CVE-2024-4902
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the ‘courseid’ parameter in all versions up to, and including, 2.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existi...
CVE-2024-4779
The Unlimited Elements For Elementor Free Widgets, Addons, Templates plugin for WordPress is vulnerable to SQL Injection via the ‘datapostids0’ parameter in all versions up to, and including, 1.5.107 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on...
CVE-2024-4742
The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection via the orderby shortcode attribute in all versions up to, and including, 1.2.5 due to insufficient escaping on the user supplied parameter and la...
CVE-2024-4295
The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘hash’ parameter in all versions up to, and including, 5.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes i...
CVE-2024-13184
The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to time-based SQL Injection via the Login Attempts module in all versions up to, and including, 3.0.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing...
CVE-2024-13562
The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.14.5 via the uploads directory. This makes it possible for unauthenticated attackers to extract sensitive data stored...
CVE-2024-8275
The The Events Calendar plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'tribehasnextevent' function in all versions up to, and including, 6.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...
CVE-2024-13514
The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.5 via the 'bsb-slider' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, wi...
CVE-2024-13341
CVE-2024-13341 affects the WordPress plugin “MultiLoca - WooCommerce Multi Locations Inventory Management” (WordPress/WooCommerce). The vulnerability is a SQL Injection via the data-id parameter in all versions up to and including 4.1.11, caused by insufficient escaping and unsafe handling of the...
CVE-2024-13216
The HT Event – WordPress Event Manager Plugin for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.7 via the 'render' function in /includes/widgets/hteventsponsor.php. This makes it possible for authenticated attackers, with...
ZZCMS security vulnerability
ZZCMS is a content management system (CMS) from the ZZCMS team in China. A security vulnerability exists in ZZCMS version 2023 and earlier versions. The vulnerability stems from the front-end website not being effectively protected against SQL injection, which allows attackers to gain unauthorized...
CVE-2024-12102 Typer Core <= 1.9.6 - Authenticated (Contributor+) Post Disclosure
The Typer Core plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.6 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level...
CVE-2024-13694
The WooCommerce Wishlist High customization, fast setup,Free Elementor Wishlist, most features plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.8.7 via the download_pdf_file function due to missing validation on a user controlled key. Th...
CVE-2024-13694
CVE-2024-13694 : The WooCommerce Wishlist plugin for WordPress (versions up to and including 1.8.7) is vulnerable to an insecure direct object reference via the download_pdf_file() function due to missing validation on a user-controlled key. This allows unauthenticated attackers to disclose wishl...
PT-2025-4077 · WordPress · Vr-Frases
Name of the Vulnerable Software and Affected Versions: VR-Frases plugin for WordPress versions up to, and including, 3.0.1 Description: The issue is related to SQL Injection via several parameters due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on th...
Cross-site Scripting (XSS)
YesWiki is vulnerable to a Cross-Site Scripting XSS. The vulnerability is due to improper sanitization of user input in the search by tag feature, allowing a malicious user to craft a link that triggers an XSS when clicked. This results in potential account takeover, stealing other accounts,...
CVE-2024-11090
The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.13 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have bee...
CVE-2024-10628 Quiz Maker Business, Developer, and Agency <= (Multiple Versions) - Unauthenticated SQL Injection via id
The Quiz Maker Business, Developer, and Agency plugins for WordPress are vulnerable to SQL Injection via the ‘id’ parameter in all versions up to, and including, 8.8.0 Business, up to, and including, 21.8.0 Developer, and up to, and including, 31.8.0 Agency due to insufficient escaping on the user...
CVE-2024-13680 Form Builder CP <= 1.2.41 - Authenticated (Contributor+) SQL Injection
The Form Builder CP plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'CPEASYFORMWILLAPPEARHERE' shortcode in all versions up to, and including, 1.2.41 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQ...