PT-2025-26279 · WordPress · Custom Post Carousels With Owl
Name of the Vulnerable Software and Affected Versions: Custom Post Carousels with Owl WordPress plugin versions prior to 1.4.12 Description: The issue concerns the use of the featherlight library and the data-featherlight attribute without proper sanitization. This could potentially lead to...
WordPress CP Polls plugin <= 1.0.81 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nabil Irawan in WordPress Plugin CP Polls versions <= 1.0.81...
WordPress WP Roadmap plugin <= 2.1.3 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Peter Thaleikis in WordPress Plugin WP Roadmap versions <= 2.1.3...
CVE-2025-5209 Ivory Search < 5.5.10 - Admin+ Stored XSS
The Ivory Search WordPress plugin before 5.5.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed...
Unspecified vulnerability in WordPress Password Policy Manager plugin
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress plugin is an application plugin. A security vulnerability exists in the WordPress Password Policy Manager plugin that stems from its susceptibility to authentication bypass attacks; no detailed vulnerability details...
WordPress XiSearch bar plugin <= 2.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by johska in WordPress Plugin XiSearch bar versions <= 2.6...
CVE-2025-5282
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deletepackage function in all versions up to, and including, 6.5.1. This makes it possible for unauthenticated attackers to...
WordPress Advanced Settings plugin <= 3.0.1 - Cross Site Request Forgery (CSRF) Vulnerability
Cross Site Request Forgery (CSRF) Vulnerability discovered by Mika in WordPress Plugin Advanced Settings versions <= 3.0.1...
WordPress Responsive Plus plugin <= 3.2.2 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability
Cross Site Request Forgery (CSRF) to Settings Change vulnerability discovered by Chazz Wolcott (Patchstack) in WordPress Plugin Responsive Plus versions <= 3.2.2...
PT-2025-25181 · WordPress · Wp-Downloadmanager
Name of the Vulnerable Software and Affected Versions: WP-DownloadManager versions 1.68.10 and earlier Description: The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file deletion due to a lack of restriction on the directory from which a file can be deleted. This allows...
WordPress plugin Blogty security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress plugin is an application plugin. A file inclusion vulnerability exists in the WordPress Blogty plugin that stems from not doing effective filtering of local file resource calls, which can be exploited by an...
CVE-2025-5568 WpEvently <= 4.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
The WpEvently plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and...
CVE-2025-2935
CVE-2025-2935 (WordPress Wordfence entry confirmed) : The Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 2024.7. The root cause is missing or incorrect nonce validation in the files ss_option_ma...
CVE-2025-5019 Hive Support <= 1.2.5 - Cross-Site Request Forgery via hs_update_ai_chat_settings Function
The Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the hs_update_ai_chat_settings function. This mak...
WordPress WP Security Master plugin <= 1.0.2 - Cross Site Request Forgery (CSRF) Vulnerability
Cross Site Request Forgery (CSRF) Vulnerability discovered by Chu The Anh (Blue Rock) in WordPress Plugin WP Security Master versions <= 1.0.2...
WordPress Complete Google Seo Scan plugin <= 3.5.1 - SQL Injection Vulnerability
SQL Injection Vulnerability discovered by Nguyen Quang Minh (VCI - VNPT Cyber Immunity) in WordPress Plugin Complete Google Seo Scan versions <= 3.5.1...
WordPress Quick Event Calendar plugin <= 1.4.9 - Cross Site Request Forgery (CSRF) Vulnerability
Cross Site Request Forgery (CSRF) Vulnerability discovered by haudayroi (BlueRock) in WordPress Plugin Quick Event Calendar versions <= 1.4.9...
WordPress WP Gravity Forms Constant Contact Plugin <= 1.1.0 - Open Redirection Vulnerability
Open Redirection Vulnerability discovered by Bonds in WordPress Plugin WP Gravity Forms Constant Contact Plugin versions <= 1.1.0...
WordPress HT Team Member plugin <= 1.1.7 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by muhammad yudha in WordPress Plugin HT Team Member versions <= 1.1.7...
CVE-2025-4590
CVE-2025-4590 affects the Daisycon prijsvergelijkers WordPress plugin (versions up to and including 4.8.4). The issue is a Stored Cross-Site Scripting vulnerability in the plugin’s daisycon_uitvaart shortcode caused by insufficient input sanitization and output escaping on user-supplied attribute...