15909 matches found
CVE-2025-7661 Partnerský systém Martinus <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Partnerský systém Martinus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'martinus' shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2025-7658
CVE-2025-7658 refers to a Stored Cross-Site Scripting vulnerability in the WordPress plugin Temporarily Hidden Content (Temporarily Hidden Content) via the shortcodes temphc-start. Affected versions are those up to and including 1.0.6. The issue arises from insufficient input sanitization and out...
CVE-2025-5396
The Bears Backup plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.0. This is due to the bbackupajaxhandle function not having a capability check, nor validating user supplied input passed directly to calluserfunc. This makes it possible for...
PT-2025-30109 · WordPress · Epay.Bg Payments
Name of the Vulnerable Software and Affected Versions: EPay.bg Payments plugin for WordPress versions up to and including 0.1 Description: The EPay.bg Payments plugin for WordPress is susceptible to Stored Cross-Site Scripting through the plugin’s epay shortcode. Insufficient input sanitization a...
WordPress plugin Vchasno Kasa 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plug-in. A security...
WordPress plugin Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms 代码问题漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. A code issue vulnerability exists ...
WordPress Malcure Malware Scanner plugin <= 16.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read vulnerability
Missing Authorization to Authenticated Subscriber+ Arbitrary File Read vulnerability discovered by Arkadiusz Hydzik in WordPress Plugin Malcure Malware Scanner versions = 16.8...
CVE-2025-6993
The Ultimate WP Mail plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization within the getemaillogdetails AJAX handler in versions 1.0.17 to 1.3.6. The handler reads the client-supplied postid and retrieves the corresponding email log post content including the...
CVE-2025-5845
The Affiliate Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘numColumns’ parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level...
CVE-2025-5752
The Vertical scroll image slideshow gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘width’ parameter in all versions up to, and including, 11.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2025-5754
The Useful Tab Block – Responsive & AMP-Compatible plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
CVE-2025-5811 Listly: Listicles For WordPress <= 2.7 - Unauthenticated Arbitrary Transient Deletion
The Listly: Listicles For WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Init function in all versions up to, and including, 2.7. This makes it possible for unauthenticated attackers to delete arbitrary transient values o...
CVE-2025-5752
CVE-2025-5752 : The WordPress plugin “Vertical scroll image slideshow gallery” is vulnerable to a Stored Cross-Site Scripting (XSS) via the width parameter in all versions up to 11.1. The issue arises from insufficient input sanitization and output escaping, enabling authenticated attackers with ...
CVE-2025-5816 Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo – Biteship <= 3.2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) View Order Tracking Details
The Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo – Biteship plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.0 via the getorderdetail due to missing validation on a user controlled key. This makes it possible for...
CVE-2025-3740
CVE-2025-3740 affects the WordPress plugin School Management System for Wordpress. It allows authenticated users with Subscriber+ privileges to perform Local File Inclusion via the page parameter, enabling arbitrary PHP file inclusion/execution and potentially password-change-based privilege esca...
WordPress Attachment Manager plugin <= 2.1.2 - Unauthenticated Arbitrary File Deletion vulnerability
Unauthenticated Arbitrary File Deletion vulnerability discovered by johska in WordPress Plugin Attachment Manager versions = 2.1.2...
WordPress Listly plugin <= 2.7 - Unauthenticated Arbitrary Transient Deletion vulnerability
Unauthenticated Arbitrary Transient Deletion vulnerability discovered by ch4r0n in WordPress Plugin Listly versions = 2.7...
WordPress Block Editor Gallery Slider plugin <= 1.1.1 - Missing Authorization to Authenticated (Subscriber+) Limited Post Meta Update vulnerability
Missing Authorization to Authenticated Subscriber+ Limited Post Meta Update vulnerability discovered by Poli in WordPress Plugin Block Editor Gallery Slider versions = 1.1.1...
WordPress Biteship plugin <= 3.2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) View Order Tracking Details vulnerability
Insecure Direct Object Reference to Authenticated Subscriber+ View Order Tracking Details vulnerability discovered by ch4r0n in WordPress Plugin Biteship versions = 3.2.0...
WordPress aapanel WP Toolkit plugin 1.0 - 1.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via auto_login() Function vulnerability
WordPress aapanel WP Toolkit plugin 1.0 - 1.1 - Missing Authorization to Authenticated Subscriber+ Privilege Escalation via autologin Function vulnerability discovered by kr0d in WordPress Plugin aapanel WP Toolkit versions 1.0 - 1.1...