3398 matches found
WordPress WP2LEADS plugin <= 3.5.0 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by johska in WordPress Plugin WP2LEADS versions <= 3.5.0...
WordPress Yougler Blogger Profile Page plugin <= v1.01 - Cross-Site Request Forgery to Settings Update vulnerability
Cross-Site Request Forgery to Settings Update vulnerability discovered by johska in WordPress Plugin Yougler Blogger Profile Page versions <= v1.01...
WordPress File Manager Pro – Filester plugin <= 1.8.8 - Authenticated (Administrator+) Arbitrary File Upload vulnerability
Authenticated (Administrator+) Arbitrary File Upload vulnerability discovered by TANG Cheuk Hei siunam in WordPress Plugin File Manager Pro versions <= 1.8.8...
WordPress Game Review Block plugin <= 4.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter vulnerability discovered by Peter Thaleikis in WordPress Plugin Game Review Block versions <= 4.8.1...
WordPress myCred plugin <= 2.9.4.2 - Broken Access Control Vulnerability
Broken Access Control Vulnerability discovered by Marek Mikita in WordPress Plugin myCred versions <= 2.9.4.2...
WordPress MapSVG plugin < 8.7.4 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Anhchangmutrang in WordPress Plugin MapSVG versions < 8.7.4...
WordPress eForm - WordPress Form Builder < 4.19.1 - Cross Site Scripting (XSS) Vulnerability
WordPress eForm - WordPress Form Builder < 4.19.1 - Cross Site Scripting (XSS) Vulnerability discovered by Dave Jong Patchstack in WordPress Plugin eForm - WordPress Form Builder versions < 4.19.1...
WordPress Elite Video Player plugin <= 10.0.5 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Anhchangmutrang in WordPress Plugin Elite Video Player versions <= 10.0.5...
WordPress Axle Demo Importer plugin <= 1.0.3 - Author+ Arbitrary File Upload vulnerability
Author+ Arbitrary File Upload vulnerability discovered by Khaled Alenazi Nxploited in WordPress Plugin Axle Demo Importer versions <= 1.0.3...
WordPress Premium Addons for Elementor plugin <= 4.11.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget vulnerability discovered by Asaf Mozes in WordPress Plugin Premium Addons for Elementor versions <= 4.11.8...
WordPress Lasa Theme <= 1.1 is vulnerable to Local File Inclusion
Software: Lasa; Type: Theme; Vulnerable versions: <= 1.1; Fixed in: 1.1.1; OWASP Top 10: A4: Insecure Design; Classification: Local File Inclusion; CVE: CVE-2025-49253; Patch priority: High; CVSS severity: High 8.1; PSID: 146f1b55407b; Credits: Phat RiO - BlueRock; Required privilege...
WordPress Maia Theme <= 1.1.15 is vulnerable to Local File Inclusion
Software: Maia; Type: Theme; Vulnerable versions: <= 1.1.15; Fixed in: 1.1.16; OWASP Top 10: A4: Insecure Design; Classification: Local File Inclusion; CVE: CVE-2025-49258; Patch priority: High; CVSS severity: High 8.1; PSID: 17919a5d64c7; Credits: Phat RiO - BlueRock; Required privilege...
WordPress Sapa Theme <= 1.1.14 is vulnerable to Local File Inclusion
Software: Sapa; Type: Theme; Vulnerable versions: <= 1.1.14; Fixed in: 1.1.15; OWASP Top 10: A4: Insecure Design; Classification: Local File Inclusion; CVE: CVE-2025-49256; Patch priority: High; CVSS severity: High 8.1; PSID: 8d080f77bafd; Credits: Phat RiO - BlueRock; Required privilege...
WordPress Flozen Theme < 1.5.1 is vulnerable to Arbitrary File Upload
Software: Flozen; Type: Theme; Vulnerable versions: < 1.5.1; Fixed in: 1.5.1; OWASP Top 10: A3: Injection; Classification: Arbitrary File Upload; CVE: CVE-2025-49071; Patch priority: High; CVSS severity: High 10; PSID: b0bba867fa7b; Credits: Phat RiO - BlueRock; Required privilege: Unauthenticat...
WordPress FW Gallery plugin <= 8.0.0 - Arbitrary File Deletion Vulnerability
Arbitrary File Deletion Vulnerability discovered by LVT-tholv2k in WordPress Plugin FW Gallery versions <= 8.0.0...
WordPress Nitan Theme <= 2.9 is vulnerable to Local File Inclusion
Software: Nitan; Type: Theme; Vulnerable versions: <= 2.9; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Local File Inclusion; CVE: CVE-2025-24768; Patch priority: High; CVSS severity: High 8.1; PSID: ec6d95e09a1c; Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity; Require...
WordPress LTL Freight Quotes – Daylight Edition plugin <= 2.2.6 - Unauthenticated Stored Cross-Site Scripting via `expiry_date` Parameter vulnerability
Unauthenticated Stored Cross-Site Scripting via `expiry_date` Parameter vulnerability discovered by sterva in WordPress Plugin LTL Freight Quotes – Daylight Edition versions <= 2.2.6...
WordPress Civi Framework plugin <= 2.1.6 - Cross Site Request Forgery (CSRF) to User Deactivation vulnerability
Cross Site Request Forgery (CSRF) to User Deactivation vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Civi Framework versions <= 2.1.6...
WordPress Knowledge Base plugin <= 2.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by muhammad yudha in WordPress Plugin Knowledge Base versions <= 2.3.0...
WordPress Video Embeds plugin <= 0.1.1 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Chu The Anh Fore-Z co.ltd in WordPress Plugin Video Embeds versions <= 0.1.1...