Wpengine

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-3901 1Wpengine 1Genesis Blocks Nov 13, 2025 May 15, 2025 N/A· v4 6.8 MEDIUM· v3 N/A· v2 The Genesis Blocks WordPress plugin through 3.1.3 does not properly escape attributes provided to some of its custom blocks, making it possible for users allowed to write posts (like those with the contributor role) to c...Show more The Genesis Blocks WordPress plugin through 3.1.3 does not properly escape attributes provided to some of its custom blocks, making it possible for users allowed to write posts (like those with the contributor role) to conduct Stored XSS attacks.Show less
CVE-2024-45429 1Wpengine 1Advanced Custom Fields Mar 25, 2025 Sep 4, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Cross-site scripting vulnerability exists in Advanced Custom Fields versions 6.3.5 and earlier and Advanced Custom Fields Pro versions 6.3.5 and earlier. If an attacker with the 'capability' setting privilege which is se...Show more Cross-site scripting vulnerability exists in Advanced Custom Fields versions 6.3.5 and earlier and Advanced Custom Fields Pro versions 6.3.5 and earlier. If an attacker with the 'capability' setting privilege which is set in the product settings stores an arbitrary script in the field label, the script may be executed on the web browser of the logged-in user with the same privilege as the attacker's.Show less
CVE-2024-3563 1Wpengine 1Genesis Blocks Apr 8, 2026 Jul 9, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Genesis Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Sharing block in all versions up to, and including, 3.1.3 due to insufficient input sanitization and output escaping o...Show more The Genesis Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Sharing block in all versions up to, and including, 3.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-3901 is a duplicate of this issue.Show less
CVE-2024-2761 1Wpengine 1Genesis Blocks May 30, 2025 Apr 19, 2024 N/A· v4 6.8 MEDIUM· v3 N/A· v2 The Genesis Blocks WordPress plugin before 3.1.3 does not properly escape data input provided to some of its blocks, allowing using with at least contributor privileges to conduct Stored XSS attacks.
CVE-2023-6933 1Wpengine 1Better Search Replace Apr 8, 2026 Feb 5, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attacker...Show more The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.Show less
CVE-2022-1563 1Wpengine 1Wpgraphql Jun 20, 2025 Jan 16, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 The WPGraphQL WooCommerce WordPress plugin before 0.12.4 does not prevent unauthenticated attackers from enumerating a shop's coupon codes and values via GraphQL.
CVE-2023-23684 1Wpengine 1Wpgraphql Apr 28, 2026 Nov 13, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Server-Side Request Forgery (SSRF) vulnerability in WPGraphQL.This issue affects WPGraphQL: from n/a through 1.14.5.
CVE-2023-24421 1Wpengine 1Php Compatibility Checker Nov 21, 2024 Jul 11, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in WP Engine PHP Compatibility Checker plugin <= 1.5.2 versions.
CVE-2019-9881 1Wpengine 1Wpgraphql Nov 21, 2024 Jun 10, 2019 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.
CVE-2019-9880 1Wpengine 1Wpgraphql Nov 21, 2024 Jun 10, 2019 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role...Show more An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username.Show less
CVE-2019-9879 1Wpengine 1Wpgraphql Nov 21, 2024 Jun 10, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever new user registrations are allowed. This is related to the registerUser mutation.