ays-pro CVE Vulnerabilities & Metrics

Focus on ays-pro vulnerabilities and metrics.

Last updated: 07 Jun 2025, 22:25 UTC

About ays-pro Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with ays-pro. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total ays-pro CVEs: 68
Earliest CVE date: 22 Aug 2019, 13:15 UTC
Latest CVE date: 15 May 2025, 20:16 UTC

Latest CVE reference: CVE-2024-9599

Rolling Stats

30-day Count (Rolling): 2
365-day Count (Rolling): 26

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): -33.33%
Year Variation (Calendar): 18.18%

Month Growth Rate (30-day Rolling): -33.33%
Year Growth Rate (365-day Rolling): 18.18%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical ays-pro CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 1.43

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 53
4.0-6.9 13
7.0-8.9 2
9.0-10.0 0

CVSS Distribution Chart

Top 5 Highest CVSS ays-pro CVEs

These are the five CVEs with the highest CVSS scores for ays-pro, sorted by severity first and recency.

All CVEs for ays-pro

CVE-2024-9599 ays-pro vulnerability CVSS: 0 15 May 2025, 20:16 UTC

The Popup Box WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2024-8617 ays-pro vulnerability CVSS: 0 15 May 2025, 20:15 UTC

The Quiz Maker WordPress plugin before 6.5.9.9 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2025-47545 ays-pro vulnerability CVSS: 0 07 May 2025, 15:16 UTC

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Ays Pro Poll Maker allows Leveraging Race Conditions. This issue affects Poll Maker: from n/a through 5.7.7.

CVE-2025-24577 ays-pro vulnerability CVSS: 0 17 Apr 2025, 16:15 UTC

Missing Authorization vulnerability in Ays Pro Poll Maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Poll Maker: from n/a through 5.5.0.

CVE-2025-32275 ays-pro vulnerability CVSS: 0 10 Apr 2025, 08:15 UTC

Authentication Bypass by Spoofing vulnerability in Ays Pro Survey Maker allows Identity Spoofing. This issue affects Survey Maker: from n/a through 5.1.5.4.

CVE-2024-13602 ays-pro vulnerability CVSS: 0 16 Mar 2025, 06:15 UTC

The Poll Maker WordPress plugin before 5.5.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2025-26971 ays-pro vulnerability CVSS: 0 25 Feb 2025, 15:15 UTC

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ays-pro Poll Maker allows Blind SQL Injection. This issue affects Poll Maker: from n/a through 5.6.5.

CVE-2025-22664 ays-pro vulnerability CVSS: 0 04 Feb 2025, 15:15 UTC

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Survey Maker team Survey Maker allows Stored XSS. This issue affects Survey Maker: from n/a through 5.1.3.5.

CVE-2024-13505 ays-pro vulnerability CVSS: 0 26 Jan 2025, 12:15 UTC

The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ays_sections[5][questions][8][title]’ parameter in all versions up to, and including, 5.1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVE-2024-56295 ays-pro vulnerability CVSS: 0 15 Jan 2025, 16:15 UTC

Missing Authorization vulnerability in Poll Maker Team Poll Maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Poll Maker: from n/a through 5.5.6.

CVE-2023-45766 ays-pro vulnerability CVSS: 0 02 Jan 2025, 12:15 UTC

Missing Authorization vulnerability in Poll Maker Team Poll Maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Poll Maker: from n/a through 4.7.1.

CVE-2023-22697 ays-pro vulnerability CVSS: 0 13 Dec 2024, 15:15 UTC

Missing Authorization vulnerability in Survey Maker team Survey Maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Survey Maker: from n/a through 3.2.0.

CVE-2023-50904 ays-pro vulnerability CVSS: 0 09 Dec 2024, 13:15 UTC

Missing Authorization vulnerability in Poll Maker Team Poll Maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Poll Maker: from n/a through 4.8.0.

CVE-2024-12115 ays-pro vulnerability CVSS: 0 07 Dec 2024, 02:15 UTC

The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.5.4. This is due to missing or incorrect nonce validation on the duplicate_poll() function. This makes it possible for unauthenticated attackers to duplicate polls via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2024-10571 ays-pro vulnerability CVSS: 0 14 Nov 2024, 11:15 UTC

The Chartify – WordPress Chart Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.5 via the 'source' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

CVE-2024-9874 ays-pro vulnerability CVSS: 0 09 Nov 2024, 07:15 UTC

The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 5.4.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE-2024-50426 ays-pro vulnerability CVSS: 0 29 Oct 2024, 09:15 UTC

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Survey Maker team Survey Maker allows Stored XSS.This issue affects Survey Maker: from n/a through 5.0.2.

CVE-2024-9475 ays-pro vulnerability CVSS: 0 26 Oct 2024, 03:15 UTC

The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to generic SQL Injection via the order_by parameter in all versions up to, and including, 5.4.6 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level permissions and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE-2024-9462 ays-pro vulnerability CVSS: 0 26 Oct 2024, 03:15 UTC

The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Stored Cross-Site Scripting via poll settings in all versions up to, and including, 5.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVE-2024-8488 ays-pro vulnerability CVSS: 0 08 Oct 2024, 11:15 UTC

The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Survey fields in all versions up to, and including, 4.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVE-2024-7714 ays-pro vulnerability CVSS: 0 27 Sep 2024, 06:15 UTC

The AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0 lacks sufficient access controls allowing an unauthenticated user to disconnect the AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0 from OpenAI, thereby disabling the AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0. Multiple actions are accessible: 'ays_chatgpt_disconnect', 'ays_chatgpt_connect', and 'ays_chatgpt_save_feedback'

CVE-2024-7713 ays-pro vulnerability CVSS: 0 27 Sep 2024, 06:15 UTC

The AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0 discloses the Open AI API Key, allowing unauthenticated users to obtain it

CVE-2024-6889 ays-pro vulnerability CVSS: 0 04 Sep 2024, 06:15 UTC

The Secure Copy Content Protection and Content Locking WordPress plugin before 4.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2024-6888 ays-pro vulnerability CVSS: 0 04 Sep 2024, 06:15 UTC

The Secure Copy Content Protection and Content Locking WordPress plugin before 4.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2024-6138 ays-pro vulnerability CVSS: 0 11 Jul 2024, 06:15 UTC

The Secure Copy Content Protection and Content Locking WordPress plugin before 4.0.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2024-37442 ays-pro vulnerability CVSS: 0 09 Jul 2024, 11:15 UTC

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Photo Gallery Team Photo Gallery by Ays allows Code Injection.This issue affects Photo Gallery by Ays: from n/a before 5.7.1.

CVE-2024-4061 ays-pro vulnerability CVSS: 0 21 May 2024, 06:15 UTC

The Survey Maker WordPress plugin before 4.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2024-3601 ays-pro vulnerability CVSS: 0 02 May 2024, 17:15 UTC

The Poll Maker – Best WordPress Poll Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_poll_create_author function in all versions up to, and including, 5.1.8. This makes it possible for unauthenticated attackers to extract email addresses by enumerating them one character at a time.

CVE-2024-3600 ays-pro vulnerability CVSS: 0 19 Apr 2024, 03:15 UTC

The Poll Maker – Best WordPress Poll Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check on the ays_poll_maker_quick_start AJAX action in addition to insufficient escaping and sanitization in all versions up to, and including, 5.1.8. This makes it possible for unauthenticated attackers to create quizzes and inject malicious web scripts into them that execute when a user visits the page.

CVE-2024-29918 ays-pro vulnerability CVSS: 0 27 Mar 2024, 08:15 UTC

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Survey Maker team Survey Maker allows Reflected XSS.This issue affects Survey Maker: from n/a through 4.0.6.

CVE-2024-27996 ays-pro vulnerability CVSS: 0 19 Mar 2024, 17:15 UTC

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Survey Maker team Survey Maker allows Stored XSS.This issue affects Survey Maker: from n/a through 4.0.5.

CVE-2023-6591 ays-pro vulnerability CVSS: 0 12 Feb 2024, 16:15 UTC

The Popup Box WordPress plugin before 20.9.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

CVE-2023-47526 ays-pro vulnerability CVSS: 0 12 Feb 2024, 07:15 UTC

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chart Builder Team Chartify – WordPress Chart Plugin allows Stored XSS.This issue affects Chartify – WordPress Chart Plugin: from n/a through 2.0.6.

CVE-2024-1079 ays-pro vulnerability CVSS: 0 07 Feb 2024, 08:15 UTC

The Quiz Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_show_results() function in all versions up to, and including, 6.5.2.4. This makes it possible for unauthenticated attackers to fetch arbitrary quiz results which can contain PII.

CVE-2024-1078 ays-pro vulnerability CVSS: 0 07 Feb 2024, 08:15 UTC

The Quiz Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ays_quick_start() and add_question_rows() functions in all versions up to, and including, 6.5.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary quizzes.

CVE-2024-22027 ays-pro vulnerability CVSS: 0 12 Jan 2024, 07:15 UTC

Improper input validation vulnerability in WordPress Quiz Maker Plugin prior to 6.5.0.6 allows a remote authenticated attacker to perform a Denial of Service (DoS) attack against external services.

CVE-2023-6166 ays-pro vulnerability CVSS: 0 26 Dec 2023, 19:15 UTC

The Quiz Maker WordPress plugin before 6.4.9.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting

CVE-2023-6155 ays-pro vulnerability CVSS: 0 26 Dec 2023, 19:15 UTC

The Quiz Maker WordPress plugin before 6.4.9.5 does not adequately authorize the `ays_quiz_author_user_search` AJAX action, allowing an unauthenticated attacker to perform a search for users of the system, ultimately leaking user email addresses.

CVE-2023-5874 ays-pro vulnerability CVSS: 0 04 Dec 2023, 22:15 UTC

The Popup box WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2023-5809 ays-pro vulnerability CVSS: 0 04 Dec 2023, 22:15 UTC

The Popup box WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2023-5343 ays-pro vulnerability CVSS: 0 20 Nov 2023, 19:15 UTC

The Popup box WordPress plugin before 3.7.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

CVE-2023-34013 ays-pro vulnerability CVSS: 0 13 Nov 2023, 03:15 UTC

Server-Side Request Forgery (SSRF) vulnerability in Poll Maker Team Poll Maker – Best WordPress Poll Plugin.This issue affects Poll Maker – Best WordPress Poll Plugin: from n/a through 4.6.2.

CVE-2023-4390 ays-pro vulnerability CVSS: 0 31 Oct 2023, 14:15 UTC

The Popup box WordPress plugin before 3.7.2 does not sanitize and escape some Popup fields, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2023-39917 ays-pro vulnerability CVSS: 0 03 Oct 2023, 12:15 UTC

Cross-Site Request Forgery (CSRF) vulnerability in Photo Gallery Team Photo Gallery by Ays – Responsive Image Gallery plugin <= 5.2.6 versions.

CVE-2023-41871 ays-pro vulnerability CVSS: 0 25 Sep 2023, 19:15 UTC

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Poll Maker Team Poll Maker plugin <= 4.7.0 versions.

CVE-2023-32107 ays-pro vulnerability CVSS: 0 18 Aug 2023, 14:15 UTC

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Photo Gallery Team Photo Gallery by Ays – Responsive Image Gallery plugin <= 5.1.3 versions.

CVE-2023-27414 ays-pro vulnerability CVSS: 0 21 Jun 2023, 14:15 UTC

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Popup Box Team Popup box plugin <= 3.4.4 versions.

CVE-2023-2568 ays-pro vulnerability CVSS: 0 12 Jun 2023, 18:15 UTC

The Photo Gallery by Ays WordPress plugin before 5.1.7 does not escape some parameters before outputting it back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin

CVE-2023-2572 ays-pro vulnerability CVSS: 0 05 Jun 2023, 14:15 UTC

The Survey Maker WordPress plugin before 3.4.7 does not escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin

CVE-2023-2571 ays-pro vulnerability CVSS: 0 05 Jun 2023, 14:15 UTC

The Quiz Maker WordPress plugin before 6.4.2.7 does not escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin

CVE-2023-23490 ays-pro vulnerability CVSS: 0 20 Jan 2023, 19:15 UTC

The Survey Maker WordPress Plugin, version < 3.1.2, is affected by an authenticated SQL injection vulnerability in the 'surveys_ids' parameter of its 'ays_surveys_export_json' action.

CVE-2023-0038 ays-pro vulnerability CVSS: 0 03 Jan 2023, 14:15 UTC

The "Survey Maker – Best WordPress Survey Plugin" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via survey answers in versions up to, and including, 3.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts when submitting quizzes that will execute whenever a user accesses the submissions page.

CVE-2022-1456 ays-pro vulnerability CVSS: 3.5 30 May 2022, 09:15 UTC

The Poll Maker WordPress plugin before 4.0.2 does not sanitise and escape some settings, which could allow high privilege users such as admin to perform Store Cross-Site Scripting attack even when unfiltered_html is disallowed

CVE-2021-26256 ays-pro vulnerability CVSS: 4.3 21 Feb 2022, 18:15 UTC

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in Survey Maker WordPress plugin (versions <= 2.0.6).

CVE-2021-24931 ays-pro vulnerability CVSS: 7.5 06 Dec 2021, 16:15 UTC

The Secure Copy Content Protection and Content Locking WordPress plugin before 2.8.2 does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an SQL injection.

CVE-2021-24651 ays-pro vulnerability CVSS: 5.0 11 Oct 2021, 11:15 UTC

The Poll Maker WordPress plugin before 3.4.2 allows unauthenticated users to perform SQL injection via the ays_finish_poll AJAX action. While the result is not disclosed in the response, it is possible to use a timing attack to exfiltrate data such as password hash.

CVE-2021-34635 ays-pro vulnerability CVSS: 4.3 02 Aug 2021, 21:15 UTC

The Poll Maker WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the mcount parameter found in the ~/admin/partials/settings/poll-maker-settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.2.8.

CVE-2021-24484 ays-pro vulnerability CVSS: 6.5 02 Aug 2021, 11:15 UTC

The get_reports() function in the Secure Copy Content Protection and Content Locking WordPress plugin before 2.6.7 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard

CVE-2021-24483 ays-pro vulnerability CVSS: 6.5 02 Aug 2021, 11:15 UTC

The get_poll_categories(), get_polls() and get_reports() functions in the Poll Maker WordPress plugin before 3.2.1 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard

CVE-2021-24463 ays-pro vulnerability CVSS: 6.5 02 Aug 2021, 11:15 UTC

The get_sliders() function in the Image Slider by Ays- Responsive Slider and Carousel WordPress plugin before 2.5.0 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard

CVE-2021-24462 ays-pro vulnerability CVSS: 6.5 02 Aug 2021, 11:15 UTC

The get_gallery_categories() and get_galleries() functions in the Photo Gallery by Ays – Responsive Image Gallery WordPress plugin before 4.4.4 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard

CVE-2021-24461 ays-pro vulnerability CVSS: 6.5 02 Aug 2021, 11:15 UTC

The get_faqs() function in the FAQ Builder AYS WordPress plugin before 1.3.6 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard

CVE-2021-24460 ays-pro vulnerability CVSS: 6.5 02 Aug 2021, 11:15 UTC

The get_fb_likeboxes() function in the Popup Like box – Page Plugin WordPress plugin before 3.5.3 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard

CVE-2021-24459 ays-pro vulnerability CVSS: 6.5 02 Aug 2021, 11:15 UTC

The get_results() and get_items() functions in the Survey Maker WordPress plugin before 1.5.6 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard

CVE-2021-24458 ays-pro vulnerability CVSS: 6.5 02 Aug 2021, 11:15 UTC

The get_ays_popupboxes() and get_popup_categories() functions of the Popup box WordPress plugin before 2.3.4 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard

CVE-2021-24457 ays-pro vulnerability CVSS: 6.5 02 Aug 2021, 11:15 UTC

The get_portfolios() and get_portfolio_attributes() functions in the class-portfolio-responsive-gallery-list-table.php and class-portfolio-responsive-gallery-attributes-list-table.php files of the Portfolio Responsive Gallery WordPress plugin before 1.1.8 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard

CVE-2021-24456 ays-pro vulnerability CVSS: 6.5 02 Aug 2021, 11:15 UTC

The Quiz Maker WordPress plugin before 6.2.0.9 did not properly sanitise and escape the order and orderby parameters before using them in SQL statements, leading to SQL injection issues in the admin dashboard

CVE-2016-10921 ays-pro vulnerability CVSS: 7.5 22 Aug 2019, 13:15 UTC

The gallery-photo-gallery plugin before 1.0.1 for WordPress has SQL injection.