85 matches found

RedhatCVE · added 2025/05/10 6:26 a.m.

CVE-2025-3419

The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxyimage function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on...

CVSS 7.5 · AI score 7.3 · EPSS 0.00588 · Exploits 1 · References 1
Cvelist · added 2025/05/02 3:21 a.m.

CVE-2024-12023 FULL – Cliente 3.1.5 - 3.1.25 - Authenticated (Subscriber+) SQL Injection

The FULL – Cliente plugin for WordPress is vulnerable to SQL Injection via the 'formId' parameter in all versions 3.1.5 to 3.1.25 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated...

CVSS 6.5 · EPSS 0.00304 · Exploits 0 · References 3
Cvelist · added 2025/04/24 8:23 a.m.

CVE-2025-3058 Xelion Webchat <= 9.1.0 - Authenticated (Subscriber+) Arbitrary Options Update

The Xelion Webchat plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the xwcsavesettings function in all versions up to, and including, 9.1.0. This makes it possible for authenticated attackers, with...

CVSS 8.8 · EPSS 0.00378 · Exploits 0 · References 3
Positive Technologies · added 2025/04/18 12:00 a.m.

PT-2025-17259 · WordPress · Mappress Maps

Name of the Vulnerable Software and Affected Versions: MapPress Maps for WordPress versions prior to 2.94.10 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This can occur even when the unfiltered html capability is disallowed, f...

CVSS 4.8 · AI score 5.3 · EPSS 0.00318 · Exploits 1 · References 5
Vulnrichment · added 2025/04/17 3:46 p.m.

CVE-2025-32670 WordPress Spark GF Failed Submissions plugin <= 1.3.5 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Mark Parnell Spark GF Failed Submissions allows Reflected XSS. This issue affects Spark GF Failed Submissions: from n/a through 1.3.5...

CVSS 7.1 · AI score 6.9 · EPSS 0.00235 · Exploits 0 · References 1
RedhatCVE · added 2025/04/12 8:46 a.m.

CVE-2025-32202

Unrestricted Upload of File with Dangerous Type vulnerability in Brian Batt - elearningfreak.com Insert or Embed Articulate Content into WordPress insert-or-embed-articulate-content-into-wordpress allows Upload a Web Shell to a Web Server. This issue affects Insert or Embed Articulate Content into...

CVSS 9.1 · AI score 7.2 · EPSS 0.00354 · Exploits 1 · References 1
Vulnrichment · added 2025/04/01 5:31 a.m.

CVE-2025-30520 WordPress Breezing Forms plugin <= 1.2.8.11 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in crosstec Breezing Forms allows Reflected XSS. This issue affects Breezing Forms: from n/a through 1.2.8.11...

CVSS 7.1 · AI score 7.2 · EPSS 0.0025 · Exploits 0 · References 1
Cvelist · added 2025/03/26 9:21 a.m.

CVE-2025-1440 Advanced iFrame <= 2024.5 - Unauthenticated Settings Update

The Advanced iFrame plugin for WordPress is vulnerable to unauthorized excessive creation of options on the aipmapurlcallback function in all versions up to, and including, 2024.5 due to insufficient restrictions. This makes it possible for unauthenticated attackers to update the...

CVSS 5.3 · EPSS 0.00257 · Exploits 0 · References 2
Vulnrichment · added 2025/03/20 5:22 a.m.

CVE-2025-1770 Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.24 - Authenticated (Contributor+) Local File Inclusion

The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.24 via the 'style' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to...

CVSS 8.8 · AI score 8.9 · EPSS 0.00753 · Exploits 0 · References 4
Vulnrichment · added 2025/03/15 3:23 a.m.

CVE-2025-1668 School Management System – WPSchoolPress <= 2.2.16 - Missing Authorization to Arbitrary User Deletion

The School Management System – WPSchoolPress plugin for WordPress is vulnerable to arbitrary user deletion due to a missing capability check on the wpspDeleteUser function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with teacher-level access a...

CVSS 4.3 · AI score 4.5 · EPSS 0.00281 · Exploits 0 · References 3
Vulnrichment · added 2025/03/12 11:13 a.m.

CVE-2025-1527 ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) <= 3.1.0 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Flash Sale Countdown Module

The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution formerly WooLentor plugin for WordPress is vulnerable to a Stored DOM-Based Cross-Site Scripting via the plugin's Flash Sale Countdown module in all versions up to, and including, 3.1.0 due to...

CVSS 6.4 · AI score 6 · EPSS 0.00234 · Exploits 0 · References 2
CVE · added 2025/03/08 5:30 a.m.

CVE-2024-12119

CVE-2024-12119 affects FooGallery – Responsive Photo Gallery (WordPress) up to version 2.4.29. It is a stored Cross‑Site Scripting vulnerability caused by insufficient input sanitization and output escaping for the gallery title/album title size parameter. Exploitation requires an authenticated a...

CVSS 6.4 · AI score 5.8 · EPSS 0.00247 · Exploits 0 · References 3 · Affected Software 1
Cvelist · added 2025/02/12 3:21 a.m.

CVE-2024-13539 AForms Eats <= 1.3.1 - Unauthenticated Full Path Disclosure

The AForms Eats plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.3.1. This is due to the /vendor/aura/payload-interface/phpunit.php file being publicly accessible and displaying error messages. This makes it possible for unauthenticated attackers to...

CVSS 5.3 · EPSS 0.00385 · Exploits 0 · References 3
RedhatCVE · added 2025/02/05 11:42 a.m.

CVE-2024-7146

The JetTabs for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.3 via the 'switcherpreset' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files ...

CVSS 8.8 · AI score 7.6 · EPSS 0.00956 · Exploits 0 · References 1
RedhatCVE · added 2025/02/05 6:43 a.m.

CVE-2024-50427

Unrestricted Upload of File with Dangerous Type vulnerability in devsoftbaltic SurveyJS surveyjs. This issue affects SurveyJS: from n/a through = 1.9.136...

CVSS 9.9 · AI score 5.9 · EPSS 0.01015 · Exploits 1 · References 1
Vulnrichment · added 2025/02/01 6:00 a.m.

CVE-2024-13099 Widget4call <= 1.0.7 - Reflected XSS

The Widget4Call WordPress plugin through 1.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

AI score 5.3 · EPSS 0.00666 · Exploits 1 · References 1
CVE · added 2025/01/26 11:09 a.m.

CVE-2024-11641

CVE-2024-11641 affects the VikBooking Hotel Booking Engine & PMS plugin for WordPress (versions ≤ 1.7.2). The issue is a Cross-Site Request Forgery vulnerability caused by missing or incorrect nonce validation on the plugin’s save function. This can allow unauthenticated attackers with subscriber...

CVSS 8.8 · AI score 8.8 · EPSS 0.00311 · Exploits 0 · References 2 · Affected Software 1
Cvelist · added 2025/01/07 4:21 a.m.

CVE-2024-11445 Image Magnify <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Image Magnify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'imagemagnify' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS 6.4 · EPSS 0.00408 · Exploits 0 · References 3
CVE · added 2024/12/26 6:00 a.m.

CVE-2024-11223

Summary (CVE-2024-11223): The WPForms WordPress plugin, versions prior to 1.9.2.3, fails to sanitise and escape certain settings. This allows high-privilege users (e.g., admins) to perform Stored Cross-Site Scripting (XSS) even when unfiltered_html is disallowed (e.g., multisite). The vulnerabili...

CVSS 4.7 · AI score 5.4 · EPSS 0.00484 · Exploits 1 · References 1 · Affected Software 1
Cvelist · added 2024/12/21 8:23 a.m.

CVE-2024-9545 Shortcodes and extra features for Phlox theme <= 2.17.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via aux_contact_box and aux_gmaps Shortcodes

The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aux_contact_box and aux_gmaps shortcodes in all versions up to, and including, 2.17.0 due to insufficient input sanitization and output escaping on user supplied...

CVSS 6.4 · EPSS 0.00309 · Exploits 0 · References 5