554 matches found

RedhatCVE
added 2025/06/28 3:21 a.m. · 6 views

CVE-2025-3863

The Post Carousel Slider for Elementor plugin for WordPress is vulnerable to improper authorization due to a missing capability check on the processwbelpspromoform function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Subscriber-level acces...

4.3 CVSS · 7 AI score · 0.00235 EPSS
Exploits 0 · References 1
Patchstack
added 2025/06/27 11:9 p.m. · 11 views

WordPress PT Project Notebooks plugin 1.0.0-1.1.3 - Missing Authorization to Unauthenticated Privilege Escalation vulnerability

Missing Authorization to Unauthenticated Privilege Escalation vulnerability discovered by kr0d in WordPress Plugin PT Project Notebooks versions 1.0.0-1.1.3...

9.8 CVSS · 6.7 AI score · 0.00583 EPSS
Exploits 2 · References 1 · Affected Software 1
Patchstack
added 2025/06/27 2:57 p.m. · 4 views

WordPress Beauty Contact Popup Form plugin <= 6.0 - Cross Site Scripting (XSS) Vulnerability

Cross Site Scripting (XSS) Vulnerability discovered by Nguyen Ngoc Quang Bach maysbachs in WordPress Plugin Beauty Contact Popup Form versions <= 6.0...

5.9 CVSS · 5.9 AI score · 0.00182 EPSS
Exploits 0 · Affected Software 1
Patchstack
added 2025/06/27 2:56 p.m. · 4 views

WordPress WP DB Booster plugin <= 1.0.1 - Broken Access Control Vulnerability

Broken Access Control Vulnerability discovered by theviper17 in WordPress Plugin WP DB Booster versions <= 1.0.1...

5.4 CVSS · 6.7 AI score · 0.00216 EPSS
Exploits 0 · Affected Software 1
Patchstack
added 2025/06/27 2:53 p.m. · 4 views

WordPress Podcast Feed Player Widget and Shortcode plugin <= 2.2.0 - Cross Site Scripting (XSS) Vulnerability

Cross Site Scripting (XSS) Vulnerability discovered by Nguyen Ngoc Quang Bach maysbachs in WordPress Plugin Podcast Feed Player Widget and Shortcode versions <= 2.2.0...

6.5 CVSS · 6 AI score · 0.00192 EPSS
Exploits 0 · Affected Software 1
Patchstack
added 2025/06/27 2:49 p.m. · 3 views

WordPress WP Permalink Translator plugin <= 1.7.6 - Cross Site Request Forgery (CSRF) Vulnerability

Cross Site Request Forgery (CSRF) Vulnerability discovered by Nguyen Thi Huyen Trang - Skalucy in WordPress Plugin WP Permalink Translator versions <= 1.7.6...

7.1 CVSS · 6.7 AI score · 0.0012 EPSS
Exploits 0 · Affected Software 1
Vulnrichment
added 2025/06/27 1:21 p.m. · 3 views

CVE-2025-53332 WordPress Track Everything plugin <= 2.0.1 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in ethoseo Track Everything allows Stored XSS. This issue affects Track Everything: from n/a through 2.0.1...

7.1 CVSS · 7 AI score · 0.00116 EPSS
Exploits 0 · References 1
Cvelist
added 2025/06/27 1:21 p.m. · 11 views

CVE-2025-53279 WordPress Popup addon for Ninja Forms plugin <= 3.4 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Aman Popup addon for Ninja Forms popup-addon-for-ninja-forms allows DOM-Based XSS. This issue affects Popup addon for Ninja Forms: from n/a through <= 3.4...

6.5 CVSS · 0.00192 EPSS
Exploits 0 · References 1
Cvelist
added 2025/06/27 11:52 a.m. · 12 views

CVE-2025-24774 WordPress WPCRM - CRM for Contact form CF7 & WooCommerce plugin <= 3.2.0 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce wpcrm allows Reflected XSS. This issue affects WPCRM - CRM for Contact form CF7 & WooCommerce: from n/a through <= 3.2.0...

7.1 CVSS · 0.00222 EPSS
Exploits 0 · References 1
CNVD
added 2025/06/27 12:0 a.m. · 2 views

WordPress CP Polls plugin cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress plugin is an application plugin. WordPress CP Polls plugin suffers from a cross-site scripting vulnerability that stems from the application's lack of effective filtering and escaping of user-supplied data, whi...

5.9 CVSS · 5.8 AI score · 0.00218 EPSS
Exploits 0 · References 1
CNVD
added 2025/06/27 12:0 a.m. · 4 views

WordPress Everest Forms plugin has an unspecified vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress plugin is an application plugin. A security vulnerability exists in the WordPress Everest Forms plugin that stems from insufficient path validation of the deleteentryfiles function, which can be exploited by an...

7.5 CVSS · 7.1 AI score · 0.0058 EPSS
Exploits 0 · References 1
CNVD
added 2025/06/24 12:0 a.m. · 3 views

WordPress Auto Attachments plugin cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress plugin is an application plugin. WordPress Auto Attachments plugin suffers from a cross-site scripting vulnerability that stems from the application's lack of effective filtering and escaping of user-supplied...

5.5 CVSS · 6.4 AI score · 0.00246 EPSS
Exploits 0 · References 1
CNVD
added 2025/06/24 12:0 a.m. · 4 views

WordPress Arconix FAQ plugin Improper Access Control Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress plugin is an application plugin. An improper access control vulnerability exists in the WordPress Arconix FAQ plugin, which stems from a lack of authorization, and no detailed vulnerability details are provided...

4.3 CVSS · 7 AI score · 0.00194 EPSS
Exploits 0 · References 1
RedhatCVE
added 2025/06/23 8:40 a.m. · 5 views

CVE-2025-5490

The Football Pool plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions...

5.5 CVSS · 6 AI score · 0.00214 EPSS
Exploits 0 · References 1
CVE
added 2025/06/20 3:4 p.m. · 17 views

CVE-2025-49971

CVE-2025-49971 concerns a Missing Authorization (Broken Access Control) vulnerability in the WordPress plugin eDS Responsive Menu by aThemeArt translations. It affects versions up to 1.2, arising from improper access control configuration. Public references in connected sources confirm the issue ...

4.3 CVSS · 5.9 AI score · 0.00229 EPSS
Exploits 0 · References 1
Positive Technologies
added 2025/06/20 12:0 a.m. · 5 views

PT-2025-26279 · WordPress · Custom Post Carousels With Owl

Name of the Vulnerable Software and Affected Versions: Custom Post Carousels with Owl WordPress plugin versions prior to 1.4.12. Description: The issue concerns the use of the featherlight library and the data-featherlight attribute without proper sanitization. This could potentially lead to...

4.8 CVSS · 6.3 AI score · 0.0021 EPSS
Exploits 1 · References 7
Patchstack
added 2025/06/19 4:10 p.m. · 6 views

WordPress WP Roadmap plugin <= 2.1.3 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Peter Thaleikis in WordPress Plugin WP Roadmap versions <= 2.1.3...

8.5 CVSS · 7.8 AI score · 0.00261 EPSS
Exploits 0 · Affected Software 1
Patchstack
added 2025/06/14 6:18 a.m. · 5 views

WordPress XiSearch bar plugin <= 2.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability

Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by johska in WordPress Plugin XiSearch bar versions <= 2.6...

6.1 CVSS · 5.8 AI score · 0.00117 EPSS
Exploits 0 · References 1 · Affected Software 1
NVD
added 2025/06/13 4:15 a.m. · 15 views

CVE-2025-5282

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deletepackage function in all versions up to, and including, 6.5.1. This makes it possible for unauthenticated attackers to...

7.5 CVSS · 0.0026 EPSS
Exploits 0 · References 2
Patchstack
added 2025/06/12 4:42 p.m. · 6 views

WordPress Advanced Settings plugin <= 3.0.1 - Cross Site Request Forgery (CSRF) Vulnerability

Cross Site Request Forgery (CSRF) Vulnerability discovered by Mika in WordPress Plugin Advanced Settings versions <= 3.0.1...

4.3 CVSS · 6.5 AI score · 0.00121 EPSS
Exploits 0 · Affected Software 1