CVE-2024-56271
WP SecureSubmit plugin for WordPress contains a Missing Authorization vulnerability that allows exploitation of access control misconfigurations. Affected software: WP SecureSubmit, versions up to 1.5.16. The CVE entry describes the issue but does not provide explicit exploitation details, impact...
CVE-2023-47180 WordPress Finale Lite – Sales Countdown Timer & Discount for WooCommerce plugin <= 2.16.0 - Arbitrary Content Deletion vulnerability
Missing Authorization vulnerability in XLPlugins Finale Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Finale Lite: from n/a through 2.16.0...
CVE-2023-46631 WordPress Product Recommendation Quiz for eCommerce plugin <= 2.1.2 - Broken Access Control vulnerability
Missing Authorization vulnerability in RevenueHunt Product Recommendation Quiz for eCommerce product-recommendation-quiz-for-ecommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Recommendation Quiz for eCommerce: from n/a through <= 2.1.2...
CVE-2024-12219 Stop Registration Spam <= 1.23 - Cross-Site Request Forgery to Cross-Site Scripting
The Stop Registration Spam plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.23. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request...
CVE-2024-5333 The Events Calendar < 6.8.2.1 - Unauthenticated Password Protected Event Disclosure
The Events Calendar WordPress plugin before 6.8.2.1 is missing access checks in the REST API, allowing for unauthenticated users to access information about password protected events...
CVE-2023-40011 WordPress Cost Calculator Builder plugin <= 3.1.42 - Broken Access Control vulnerability
Missing Authorization vulnerability in Stylemix Cost Calculator Builder cost-calculator-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cost Calculator Builder: from n/a through <= 3.1.42...
CVE-2024-9881
The LearnPress WordPress plugin before 4.2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
CVE-2024-12027
The Message Filter for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the updateFilter and deleteFilter functions in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with...
CVE-2024-11952 Classic Addons – WPBakery Page Builder <= 3.0 - Authenticated (Contributor+) Limited Local PHP File Inclusion
The Classic Addons – WPBakery Page Builder plugin for WordPress is vulnerable to Limited Local PHP File Inclusion in all versions up to, and including, 3.0 via the 'style' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, and permissions grant...
CVE-2024-10261
CVE-2024-10261 affects the Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction WordPress plugin (
10,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in AI Power: Complete AI Pack WordPress Plugin
🦸 👻 Calling all superheroes and haunters! Introducing the Cybersecurity Month Spooktacular Haunt and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through November 11th, 2024: All in-scope vulnerability types for WordPress plugins/themes with = 1,000 active installations...
CVE-2024-9582 Accordion Slider <= 1.9.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via HTML Attribute
The Accordion Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘html’ attribute of an accordion slider in all versions up to, and including, 1.9.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2024-9021 Relevanssi < 4.23.1 - Contributor+ Stored XSS
While testing the Relevanssi WordPress plugin before 4.23.1, a vulnerability was found that allows a Contributor+ user to perform Stored XSS by embedding a malicious script, which can lead to account takeover or a backdoor...
CVE-2024-7129 Appointment Booking Calendar < 1.6.7.43 - Admin+ Template Injection to RCE
The Appointment Booking Calendar WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection which, if exploited further, can result in remote code execution by high-privilege users such as admins...
WordPress plugin Classified Listing security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A security vulnerability exists in WordPres...
CVE-2024-5799 CM Pop-Up Banners for WordPress < 1.7.3 - Contributor+ Stored XSS
The CM Pop-Up Banners for WordPress plugin before 1.7.3 does not sanitise and escape some of its popup fields, which could allow high privilege users such as Contributors to perform Cross-Site Scripting attacks...
WordPress plugin Spectra – WordPress Gutenberg Blocks security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. WordPress plugin Spectra - ...
CVE-2024-4875 HT Mega – Absolute Addons For Elementor <= 2.5.2 - Missing Authorization to Options Update
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized modification of data or loss of data due to a missing capability check on the 'ajaxdismiss' function in versions up to, and including, 2.5.2. This makes it possible for authenticated attackers, with...
PT-2024-26167 · WordPress · Side Menu Lite
Name of the Vulnerable Software and Affected Versions: The Side Menu Lite WordPress plugin versions prior to 4.2.1
Description: The issue is related to the lack of CSRF checks in some bulk actions, which could allow attackers to make logged-in admins perform unwanted actions, such as deleting...
WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels < 4.4.3 - Missing Authorization to Unauthenticated Settings Reset
Description: The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wtpklistresetsettings function in all versions up to, and including, 4.4.2. This makes it...