CVE-2025-3702

CVE-2025-3702 describes a Missing Authorization (broken access control) vulnerability in the WordPress Melapress File Monitor plugin, affecting versions prior to 2.2.0. Multiple sources consolidate the same issue. The root cause is improperly configured access control levels that can be exploited...

CVE-2024-7892

The adstxt Plugin WordPress plugin through 1.0.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

CVE-2024-4445

The WP Compress – Image Optimizer All-In-One plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the several functions in versions up to, and including, 6.20.01. This makes it possible for authenticated attackers, with subscriber-level...

CVE-2023-36384

Unauth. Reflected Cross-Site Scripting XSS vulnerability in CodePeople Booking Calendar Contact Form plugin = 1.2.40 versions...

CVE-2023-31233

Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Haoqisir Baidu Tongji generator plugin = 1.0.2 versions...

CVE-2023-44230

Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Gopi Ramasamy Popup contact form plugin = 7.1 versions...

CVE-2023-2351

The WP Directory Kit plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'ajaxadmin' function in versions up to, and including, 1.2.3. This makes it possible for authenticated attackers with subscriber-level permissions...

CVE-2021-24791

The Header Footer Code Manager WordPress plugin before 1.1.14 does not validate and escape the "orderby" and "order" request parameters before using them in a SQL statement when viewing the Snippets admin dashboard, leading to SQL injections...

CVE-2021-24763

The Perfect Survey WordPress plugin before 1.5.2 does not have proper authorisation nor CSRF checks in the saveglobalsetting AJAX action, allowing unauthenticated users to edit surveys and modify settings. Given the lack of sanitisation and escaping in the settings, this could also lead to a Stor...

CVE-2021-24636

The Print My Blog WordPress Plugin before 3.4.2 does not enforce nonce CSRF checks, which allows attackers to make logged in administrators deactivate the Print My Blog plugin and delete all saved data for that plugin by tricking them to open a malicious link...

CVE-2021-21614

Jenkins Bumblebee HP ALM Plugin 4.1.5 and earlier stores credentials unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system...

CVE-2016-11008

The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpipaypal payer metadata updates...

CVE-2014-8364

Cross-site scripting XSS vulnerability in sshandler.php in the WordPress Spreadsheet wpSS plugin 0.62 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ssid parameter...

CVE-2025-4099

The List Children plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'listchildren' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

WordPress WP Easy Poll Plugin <= 2.2.9 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting XSS vulnerability discovered by Le Ngoc Anh in WordPress Plugin WP Easy Poll versions = 2.2.9...

CVE-2024-3293

The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to blind SQL Injection via the rtmediagallery shortcode in all versions up to, and including, 4.6.18 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing...

CVE-2024-4346

The Startklar Elementor Addons plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.7.13. This is due to the plugin not properly validating the path of an uploaded file prior to deleting it. This makes it possible for unauthenticated attackers to...

CVE-2024-56298 WordPress Pretty Simple Popup Builder Plugin <= 1.0.9 - Stored Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in 5 Star Plugins Pretty Simple Popup Builder allows Stored XSS.This issue affects Pretty Simple Popup Builder: from n/a through 1.0.9...

CVE-2023-47648 WordPress EazyDocs plugin <= 2.3.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in Spider Themes EazyDocs eazydocs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EazyDocs: from n/a through = 2.3.5...

CVE-2023-47515 WordPress Seers | GDPR & CCPA Cookie Consent & Compliance plugin <= 8.1.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Seers Seers allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Seers: from n/a through 8.1.1...