PT-2025-50032

Cross-Site Request Forgery CSRF vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows Cross Site Request Forgery.This issue affects WP Hotel Booking: from n/a through = 2.2.7...

PT-2025-50002

Cross-Site Request Forgery CSRF vulnerability in ProteusThemes Custom Sidebars by ProteusThemes custom-sidebars-by-proteusthemes allows Cross Site Request Forgery.This issue affects Custom Sidebars by ProteusThemes: from n/a through = 1.0.3...

WordPress plugin Lobo 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to set up personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A security...

WordPress plugin CWW Companion 跨站请求伪造漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A cross-site...

WordPress plugin Simple Folio 跨站请求伪造漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A cross-site...

📄 WordPress StoryChief 1.0.42 Remote Code Execution

A critical security vulnerability exists in WordPress Story Chief plugin version 1.0.42 that allows unauthenticated attackers to achieve remote code execution by exploiting the webhook featured image functionality...

WordPress Starter Templates plugin <= 4.4.41 - Authenticated (Author+) Arbitrary File Upload via WXR Upload Bypass vulnerability

Authenticated Author+ Arbitrary File Upload via WXR Upload Bypass vulnerability discovered by mikemyers in WordPress Plugin Starter Templates versions = 4.4.41...

WordPress Custom Field Template plugin <= 2.7.6 - Sensitive Data Exposure vulnerability

Sensitive Data Exposure vulnerability discovered by Phat RiO in WordPress Plugin Custom Field Template versions = 2.7.6...

WordPress Contact Form by BestWebSoft plugin <= 4.3.6 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Contact Form by BestWebSoft versions = 4.3.6...

CVE-2025-12091

The Search, Filters & Merchandising for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wcissaveemail' endpoint in all versions up to, and including, 3.0.67. This makes it possible for authenticated attackers, with...

WordPress JNews Gallery plugin < 12.0.1 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Ananda Dhakal Patchstack in WordPress Plugin JNews Gallery versions 12.0.1...

WordPress REHub Framework plugin < 19.9.9.4 - Sensitive Data Exposure vulnerability

Sensitive Data Exposure vulnerability discovered by Ananda Dhakal Patchstack in WordPress Plugin REHub Framework versions 19.9.9.4...

WordPress Xpro Elementor Addons plugin <= 1.4.19.1 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Abu Hurayra in WordPress Plugin Xpro Elementor Addons versions = 1.4.19.1...

EUVD-2025-201540

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.1.7 via the 'submissionid' parameter due to missing validation on a user controlled key within...

CVE-2025-12499

CVE-2025-12499 affects the WordPress plugin Rich Shortcodes for Google Reviews (

EUVD-2025-201516

The CSV Sumotto plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

EUVD-2025-201514

The Accessiy By CodeConfig Accessibility plugin for WordPress is vulnerable to unauthorized page creation due to missing authorization checks in versions up to, and including, 1.0.0. This is due to the plugin not performing capability checks in the Settings::createPage function. This makes it...

CVE-2025-13629

CVE-2025-13629 relates to the WP Landing Page WordPress plugin (versions up to 0.9.3). The vulnerability is a CSRF flaw caused by missing nonce validation in the wplp_api_update_text function, allowing unauthenticated attackers to forge requests that update arbitrary post meta if a site administr...

CVE-2025-13362

The Norby AI plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings and inject...

WordPress Canadian Nutrition Facts Label plugin <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Nutrition Label Custom Post Type vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Nutrition Label Custom Post Type vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Canadian Nutrition Facts Label versions = 3.0...