3398 matches found
WordPress ReachShip WooCommerce Multi-Carrier & Conditional Shipping <= 4.3.1 - Arbitrary File Upload Vulnerability
Arbitrary File Upload Vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin ReachShip WooCommerce Multi-Carrier & Conditional Shipping versions <= 4.3.1...
WordPress Extensions For CF7 plugin <= 3.2.8 - Unauthenticated Arbitrary File Deletion Triggered via Admin Form Submission Deletion vulnerability
Unauthenticated Arbitrary File Deletion Triggered via Admin Form Submission Deletion vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Extensions For CF7 versions <= 3.2.8...
WordPress SureForms plugin < 1.7.2 - Reflected XSS vulnerability
Reflected XSS vulnerability discovered by Dmitrii Ignatyev in WordPress Plugin SureForms versions < 1.7.2...
WordPress Malcure Malware Scanner plugin <= 16.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read vulnerability discovered by Arkadiusz Hydzik in WordPress Plugin Malcure Malware Scanner versions <= 16.8...
WordPress MasterStudy LMS Pro plugin <= 4.7.9 - Authenticated (Subscriber+) Arbitrary File Upload vulnerability
Authenticated (Subscriber+) Arbitrary File Upload vulnerability discovered by Thái An in WordPress Plugin MasterStudy LMS Pro versions <= 4.7.9...
WordPress B1.lt for WooCommerce plugin <= 2.2.56 - Missing Authorization to Authenticated (Subscriber+) Arbitrary SQL Injection vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary SQL Injection vulnerability discovered by Aurélien BOURDOIS Elymaro in WordPress Plugin B1.lt for WooCommerce versions <= 2.2.56...
WordPress Responsive Addons for Elementor plugin <= 1.7.3 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Prissy in WordPress Plugin Responsive Addons for Elementor versions <= 1.7.3...
WordPress GymBase Theme Classes plugin <= 1.4 - SQL Injection Vulnerability
SQL Injection Vulnerability discovered by Trương Hữu Phúc truonghuuphuc in WordPress Plugin GymBase Theme Classes versions <= 1.4...
WordPress WP Delicious plugin <= 1.8.4 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by zaim in WordPress Plugin WP Delicious versions <= 1.8.4...
WordPress Webba Booking <= 5.1.20 - Broken Access Control Vulnerability
Broken Access Control Vulnerability discovered by Hiro Code016Hiro in WordPress Plugin Webba Booking versions <= 5.1.20...
WordPress Maya Business <= 1.2.0 - Insecure Direct Object References (IDOR) Vulnerability
Insecure Direct Object References (IDOR) Vulnerability discovered by ch4r0n in WordPress Plugin Maya Business versions <= 1.2.0...
WordPress WP Event Manager plugin <= 3.1.50 - Unauthenticated Stored Cross-Site Scripting via 'organizer_name' vulnerability
Unauthenticated Stored Cross-Site Scripting via 'organizer_name' vulnerability discovered by Nguyen Ngoc Quang Bach maysbachs in WordPress Plugin WP Event Manager versions <= 3.1.50...
WordPress Custom Post Carousels with Owl plugin < 1.4.12 - Contributor+ Stored XSS vulnerability
Contributor+ Stored XSS vulnerability discovered by Pierre Rudloff in WordPress Plugin Custom Post Carousels with Owl versions < 1.4.12...
WordPress wpForo Forum plugin <= 2.4.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Profile Avatar vulnerability
Authenticated (Subscriber+) Stored Cross-Site Scripting via Profile Avatar vulnerability discovered by Muhan Luo in WordPress Plugin wpForo Forum versions <= 2.4.5...
WordPress Support Board plugin <= 3.8.0 - Unauthenticated Authorization Bypass due to Use of Default Secret Key vulnerability
Unauthenticated Authorization Bypass due to Use of Default Secret Key vulnerability discovered by Foxyyy in WordPress Plugin Support Board versions <= 3.8.0...
WordPress Invico - WordPress Consulting Business Theme Theme <= 1.9 is vulnerable to Cross Site Scripting (XSS)
Software: Invico - WordPress Consulting Business Theme; Type: Theme; Vulnerable versions: <= 1.9; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2025-31427; Patch priority: Medium; CVSS severity: Medium (7.1); PSID: 9e4642f9ea67; Credits: Tran...
WordPress All In One Slider Responsive plugin <= 3.7.9 - SQL Injection Vulnerability
SQL Injection Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Plugin All In One Slider Responsive versions <= 3.7.9...
WordPress Radio Station plugin <= 2.5.12 - Cross Site Request Forgery (CSRF) Vulnerability
Cross Site Request Forgery (CSRF) Vulnerability discovered by Nguyen Ngoc Quang Bach maysbachs in WordPress Plugin Radio Station versions <= 2.5.12...
WordPress EventON plugin <= 4.9.9 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nguyễn Trung Kiên anhchangmutrang in WordPress Plugin EventON versions <= 4.9.9...
WordPress Home Villas Theme <= 2.8 is vulnerable to Arbitrary File Deletion
Software: Home Villas; Type: Theme; Vulnerable versions: <= 2.8; Fixed in: N/A; OWASP Top 10: A1: Injection; Classification: Arbitrary File Deletion; CVE: CVE-2025-5014; Patch priority: High; CVSS severity: High (7.7); PSID: cba250cec63a; Credits: Thái An; Required privilege: Subscriber; Published...