CVE-2025-4474
The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the fedadminsettingformfunction function in versions 1.0 to 2.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the...
WordPress plugin Tours Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...
WordPress Weluka Lite plugin <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Chuck in WordPress Plugin Weluka Lite versions <= 1.0.3...
CVE-2025-4335
The Woocommerce Multiple Addresses plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.7.1. This is due to insufficient restrictions on user meta that can be updated through the savemultipleshippingaddresses function. This makes it possible for...
WordPress Productive Commerce plugin <= 1.1.38 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Aiden in WordPress Plugin Productive Commerce versions <= 1.1.38...
WordPress Wiki Embed plugin <= 1.4.6 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability
Cross Site Request Forgery (CSRF) to Settings Change vulnerability discovered by Chu The Anh Blue Rock in WordPress Plugin Wiki Embed versions <= 1.4.6...
WordPress PDF Invoice Builder for WooCommerce plugin <= 5.3.8 - SQL Injection Vulnerability
SQL Injection Vulnerability discovered by Ngo Bui Truong Vu in WordPress Plugin PDF Invoice Builder for WooCommerce versions <= 5.3.8...
CVE-2025-4220
CVE-2025-4220 affects the WordPress plugin Xavin’s List Subpages. The issue is a Stored Cross-Site Scripting via the plugin’s 'xls' shortcode caused by insufficient input sanitization and output escaping of user-supplied attributes. Attack requires authenticated access at contributor level or hig...
CVE-2025-2821
CVE-2025-2821 affects the WordPress Search Exclude plugin (versions up to and including 2.4.9). The root cause is a missing capability check in the get_rest_permission function, enabling unauthorized modification of plugin settings and exclusion of content from search results by unauthenticated a...
WordPress plugin Bulk Featured Image Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability exist...
CVE-2025-3281
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.1 via the createstripesubscription function, due to missing validation on the 'memberid' use...
CVE-2024-13858
The CVE-2024-13858 entry concerns the BuddyBoss Platform plugin for WordPress and BuddyBoss Theme, affected by a Stored Cross-Site Scripting via the invitee_name parameter. Affected versions are all up to 2.8.50 (platform) and 2.8.41 (theme), with insufficient input sanitization and output escapi...
CVE-2024-13381
The Calculated Fields Form WordPress plugin before 5.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
CVE-2025-4099
The List Children plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'listchildren' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2025-3952
The Projectopia – WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'ptoremovelogo' function in all versions up to, and including, 5.1.16. This makes it possible for...
PT-2025-17945 · WordPress · Smart Form Plugin
Name of the Vulnerable Software and Affected Versions: Create custom forms for WordPress with a smart form plugin for smart businesses versions 1.2.4 and earlier Description: The issue allows unauthenticated attackers to execute arbitrary shortcodes due to the software not properly validating a...
WordPress 1 Decembrie 1918 plugin <= 1.dec.2012 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by johska in WordPress Plugin 1 Decembrie 1918 versions <= 1.dec.2012...
WordPress GTDB Guitar Tuners plugin <= 4.2.2 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by johska in WordPress Plugin GTDB Guitar Tuners versions <= 4.2.2...
WordPress WP Filter Post Category plugin <= 2.1.4 - Cross Site Request Forgery (CSRF) to Stored XSS vulnerability
Cross Site Request Forgery (CSRF) to Stored XSS vulnerability discovered by johska in WordPress Plugin WP Filter Post Category versions <= 2.1.4...
WordPress Animate plugin <= 0.5 - Server Side Request Forgery (SSRF) Vulnerability
Server Side Request Forgery (SSRF) Vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Animate versions <= 0.5...