554 matches found
CVE-2025-8081
The Elementor plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.30.2 via the ImportImages::import function due to insufficient controls on the filename specified. This makes it possible for authenticated attackers, with administrator-level access an...
WordPress Porn Videos Embed plugin <= 0.9.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Mika Patchstack Alliance in WordPress Plugin Porn Videos Embed versions <= 0.9.1...
CVE-2025-8295
The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘noaccessmsg’ parameter in all versions up to, and including, 4.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-lev...
CVE-2025-8313
CVE-2025-8313 affects the Campus Directory plugin for WordPress. A Stored Cross-Site Scripting flaw exists via the noaccess_msg parameter in all versions up to 1.9.1. Exploitation requires Contributor+ authentication, with scripts executed when an injected page is viewed. Mitigation: update to a ...
PT-2025-31978 · WordPress · Asset-Manager
Name of the Vulnerable Software and Affected Versions: Asset-Manager for WordPress versions 2.0 and earlier Description: The WordPress plugin Asset-Manager version 2.0 and below contains an unauthenticated arbitrary file upload vulnerability in upload.php. The endpoint does not properly validate...
PT-2025-31735 · WordPress · Ultimate Addons For Elementor
Name of the Vulnerable Software and Affected Versions: Ultimate Addons for Elementor versions up to and including 2.4.6 Description: The Ultimate Addons for Elementor plugin for WordPress contains a flaw that allows unauthorized data modification. A missing capability check within the save hfe...
WordPress Image Gallery plugin <= 1.0.0 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by muhammad yudha in WordPress Plugin Image Gallery versions <= 1.0.0...
WordPress NinjaScanner plugin <= 3.2.5 - Authenticated (Administrator+) Arbitrary File Deletion vulnerability
Authenticated (Administrator+) Arbitrary File Deletion vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin NinjaScanner versions <= 3.2.5...
WordPress April Framework plugin <= 5.1 - Missing Authorization to Authenticated (Subscriber+) Settings Updates vulnerability
Missing Authorization to Authenticated (Subscriber+) Settings Updates vulnerability discovered by Lucio Sá in WordPress Plugin April Framework versions <= 5.1...
WordPress Integrate Google Drive plugin <= 1.5.2 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by Ananda Dhakal Patchstack in WordPress Plugin Integrate Google Drive versions <= 1.5.2...
WordPress Classified Listing Plugin plugin <= 5.0.0 - Content Injection Vulnerability
Content Injection Vulnerability discovered by Denver Jackson in WordPress Plugin Classified Listing versions <= 5.0.0...
WordPress WP LOL Rotation <= 1.0 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Chu The Anh Blue Rock in WordPress Plugin WP LOL Rotation versions <= 1.0...
WordPress StreamWeasels Twitch Integration plugin <= 1.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Gai Tanaka in WordPress Plugin StreamWeasels Twitch Integration versions <= 1.9.3...
CVE-2025-6588
CVE-2025-6588 is a reflected Cross-Site Scripting vulnerability in the WordPress FunnelCockpit plugin (versions up to and including 1.4.2). The issue arises from insufficient input sanitization and output escaping in the vulnerable plugin, enabling unauthenticated attackers to inject scripts into...
WordPress Featured Image Plus – Quick & Bulk Edit with Unsplash plugin <= 1.6.6 - Authenticated (Admin+) Server-Side Request Forgery vulnerability
Authenticated (Admin+) Server-Side Request Forgery vulnerability discovered by ch4r0n in WordPress Plugin Featured Image Plus versions <= 1.6.6...
WordPress YANewsflash plugin <= 1.0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by johska in WordPress Plugin YANewsflash versions <= 1.0.3...
WordPress Broken Link Notifier plugin code issue vulnerability
WordPress Broken Link Notifier is a plugin for monitoring broken links (e.g. 404 errors, timeout links, etc.) within a website. The WordPress Broken Link Notifier plugin suffers from a code issue vulnerability that stems from the server not implementing an adequate validation mechanism to...
WordPress Contest Gallery plugin cross-site scripting vulnerability
WordPress Contest Gallery is a powerful plugin that is mainly used to organize all kinds of online contests on WordPress websites, supporting the upload and display of photos, videos, audio, documents and other types of files. The WordPress Contest Gallery plugin suffers from a cross-si...
CVE-2025-7712 Madara - Core <= 2.2.3 - Unauthenticated Arbitrary File Deletion
The Madara - Core plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wpmangadeletezip function in all versions up to, and including, 2.2.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, whic...
WordPress Residential Address Detection plugin <= 2.5.9 - Broken Access Control Vulnerability
Broken Access Control Vulnerability discovered by Martino Spagnuolo r3verii in WordPress Plugin Residential Address Detection versions <= 2.5.9...