3398 matches found
WordPress Post Rating and Review plugin <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via class Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via class Parameter vulnerability discovered by Gilang in WordPress Plugin Post Rating and Review versions <= 1.3.4...
WordPress WP SoundSystem plugin <= 3.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpsstm-track Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via wpsstm-track Shortcode vulnerability discovered by Gilang in WordPress Plugin WP SoundSystem versions <= 3.4.2...
WordPress Homey Theme <= 2.4.5 is vulnerable to Cross Site Scripting (XSS)
Software: Homey; Type: Theme; Vulnerable versions: <= 2.4.5; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2025-31037; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: 23e723348628; Credits: Ayoub Nouri; Required privilege: Unauthenticate...
WordPress Litho Theme <= 3.0 is vulnerable to Arbitrary File Deletion
Software: Litho; Type: Theme; Vulnerable versions: <= 3.0; Fixed in: 3.1; OWASP Top 10: A3: Injection; Classification: Arbitrary File Deletion; CVE: CVE-2025-49879; Patch priority: High; CVSS severity: High 8.6; PSID: b5c6a3b3bdf8; Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity...
WordPress Blogvy Theme <= 1.0.7 is vulnerable to Local File Inclusion
Software: Blogvy; Type: Theme; Vulnerable versions: <= 1.0.7; Fixed in: 1.0.8; OWASP Top 10: A3: Injection; Classification: Local File Inclusion; CVE: CVE-2025-49279; Patch priority: High; CVSS severity: High 8.1; PSID: 32ad01b31638; Credits: Le Ngoc Anh; Required privilege: Unauthenticated...
WordPress Aiomatic plugin <= 2.5.0 - Authenticated (Subscriber+) Arbitrary File Upload vulnerability
Authenticated (Subscriber+) Arbitrary File Upload vulnerability discovered by khanhhnahk1 in WordPress Plugin Aiomatic versions <= 2.5.0...
WordPress WP Front User Submit / Front Editor plugin <= 4.9.3 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Nguyen Ngoc Quang Bach maysbachs in WordPress Plugin WP Front User Submit / Front Editor versions <= 4.9.3...
WordPress Seven Stars Theme <= 1.4.4 is vulnerable to Cross Site Scripting (XSS)
Software: Seven Stars; Type: Theme; Vulnerable versions: <= 1.4.4; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2025-31067; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: 9c2cf87e3798; Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber...
WordPress Sofass Theme <= 1.3.4 is vulnerable to Local File Inclusion
Software: Sofass; Type: Theme; Vulnerable versions: <= 1.3.4; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Local File Inclusion; CVE: CVE-2025-24760; Patch priority: High; CVSS severity: High 8.1; PSID: 97dd93e076df; Credits: Phat RiO - BlueRock; Required privilege: Unauthenticat...
WordPress Amely Theme <= 3.1.4 is vulnerable to SQL Injection
Software: Amely; Type: Theme; Vulnerable versions: <= 3.1.4; Fixed in: 3.2.0; OWASP Top 10: A3: Injection; Classification: SQL Injection; CVE: CVE-2025-39474; Patch priority: High; CVSS severity: High 9.3; PSID: 14a3ee2aee2f; Credits: Bonds; Required privilege: Unauthenticated; Published: 23 June...
WordPress PowerPress Podcasting plugin <= 11.13.11 - Server Side Request Forgery (SSRF) Vulnerability
Server Side Request Forgery (SSRF) Vulnerability discovered by Anhchangmutrang in WordPress Plugin PowerPress Podcasting versions <= 11.13.11...
WordPress Automatically Hierarchic Categories in Menu plugin <= 2.0.9 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by muhammad yudha in WordPress Plugin Automatically Hierarchic Categories in Menu versions <= 2.0.9...
WordPress Bluff Post plugin <= 1.1.1 - Cross Site Request Forgery (CSRF) Vulnerability
Cross Site Request Forgery (CSRF) Vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Bluff Post versions <= 1.1.1...
WordPress HUSKY plugin <= 1.3.7 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by LVT-tholv2k in WordPress Plugin HUSKY versions <= 1.3.7...
WordPress Spark Multipurpose Theme <= 1.0.7 is vulnerable to Cross Site Scripting (XSS)
Software: Spark Multipurpose; Type: Theme; Vulnerable versions: <= 1.0.7; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2025-50030; Patch priority: Low; CVSS severity: Low 6.5; PSID: 093473ec2f16; Credits: Peter Thaleikis; Required privilege...
WordPress Bulk YouTube Post Creator plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Miki Iwamoto in WordPress Plugin Bulk YouTube Post Creator versions <= 1.0...
WordPress tarteaucitron.io plugin < 1.9.5 - Contributor+ Stored XSS vulnerability
Contributor+ Stored XSS vulnerability discovered by Pierre Rudloff in WordPress Plugin tarteaucitron.js – Cookies legislation & GDPR versions < 1.9.5...
WordPress Ajax Load More plugin <= 7.4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin Ajax Load More versions <= 7.4.0.1...
WordPress Simple Logo Carousel plugin <= 1.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter vulnerability discovered by Peter Thaleikis in WordPress Plugin Simple Logo Carousel versions <= 1.9.3...
WordPress Click to Chat plugin <= 4.22 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via data-no_number Parameter vulnerability
Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via data-no_number Parameter vulnerability discovered by Asaf Mozes in WordPress Plugin Click to Chat versions <= 4.22...