Wpexperts

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-6621 1Wpexperts 1Post Smtp Jun 18, 2025 Jan 3, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The POST SMTP WordPress plugin before 2.8.7 does not sanitise and escape the msg parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege use...Show more The POST SMTP WordPress plugin before 2.8.7 does not sanitise and escape the msg parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.Show less
CVE-2023-7027 1Wpexperts 1Post Smtp Apr 8, 2026 Jan 3, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘device’ header in all versions up to, and inclu...Show more The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘device’ header in all versions up to, and including, 2.8.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.Show less
CVE-2023-6629 1Wpexperts 1Post Smtp Apr 8, 2026 Jan 3, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘msg’ parameter in all versions up to, and in...Show more The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘msg’ parameter in all versions up to, and including, 2.8.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. CVE-2023-6621 appears to be a duplicate of this issue. CVE-2024-29128 appears to be a duplicate of this issue.Show less
CVE-2023-50902 1Wpexperts 1New User Approve Apr 28, 2026 Dec 29, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in WPExpertsio New User Approve.This issue affects New User Approve: from n/a through 2.5.1.
CVE-2023-49842 1Wpexperts 1Rocket Maintenance Mode & Coming Soon Page Apr 28, 2026 Dec 14, 2023 N/A· v4 4.8 MEDIUM· v3 N/A· v2 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpexpertsio Rocket Maintenance Mode & Coming Soon Page allows Stored XSS.This issue affects Rocket Maintenance Mode &...Show more Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpexpertsio Rocket Maintenance Mode & Coming Soon Page allows Stored XSS.This issue affects Rocket Maintenance Mode & Coming Soon Page: from n/a through 4.3.Show less
CVE-2023-47853 1Wpexperts 1Mycred Apr 28, 2026 Nov 30, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in myCred myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin allows Stored XSS.This issue affects myC...Show more Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in myCred myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin allows Stored XSS.This issue affects myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin: from n/a through 2.6.1.Show less
CVE-2023-48742 1Wpexperts 1License Manager For Woocommerce Apr 28, 2026 Nov 30, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LicenseManager License Manager for WooCommerce license-manager-for-woocommerce allows SQL Injection.This issue affects...Show more Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LicenseManager License Manager for WooCommerce license-manager-for-woocommerce allows SQL Injection.This issue affects License Manager for WooCommerce: from n/a through 2.2.10.Show less
CVE-2023-5958 1Wpexperts 1Post Smtp Jun 4, 2025 Nov 27, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The POST SMTP Mailer WordPress plugin before 2.7.1 does not escape email message content before displaying it in the backend, allowing an unauthenticated attacker to perform XSS attacks against highly privileged users.
CVE-2022-47181 1Wpexperts 1Email Templates Customizer And Designer Apr 28, 2026 Nov 7, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in wpexpertsio Email Templates Customizer and Designer for WordPress and WooCommerce email-templates allows Cross Site Request Forgery.This issue affects Email Templates Cu...Show more Cross-Site Request Forgery (CSRF) vulnerability in wpexpertsio Email Templates Customizer and Designer for WordPress and WooCommerce email-templates allows Cross Site Request Forgery.This issue affects Email Templates Customizer and Designer for WordPress and WooCommerce: from n/a through 1.4.2.Show less
CVE-2023-4798 1Wpexperts 1User Avatar Reloaded Nov 21, 2024 Oct 16, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The User Avatar WordPress plugin before 1.2.2 does not properly sanitize and escape certain of its shortcodes attributes, which could allow relatively low-privileged users like contributors to conduct Stored XSS attacks.
CVE-2023-3604 1Wpexperts 1All In One Login Jan 16, 2026 Aug 21, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 The Change WP Admin Login WordPress plugin before 1.1.4 discloses the URL of the hidden login page when accessing a crafted URL, bypassing the protection offered.
CVE-2023-3179 1Wpexperts 1Post Smtp Jun 4, 2025 Jul 17, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 The POST SMTP Mailer WordPress plugin before 2.5.7 does not have proper CSRF checks in some AJAX actions, which could allow attackers to make logged in users with the manage_postman_smtp capability resend an email to an...Show more The POST SMTP Mailer WordPress plugin before 2.5.7 does not have proper CSRF checks in some AJAX actions, which could allow attackers to make logged in users with the manage_postman_smtp capability resend an email to an arbitrary address (for example a password reset email could be resent to an attacker controlled email, and allow them to take over an account).Show less
CVE-2023-35096 1Wpexperts 1Mycred Apr 28, 2026 Jul 17, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in myCred plugin <= 2.5 versions.
CVE-2023-35038 1Wpexperts 1Wp Pdf Generator Nov 21, 2024 Jul 17, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in wpexperts.Io WP PDF Generator plugin <= 1.2.2 versions.
CVE-2021-4422 1Wpexperts 1Post Smtp Apr 8, 2026 Jul 12, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The POST SMTP Mailer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.20. This is due to missing or incorrect nonce validation on the handleCsvExport() function. This...Show more The POST SMTP Mailer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.20. This is due to missing or incorrect nonce validation on the handleCsvExport() function. This makes it possible for unauthenticated attackers to trigger a CSV export via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
CVE-2023-3082 1Wpexperts 1Post Smtp Apr 8, 2026 Jul 12, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The Post SMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email contents in versions up to, and including, 2.5.7 due to insufficient input sanitization and output escaping. This makes it possibl...Show more The Post SMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email contents in versions up to, and including, 2.5.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.Show less
CVE-2023-32580 1Wpexperts 1Password Protected Nov 21, 2024 Jun 23, 2023 N/A· v4 4.8 MEDIUM· v3 N/A· v2 Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WPExperts Password Protected plugin <= 2.6.2 versions.
CVE-2019-25150 1Wpexperts 1Email Templates Apr 8, 2026 Jun 7, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 The Email Templates plugin for WordPress is vulnerable to HTML Injection in versions up to, and including, 1.3. This makes it possible for attackers to present phishing forms or conduct cross-site request forgery attacks...Show more The Email Templates plugin for WordPress is vulnerable to HTML Injection in versions up to, and including, 1.3. This makes it possible for attackers to present phishing forms or conduct cross-site request forgery attacks against site administrators.Show less
CVE-2023-0152 1Wpexperts 1Wp Multi Store Locator Jan 8, 2025 Jun 5, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The WP Multi Store Locator WordPress plugin through 2.4 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with...Show more The WP Multi Store Locator WordPress plugin through 2.4 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacksShow less
CVE-2022-3237 1Wpexperts 1Wp Contact Slider May 6, 2025 Oct 31, 2022 N/A· v4 4.8 MEDIUM· v3 N/A· v2 The WP Contact Slider WordPress plugin before 2.4.8 does not sanitize and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability...Show more The WP Contact Slider WordPress plugin before 2.4.8 does not sanitize and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.Show less

Previous 123 Next