CVE-2015-9313

The newstatpress plugin before 1.0.5 for WordPress has SQL injection related to an IMG element...

CVE-2015-9449

The microblog-poster plugin before 1.6.2 for WordPress has SQL Injection via the wp-admin/options-general.php?page=microblogposter.php accountid parameter...

CVE-2015-9410

The Blubrry PowerPress Podcasting plugin 6.0.4 for WordPress has XSS via the tab parameter...

CVE-2017-18578

The crafty-social-buttons plugin before 1.5.8 for WordPress has XSS...

CVE-2015-9430

The crazy-bone plugin before 0.6.0 for WordPress has XSS via the User-Agent HTTP header...

CVE-2013-7482

The reflex-gallery plugin before 1.4.3 for WordPress has XSS...

CVE-2015-10122

A vulnerability was found in wp-donate Plugin up to 1.4 on WordPress. It has been classified as critical. This affects an unknown part of the file includes/donate-display.php. The manipulation leads to sql injection. It is possible to initiate the attack remotely. Upgrading to version 1.5 is able...

CVE-2025-43834 WordPress cookieBAR plugin <= 1.7.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in tox82 cookieBAR cookiebar allows Stored XSS.This issue affects cookieBAR: from n/a through = 1.7.0...

CVE-2024-8492 Hustle < 7.8.5 - Admin+ Stored XSS

The Hustle WordPress plugin through 7.8.5 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed...

CVE-2024-13383 HD Quiz < 2.0.0 - Editor+ Stored XSS

The HD Quiz WordPress plugin before 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2025-3077

The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button shortcode and Custom CSS field in all versions up to, and including, 28.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2025-2876

The MelaPress Login Security and MelaPress Login Security Premium plugins for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'monitoradminactions' function in version 2.1.0. This makes it possible for unauthenticated attackers to delete any user...

PT-2025-15923 · WordPress · Embedder

Name of the Vulnerable Software and Affected Versions: Embedder plugin for WordPress versions 1.3 to 1.3.5 Description: The issue allows unauthorized modification of data, leading to privilege escalation due to a missing capability check on the ajax set global option function. This enables...

CVE-2025-32172 WordPress YaMaps for WordPress plugin <= 0.6.40 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Yuri Baranov YaMaps for WordPress yamaps allows Stored XSS.This issue affects YaMaps for WordPress: from n/a through = 0.6.40...

CVE-2024-12410

CVE-2024-12410 involves the Front End Users WordPress plugin. It is vulnerable to SQL Injection via the UserSearchField parameter in all versions up to and including 3.2.32 due to insufficient escaping and lack of proper SQL query preparation. This allows unauthenticated attackers to append extra...

CVE-2025-2685 TablePress – Tables in WordPress made easy <= 3.0.4 - Authenticated (Author+) Stored Cross-Site Scripting

The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘table-name’ parameter in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attacker...

CVE-2024-12623 DICOM Support <= 0.10.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

The DICOM Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dcm' shortcode in all versions up to, and including, 0.10.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-30570 WordPress دکمه، شبکه اجتماعی خرید plugin <= 2.0.6 - SQL Injection Vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in AliRezaMohammadi دکمه، شبکه اجتماعی خرید dokme allows SQL Injection.This issue affects دکمه، شبکه اجتماعی خرید: from n/a through = 2.0.6...

CVE-2025-0723 ProfileGrid – User Profiles, Groups and Communities <= 5.9.4.7 - Authenticated (Subscriber+) SQL Injection

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to blind and time-based SQL Injections via the rid and search parameters in all versions up to, and including, 5.9.4.7 due to insufficient escaping on the user supplied parameter and lack of sufficient...

CVE-2025-26926 WordPress Booknetic plugin <= 4.0.9 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery CSRF vulnerability in fs-code Booknetic booknetic.This issue affects Booknetic: from n/a through = 4.0.9...