
1398 matches found

Patchstack
added 2025/04/24 5:1 p.m. · 4 views

WordPress SCSS-Library plugin <= 0.4.1 - Cross Site Request Forgery (CSRF) Vulnerability

Cross Site Request Forgery (CSRF) Vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin SCSS-Library versions <= 0.4.1...

CVSS 4.3 · AI score 8 · EPSS 0.0018
Exploits 0 · Affected Software 1

Vulnrichment
added 2025/04/24 8:23 a.m. · 4 views

CVE-2025-2543 Advanced Accordion Gutenberg Block <= 5.0.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The Advanced Accordion Gutenberg Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-lev...

CVSS 6.4 · AI score 5.8 · EPSS 0.00091
Exploits 0 · References 5

CNNVD
added 2025/04/24 12:0 a.m. · 1 view

WordPress plugin Tabs Cross-Site Request Forgery Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site reque...

CVSS 7.1 · AI score 7.3 · EPSS 0.00188
Exploits 0 · References 1

Patchstack
added 2025/04/22 2:4 a.m. · 7 views

WordPress Ocean Extra plugin <= 2.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by muhammad yudha in WordPress Plugin Ocean Extra versions <= 2.4.6...

CVSS 6.4 · AI score 6.3 · EPSS 0.00166
Exploits 0 · References 1 · Affected Software 1

Positive Technologies
added 2025/04/22 12:0 a.m. · 2 views

PT-2025-17486

Name of the Vulnerable Software and Affected Versions: Front End Users WordPress plugin versions 3.2.32 and earlier Description: The issue is related to a Reflected Cross-Site Scripting problem, where the Front End Users WordPress plugin does not properly sanitise and escape a parameter before...

CVSS 7.1 · AI score 8.1 · EPSS 0.00621
Exploits 1 · References 9

Patchstack
added 2025/04/21 6:35 p.m. · 5 views

WordPress AFI plugin < 1.100.0 - Admin+ Stored XSS vulnerability

Admin+ Stored XSS vulnerability discovered by Bob Matyas in WordPress Plugin Advanced Form Integration versions < 1.100.0...

CVSS 3.5 · AI score 6 · EPSS 0.00107
Exploits 1 · References 1 · Affected Software 1

Positive Technologies
added 2025/04/19 12:0 a.m. · 2 views

PT-2025-17357 · WordPress · Insert Headers/Footers

Name of the Vulnerable Software and Affected Versions: Insert Headers And Footers plugin for WordPress versions up to, and including, 3.1.1 Description: The issue is due to missing or incorrect nonce validation on the custom plugin set option function, making it possible for unauthenticated...

CVSS 7.5 · AI score 8.1 · EPSS 0.0021
Exploits 0 · References 12

Patchstack
added 2025/04/18 11:53 p.m. · 2 views

WordPress User Registration & Membership Pro plugin <= 5.1.3 - Cross-Site Request Forgery to User Deletion vulnerability

Cross-Site Request Forgery to User Deletion vulnerability discovered by wesley wcraft in WordPress Plugin User Registration & Membership Pro versions <= 5.1.3...

CVSS 4.3 · AI score 8.2 · EPSS 0.0017
Exploits 0 · References 1 · Affected Software 1

Cvelist
added 2025/04/17 3:48 p.m. · 13 views

CVE-2025-24640 WordPress Empty Tags Remover Plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dan-Lucian Stefancu Empty Tags Remover empty-tags-remover allows Reflected XSS. This issue affects Empty Tags Remover: from n/a through <= 1.0...

CVSS 7.1 · EPSS 0.00219
Exploits 0 · References 1

Patchstack
added 2025/04/17 1:22 p.m. · 2 views

WordPress JetElements For Elementor plugin <= 2.7.4.1 - Broken Access Control Vulnerability

Broken Access Control Vulnerability discovered by stealthcopter Patchstack Alliance in WordPress Plugin JetElements For Elementor versions <= 2.7.4.1...

CVSS 7.5 · AI score 8.2 · EPSS 0.00277
Exploits 0 · Affected Software 1

NVD
added 2025/04/17 12:15 p.m. · 19 views

CVE-2025-3487

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘limit’ parameter in all versions up to, and including, 1.42.0 due to insufficient input sanitization and output escaping. This makes it possible for...

CVSS 6.4 · EPSS 0.00562
Exploits 0 · References 4

Patchstack
added 2025/04/16 1:58 p.m. · 3 views

WordPress WPCOM Member plugin <= 1.7.7 - Local File Inclusion Vulnerability

Local File Inclusion Vulnerability discovered by astra.r3verii in WordPress Plugin WPCOM Member versions <= 1.7.7...

CVSS 8.8 · AI score 8.2 · EPSS 0.01601
Exploits 0 · Affected Software 1

Patchstack
added 2025/04/16 1:56 p.m. · 4 views

WordPress Eventin plugin <= 4.0.25 - Local File Inclusion Vulnerability

Local File Inclusion Vulnerability discovered by theviper17 in WordPress Plugin Eventin versions <= 4.0.25...

CVSS 7.5 · AI score 8.2 · EPSS 0.01185
Exploits 0 · Affected Software 1

Github Security Blog
added 2025/04/16 12:31 p.m. · 10 views

Mattermost doesn't restrict domains LLM can request to contact upstream

Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.9 fail to restrict domains the LLM can request to contact upstream which allows an authenticated user to exfiltrate data from an arbitrary server accessible to the victim via performing a prompt injection in the AI plugin's Jira...

CVSS 6.5 · AI score 6.7 · EPSS 0.00176
Exploits 0 · References 4 · Affected Software 1

Cvelist
added 2025/04/15 9:53 p.m. · 13 views

CVE-2025-26996 WordPress Sign-up Sheets plugin <= 2.3.0.1 - Shortcode Injection vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in Fetch Designs Sign-up Sheets sign-up-sheets allows Code Injection. This issue affects Sign-up Sheets: from n/a through <= 2.3.0.1...

CVSS 6.5 · EPSS 0.0015
Exploits 0 · References 1

Patchstack
added 2025/04/14 5:50 p.m. · 3 views

WordPress WP_DEBUG Toggle plugin <= 1.1 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting (XSS) vulnerability discovered by SOPROBRO in WordPress Plugin WP_DEBUG Toggle versions <= 1.1...

CVSS 7.1 · AI score 6.9 · EPSS 0.00669
Exploits 0 · Affected Software 1

NVD
added 2025/04/12 4:15 a.m. · 15 views

CVE-2025-2871

The WordPress Mega Menu – QuadMenu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.0. This is due to missing or incorrect nonce validation on the ajaxdismissnotice function. This makes it possible for unauthenticated attackers to update a...

CVSS 4.3 · EPSS 0.00329
Exploits 0 · References 3

Positive Technologies
added 2025/04/12 12:0 a.m. · 2 views

PT-2025-16169 · WordPress · Wpc Admin Columns

Name of the Vulnerable Software and Affected Versions: WPC Admin Columns plugin for WordPress versions 2.0.6 through 2.1.0 Description: The issue is related to privilege escalation due to the plugin not properly restricting user meta values that can be updated through the ajax edit save function...

CVSS 8.8 · AI score 8.9 · EPSS 0.0034
Exploits 0 · References 12

NVD
added 2025/04/11 1:15 p.m. · 12 views

CVE-2025-3422

The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.1.1. This is due to the software allowing users to execute an action that does not proper...

CVSS 6.3 · EPSS 0.00365
Exploits 0 · References 2

Patchstack
added 2025/04/11 12:17 p.m. · 2 views

WordPress WP Easy Poll Plugin <= 2.2.9 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting (XSS) vulnerability discovered by Le Ngoc Anh in WordPress Plugin WP Easy Poll versions <= 2.2.9...

CVSS 7.1 · AI score 6.9 · EPSS 0.01109
Exploits 0 · Affected Software 1