15786 matches found
PT-2025-47709
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Gutenberg blocks in all versions up to, and including, 3.0.0 due to insufficient input validation on user-supplied HTML tag names. This is due to the lack of a tag name...
PT-2025-47699
The AuthorSure plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the 'authorsure' page. This makes it possible for unauthenticated attackers to update settings and inject malicious we...
WordPress Display Pages Shortcode plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Display Pages Shortcode versions <= 1.1...
WordPress plugin Attention Bar security vulnerability
WordPress and the WordPress plugin are products of the WordPress Foundation, a blogging platform developed in the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A security vulnerability exists in...
PT-2025-47557
Multiple plugins and/or themes for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled lightGallery library = 2.8.3 in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
EUVD-2025-198139
The SureForms plugin for WordPress is vulnerable to Cross-Site Request Forgery Bypass in all versions up to, and including, 1.13.1. This is due to the plugin distributing generic WordPress REST API nonces wprest to unauthenticated users via the 'wpajaxnoprivrest-nonce' action. While the plugin...
CVE-2025-11868
The everviz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the everviz shortcode attributes in versions up to, and including, 1.1. This is due to the plugin not properly sanitizing user input or escaping output when building a from the type and hash attributes. This makes i...
CVE-2025-13088
The Category and Product Woocommerce Tabs plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0. This is due to insufficient input validation on the 'template' parameter in the categoryProductTab function. This makes it possible for authenticated...
CVE-2025-12822
The WP Login and Register using JWT plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mojwtgeneratenewapikey' function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level...
CVE-2025-6251 Royal Elementor Addons and Templates <= 1.7.1036 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via $item'fieldid' in all versions up to, and including, 1.7.1036 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
WordPress YITH WooCommerce Wishlist plugin <= 4.10.0 - Unauthenticated Wishlist Token Disclosure to Wishlist Item Deletion vulnerability
Unauthenticated Wishlist Token Disclosure to Wishlist Item Deletion vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin YITH WooCommerce Wishlist versions <= 4.10.0...
CVE-2025-8084
The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.8 via the resthelperscreateimages function. This makes it possible for authenticated attackers, with Editor-level access and above, to make web requests to arbitrary locations...
WordPress Eagle Booking plugin <= 1.3.4.3 - Insecure Direct Object References (IDOR) vulnerability
Insecure Direct Object References (IDOR) vulnerability discovered by Bonds in WordPress Plugin Eagle Booking versions <= 1.3.4.3...
CVE-2025-12937
The ACF Flexible Layouts Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'acfflmupdatetemplatewithpastedlayout' function in all versions up to, and including, 1.1.6. This makes it possible for unauthenticated attackers to...
EUVD-2025-197948
The Pie Forms for WP plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.6 via the formatclassic function. This is due to insufficient file type validation where the validateclassic method validates file extensions and sets error messages but does n...
CVE-2025-11267 VK All in One Expansion Unit <= 9.112.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'veucustomcss' parameter in all versions up to, and including, 9.112.1. This is due to insufficient input sanitization and output escaping on the user-supplied Custom CSS value. This makes i...
WordPress plugin CSV to SortTable cross-site scripting vulnerability
WordPress CSV to SortTable plugin is WordPress plugin for converting CSV files to interactive sorting tables. The WordPress CSV to SortTable plugin suffers from a cross-site scripting vulnerability that stems from the application's lack of effective filtering and escaping of user-supplied data,...
WordPress plugin WP Duplicate Page security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A security vulnerabili...
WordPress plugin Pie Forms for WP code issue vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A code issue...
PT-2025-47248
Name of the Vulnerable Software and Affected Versions: VK All in One Expansion Unit plugin for WordPress versions prior to 9.112.1. Description: The software is susceptible to Stored Cross-Site Scripting through the veu custom css parameter. Insufficient input sanitization and output escaping on the...