CVE-2026-25002 WordPress LearnPress – Sepay Payment plugin <= 4.0.0 - Broken Authentication vulnerability

Authentication Bypass Using an Alternate Path or Channel vulnerability in ThimPress LearnPress – Sepay Payment learnpress-sepay-payment allows Authentication Abuse.This issue affects LearnPress – Sepay Payment: from n/a through = 4.0.0...

CVE-2025-14976

CVE-2025-14976 : The WordPress plugin “User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder” is affected by Cross-Site Request Forgery due to missing/incorrect nonce validation in process_row_actions f...

WordPress Add Custom Codes plugin <= 4.80 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Certus Cybersecurity in WordPress Plugin Add Custom Codes versions = 4.80...

CVE-2025-28953 WordPress smart SEO plugin <= 4.0 - SQL Injection Vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in axiomthemes smart SEO smartSEO allows SQL Injection.This issue affects smart SEO: from n/a through = 4.0...

CVE-2025-49953

Summary: CVE-2025-49953 affects the WordPress plugins ShareBang and Ultimate Social Share Buttons for WordPress (versions through 1.4). Vulnerability: Improper input neutralization during web page generation enables Reflected Cross-Site Scripting (XSS). Root cause: Inadequate handling of user-sup...

CVE-2025-10128 Eulerpool Research Systems <= 4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Eulerpool Research Systems plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'aaq' shortcode in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2025-59585

CVE-2025-59585 affects the WordPress plugin Penci Recipe. The connected document confirms a DOM-based XSS due to improper input neutralization during web page generation, affecting Penci Recipe versions from n/a through 4.0. The CVSS metrics indicate a network-accessible, low-privilege, low-impac...

CVE-2025-57963 WordPress Zoho Billing Plugin <= 4.1 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Zoho Subscriptions Zoho Billing zoho-subscriptions allows DOM-Based XSS.This issue affects Zoho Billing: from n/a through = 4.1...

CVE-2025-9202 ColorMag <= 4.0.19 - Missing Authorization to Authenticated (Subscriber+) ThemeGrill Demo Importer Plugin Installation

The ColorMag theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the welcomenoticeimporthandler function in all versions up to, and including, 4.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above...

CVE-2023-23660

Auth. subscriber+ SQL Injection SQLi vulnerability in MainWP MainWP Maintenance Extension plugin = 4.1.1 versions...

WordPress Appointmind plugin <= 4.0.0 - CSRF to Stored XSS vulnerability

CSRF to Stored XSS vulnerability discovered by SOPROBRO Patchstack Alliance in WordPress Plugin Appointmind versions = 4.0.0...

WordPress Easy Gallery plugin <= 1.4 - SQL Injection vulnerability

SQL Injection vulnerability discovered by LVT-tholv2k Patchstack Alliance in WordPress Plugin Easy Gallery versions = 1.4...

WordPress plugin Starter Templates 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site scripting...

PT-2024-35136 · WordPress · The Easy Social Like Box – Popup – Sidebar Widget

Name of the Vulnerable Software and Affected Versions: The Easy Social Like Box – Popup – Sidebar Widget plugin for WordPress versions up to, and including, 4.0 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'cardoza facebook like box' shortcode due to...