CVE-2024-11778 CanadaHelps Embedded Donation <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The CanadaHelps Embedded Donation Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'embedcdn' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

WordPress plugin Master Slider 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability...

CVE-2024-13565

CVE-2024-13565 is tied to the WordPress plugin Simple Map No API . The initial description states a stored cross-site scripting (XSS) vulnerability via the width parameter in all versions up to and including 1.9 due to insufficient input sanitization and output escaping, enabling authenticated us...

CVE-2025-22291 WordPress LTL Freight Quotes – Worldwide Express Edition plugin <= 5.0.20 - Arbitrary Content Deletion vulnerability

Missing Authorization vulnerability in enituretechnology LTL Freight Quotes – Worldwide Express Edition ltl-freight-quotes-worldwide-express-edition allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LTL Freight Quotes – Worldwide Express Edition: from n/a...

CVE-2024-13439

The Team – Team Members Showcase Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the response function in all versions up to, and including, 4.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...

CVE-2024-13735

CVE-2024-13735 : HurryTimer (WordPress plugin) is affected up to version 2.11.2 with a stored cross-site scripting vulnerability in the campaign name due to insufficient input sanitization and output escaping. Exploitation requires authenticated access at Contributor level or higher; a malicious ...

CVE-2024-13692 Return Refund and Exchange For WooCommerce <= 4.4.5 - Authenticated (Subscriber+) Insecure Direct Object Reference

The Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.4.5 via several functions due to missing validation on a user...

Wordfence Intelligence Weekly WordPress Vulnerability Report (February 3, 2025 to February 9, 2025)

Did you know Wordfence runs aBug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability , for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we...

WordPress plugin Small Package Quotes – UPS Edition SQL注入漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A SQL injection vulnerabili...

CVE-2025-25088 WordPress WP Keyword Monitor Plugin <=1.0.5 - CSRF to Stored XSS vulnerability

Cross-Site Request Forgery CSRF vulnerability in blackus3r WP Keyword Monitor allows Stored XSS. This issue affects WP Keyword Monitor: from n/a through 1.0.5...

CVE-2024-13841

CVE-2024-13841 affects the WordPress plugin Builder Shortcode Extras – WordPress Shortcodes Collection to Save You Time. It allows information exposure via the bse-elementor-template shortcode in all versions up to 1.0.0, enabling authenticated attackers with Contributor-level access and above to...

CVE-2021-4348

The Ultimate GDPR & CCPA plugin for WordPress is vulnerable to unauthenticated settings import and export via the exportsettings & importsettings functions in versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to change plugin settings and conduct attacks suc...

CVE-2022-1900

The Copify plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.0. This is due to missing nonce validation on the CopifySettings page. This makes it possible for unauthenticated attackers to update the plugins settings and inject malicious web...

CVE-2024-12313

The Compare Products for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.1 via deserialization of untrusted input from the 'woocomparelist' cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No know...

CVE-2024-3293

The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to blind SQL Injection via the rtmediagallery shortcode in all versions up to, and including, 4.6.18 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing...

CVE-2024-3067

The WooCommerce Google Feed Manager plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 2.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possib...

CVE-2024-10728

The Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the 'installrequiredplugincallback' function in all versions up to, and including, 4.1.16. This makes it possible...

CVE-2024-42357

Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the...

CVE-2024-42356

Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the context variable is injected into almost any Twig Template and allows to access to current language, currency information. The context object allows also to switch for a short time the scope of the Context as a...

CVE-2024-28236

Vela is a Pipeline Automation CI/CD framework built on Linux container technology written in Golang. Vela pipelines can use variable substitution combined with insensitive fields like parameters, image and entrypoint to inject secrets into a plugin/image and — by using common substitution string...