WordPress Image Cleanup plugin <= 1.9.2 - Sensitive Data Exposure vulnerability

Sensitive Data Exposure vulnerability discovered by Nabil Irawan in WordPress Plugin Image Cleanup versions = 1.9.2...

WordPress Modula plugin 2.13.1-2.13.2 - Authenticated (Author+) Arbitrary File Deletion vulnerability

Authenticated Author+ Arbitrary File Deletion vulnerability discovered by ISMAILSHADOW in WordPress Plugin Modula Image Gallery versions 2.13.1-2.13.2...

WordPress SureMail – SMTP and Email Logs plugin with Amazon SES, Postmark, and Other Providers plugin <= 1.9.0 - Unauthenticated Arbitrary File Upload vulnerability

Unauthenticated Arbitrary File Upload vulnerability discovered by type5afe in WordPress Plugin SureMail versions = 1.9.0...

WordPress plugin Everest Backup 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A security...

PT-2025-48795

Advanced Custom Fields: Extended and Affected Versions Advanced Custom Fields: Extended versions 0.9.0.5 through 0.9.1.1 Description The Advanced Custom Fields: Extended plugin for WordPress has a flaw that allows for Remote Code Execution RCE. This is due to the prepare form function accepting...

CVE-2025-13685 Photo Gallery by Ays <= 6.4.8 - Cross-Site Request Forgery to Bulk Actions

The Photo Gallery by Ays plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.4.8. This is due to missing nonce verification on the bulk action functionality in the 'processbulkaction' function. This makes it possible for unauthenticated attacke...

WordPress plugin SurveyJS 跨站请求伪造漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A cross-site...

WordPress Beaver Builder – WordPress Page Builder plugin <= 2.9.4 - Missing Authorization to Authenticated (Contributor+) Global Preset Modification vulnerability

Missing Authorization to Authenticated Contributor+ Global Preset Modification vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Beaver Builder versions = 2.9.4...

CVE-2025-66415

fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. Prior to 12.5.0, by crafting a malicious URL, an attacker could access routes that are not allowed, even though the reply.from is defined for specific routes in @fastify/reply-from. This vulnerability is...

WordPress Tutor LMS Elementor Addons plugin <= 3.0.1 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Mdr in WordPress Plugin Tutor LMS Elementor Addons versions = 3.0.1...

WordPress Quiz And Survey Master plugin <= 10.3.2 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Quiz And Survey Master versions = 10.3.2...

WordPress OnPay.io for WooCommerce plugin <= 1.0.47 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin OnPay.io for WooCommerce versions = 1.0.47...

WordPress Simple Folio plugin <= 1.1.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability

Authenticated Subscriber+ Stored Cross-Site Scripting vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin Simple Folio versions = 1.1.0...

WordPress Tiare Membership plugin <= 1.2 - Unauthenticated Privilege Escalation vulnerability

Unauthenticated Privilege Escalation vulnerability discovered by シルAsuna in WordPress Plugin Tiare Membership versions = 1.2...

CVE-2025-13540 Tiare Membership <= 1.2 - Unauthenticated Privilege Escalation

The Tiare Membership plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2. This is due to the 'tiaremembershipinitrestapiregister' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attacker...

CVE-2025-12579 Reuters Direct <= 3.0.0 - Missing Authorization to Unauthenticated Settings Reset

The Reuters Direct plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'logoff' action in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to reset the plugin's settings...

CVE-2025-12578 Reuters Direct <= 3.0.0 - Cross-Site Request Forgery to Settings Reset

The Reuters Direct plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the the 'class-reuters-direct-settings.php' page. This makes it possible for unauthenticated attackers to reset...

WordPress plugin Reuters Direct 跨站请求伪造漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A cross-site...

PT-2025-48228

The FindAll Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.4. This is due to the plugin not properly logging in a user with the data that was previously verified through the 'findall membership check facebook user' and the 'findall...

PT-2025-48261

The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpfc db fix callback function in all versions up to, and including, 1.4.0. This makes it possible for authenticated attackers, with Subscriber-level access and...