3398 matches found
WordPress LA-Studio Element Kit for Elementor plugin <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Compare and Google Maps Widgets vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Image Compare and Google Maps Widgets vulnerability discovered by Robert DeVore in WordPress Plugin LA-Studio Element Kit for Elementor versions <= 1.5.2...
WordPress LA-Studio Element Kit for Elementor plugin <= 1.5.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via data-lakit-element-link Parameter vulnerability
Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via data-lakit-element-link Parameter vulnerability discovered by Webbernaut in WordPress Plugin LA-Studio Element Kit for Elementor versions <= 1.5.2...
WordPress WP Pipes plugin <= 1.4.2 - Arbitrary File Deletion Vulnerability
Arbitrary File Deletion Vulnerability discovered by timomangcut in WordPress Plugin WP Pipes versions <= 1.4.2...
WordPress Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light plugin <= 2.4.37 - Arbitrary File Download Vulnerability
Arbitrary File Download Vulnerability discovered by ch4r0n in WordPress Plugin Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light versions <= 2.4.37...
WordPress Solar Energy Theme <= 3.5 is vulnerable to PHP Object Injection
Software: Solar Energy; Type: Theme; Vulnerable versions: <= 3.5; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: PHP Object Injection; CVE: CVE-2025-32283; Patch priority: High; CVSS severity: High 8.8; PSID: 835d026bbefc; Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity...
WordPress Featured Image Plus plugin <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Featured Image Update vulnerability
Missing Authorization to Authenticated (Subscriber+) Featured Image Update vulnerability discovered by Kishan Vyas in WordPress Plugin Featured Image Plus versions <= 1.6.4...
WordPress Infility Global plugin <= 2.14.51 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Martino Spagnuolo r3verii in WordPress Plugin Infility Global versions <= 2.14.51...
WordPress Bold Page Builder plugin <= 5.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via additional_settings Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via additional_settings Parameter vulnerability discovered by muhammad yudha in WordPress Plugin Bold Page Builder versions <= 5.3.6...
WordPress Smash Balloon Instagram Feed plugin <= 6.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-plugin` Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via `data-plugin` Attribute vulnerability discovered by Asaf Mozes in WordPress Plugin Instagram Feed versions <= 6.9.0...
WordPress Property plugin 1.0.5-1.0.6 - Missing Authorization to Authenticated (Author+) Privilege Escalation via property_package_user_role Metadata in PayPal Registration vulnerability
Missing Authorization to Authenticated (Author+) Privilege Escalation via property_package_user_role Metadata in PayPal Registration vulnerability discovered by kr0d in WordPress Plugin Property versions 1.0.5-1.0.6...
WordPress eMagicOne Store Manager for WooCommerce plugin <= 1.2.5 - Unauthenticated Arbitrary File Upload via set_file() vulnerability
Unauthenticated Arbitrary File Upload via set_file() vulnerability discovered by Ryan Kozak in WordPress Plugin eMagicOne Store Manager versions <= 1.2.5...
WordPress WP SMTP plugin <= 2.1.5 - Unauthenticated Stored Cross-Site Scripting via Email vulnerability
Unauthenticated Stored Cross-Site Scripting via Email vulnerability discovered by zer0gh0st in WordPress Plugin WP SMTP versions <= 2.1.5...
WordPress Blog2Social: Social Media Auto Post & Scheduler plugin < 8.4.0 - Contributor+ Stored XSS vulnerability
Contributor+ Stored XSS vulnerability discovered by Krugov Artyom in WordPress Plugin Blog2Social versions < 8.4.0...
WordPress Infocob CRM Forms plugin <= 2.4.0 - Arbitrary File Download vulnerability
Arbitrary File Download vulnerability discovered by astra.r3verii in WordPress Plugin Infocob CRM Forms versions <= 2.4.0...
WordPress Advanced Database Cleaner PRO Plugin <= 3.2.10 - Limited .txt Path Traversal vulnerability
Limited .txt Path Traversal vulnerability discovered by Rafie Muhammad Patchstack in WordPress Plugin Advanced Database Cleaner PRO versions <= 3.2.10...
WordPress ReDi Restaurant Reservation plugin <= 24.1209 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Ryan Novotny in WordPress Plugin ReDi Restaurant Reservation versions <= 24.1209...
WordPress User Meta plugin <= 3.1.2 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by stealthcopter in WordPress Plugin User Meta versions <= 3.1.2...
WordPress Ads Pro plugin <= 4.89 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Nguyễn Trung Kiên anhchangmutrang in WordPress Plugin Ads Pro versions <= 4.89...
WordPress Tourmaster plugin <= 5.3.8 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds in WordPress Plugin Tourmaster versions <= 5.3.8...
WordPress Pix 4x sem juros - Pagaleve plugin <= 1.6.9 - PHP Object Injection Vulnerability
WordPress Pix 4x sem juros - Pagaleve plugin <= 1.6.9 - PHP Object Injection Vulnerability discovered by timomangcut Patchstack Alliance in WordPress Plugin Pix 4x sem juros - Pagaleve versions <= 1.6.9...