554 matches found
CVE-2015-9323
The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection...
CVE-2014-10378
The duplicate-post plugin before 2.6 for WordPress has XSS...
CVE-2016-11008
The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpipaypal payer metadata updates...
CVE-2017-18584
The post-pay-counter plugin before 2.731 for WordPress has no permissions check for an update-settings action...
CVE-2015-9294
The all-in-one-wp-security-and-firewall plugin before 3.9.5 for WordPress has XSS in add_query_arg and remove_query_arg function instances...
PT-2025-22341 · WordPress · The Glossary
Name of the Vulnerable Software and Affected Versions: The Glossary by WPPedia – Best Glossary plugin for WordPress versions up to, and including, 1.3.0. Description: The issue is related to PHP Object Injection via deserialization of untrusted input from the post_types parameter. This allows...
WordPress WP YouTube Video Optimizer plugin <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Gilang in WordPress Plugin WP YouTube Video Optimizer versions <= 1.2...
WordPress Coupons & Add to Cart by URL Links for WooCommerce plugin <= 1.7.7 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) vulnerability discovered by muhammad yudha in WordPress Plugin Coupons & Add to Cart by URL Links for WooCommerce versions <= 1.7.7...
WordPress Everest Forms plugin < 3.0.3.1 - Admin+ Stored XSS vulnerability
Admin+ Stored XSS vulnerability discovered by Dmitrii Ignatyev in WordPress Plugin Everest Forms versions < 3.0.3.1...
WordPress The GDPR Framework By Data443 plugin < 2.2.0 - Admin+ Stored XSS vulnerability
Admin+ Stored XSS vulnerability discovered by Bob Matyas in WordPress Plugin GDPR Framework By Data443 versions < 2.2.0...
CVE-2024-12733
The AffiliateImporterEb WordPress plugin through 1.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
CVE-2024-12812
The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting WordPress plugin before 1.13.4 is affected by an IDOR issue where employees can manipulate parameters to access the data of terminated employees...
CVE-2025-31641 WordPress UberSlider plugin <= 2.3 - SQL Injection Vulnerability
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup UberSlider (uber-classic) allows SQL Injection. This issue affects UberSlider: from n/a through 2.6...
WordPress WPCHURCH plugin <= 2.7.0 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Thái An in WordPress Plugin WPCHURCH versions <= 2.7.0...
CVE-2024-11718
The tarteaucitron-wp WordPress plugin before 0.3.0 allows author level and above users to add HTML into a post/page, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
CVE-2024-11843
The Panorama WordPress plugin through 1.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup)...
CVE-2023-5934
The Travelpayouts: All Travel Brands in One Place WordPress plugin before 1.1.13 does not have a CSRF check in place when importing settings from v1, which could allow attackers to make a logged-in admin update some settings via a CSRF attack...
CVE-2025-1303
CVE-2025-1303 concerns the Plugin Oficial WordPress plugin (Getnet para WooCommerce) up to version 1.7.3. The issue is a reflected cross-site scripting (XSS) vulnerability caused by a parameter not being sanitised/escaped before being echoed in the page. Exploitation is described against unauthen...
CVE-2024-8759 Nested Pages <= 3.2.8 - Editor+ Stored XSS
The Nested Pages WordPress plugin before 3.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup)...
CVE-2024-8700 Event Calendar <= 1.0.4 - Unauthenticated Arbitrary Calendar Deletion
The Event Calendar WordPress plugin through 1.0.4 does not check for authorization on delete actions, allowing unauthenticated users to delete arbitrary calendars...