WordPress Responsive Plus plugin <= 3.2.2 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability
Cross Site Request Forgery (CSRF) to Settings Change vulnerability discovered by Chazz Wolcott (Patchstack) in WordPress Plugin Responsive Plus versions <= 3.2.2...
PT-2025-25181 · WordPress · Wp-Downloadmanager
Name of the Vulnerable Software and Affected Versions: WP-DownloadManager versions 1.68.10 and earlier. Description: The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file deletion due to a lack of restriction on the directory from which a file can be deleted. This allows...
CVE-2025-5568 WpEvently <= 4.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
The WpEvently plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and...
CVE-2025-2935
CVE-2025-2935 (WordPress Wordfence entry confirmed) : The Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 2024.7. The root cause is missing or incorrect nonce validation in the files ss_option_ma...
WordPress WP Security Master plugin <= 1.0.2 - Cross Site Request Forgery (CSRF) Vulnerability
Cross Site Request Forgery (CSRF) Vulnerability discovered by Chu The Anh (Blue Rock) in WordPress Plugin WP Security Master versions <= 1.0.2...
WordPress Complete Google Seo Scan plugin <= 3.5.1 - SQL Injection Vulnerability
SQL Injection Vulnerability discovered by Nguyen Quang Minh (VCI - VNPT Cyber Immunity) in WordPress Plugin Complete Google Seo Scan versions <= 3.5.1...
WordPress Quick Event Calendar plugin <= 1.4.9 - Cross Site Request Forgery (CSRF) Vulnerability
Cross Site Request Forgery (CSRF) Vulnerability discovered by haudayroi (BlueRock) in WordPress Plugin Quick Event Calendar versions <= 1.4.9...
WordPress WP Gravity Forms Constant Contact Plugin <= 1.1.0 - Open Redirection Vulnerability
Open Redirection Vulnerability discovered by Bonds in WordPress Plugin WP Gravity Forms Constant Contact Plugin versions <= 1.1.0...
WordPress HT Team Member plugin <= 1.1.7 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by muhammad yudha in WordPress Plugin HT Team Member versions <= 1.1.7...
CVE-2025-4590
CVE-2025-4590 affects the Daisycon prijsvergelijkers WordPress plugin (versions up to and including 4.8.4). The issue is a Stored Cross-Site Scripting vulnerability in the plugin’s daisycon_uitvaart shortcode caused by insufficient input sanitization and output escaping on user-supplied attribute...
CVE-2025-4597
The Woo Slider Pro – Drag Drop Slider Builder For WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wooslideprodeletedraftpreview AJAX action in all versions up to, and including, 1.12. This makes it possible for...
CVE-2025-5287 Likes and Dislikes Plugin <= 1.0.0 - Unauthenticated SQL Injection
The Likes and Dislikes Plugin plugin for WordPress is vulnerable to SQL Injection via the 'post' parameter in all versions up to, and including, 1.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible f...
WordPress 4stats plugin <= 2.0.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by johska in WordPress Plugin 4stats versions <= 2.0.9...
CVE-2025-0860
The VR-Frases collect & share quotes plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via several parameters in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2024-9383
The Parcel Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'action' parameter in all versions up to, and including, 1.8.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scrip...
CVE-2024-9064
The Elementor Inline SVG plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and...
CVE-2024-7317
The Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.3 due to insufficient input sanitization and output escaping. This makes it...
CVE-2024-1213
The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5.4. This is due to missing or incorrect nonce validation on the esfinstasaveaccesstoken and efblsavefacebookaccesstoken...
CVE-2024-1278
The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'efblikebox' shortcode in all versions up to, and including, 6.5.4 due to insufficient input sanitization and output escaping on user supplied...
CVE-2024-7355
The Organization chart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titleinput' and 'nodedescription' parameters in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...