15887 matches found

Patchstack
added 2025/12/31 12:0 a.m. | 4 views

WordPress Booking Calendar and Notification plugin <= 4.0.3 - Missing Authorization via wpcb_all_bookings, wpcb_update_booking_post, and wpcb_delete_posts Functions vulnerability

Missing Authorization via wpcb_all_bookings, wpcb_update_booking_post, and wpcb_delete_posts Functions vulnerability discovered by WordFence in WordPress Plugin Booking Calendar and Notification versions <= 4.0.3...

CVSS 6.5 | AI score 8.4 | EPSS 0.00324
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/12/31 12:0 a.m. | 6 views

WordPress Jetpack Boost plugin < 3.4.7 - Admin+ SSRF vulnerability

Admin+ SSRF vulnerability discovered by Miguel Xavier Penha Neto in WordPress Plugin Jetpack Boost versions < 3.4.7...

CVSS 9.1 | AI score 5.9 | EPSS 0.00468
Exploits: 1 | References: 1 | Affected Software: 1

Patchstack
added 2025/12/31 12:0 a.m. | 3 views

WordPress Marketplace Items plugin <= 1.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'marketplace' Shortcode vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via 'marketplace' Shortcode vulnerability discovered by zakaria in WordPress Plugin Marketplace Items versions <= 1.5.5...

CVSS 6.4 | AI score 5.3 | EPSS 0.00318
Exploits: 0 | References: 1 | Affected Software: 1

CNNVD
added 2025/12/31 12:0 a.m. | 6 views

WordPress plugin Recent Posts From Each Category cross-site request forgery vulnerability

...

CVSS 7.1 | AI score 6.8 | EPSS 0.00096
Exploits: 0 | References: 1

Patchstack
added 2025/12/31 12:0 a.m. | 6 views

WordPress Contact Form 7 Redirect & Thank You Page plugin <= 1.0.7 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by vgo0 in WordPress Plugin Contact Form 7 Redirect & Thank You Page versions <= 1.0.7...

CVSS 6.1 | AI score 5.4 | EPSS 0.00347
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/12/31 12:0 a.m. | 3 views

WordPress Profiler - What Slowing Down Your WP plugin <= 1.0.0 - Missing Authentication to Unauthenticated Arbitrary Plugin Reactivation via State Restoration vulnerability

WordPress Profiler - What Slowing Down Your WP plugin <= 1.0.0 - Missing Authentication to Unauthenticated Arbitrary Plugin Reactivation via State Restoration vulnerability discovered by ch4r0n - FPT Software in WordPress Plugin Profiler - What Slowing Down Your WP versions <= 1.0.0...

CVSS 5.3 | AI score 5.5 | EPSS 0.00226
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/12/31 12:0 a.m. | 9 views

WordPress Checkout Mestres do WP for WooCommerce plugin 8.6.5 - 8.7.5 - Unauthenticated Arbitrary Options Update vulnerability

WordPress Checkout Mestres do WP for WooCommerce plugin 8.6.5 - 8.7.5 - Unauthenticated Arbitrary Options Update vulnerability discovered by kr0d in WordPress Plugin Checkout Mestres WP versions 8.6.5-8.7.5...

CVSS 9.8 | AI score 5.5 | EPSS 0.00631
Exploits: 1 | References: 1 | Affected Software: 1

Cvelist
added 2025/12/30 4:17 p.m. | 21 views

CVE-2025-66094 WordPress Yada Wiki plugin <= 3.5 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dmccan Yada Wiki yada-wiki allows Stored XSS. This issue affects Yada Wiki: from n/a through <= 3.5...

CVSS 6.5 | EPSS 0.0013
Exploits: 0 | References: 1

Cvelist
added 2025/12/30 4:3 p.m. | 23 views

CVE-2025-63027 WordPress WBC907 Core plugin <= 3.4.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webcreations907 WBC907 Core wbc907-core allows Stored XSS. This issue affects WBC907 Core: from n/a through <= 3.4.1...

CVSS 6.5 | EPSS 0.0013
Exploits: 0 | References: 1

CVE
added 2025/12/30 4:0 p.m. | 19 views

CVE-2025-64190

CVE-2025-64190: DOM-based XSS in 8theme XStore Core (WordPress plugin) before v5.6 caused by improper neutralization of input during web page generation. Impacts confidentiality/integrity/availability as per XSS descriptions; remediation: upgrade to XStore Core 5.6 or later (no further exploit de...

CVSS 6.5 | AI score 5.9 | EPSS 0.0013
Exploits: 0 | References: 1

Cvelist
added 2025/12/30 4:0 p.m. | 23 views

CVE-2025-64190 WordPress XStore Core plugin < 5.6 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme XStore Core et-core-plugin allows DOM-Based XSS. This issue affects XStore Core: from n/a through < 5.6...

CVSS 6.5 | EPSS 0.0013
Exploits: 0 | References: 1

Patchstack
added 2025/12/30 3:59 p.m. | 6 views

WordPress XStore Core plugin < 5.6 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin XStore Core versions < 5.6...

CVSS 6.5 | AI score 5.9 | EPSS 0.0013
Exploits: 0 | Affected Software: 1

CVE
added 2025/12/30 10:47 a.m. | 14 views

CVE-2025-69019

CVE-2025-69019: FlippingBook (FlippingBook/FlippingBook) contains a DOM-based XSS in the web-page generation flow, affecting FlippingBook versions up to and including 2.0.1. The Wordfence report details an authenticated (Contributor+) path to abuse; CVSS/impact per initial data indicates cross-s...

CVSS 6.5 | AI score 6 | EPSS 0.00127
Exploits: 0 | References: 1

Vulnrichment
added 2025/12/30 10:47 a.m. | 2 views

CVE-2025-68997 WordPress wpDiscuz plugin <= 7.6.43 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in AdvancedCoding wpDiscuz wpdiscuz allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpDiscuz: from n/a through <= 7.6.43...

CVSS 5.3 | AI score 5.1 | EPSS 0.00304
Exploits: 0 | References: 1

Cvelist
added 2025/12/30 10:47 a.m. | 27 views

CVE-2025-68995 WordPress My Sticky Elements plugin <= 2.3.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Premio My Sticky Elements mystickyelements allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects My Sticky Elements: from n/a through <= 2.3.3...

CVSS 4.3 | EPSS 0.0024
Exploits: 0 | References: 1

CVE
added 2025/12/30 10:47 a.m. | 9 views

CVE-2025-68988

CVE-2025-68988 affects the E-Invoice App Malaysia (E-Invoice App Malaysia; plugin name einvoiceapp-malaysia) and is categorized as an unauthenticated information exposure. The WordPress ecosystem entry indicates the vulnerability is an exposure of embedded sensitive data to an unauthorized actor,...

CVSS 5.3 | AI score 5.9 | EPSS 0.00251
Exploits: 0 | References: 1

CVE
added 2025/12/30 10:47 a.m. | 10 views

CVE-2025-68992

CVE-2025-68992 affects BWL Knowledge Base Manager (bwL-kb-manager) for WordPress. Connected documents confirm a stored cross-site scripting (XSS) vulnerability in BW KBase Manager, affecting versions up to 1.6.3. The Wordfence report lists this as an authenticated (Contributor+) Stored XSS, indic...

CVSS 6.5 | AI score 5.6 | EPSS 0.00156
Exploits: 0 | References: 1

Vulnrichment
added 2025/12/30 10:47 a.m. | 4 views

CVE-2025-68979 WordPress Google Calendar Events plugin <= 3.5.9 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in SimpleCalendar Google Calendar Events google-calendar-events allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Google Calendar Events: from n/a through <= 3.5.9...

CVSS 5.3 | AI score 6.6 | EPSS 0.00247
Exploits: 0 | References: 1

CVE
added 2025/12/30 10:47 a.m. | 7 views

CVE-2025-68975

CVE-2025-68975 concerns the WordPress Eagle Booking plugin (Eagle Booking) versions up to and including 1.3.4.3. Multiple connected sources describe an Insecure Direct Object References (IDOR) / authorization bypass when using a user-controlled key, allowing bypass of access controls. The NVD ent...

CVSS 4.3 | AI score 6.6 | EPSS 0.00268
Exploits: 0 | References: 1

Patchstack
added 2025/12/30 6:10 a.m. | 3 views

WordPress Strong Testimonials plugin <= 3.2.18 - Missing Authorization to Authenticated (Contributor+) Rating Meta Update vulnerability

Missing Authorization to Authenticated (Contributor+) Rating Meta Update vulnerability discovered by type5afe in WordPress Plugin Strong Testimonials versions <= 3.2.18...

CVSS 4.3 | AI score 6.7 | EPSS 0.002
Exploits: 0 | References: 1 | Affected Software: 1