PT-2025-34243 · WordPress · Eslint-Ban-Moment

Name of the Vulnerable Software and Affected Versions: eslint-ban-moment versions 3.0.0 and earlier Description: The eslint-ban-moment plugin exposes a sensitive Supabase URI in the .env file. A valid Supabase URI containing a username and password grants an attacker complete unauthorized access...

WordPress Varnish/Nginx Proxy Caching plugin <= 1.8.3 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Nabil Irawan Patchstack Alliance in WordPress Plugin Varnish/Nginx Proxy Caching versions = 1.8.3...

CVE-2025-49381 WordPress ads.txt Guru Connect Plugin <= 1.1.1 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery CSRF vulnerability in ads.txt Guru ads.txt Guru Connect adstxt-guru-connect allows Cross Site Request Forgery.This issue affects ads.txt Guru Connect: from n/a through = 1.1.1...

CVE-2025-49422 WordPress Support Ticket Plugin <= 1.9 - Privilege Escalation Vulnerability

Incorrect Privilege Assignment vulnerability in themepassion Support Ticket support-ticket allows Privilege Escalation.This issue affects Support Ticket: from n/a through = 1.9...

CVE-2025-48169 WordPress Code Engine Plugin <= 0.3.3 - Remote Code Execution (RCE) Vulnerability

Improper Control of Generation of Code 'Code Injection' vulnerability in Jordy Meow Code Engine allows Remote Code Inclusion. This issue affects Code Engine: from n/a through 0.3.3...

CVE-2025-54028 WordPress CF7 WOW Styler Plugin <= 1.7.2 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Saleswonder Team Tobias CF7 WOW Styler allows PHP Local File Inclusion. This issue affects CF7 WOW Styler: from n/a through 1.7.2...

CVE-2025-9202 ColorMag <= 4.0.19 - Missing Authorization to Authenticated (Subscriber+) ThemeGrill Demo Importer Plugin Installation

The ColorMag theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the welcomenoticeimporthandler function in all versions up to, and including, 4.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above...

WordPress plugin Page Transition 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability...

WordPress和WordPress plugin 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A security vulnerability exists in WordPres...

WordPress plugin Bit Form builder code problem vulnerability

WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A file upload vulnerability exists in WordPress plugin Bit Form builder 2.20.4 and earlier versions, whi...

WordPress Captcha.eu plugin <= 1.0.61 - Server Side Request Forgery (SSRF) vulnerability

Server Side Request Forgery SSRF vulnerability discovered by ch4r0n in WordPress Plugin Captcha.eu versions = 1.0.61...

WordPress AWStats Script plugin <= 0.3 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Nabil Irawan Patchstack Alliance in WordPress Plugin AWStats Script versions = 0.3...

CVE-2024-12612 School Management System for Wordpress <= 93.2.0 - Unauthenticated SQL Injection

The School Management System for Wordpress plugin for WordPress is vulnerable to SQL Injection via several parameters across multiple AJAX action in all versions up to, and including, 93.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

WordPress Al Pack plugin <= 1.1.1 - Missing Authorization to Unauthenticated Premium Feature Activation via check_activate_permission Function vulnerability

Missing Authorization to Unauthenticated Premium Feature Activation via checkactivatepermission Function vulnerability discovered by shark3y in WordPress Plugin AL Pack versions = 1.1.1...

CVE-2025-7507 elink – Embed Content <= 1.1.0 - Authenticated (Contributor+) Insufficient Input Validation

The elink – Embed Content plugin for WordPress is vulnerable to Malicious Redirect in all versions up to, and including, 1.1.0. This is due to the plugin not restricting URLS that can be supplied through the elink shortcode. This makes it possible for authenticated attackers, with Contributor-lev...

CVE-2025-53221 WordPress CodeablePress plugin <= 1.0.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in codeablepress CodeablePress codeablepress-simple-frontend-profile-picture-upload allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CodeablePress: from n/a through = 1.0.2...

CVE-2025-54729 WordPress Webba Booking Plugin <= 6.0.5 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Webba Appointment Booking Webba Booking webba-booking-lite allows Stored XSS.This issue affects Webba Booking: from n/a through = 6.0.5...

CVE-2025-55710 WordPress TaxoPress Plugin <= 3.37.2 - Sensitive Data Exposure Vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in Steve Burge TaxoPress simple-tags allows Retrieve Embedded Sensitive Data.This issue affects TaxoPress: from n/a through = 3.37.2...

CVE-2025-55710 WordPress TaxoPress Plugin <= 3.37.2 - Sensitive Data Exposure Vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in Steve Burge TaxoPress allows Retrieve Embedded Sensitive Data. This issue affects TaxoPress: from n/a through 3.37.2...

CVE-2025-54693 WordPress Form Block Plugin <= 1.5.5 - Arbitrary File Upload Vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in epiphyt Form Block allows Upload a Web Shell to a Web Server. This issue affects Form Block: from n/a through 1.5.5...