These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2021-47979 describes an authenticated arbitrary file deletion issue in the WordPress plugin Backup and Restore 1.0.3. According to the supplied CVE description and NVD data, an attacker can send crafted POST requests to admin-ajax.php and manipulate the file_name and folder_name parameters to delete files from the WordPress installation directory. Because file deletion can damage site availability and [truncated]
CVE-2021-47975 describes a stored cross-site scripting issue in WP Learn Manager 1.1.2. The supplied record says attacker-supplied content in the fieldtitle parameter can be posted to the jslm_fieldordering page and later execute in an administrator’s browser when the field ordering interface is viewed.
CVE-2021-47957 describes a stored cross-site scripting issue in the Cookie Law Bar WordPress plugin version 1.2.1. An authenticated attacker who can submit the plugin’s Bar Message content may store malicious script that later runs in the browsers of site visitors, putting visitor sessions and any data rendered on the affected page at risk.
CVE-2020-37233 describes a persistent cross-site scripting issue in the WordPress BuddyPress plugin, version 6.2.0. The supplied record indicates that an authenticated attacker with moderator privileges can place malicious script content into wp:html blocks via the figure parameter, and that the payload can execute when an administrator or other privileged user previews or views the affected content. Beca [truncated]
CVE-2022-50961 affects the WordPress IP2Location Country Blocker plugin 2.26.7 and is described as a stored cross-site scripting issue in the Frontend Settings interface. An authenticated user can place malicious JavaScript in the Display page settings URL field, and the script may execute when an administrator or other authenticated user opens the plugin settings page. The supplied NVD record classifies [truncated]
CVE-2022-50960 covers a reflected cross-site scripting issue in the WordPress plugin International Sms For Contact Form 7 Integration version 1.2. The supplied description says attacker-controlled input in the page parameter of class-sms-log-display.php can be used to execute arbitrary JavaScript in an administrator’s browser.
CVE-2022-50959 describes a reflected cross-site scripting issue in the WordPress Contact Form Builder plugin, version 1.6.1. The vulnerable behavior is tied to the form_id parameter in code_generator.php, where an attacker can supply a crafted URL that causes arbitrary JavaScript to run in a victim’s browser. Because the issue is unauthenticated and browser-triggered, the main risk is session theft, accou [truncated]
CVE-2022-50958 describes a reflected cross-site scripting issue in the WordPress Jetpack plugin, specifically at the grunion-form-view.php endpoint. The source record states that Jetpack 9.1 can be abused by unauthenticated attackers who manipulate the post_id parameter to inject script content that executes in a victim’s browser. Because this is a browser-side issue, the main exposure is session theft, c [truncated]
CVE-2022-50956 is an unauthenticated local file read affecting WordPress plugin amministrazione-aperta 3.7.3. The supplied record says insufficient validation of the open GET parameter in dispatcher.php lets an attacker supply file paths and read sensitive files accessible to the web server. Any deployment still using the plugin should treat this as a serious exposure risk because file disclosure can reve [truncated]
CVE-2022-50955 affects the WordPress Curtain plugin 1.0.2 and is described as a cross-site request forgery issue that can let an attacker toggle site maintenance mode by inducing an authenticated administrator to submit a forged request. The supplied corpus ties the issue to missing nonce validation on the options-general.php page and rates it Medium severity (CVSS 5.3).
CVE-2022-50954 is a local file inclusion flaw in the WordPress plugin cab-fare-calculator version 1.0.3. An unauthenticated attacker can manipulate the controller parameter in tblight.php to traverse paths outside the intended controllers directory and include unintended files. In practical terms, this can expose sensitive local files on the server and may also enable file inclusion behavior beyond normal [truncated]
CVE-2022-50947 is a stored cross-site scripting issue in the WordPress plugin Testimonial Slider and Showcase 2.2.6. According to the supplied record, an authenticated editor can place malicious script into the testimonial title field because the post_title parameter is not properly sanitized. When affected content is viewed, the script can execute in a browser, creating a risk of session abuse and other [truncated]
CVE-2021-47951 describes a stored cross-site scripting issue in WordPress Picture Gallery 1.4.2. An authenticated attacker can place malicious script content in the plugin’s Access Control settings via the Edit Content URL field, where it is stored and later executed when the affected functionality is used. The main security impact is browser-side compromise of other users’ sessions or credentials, especi [truncated]
CVE-2021-47948 affects the WordPress GetPaid plugin 2.4.6 and allows authenticated HTML injection through the Help Text field in payment forms. Because the submitted content is stored and later rendered in the browser without adequate escaping, injected markup can execute when the form is viewed, so the practical impact is that of stored cross-site scripting.
CVE-2021-47940 describes an unauthenticated arbitrary file upload issue in the WordPress plugin Download From Files version 1.48 and earlier. The vulnerable AJAX upload flow can be abused through the admin-ajax.php endpoint by manipulating the allowExt parameter to bypass file-type restrictions and place attacker-controlled files in the web root. Because the disclosed behavior includes uploading executabl [truncated]
CVE-2021-47933 is a critical unauthenticated arbitrary file upload issue affecting the MStore API WordPress plugin, described as allowing attackers to POST malicious files to a REST API endpoint and potentially reach remote code execution on vulnerable servers. The supplied NVD record maps the issue to CWE-306, and the record’s references point to the plugin page plus external VulnCheck and Exploit-DB mat [truncated]
CVE-2021-47924 describes a stored cross-site scripting issue in Ultimate Product Catalog 5.8.2. According to the supplied record, an authenticated attacker can submit a malicious value through the price parameter and have it execute when the affected product is viewed. The CVE entry was published and modified on 2026-05-10 in the supplied timeline.
CVE-2020-25213 is a remote code execution vulnerability in the WordPress File Manager Plugin that CISA included in its Known Exploited Vulnerabilities catalog on 2021-11-03. Because it is listed as actively exploited, organizations should treat exposed or unpatched installations as urgent remediation candidates and follow vendor update guidance.
CVE-2020-11738 is a file download vulnerability affecting the WordPress Snap Creek Duplicator Plugin. CISA added it to the Known Exploited Vulnerabilities catalog on 2021-11-03, which indicates confirmed exploitation and makes remediation a priority for any environment using the plugin.
CVE-2019-9978 is a Cross-Site Scripting (XSS) issue affecting the WordPress Social Warfare Plugin. CISA added it to the Known Exploited Vulnerabilities catalog on 2021-11-03, which indicates known exploitation and makes remediation urgent. CISA’s listed action is to apply updates per vendor instructions.
CVE-2016-6897 is a WordPress core cross-site request forgery (CSRF) issue in the wp_ajax_update_plugin handler. According to the CVE record, the bug could let a remote attacker abuse an authenticated browser session because the nonce check was performed too late in the request flow. NVD rates the issue at CVSS 6.5 (medium) and maps it to CWE-352. WordPress versions before 4.6 are listed as affected.
CVE-2016-6896 is an authenticated directory traversal issue in WordPress’s wp_ajax_update_plugin handler. An authenticated remote user can supply traversal sequences in the plugin parameter to wp-admin/admin-ajax.php, which can lead to reading certain text files or triggering denial-of-service conditions. The supplied NVD record classifies the issue as CWE-22 and rates it CVSS 7.1 (High).
CVE-2016-10148 is an access-control flaw in WordPress core’s wp_ajax_update_plugin handler. In affected versions before 4.6, the code called get_plugin_data before checking the update_plugins capability, which could let authenticated users access plugin information they should not have been able to read. NVD classifies affected WordPress versions through 4.5.5 and assigns a CVSS v3.0 score of 4.3 (MEDIUM) [truncated]
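The traversal and upload entries above (the open parameter in CVE-2022-50956, the controller parameter in CVE-2022-50954, the client-supplied allowExt list in CVE-2021-47940 and the plugin parameter in CVE-2016-6896) all come down to two server-side checks: a user-supplied path must be contained within the directory the code expects, and an upload extension allowlist must not be influenced by the client. The Python below is an added illustration of those two checks; it is not code from any of the affected plugins or from WordPress core, and the directory roots, allowlist contents and the client_allow_ext parameter are assumptions made for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed directory roots for the example; a real install takes these from configuration.
PLUGINS_DIR = "/var/www/html/wp-content/plugins"
CONTROLLERS_DIR = "/var/www/html/wp-content/plugins/cab-fare-calculator/controllers"

# Assumed server-side allowlist. It is never derived from request data such as allowExt.
UPLOAD_ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf"})
# Extensions that must not appear anywhere in an uploaded name, even as a middle part
# (shell.php.jpg), because some web servers dispatch on the first extension they recognise.
EXECUTABLE_EXTENSIONS = frozenset({"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"})


def resolve_within(base_dir: str, user_path: str) -> Optional[str]:
    """Return the absolute path named by user_path if it stays inside base_dir, else None.

    Percent-encoding is decoded exactly once (decoding in a loop re-opens the
    double-encoding bypasses this check exists to close). NUL bytes and absolute
    paths are rejected, '..' segments are normalised, and containment is checked
    with posixpath.commonpath rather than a string prefix, so a sibling such as
    base_dir + '2' is not accepted. On a live system, call os.path.realpath on the
    result and repeat the containment check to account for symlinks.
    """
    decoded = unquote(user_path)
    if not decoded or "\x00" in decoded or decoded.startswith("/"):
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    if candidate == base or posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


def upload_extension_allowed(filename: str, client_allow_ext: Optional[str] = None) -> bool:
    """Decide purely from the server-side allowlist.

    client_allow_ext stands in for a request parameter like allowExt in
    CVE-2021-47940; it is accepted so the call resembles the vulnerable flow and
    is deliberately never read.
    """
    del client_allow_ext  # untrusted input must not influence the decision
    name = posixpath.basename(unquote(filename))
    if "\x00" in name or "." not in name:
        return False
    parts = [p.lower() for p in name.split(".")[1:]]
    if any(p in EXECUTABLE_EXTENSIONS for p in parts):
        return False
    return parts[-1] in UPLOAD_ALLOWED_EXTENSIONS


if __name__ == "__main__":
    for raw in ("fare.php", "../../../../etc/passwd", "..%2F..%2Fwp-config.php", "%252e%252e/wp-config.php"):
        print(f"{raw!r:32} -> {resolve_within(CONTROLLERS_DIR, raw)}")
    for fname, allow in (("photo.png", None), ("shell.php", "php"), ("shell.php.jpg", None)):
        print(f"{fname!r:20} -> {upload_extension_allowed(fname, allow)}")
```

The double-encoded input is the instructive case: after one decode it is still the literal directory name %2e%2e, which stays inside the base and simply will not exist, so the check holds without a decode loop.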
CVE-2017-5493 is a WordPress Multisite vulnerability in which key generation in wp-includes/ms-functions.php did not use sufficiently random numbers. In affected WordPress versions before 4.7.1, a remote attacker could abuse crafted site or user signup flows to bypass intended access restrictions. WordPress addressed the issue in the 4.7.1 security and maintenance release.
CVE-2017-5492 is a cross-site request forgery issue in WordPress widget-editing accessibility mode. A remote attacker could trick an authenticated victim into submitting a widgets-access request without consent, potentially changing widget settings in the victim's session. WordPress addressed the issue in version 4.7.1.
CVE-2017-5491 affects WordPress versions before 4.7.1. The issue is described as a possible bypass of intended posting restrictions in wp-mail.php when an attacker uses a spoofed mail server whose name matches mail.example.com, so that controls on mail-based posting can be circumvented under those conditions. WordPress addressed the issue in the 4.7.1 security and maintenance release.
CVE-2017-5490 is a cross-site scripting (XSS) issue in WordPress versions before 4.7.1. The vulnerable path involves theme-name fallback handling in wp-includes/class-wp-theme.php, with related admin-side theme installer logic noted in wp-admin/includes/class-theme-installer-skin.php. A crafted theme directory name could be rendered into web output and allow arbitrary script or HTML injection. The NVD rec [truncated]
CVE-2017-5489 is a high-severity Cross-Site Request Forgery issue in WordPress versions before 4.7.1. The published record describes remote attackers potentially hijacking a victim’s authentication through vectors involving a Flash file upload. The NVD entry maps the issue to CWE-352 and a network-reachable, user-interaction-required attack surface, with vendor references pointing to the WordPress 4.7.1 s [truncated]
CVE-2017-5488 covers multiple cross-site scripting (XSS) issues in WordPress’s admin update flow. The vulnerable area is wp-admin/update-core.php, where plugin name or version header data could be injected into an admin-facing page; WordPress addressed the issue in 4.7.1.
CVE-2017-5487 is a WordPress 4.7 REST API information disclosure issue. According to the CVE record, the users controller did not properly restrict listings of post authors, allowing a remote attacker to obtain sensitive information through a wp-json/wp/v2/users request. The issue is rated medium severity and is fixed in WordPress 4.7.1.
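Several entries on this page describe request shapes that are visible in ordinary web server access logs: traversal sequences in the plugin parameter of admin-ajax.php (CVE-2016-6896), the open parameter of dispatcher.php (CVE-2022-50956) and the controller parameter of tblight.php (CVE-2022-50954); script payloads in the post_id, form_id and page parameters of grunion-form-view.php, code_generator.php and class-sms-log-display.php (CVE-2022-50958, CVE-2022-50959, CVE-2022-50960); and listing requests to wp-json/wp/v2/users (CVE-2017-5487). The Python below is an added retro-hunting example, not tooling from PatchSiren or any of the vendors: the rules are derived only from the descriptions above and are not validated signatures, the log lines are constructed, and the plugin directory paths in them are assumed. POST bodies are not in access logs, so the admin-ajax.php deletion and upload flows in CVE-2021-47979 and CVE-2021-47940 cannot be found this way.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format; only the client IP and the request target are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' path segment in either slash flavour, at the start or after a separator.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Crude markers for reflected script payloads; tune for local traffic.
SCRIPT_RE = re.compile(r"<\s*script|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

# (script basename, parameter, check, CVE) taken from the entries on this page.
# Only the basename is matched because plugin directory layouts vary between installs.
RULES: List[Tuple[str, str, str, str]] = [
    ("admin-ajax.php", "plugin", "traversal", "CVE-2016-6896"),
    ("dispatcher.php", "open", "traversal", "CVE-2022-50956"),
    ("tblight.php", "controller", "traversal", "CVE-2022-50954"),
    ("grunion-form-view.php", "post_id", "script", "CVE-2022-50958"),
    ("code_generator.php", "form_id", "script", "CVE-2022-50959"),
    ("class-sms-log-display.php", "page", "script", "CVE-2022-50960"),
]

# Constructed sample log; IPs are documentation ranges and the paths are assumed.
LOG_SAMPLE = """\
203.0.113.5 - - [10/May/2026:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=update-plugin&plugin=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/May/2026:12:00:02 +0000] "GET /wp-content/plugins/amministrazione-aperta/dispatcher.php?open=../../../../etc/passwd HTTP/1.1" 200 1890 "-" "curl/8.0"
203.0.113.5 - - [10/May/2026:12:00:03 +0000] "GET /wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../wp-config HTTP/1.1" 200 0 "-" "curl/8.0"
198.51.100.7 - - [10/May/2026:12:00:04 +0000] "GET /wp-content/plugins/jetpack/grunion-form-view.php?post_id=1%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 3002 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2026:12:00:05 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2026:12:00:06 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 61 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2026:12:00:07 +0000] "GET /wp-content/plugins/cab-fare-calculator/tblight.php?controller=fare HTTP/1.1" 200 100 "-" "Mozilla/5.0"
this line is not in combined log format and is skipped
"""


def analyse_line(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (client_ip, [cve, ...]) for a parsable line ([] when clean), None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path)
    script = path.rsplit("/", 1)[-1]
    params = parse_qs(parts.query, keep_blank_values=True)
    hits: List[str] = []
    # Author enumeration (CVE-2017-5487). An access log cannot show whether the caller
    # was authenticated, so this is a review trigger rather than proof of exploitation.
    if path.rstrip("/").endswith("/wp-json/wp/v2/users"):
        hits.append("CVE-2017-5487")
    for name, param, kind, cve in RULES:
        if script != name:
            continue
        for value in params.get(param, []):
            # parse_qs decoded once; a second unquote exposes double-encoded payloads.
            # A detector decodes generously, the opposite of a defensive path check.
            v = unquote(value)
            if kind == "traversal" and TRAVERSAL_RE.search(v):
                hits.append(cve)
            elif kind == "script" and SCRIPT_RE.search(v):
                hits.append(cve)
    return m.group("ip"), hits


def scan(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, cves) for every parsable line that triggered at least one rule, in log order."""
    findings: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        result = analyse_line(line)
        if result and result[1]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for ip, cves in scan(LOG_SAMPLE):
        print(ip, ", ".join(cves))
```

A hit on a vulnerable-version install is what matters; the same query strings against a patched site are noise, so join the findings to the plugin inventory before escalating, and remember that a 200 on the traversal lines in the sample would be the signal that the read actually succeeded.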