15741 matches found
CVE-2020-12070
The Advanced Woo Search plugin version through 1.99 for WordPress suffers from a sensitive information disclosure vulnerability in every ajax search request via the sql field to includes/class-aws-search.php...
CVE-2023-25484
Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Oliver Schlöbe Simple Yearly Archive plugin = 2.1.8 versions...
CVE-2023-25479
Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Podlove Podlove Subscribe button plugin = 1.3.7 versions...
CVE-2023-45049
Auth. contributor+ Stored Cross-Site Scripting XSS vulnerability in Ciprian Popescu YouTube Playlist Player plugin = 4.6.7 versions...
CVE-2023-45068
Cross-Site Request Forgery CSRF vulnerability in Supsystic Contact Form by Supsystic plugin = 1.7.27 versions...
CVE-2023-45642
Cross-Site Request Forgery CSRF vulnerability in Hassan Ali Snap Pixel plugin = 1.5.7 versions...
CVE-2023-31091
Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Pradeep Singh Dynamically Register Sidebars plugin = 1.0.1 versions...
CVE-2023-4242
The FULL - Customer plugin for WordPress is vulnerable to Information Disclosure via the /health REST route in versions up to, and including, 2.2.3 due to improper authorization. This allows authenticated attackers with subscriber-level permissions and above to obtain sensitive information about...
CVE-2023-4730
The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the initendpoint function hooked via 'init' in versions up to, and including, 4.3. This makes it possible for unauthenticated attackers to modify a variety of settings. An...
CVE-2023-4941
The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to a missing capability check on the woobebulkoperationsswap function. This makes it possible for authenticated attackers subscriber or higher to manipulate products...
CVE-2023-4919
The iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the iframe shortcode in versions up to, and including, 4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permission and above, ...
CVE-2023-4024
The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deleteplayer function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to delete player instances...
CVE-2023-4689
The Elementor Addon Elements plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.12.7. This is due to missing or incorrect nonce validation on the eaesaveelements function. This makes it possible for unauthenticated attackers to enable/disable...
CVE-2023-4962
The Video PopUp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'videopopup' shortcode in versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...
CVE-2025-14352
The Awesome Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to incorrect authorization in the room-single.php shortcode handler in all versions up to, and including, 1.0.3. This is due to the plugin relying solely on nonce verification without capability...
CVE-2023-25453
Unauth. Reflected Cross-Site Scripting XSS vulnerability in Ian Sadovy WordPress Tables plugin = 1.3.9 versions...
CVE-2023-31218
Cross-Site Request Forgery CSRF leading to Stored Cross-Site Scripting XSS vulnerability in realmag777 WOLF – WordPress Posts Bulk Editor and Manager Professional plugin = 1.0.6 versions...
CVE-2023-4402
The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the getproducts function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugi...
CVE-2025-23699
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in techmix Event Countdown Timer Plugin by TechMix event-countdown-timer allows Reflected XSS. This issue affects Event Countdown Timer Plugin by TechMix: from n/a through = 1.4...
PT-2026-1709
Name of the Vulnerable Software and Affected Versions: Contact Form vCard Generator versions up to and including 2.4. Description: The Contact Form vCard Generator plugin for WordPress has a flaw where a missing capability check on the wp gvccf check download request function allows unauthorized...