PT-2025-27346 · WordPress · Db Backup +1
Name of the Vulnerable Software and Affected Versions: EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress versions up to, and including, 5.25.11 Description: The issue is related to Stored Cross-Site Scripting via the plugin's SQLREPORT shortcode due to insufficient input...
WordPress HT Mega – Absolute Addons for WPBakery Page Builder plugin <= 1.0.8 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by theviper17 in WordPress Plugin HT Mega – Absolute Addons for WPBakery Page Builder versions <= 1.0.8...
Exploit for PHP Remote File Inclusion in Wpplugins Hide_My_Wp_Ghost
CVE-2025-26909 Vulnerability Scanner A Python-based scanner a...
CVE-2025-5034 WP File Download < 6.2.6 - Reflected XSS
The wp-file-download WordPress plugin before 6.2.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting...
PT-2025-25642
Name of the Vulnerable Software and Affected Versions Drag and Drop Multiple File Upload for Contact Form 7 versions 1.3.8.9 and earlier Description The issue is related to insufficient file type validation, allowing unauthenticated attackers to bypass the plugin's blacklist and upload dangerous...
PT-2025-25371 · WordPress · Irm Newsroom
Name of the Vulnerable Software and Affected Versions: IRM Newsroom plugin for WordPress versions up to, and including, 1.2.17 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'irmcalendarview' shortcode due to insufficient input sanitization and output escaping o...
PT-2025-24506 · WordPress · Icegram Collect
Name of the Vulnerable Software and Affected Versions: Icegram Collect – Easy Form, Lead Collection and Subscription plugin versions 1.3.18 and earlier Description: The issue is related to a Missing Authorization vulnerability, which allows exploiting incorrectly configured access control securit...
Abandoned Cart Lite for WooCommerce - Authentication Bypass
The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.14.2. This is due to insufficient encryption on the user being supplied during the abandoned cart link decode through the plugin. This allows unauthenticated...
golang-github-teddysun-v2ray-plugin-5.25.0-1.1 on GA media (moderate)
golang-github-teddysun-v2ray-plugin-5.25.0-1.1 on GA media Announcement ID: openSUSE-SU-2025:15193-1 Rating: moderate Cross-References: CVE-2025-297850 Affected Products: openSUSE Tumbleweed An update that solves one vulnerability can now be installed. Description: These are all security issues...
PT-2025-22837
Name of the Vulnerable Software and Affected Versions eMagicOne Store Manager for WooCommerce plugin for WordPress versions 1.2.5 and earlier Description The issue is related to insufficient file path validation in the delete file function, allowing unauthenticated attackers to delete arbitrary...
CVE-2024-42354
Shopware is an open commerce platform. The store-API works with regular entities and does not expose all fields for the public API; fields need to be marked as ApiAware in the EntityDefinition. Only ApiAware fields of the EntityDefinition will be encoded to the final JSON. Prior to versions 6.6.5.1...
CVE-2023-22730
Shopware is an open source commerce platform based on the Symfony Framework and Vue.js. In affected versions it was possible to put the same line item multiple times in the cart using the API. The Cart Validators checked the line item's individuality and the user was able to bypass quantity limits in...
CVE-2022-1832
The CaPa Protect WordPress plugin through 0.5.8.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack and disable the applied protection...
CVE-2021-24130
Unvalidated input in the Manage Locations page within the plugin settings of the WP Google Map Plugin WordPress plugin, versions before 4.1.5, was vulnerable to SQL Injection through a high privileged user admin+...
WordPress AutomatorWP plugin <= 5.2.1.3 - SQL Injection Vulnerability
SQL Injection Vulnerability discovered by RoyTdd in WordPress Plugin AutomatorWP versions <= 5.2.1.3...
PT-2025-21886 · WordPress · Ninja Forms
Name of the Vulnerable Software and Affected Versions: Ninja Forms WordPress plugin versions prior to 3.10.1 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This can occur even when the unfiltered_html capability is disallowed, f...
PT-2025-21789 · WordPress · Wp Booking Calendar
Name of the Vulnerable Software and Affected Versions: WP Booking Calendar plugin for WordPress versions up to, and including, 10.11.1 Description: The issue is related to Stored Cross-Site Scripting via the plugin's wpbc shortcode due to insufficient input sanitization and output escaping on...
PT-2025-21521 · WordPress · Hustle
Name of the Vulnerable Software and Affected Versions: Hustle WordPress plugin versions 7.8.5 and earlier Description: The issue concerns the Hustle WordPress plugin, which does not properly sanitise and escape some of its settings. This could allow high-privilege users, such as editors, to perfo...
PT-2025-21379 · WordPress · Abitgone Commentsafe
Name of the Vulnerable Software and Affected Versions: aBitGone CommentSafe WordPress plugin versions 1.0.0 and earlier Description: The issue concerns the lack of CSRF checks in certain areas and missing sanitization as well as escaping. This could allow attackers to make logged-in admins add...
PT-2025-21369 · WordPress · Edd-Google-Sheet-Connector-Pro +1
Name of the Vulnerable Software and Affected Versions: edd-google-sheet-connector-pro WordPress plugin versions prior to 1.4 Easy Digital Downloads Google Sheet Connector WordPress plugin versions prior to 1.6.6 Description: The issue concerns a lack of CSRF check when updating the Access Code,...