PT-2025-21415
Name of the Vulnerable Software and Affected Versions: jwp-a11y WordPress plugin versions 4.1.7 and earlier Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This is possible because some settings are not properly sanitised and...
PT-2025-21537 · WordPress · Cp-Polls
Name of the Vulnerable Software and Affected Versions: Polls CP WordPress plugin versions prior to 1.0.77 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This is possible because the plugin does not properly sanitise and escape...
PT-2025-21514 · WordPress · Babelz
Name of the Vulnerable Software and Affected Versions: BabelZ WordPress plugin versions 1.1.5 and earlier Description: The issue concerns the lack of CSRF check and missing sanitization as well as escaping in certain areas of the plugin. This could allow attackers to make logged-in admins add...
WordPress Uncanny Automator plugin <= 6.4.0.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update vulnerability
Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update vulnerability discovered by mikemyers in WordPress Plugin Uncanny Automator versions <= 6.4.0.2...
PT-2025-20486 · WordPress · Frontend Login/Registration Blocks
Name of the Vulnerable Software and Affected Versions: Frontend Login and Registration Blocks plugin for WordPress versions 1.0.0 through 1.0.7 Description: The issue is related to privilege escalation via account takeover. This occurs because the plugin does not properly validate a user's identi...
PT-2025-20485 · WordPress · 1 Click Wordpress Migration Plugin
Name of the Vulnerable Software and Affected Versions: The 1 Click WordPress Migration Plugin versions prior to 2.3 Description: The issue is related to a missing capability check on the start restore function, allowing authenticated attackers with Subscriber-level access and above to upload...
PT-2025-20364 · WordPress · Wp Seo Structured Data Schema
Name of the Vulnerable Software and Affected Versions: WP SEO Structured Data Schema plugin for WordPress versions up to and including 2.7.11 Description: The issue is related to Stored Cross-Site Scripting via the Price Range parameter, which is caused by insufficient input sanitization and outp...
Recently Disclosed SureTriggers Critical Privilege Escalation Vulnerability Under Active Exploitation
On May 2nd, 2025, the Wordfence Threat Intelligence team added a new critical vulnerability in the OttoKit: All-in-One Automation Platform (Formerly SureTriggers) plugin to the Wordfence Intelligence vulnerability database; it had been publicly disclosed by a third-party CNA on April 30th, 2025. This vulnerabili...
PT-2025-18362 · WordPress · Calculated Fields Form
Name of the Vulnerable Software and Affected Versions: Calculated Fields Form WordPress plugin versions prior to 5.2.62 Description: The issue concerns the Calculated Fields Form WordPress plugin, which does not properly sanitise and escape some of its settings. This could allow high-privilege...
PT-2025-18229 · WordPress · Wp Statistics
Name of the Vulnerable Software and Affected Versions: The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin versions up to, and including, 14.13.3 Description: The issue is related to unauthorized modification of data due to a missing capability check on the optionUpdater...
PT-2025-17883 · WordPress · Prevent Direct Access – Protect Wordpress Files
Name of the Vulnerable Software and Affected Versions: Prevent Direct Access – Protect WordPress Files plugin versions up to, and including, 2.8.8 Description: The issue allows unauthenticated attackers to extract sensitive data, including files protected by the plugin, due to insufficient...
PT-2025-17714 · WordPress · Elex Woocommerce Advanced Bulk Edit Products
Name of the Vulnerable Software and Affected Versions: ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes plugin for WordPress versions up to, and including, 1.4.9 Description: The issue allows authenticated attackers with Subscriber-level access and above to perform SQL Injection...
PT-2025-16939 · WordPress · The Ultimate Dashboard
Name of the Vulnerable Software and Affected Versions: The Ultimate Dashboard WordPress plugin versions prior to 3.8.6 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This can occur even when the unfiltered html capability is...
CVE-2025-30151 Shopware allows Denial Of Service via password length
Shopware is an open commerce platform. It is possible to pass long passwords that lead to Denial of Service via Storefront forms or the Store-API. This vulnerability is fixed in 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also available via a plugin...
PT-2025-15332 · WordPress · Melhor Envio
Name of the Vulnerable Software and Affected Versions: Melhor Envio plugin for WordPress versions up to and including 2.15.9 Description: The issue allows unauthenticated attackers to extract sensitive data, including environment information, plugin tokens, shipping configurations, and limited...
WordPress Accept SagePay Payments Using Contact Form 7 plugin <= 2.0 - Unauthenticated Information Exposure vulnerability
Unauthenticated Information Exposure vulnerability discovered by Avraham Shemesh in WordPress Plugin Accept SagePay Payments Using Contact Form 7 versions <= 2.0...
PT-2025-14068 · Unknown · Romethemekit For Elementor
Name of the Vulnerable Software and Affected Versions: RomethemeKit For Elementor versions n/a through 1.5.4 Description: The issue is related to an Improper Control of Generation of Code ('Code Injection') vulnerability, which allows Command Injection. This problem affects over 30,000 active sites...
PT-2025-12479 · WordPress · Export/Import Users/Customers
Name of the Vulnerable Software and Affected Versions: Export and Import Users and Customers plugin for WordPress versions prior to 2.6.3 Description: The issue is related to insufficient file path validation in the admin log page function, allowing authenticated attackers with Administrator-leve...
PT-2025-7330 · WordPress · Master Slider Wordpress Plugin
Name of the Vulnerable Software and Affected Versions: Master Slider WordPress plugin versions prior to 3.10.5 Description: The Master Slider WordPress plugin does not sanitise and escape some of its settings, which could allow high privilege users, such as Editor and above, to perform Stored...
WordPress Shortcodes Ultimate Plugin < 7.0.5 - Contributor+ Stored XSS Vulnerability
The WordPress plugin ... (CPE: cpe:/a:getshortcodes:shortcodesultimate)