WordPress MasterStudy LMS Pro plugin <= 4.8.20 - Authenticated (Instructor+) SQL Injection vulnerability

Authenticated Instructor+ SQL Injection vulnerability discovered by Rafie Muhammad - Awesome Motive, Inc. in WordPress Plugin MasterStudy LMS Pro versions = 4.8.20...

WordPress Avada (Fusion) Builder plugin <= 3.15.1 - Unauthenticated SQL Injection vulnerability

Unauthenticated SQL Injection vulnerability discovered by Rafie Muhammad - Awesome Motive, Inc. in WordPress Plugin Fusion Builder versions = 3.15.1...

WordPress Avada (Fusion) Builder plugin <= 3.15.2 - Authenticated (Subscriber+) Arbitrary File Read vulnerability

Authenticated Subscriber+ Arbitrary File Read vulnerability discovered by Rafie Muhammad - Awesome Motive, Inc. in WordPress Plugin Fusion Builder versions = 3.15.2...

1,000,000 WordPress Sites Affected by Arbitrary File Read and SQL Injection Vulnerabilities in Avada Builder WordPress Plugin

On March 21st, 2026, we received a submission for an Arbitrary File Read and an SQL Injection vulnerability in Avada Builder, a WordPress plugin with an estimated 1,000,000 active installations. The arbitrary file read vulnerability can be used by authenticated attackers, with subscriber-level...

WordPress Ave Core plugin <= 2.9.1 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Rafie Muhammad Patchstack in WordPress Plugin Ave Core versions = 2.9.1...

WordPress pixfort Core plugin <= 3.2.22 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting XSS vulnerability discovered by Rafie Muhammad Patchstack in WordPress Plugin pixfort Core versions = 3.2.22...

WordPress UDesign theme <= 4.14.0 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting XSS vulnerability discovered by Rafie Muhammad Patchstack in WordPress Theme UDesign versions = 4.14.0...

WordPress Sober theme <= 3.5.12 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Rafie Muhammad Patchstack in WordPress Theme Sober versions = 3.5.12...

WordPress JNews - Pay Writer plugin <= 11.0.0 - Local File Inclusion vulnerability

WordPress JNews - Pay Writer plugin = 11.0.0 - Local File Inclusion vulnerability discovered by Rafie Muhammad Patchstack in WordPress Plugin JNews - Pay Writer versions = 11.0.0...

WordPress REHub Framework plugin <= 19.9.5 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Rafie Muhammad Patchstack in WordPress Plugin REHub Framework versions = 19.9.5...

WordPress Woffice Core plugin <= 5.4.30 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References IDOR vulnerability discovered by Rafie Muhammad Patchstack in WordPress Plugin Woffice Core versions = 5.4.30...

WordPress Woffice theme <= 5.4.30 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Rafie Muhammad Patchstack in WordPress Theme Woffice versions = 5.4.30...

WordPress Photography theme < 7.7.5 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Rafie Muhammad Patchstack in WordPress Theme Photography versions 7.7.5...

WordPress Kallyas theme <= 4.22.0 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Rafie Muhammad Patchstack in WordPress Theme KALLYAS versions = 4.22.0...

WordPress Masterstudy Elementor Widgets plugin <= 1.2.4 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Rafie Muhammad Patchstack in WordPress Plugin Masterstudy Elementor Widgets versions = 1.2.4...

WordPress Masterstudy theme < 4.8.122 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Rafie Muhammad Patchstack in WordPress Theme Masterstudy versions 4.8.122...

WordPress XStore theme < 9.6 - Content Injection vulnerability

Content Injection vulnerability discovered by Rafie Muhammad Patchstack in WordPress Theme XStore versions 9.6...

WordPress TheGem Theme <= 5.10.5 - Broken Access Control Vulnerability

Broken Access Control Vulnerability discovered by Rafie Muhammad Patchstack in WordPress Theme TheGem versions = 5.10.5...

WordPress TheGem (Elementor) Theme <= 5.10.5 - Broken Access Control Vulnerability

Broken Access Control Vulnerability discovered by Rafie Muhammad Patchstack in WordPress Theme TheGem Elementor versions = 5.10.5...

WordPress WPLMS theme <= 4.970 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Rafie Muhammad Patchstack in WordPress Theme WPLMS versions = 4.970...