax requests to the discy_update_options action, allowing any logged in users (with privileges as low as Subscriber) to change Theme options by sending a crafted POST request.

CVE-2022-1167 | Theme: not specified | Discovered: 04/04/2022 | Severity: Medium (6.1)
There are unauthenticated reflected Cross-Site Scripting (XSS) vulnerabilities in CareerUp Careerup WordPress theme before 2.3.1, via the filter parameters.

CVE-2022-1170 | Theme: not specified | Discovered: 04/04/2022 | Severity: Medium (6.1)
In the Noo JobMonster WordPress theme before 4.5.2.9 there is an XSS vulnerability as the input for the search form is provided through unsanitized GET requests.

CVE-2020-36510 | Theme: not specified | Discovered: 28/02/2022 | Severity: Medium (6.1)
The 15Zine WordPress theme before 3.3.0 does not sanitise and escape the cbi parameter before outputting it back in the response via the cb_s_a AJAX action, leading to a Reflected Cross-Site Scripting.

CVE-2021-24840 | Theme: not specified | Discovered: 08/11/2021 | Severity: Medium (5.3)
The Squaretype WordPress theme before 3.0.4 allows unauthenticated users to manipulate the query_vars used to retrieve the posts to display in one of its REST endpoints, without any validation. As a result, private and scheduled posts could be retrieved via a crafted request.
CVE-2021-24719 | Theme: not specified | Discovered: 11/10/2021 | Severity: Medium (6.1)
The Enfold WordPress theme before 4.8.4 was vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability is present on Enfold versions prior to 4.8.4 which use Avia Page Builder.

CVE-2021-24499 | Theme: not specified | Discovered: 09/08/2021 | Severity: Critical (9.8)
The Workreap WordPress theme before 2.2.2 AJAX actions workreap_award_temp_file_uploader and workreap_temp_file_uploader did not perform nonce checks, or validate that the request is from a valid user in any other way. The endpoints allowed for uploading arbitrary files to the uploads/workreap-temp directory. Uploaded files were neither sanitized nor validated, allowing an unauthenticated visitor to upload executable code such as php scripts.

CVE-2021-24304 | Theme: not specified | Discovered: 09/08/2021 | Severity: Medium (6.1)
The Newsmag WordPress theme before 5.0 does not sanitise the td_block_id parameter in its td_ajax_block AJAX action, leading to an unauthenticated Reflected Cross-site Scripting (XSS) vulnerability.

CVE-2021-3135 | Theme: not specified | Discovered: 19/07/2021 | Severity: Medium (6.1)
An issue was discovered in the tagDiv Newspaper theme 10.3.9.1 for WordPress. It allows XSS via the wp-admin/admin-ajax.php td_block_id parameter in a td_ajax_block API call.

CVE-2021-24387 | Theme: not specified | Discovered: 06/07/2021 | Severity: Medium (6.1)
The WP Pro Real Estate 7 WordPress theme before 3.1.1 did not properly sanitise the ct_community parameter in its search listing page before outputting it back in it, leading to a reflected Cross-Site Scripting which can be triggered in both unauthenticated and authenticated user context.

Workreap - CVE-2021-24500 | Theme: Workreap | Discovered: 02/07/2021 | Severity: Not rated (8.1)
Multiple Cross-Site Request Forgery (CSRF) and Insecure Direct Object Reference (IDOR) vulnerabilities discovered by Harald Eilertsen (Jetpack) in the WordPress Workreap Premium theme (versions <= 2.2.1).

Workreap - CVE-2021-24501 | Theme: Workreap | Discovered: 02/07/2021 | Severity: Not rated (8.1)
Missing authorization checks in AJAX actions vulnerability discovered by Harald Eilertsen (Jetpack) in the WordPress Workreap Premium theme (versions <= 2.2.1).

CVE-2013-20002 | Theme: not specified | Discovered: 17/06/2021 | Severity: Critical (9.8)
Elemin allows remote attackers to upload and execute arbitrary PHP code via the Themify framework (before 1.2.2) wp-content/themes/elemin/themify/themify-ajax.php file.

Jannah - CVE-2021-24407 | Theme: Jannah | Discovered: 14/06/2021 | Severity: Not rated (4.7)
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Truoc Phan in the WordPress Jannah Premium theme (versions <= 5.4.4).

FoodBakery - CVE-2021-24389 | Theme: FoodBakery | Discovered: 10/06/2021 | Severity: Not rated (4.7)
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Truoc Phan in the WordPress FoodBakery Premium theme (versions <= 2.1).
Muza - FLL-64F391C5 | Theme: Muza | Discovered: 09/06/2021 | Severity: Not rated (7.2)
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by m0ze in the WordPress Muza Premium theme (versions <= 1.26).

FoodPicky - FLL-E92CB555 | Theme: FoodPicky | Discovered: 09/06/2021 | Severity: Not rated (7.2)
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by m0ze in the WordPress FoodPicky Premium theme (versions <= 1.27).

Kupon - FLL-1BC1E891 | Theme: Kupon | Discovered: 09/06/2021 | Severity: Not rated (7.2)
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by m0ze in the WordPress Kupon Premium theme (versions <= 1.27).

Doo - FLL-2F9A593F | Theme: Doo | Discovered: 09/06/2021 | Severity: Not rated (7.2)
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by m0ze in the WordPress Doo Premium theme (versions <= 1.25).

Motor - CVE-2021-24375 | Theme: Motor | Discovered: 09/06/2021 | Severity: Not rated (8.6)
Unauthenticated Local File Inclusion (LFI) vulnerability discovered by Harald Eilertsen (Jetpack) in the WordPress Motor Premium theme (versions <= 3.0).

Strong - FLL-5A98EAA3 | Theme: Strong | Discovered: 09/06/2021 | Severity: Not rated (7.2)
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by m0ze in the WordPress Strong Premium theme (versions <= 1.25).

Medican - FLL-26B281A5 | Theme: Medican | Discovered: 09/06/2021 | Severity: Not rated (7.2)
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by m0ze in the WordPress Medican Premium theme (versions <= 1.27).

Wisem - FLL-A2B95333 | Theme: Wisem | Discovered: 09/06/2021 | Severity: Not rated (7.2)
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by m0ze in the WordPress Wisem Premium theme (versions <= 1.26).

Loocall - FLL-89298926 | Theme: Loocall | Discovered: 09/06/2021 | Severity: Not rated (7.2)
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by m0ze in the WordPress Loocall Premium theme (versions <= 1.23).

Jannah - CVE-2021-24364 | Theme: Jannah | Discovered: 07/06/2021 | Severity: Not rated (4.7)
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Truoc Phan in the WordPress Jannah Premium theme (versions <= 5.4.3).
Real Estate 7 - FLL-B358C82F | Theme: Real Estate 7 | Discovered: 03/06/2021 | Severity: Not rated (7.2)
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by M0ZE (Patchstack Red Team) in the WordPress Real Estate 7 Premium theme (versions <= 3.1.0). Vulnerable parameter: "&ct_community=".

CVE-2021-24335 | Theme: not specified | Discovered: 01/06/2021 | Severity: Medium (6.1)
The Car Repair Services & Auto Mechanic WordPress theme before 4.0 did not properly sanitise its serviceestimatekey search parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue.

CVE-2021-24318 | Theme: not specified | Discovered: 01/06/2021 | Severity: Medium (6.5)
The Listeo WordPress theme before 1.6.11 did not ensure that the Post/Page and Booking to delete belong to the user making the request, allowing any authenticated users to delete arbitrary pages/posts and bookings via an IDOR vector.

CVE-2021-24317 | Theme: not specified | Discovered: 01/06/2021 | Severity: Medium (6.1)
The Listeo WordPress theme before 1.6.11 did not properly sanitise some parameters in its Search, Booking Confirmation and Personal Message pages, leading to Cross-Site Scripting issues.

CVE-2021-24321 | Theme: not specified | Discovered: 01/06/2021 | Severity: Critical (9.8)
The Bello - Directory & Listing WordPress theme before 1.6.0 did not sanitise the bt_bb_listing_field_price_range_to, bt_bb_listing_field_now_open, bt_bb_listing_field_my_lng, listing_list_view and bt_bb_listing_field_my_lat parameters before using them in a SQL statement, leading to SQL Injection issues.

CVE-2021-24319 | Theme: not specified | Discovered: 01/06/2021 | Severity: Medium (5.4)
The Bello - Directory & Listing WordPress theme before 1.6.0 did not properly sanitise its post_excerpt parameter before outputting it back in the shop/my-account/bello-listing-endpoint/ page, leading to a Cross-Site Scripting issue.

JNews - CVE-2021-24342 | Theme: JNews | Discovered: 24/05/2021 | Severity: Not rated (4.7)
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Truoc Phan in the WordPress JNews Premium theme (versions <= 8.0.5).

CVE-2021-24297 | Theme: not specified | Discovered: 24/05/2021 | Severity: Medium (6.1)
The Goto WordPress theme before 2.1 did not properly sanitize the formvalue JSON POST parameter in its tl_filter AJAX action, leading to an unauthenticated Reflected Cross-site Scripting (XSS) vulnerability.

CVE-2021-24314 | Theme: not specified | Discovered: 17/05/2021 | Severity: Critical (9.8)
The Goto WordPress theme before 2.1 did not sanitise, validate or escape the keywords GET parameter from its listing page before using it in a SQL statement, leading to an unauthenticated SQL injection issue.

Goto - FLL-DDD2FD08 | Theme: Goto | Discovered: 28/04/2021 | Severity: Critical (9.8)
Unauthenticated SQL Injection (SQLi) vulnerability discovered by M0ZE (Patchstack Red Team) in the WordPress Goto Premium theme (versions <= 2.0).