CVE-2025-4597

The Woo Slider Pro – Drag Drop Slider Builder For WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wooslideprodeletedraftpreview AJAX action in all versions up to, and including, 1.12. This makes it possible for...

CVE-2025-5287 Likes and Dislikes Plugin <= 1.0.0 - Unauthenticated SQL Injection

The Likes and Dislikes Plugin plugin for WordPress is vulnerable to SQL Injection via the 'post' parameter in all versions up to, and including, 1.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible f...

WordPress 4stats plugin <= 2.0.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability

Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by johska in WordPress Plugin 4stats versions = 2.0.9...

CVE-2025-0860

The VR-Frases collect & share quotes plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via several parameters in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVE-2024-9383

The Parcel Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'action' parameter in all versions up to, and including, 1.8.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scrip...

CVE-2024-9221

The Tainacan plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of addqueryarg without appropriate escaping on the URL in all versions up to, and including, 0.21.10. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...

CVE-2024-9064

The Elementor Inline SVG plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and...

CVE-2024-7317

The Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.3 due to insufficient input sanitization and output escaping. This makes it...

CVE-2024-1213

The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5.4. This is due to missing or incorrect nonce validation on the esfinstasaveaccesstoken and efblsavefacebookaccesstoken...

CVE-2024-1278

The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'efblikebox' shortcode in all versions up to, and including, 6.5.4 due to insufficient input sanitization and output escaping on user supplied...

CVE-2024-7355

The Organization chart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘titleinput’ and 'nodedescription' parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

CVE-2024-6334

The Easy Table of Contents WordPress plugin before 2.0.67.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed...

CVE-2024-7791

The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘arrow’ parameter within the Post Grid widget in all versions up to, and including, 1.4.4.3 due to insufficient input sanitization and output escaping. This makes it...

CVE-2024-0512

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.87. This is due to missing or incorrect nonce validation on the addtowishlist function. This makes it possible for unauthenticated attackers to add...

CVE-2024-4474

The WP Logs Book WordPress plugin through 1.0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

CVE-2024-12395

The WooCommerce Additional Fees On Checkout Free plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘number’ parameter in all versions up to, and including, 1.4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

CVE-2024-12566

The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in...

CVE-2024-41675

CKAN is an open-source data management system for powering data hubs and data portals. The Datatables view plugin did not properly escape record data coming from the DataStore, leading to a potential XSS vector. Sites running CKAN = 2.7.0 with the datatablesview plugin activated. This is a plugin...

CVE-2024-3406

The WP Prayer WordPress plugin through 2.0.9 does not have CSRF check in place when updating its email settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

CVE-2024-5280

The wp-affiliate-platform WordPress plugin before 6.5.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make non-logged in users execute an XSS payload via a CSRF attack...