15735 matches found
WordPress Membership Plugin - Restrict Content plugin <= 3.2.16 - Missing Authentication to Insecure Direct Object Reference and Sensitive Information Exposure vulnerability
WordPress Membership Plugin - Restrict Content plugin = 3.2.16 - Missing Authentication to Insecure Direct Object Reference and Sensitive Information Exposure vulnerability discovered by andrea bocchetti in WordPress Plugin Restrict Content versions = 3.2.16...
CVE-2025-14384
CVE-2025-14384 affects the All in One SEO – Powerful SEO Plugin for WordPress (versions ≤ 4.9.2). It arises from a missing capability check on the REST route /aioseo/v1/ai/credits, allowing authenticated users with Contributor-level access and above to disclose the global AI access token. Wordfen...
PT-2026-3215
The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible...
EUVD-2026-2734
solspace/craft-freeform Has a DoS Vulnerability...
WordPress NextMove Lite plugin <= 2.23.0 - Insecure Direct Object References (IDOR) vulnerability
Insecure Direct Object References IDOR vulnerability discovered by PPzzAArr in WordPress Plugin NextMove Lite versions = 2.23.0...
WordPress plugin “Drag and Drop Multiple File Upload for Contact Form” has security vulnerabilities
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that extends the...
WordPress Penci Review plugin <= 3.5 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Penci Review versions = 3.5...
CVE-2025-15513 Float Payment Gateway <= 1.1.9 - Improper Authorization to Unauthenticated Order Status Manipulation
The Float Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to improper error handling in the verifyFloatResponse function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to mark any WooCommerce order as...
CVE-2025-14770
CVE-2025-14770 concerns the WordPress plugin Shipping Rate By Cities. Connected sources confirm an SQL Injection vulnerability introduced by insufficient escaping and underpreparation of the city parameter, affecting versions up to and including 2.0.0. The flaw allows unauthenticated attackers to...
CVE-2025-15283 Name Directory <= 1.30.3 - Unauthenticated Stored Cross-Site Scripting via Multiple Parameters
The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'namedirectoryname' and 'namedirectorydescription' parameters in all versions up to, and including, 1.30.3 due to insufficient input sanitization and output escaping. This makes it possible for...
PT-2026-2820
The Gotham Block Extra Light plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.5.0 via the 'ghostban' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on...
WordPress plugin Electric Studio Download Counter 跨站脚本漏洞
WordPress Electric Studio Download Counter plugin is a plugin for WordPress websites whose main function is to count and track the number of file downloads. The WordPress Electric Studio Download Counter plugin suffers from a cross-site scripting vulnerability that stems from the application's la...
WordPress plugin GetContentFromURL 代码问题漏洞
The WordPress GetContentFromURL plugin is a tool that allows users to grab content from other websites and display it on WordPress sites with a simple short code. The WordPress GetContentFromURL plugin suffers from a server-side request forgery vulnerability that stems from the use of the...
WordPress plugin SocialChamp with WordPress 跨站请求伪造漏洞
WordPress SocialChamp with WordPress plugin is a plugin called SocialChamp which focuses on social media automation management. WordPress SocialChamp with WordPress plugin suffers from a cross-site request forgery vulnerability that stems from a lack of random number validation in the...
WordPress plugin Stopwords for comments 跨站请求伪造漏洞
The WordPress Stopwords for comments plugin is a pre-screening tool designed to help webmasters filter out user comments that contain certain banned words i.e. "stopwords". comments. The WordPress Stopwords for comments plugin suffers from a cross-site request forgery vulnerability that stems fro...
WordPress Electric Studio Download Counter plugin <= 2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings Parameters vulnerability
Authenticated Administrator+ Stored Cross-Site Scripting via Settings Parameters vulnerability discovered by 0x34rth in WordPress Plugin Electric Studio Download Counter versions = 2.4...
WordPress Makesweat plugin <= 0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'makesweat_clubid' Setting vulnerability
Authenticated Administrator+ Stored Cross-Site Scripting via 'makesweatclubid' Setting vulnerability discovered by ChamlaVic in WordPress Plugin Makesweat versions = 0.1...
WordPress Bayarcash WooCommerce plugin <= 4.3.13 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan in WordPress Plugin Bayarcash WooCommerce versions = 4.3.13...
WordPress WPLMS plugin <= 1.9.9.5.4 - Arbitrary File Deletion vulnerability
Arbitrary File Deletion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin WPLMS versions = 1.9.9.5.4...
CVE-2025-14579 Quiz Maker < 6.7.0.89 - Admin+ Stored XSS
The Quiz Maker WordPress plugin before 6.7.0.89 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...