PT-2026-33262
Name of the Vulnerable Software and Affected Versions: Custom New User Notification plugin for WordPress versions prior to 1.2.1 Description: Stored Cross-Site Scripting is possible via the admin settings due to insufficient input sanitization and output escaping on multiple settings fields. The...
CVE-2025-14509 Lucky Wheel for WooCommerce – Spin a Sale <= 1.1.13 - Authenticated (Administrator+) PHP Code Injection via Conditional Tags
The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization...
WordPress WP Publications 1.2 Cross Site Scripting
WordPress WP Publication plugin version 1.2 suffers from a persistent cross site scripting vulnerability. Exploit Title: WP Publications WordPress Plugin 1.2 - Stored XSS Google Dork: inurl:/wp-content/plugins/wp-publications/ Date: 2025-07-15 Exploit Author: Zeynalxan Quliyev Vendor Homepage:...
CVE-2022-2046
The Directorist WordPress plugin before 7.2.3 allows administrators to download other plugins from the same vendor directly to the site, but does not check the URL domain it gets the zip files from. This could allow administrators to run code on the server, which is a problem in multisite...
PT-2025-7369 · WordPress · Ajax Search Lite
Name of the Vulnerable Software and Affected Versions: Ajax Search Lite WordPress plugin version 4.12.4 and earlier Description: The issue concerns the Ajax Search Lite WordPress plugin, which does not properly sanitize and escape some of its settings. This could allow high-privilege users, such ...
PT-2025-6531 · WordPress · Paid Membership Plugin
Name of the Vulnerable Software and Affected Versions: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin versions prior to 4.15.20 Description: The issue concerns the Paid Membership Plugin, Ecommerce, User Registration Form,...
CVE-2024-10903
The Broken Link Checker WordPress plugin before 2.4.2 does not validate the link URLs before making a request to them, which could allow admin users to perform SSRF attacks, for example on a multisite installation...
PT-2024-11596 · WordPress · Cab Fare Calculator
Name of the Vulnerable Software and Affected Versions: The Cab fare calculator plugin for WordPress versions up to, and including, 1.1.6 Description: The issue is related to Stored Cross-Site Scripting via the vehicle title setting due to insufficient input sanitization and output escaping. This...
PT-2024-23788 · Bestwebsoft · The Quotes/Tips By Bestwebsoft Wordpress Plugin
Name of the Vulnerable Software and Affected Versions: The Quotes and Tips by BestWebSoft WordPress plugin versions prior to 1.45 Description: The issue concerns the improper validation of image files uploaded by high privilege users, such as admins, allowing them to upload arbitrary files on the...
PT-2024-18243 · WordPress · Carousel Slider
Name of the Vulnerable Software and Affected Versions: Carousel Slider WordPress plugin versions prior to 2.2.7 Description: The Carousel Slider WordPress plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site...
CVE-2023-4314
The wpDataTables WordPress plugin before 2.1.66 does not validate the "Serialized PHP array" input data before deserializing the data. This allows admins to deserialize arbitrary data which may lead to remote code execution if a suitable gadget chain is present on the server. This is impactful in...
PT-2023-20098 · WordPress · Registrationmagic
Name of the Vulnerable Software and Affected Versions: RegistrationMagic plugin for WordPress versions up to, and including, 5.2.0.5 Description: The issue allows authenticated attackers with administrator-level permissions and above to bypass authorization and access system resources due to...
CVE-2022-3441
The Rock Convert WordPress plugin before 2.11.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...