
1398 matches found

Patchstack
added 2025/07/22 10:23 p.m. | 3 views

WordPress YANewsflash plugin <= 1.0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability

Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by johska in WordPress Plugin YANewsflash versions <= 1.0.3...

6.1 CVSS | 5.6 AI score | 0.00044 EPSS
Exploits: 0 | References: 1 | Affected Software: 1

Vulnrichment
added 2025/07/22 9:22 a.m. | 3 views

CVE-2025-7687 Latest Post Accordian Slider <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The Latest Post Accordian Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the 'lpaccordian' page. This makes it possible for unauthenticated attackers to update settings and...

6.1 CVSS | 6 AI score | 0.00044 EPSS
Exploits: 0 | References: 2

Vulnrichment
added 2025/07/21 7:23 a.m. | 3 views

CVE-2025-4685 Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor <= 3.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

The Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTML data attributes of multiple widgets, in all versions up to, and including, 3.4.8 due to insufficient input sanitization and output escaping. This make...

6.4 CVSS | 5.5 AI score | 0.00164 EPSS
Exploits: 0 | References: 2

Patchstack
added 2025/07/19 4:28 p.m. | 3 views

WordPress bbPress Notify plugin <= 2.19.5 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin bbPress Notify versions <= 2.19.5...

7.1 CVSS | 6.1 AI score | 0.0003 EPSS
Exploits: 0 | Affected Software: 1

NVD
added 2025/07/18 6:15 a.m. | 2 views

CVE-2025-6726

The Block Editor Gallery Slider plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the classicgalleryslideroptions function in all versions up to, and including, 1.1.1. This makes it possible for authenticated attackers, with...

4.3 CVSS | 0.00159 EPSS
Exploits: 0 | References: 3

CNVD
added 2025/07/18 12:0 a.m. | 3 views

WordPress Contest Gallery plugin cross-site scripting vulnerability

WordPress Contest Gallery plugin is a powerful plugin that is mainly used to organize all kinds of online contests in WordPress websites, supporting the uploading and displaying of photos, videos, audios, documents and other types of files. WordPress Contest Gallery plugin suffers from a cross-si...

6.4 CVSS | 6.6 AI score | 0.00164 EPSS
Exploits: 0 | References: 1

CNVD
added 2025/07/18 12:0 a.m. | 1 views

WordPress Broken Link Notifier plugin code issue vulnerability

WordPress Broken Link Notifier plugin is a plugin for monitoring broken links e.g. 404 errors, timeout links, etc. within a website. The WordPress Broken Link Notifier plugin suffers from a code issue vulnerability that stems from the server not implementing an adequate validation mechanism to...

7.2 CVSS | 7 AI score | 0.02479 EPSS
Exploits: 0 | References: 1

Vulnrichment
added 2025/07/17 2:24 a.m. | 3 views

CVE-2025-7712 Madara - Core <= 2.2.3 - Unauthenticated Arbitrary File Deletion

The Madara - Core plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wpmangadeletezip function in all versions up to, and including, 2.2.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, whic...

9.1 CVSS | 7.6 AI score | 0.09395 EPSS
Exploits: 0 | References: 2

Patchstack
added 2025/07/16 12:23 p.m. | 4 views

WordPress Residential Address Detection plugin <= 2.5.9 - Broken Access Control Vulnerability

Broken Access Control Vulnerability discovered by Martino Spagnuolo r3verii in WordPress Plugin Residential Address Detection versions <= 2.5.9...

5.3 CVSS | 6.6 AI score | 0.00229 EPSS
Exploits: 0 | Affected Software: 1

Patchstack
added 2025/07/16 12:17 p.m. | 3 views

WordPress WP Post Hide plugin <= 1.0.9 - Cross Site Request Forgery (CSRF) Vulnerability

Cross Site Request Forgery (CSRF) Vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin WP Post Hide versions <= 1.0.9...

4.3 CVSS | 6.6 AI score | 0.00084 EPSS
Exploits: 0 | Affected Software: 1

NVD
added 2025/07/16 12:15 p.m. | 6 views

CVE-2025-29009

Unrestricted Upload of File with Dangerous Type vulnerability in Webkul Medical Prescription Attachment Plugin for WooCommerce medical-prescription-attachment-plugin-for-woocommerce allows Upload a Web Shell to a Web Server. This issue affects Medical Prescription Attachment Plugin for WooCommerce...

10 CVSS | 0.00181 EPSS
Exploits: 3 | References: 1

Cvelist
added 2025/07/16 11:28 a.m. | 9 views

CVE-2025-30973 WordPress CoSchool LMS plugin <= 1.4.3 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in Codexpert, Inc CoSchool LMS coschool allows Object Injection. This issue affects CoSchool LMS: from n/a through <= 1.4.3...

9.8 CVSS | 0.00369 EPSS
Exploits: 0 | References: 1

Cvelist
added 2025/07/16 11:28 a.m. | 8 views

CVE-2025-47645 WordPress ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes plugin <= 1.4.9 - Subscriber+ SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes elex-bulk-edit-products-prices-attributes-for-woocommerce-basic allows SQL Injection. This issue affects ELEX WooCommer...

8.5 CVSS | 0.00179 EPSS
Exploits: 0 | References: 1

CVE
added 2025/07/16 11:28 a.m. | 15 views

CVE-2025-47645

CVE-2025-47645 is a SQL Injection in ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes (Basic)

8.5 CVSS | 5.9 AI score | 0.00179 EPSS
Exploits: 0 | References: 1

Vulnrichment
added 2025/07/16 11:28 a.m. | 2 views

CVE-2025-47645 WordPress ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes plugin <= 1.4.9 - Subscriber+ SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes allows SQL Injection. This issue affects ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes: from n/a...

8.5 CVSS | 7.2 AI score | 0.00179 EPSS
Exploits: 0 | References: 1

Cvelist
added 2025/07/16 10:36 a.m. | 7 views

CVE-2025-54042 WordPress WP Post Hide plugin <= 1.0.9 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Xfinitysoft WP Post Hide wp-post-hide allows Cross Site Request Forgery. This issue affects WP Post Hide: from n/a through <= 1.0.9...

4.3 CVSS | 0.00084 EPSS
Exploits: 0 | References: 1

CVE
added 2025/07/16 10:36 a.m. | 10 views

CVE-2025-54037

CVE-2025-54037 describes a Missing Authorization vulnerability in the Blazethemes News Kit Elementor Addons WordPress plugin. Affected software: News Kit Elementor Addons (versions up to 1.3.4). Root cause: improperly configured access control security levels that permit unauthorized actions. Imp...

5.4 CVSS | 5.9 AI score | 0.00218 EPSS
Exploits: 0 | References: 1

Cvelist
added 2025/07/16 10:36 a.m. | 7 views

CVE-2025-53990 WordPress JetFormBuilder plugin <= 3.5.1.2 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in jetmonsters JetFormBuilder jetformbuilder allows Object Injection. This issue affects JetFormBuilder: from n/a through <= 3.5.1.2...

7.2 CVSS | 0.00398 EPSS
Exploits: 0 | References: 1

NVD
added 2025/07/16 7:15 a.m. | 5 views

CVE-2025-6747

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fusionmap' shortcode in all versions up to, and including, 3.12.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4 CVSS | 0.00164 EPSS
Exploits: 0 | References: 2

RedhatCVE
added 2025/07/13 8:8 a.m. | 6 views

CVE-2025-7442

The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to SQL Injection via several parameters in the MJgmgtdeleteclasslimitformember, MJgmgtgetyearlyincomeexpense, MJgmgtgetmonthlyincomeexpense, MJgmgtaddclasslimit, MJgmgtviewmeetingdetail, and MJgmgtcreatemeeting functio...

7.5 CVSS | 7.1 AI score | 0.00326 EPSS
Exploits: 0 | References: 1