170 matches found
CVE-2025-4335
The Woocommerce Multiple Addresses plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.7.1. This is due to insufficient restrictions on user meta that can be updated through the savemultipleshippingaddresses function. This makes it possible for...
PT-2025-19871 · WordPress · Pgs Core
Name of the Vulnerable Software and Affected Versions: PGS Core plugin for WordPress versions up to, and including, 5.8.0 Description: The issue concerns PHP Object Injection via deserialization of untrusted input in the import header function, allowing unauthenticated attackers to inject a PHP...
PT-2025-18928 · WordPress · Personizely
Name of the Vulnerable Software and Affected Versions: Personizely plugin for WordPress versions up to, and including, 0.10 Description: The issue is related to Stored Cross-Site Scripting via the widgetId parameter due to insufficient input sanitization and output escaping. This allows...
PT-2025-18756 · WordPress · Homey
Name of the Vulnerable Software and Affected Versions: Homey theme for WordPress versions up to, and including, 2.4.4 Description: The issue allows authenticated attackers with Subscriber-level access and above to delete other users' accounts due to missing validation on a user-controlled key in...
PT-2025-18358 · WordPress · Projectopia
Name of the Vulnerable Software and Affected Versions: The Projectopia – WordPress Project Management plugin for WordPress versions up to, and including, 5.1.16 Description: The issue allows unauthorized modification of data, potentially leading to a denial of service. This is due to a missing...
PT-2025-18138 · WordPress · Gutenverse
Name of the Vulnerable Software and Affected Versions: Gutenverse – Ultimate Block Addons and Page Builder for Site Editor plugin for WordPress versions up to, and including, 2.2.1 Description: The issue is related to Stored Cross-Site Scripting via the plugin's countdown Block due to insufficien...
WordPress plugin Arrival 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plug-in. A security vulnerability...
CVE-2024-10894
The Payment Forms for Paystack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes like 'datepicker', 'textarea', and 'text' in all versions up to, and including, 4.0.2 due to insufficient input sanitization and output escaping on user supplied attributes...
CVE-2025-0839
CVE-2025-0839 concerns ZoomSounds — WordPress Wave Audio Player with Playlist. The vulnerability is a Stored Cross-Site Scripting (XSS) in the ZoomSounds plugin, affecting versions up to and including 6.91, caused by insufficient input sanitization and output escaping on user-supplied shortcode a...
CVE-2025-31871
URL Redirection to Untrusted Site 'Open Redirect' vulnerability in Galaxy Weblinks WP Clone any post type wp-clone-any-post-type allows Phishing.This issue affects WP Clone any post type: from n/a through = 3.6...
CVE-2025-31871
URL Redirection to Untrusted Site 'Open Redirect' vulnerability in Galaxy Weblinks WP Clone any post type wp-clone-any-post-type allows Phishing.This issue affects WP Clone any post type: from n/a through = 3.6...
CVE-2025-31448 WordPress Simple Trackback Disabler plugin <= 1.4 - Cross Site Request Forgery (CSRF) Vulnerability
Cross-Site Request Forgery CSRF vulnerability in misteraon Simple Trackback Disabler simple-trackback-disabler allows Cross Site Request Forgery.This issue affects Simple Trackback Disabler: from n/a through = 1.4...
CVE-2024-13411
CVE-2024-13411 pertains to the Zapier for WordPress plugin for WordPress, with SSRF vulnerability in all versions up to 1.5.1 via the updated_user() function. The issue allows authenticated attackers with Subscriber-level access or higher to cause the WordPress application to perform web requests...
CVE-2025-0723
CVE-2025-0723 (ProfileGrid – WordPress) discloses a blind/time-based SQL Injection in the ProfileGrid plugin (versions ≤ 5.9.4.7) via the rid and search parameters caused by insufficient escaping and SQL prep. The vulnerability permits authenticated users with Subscriber-level access and higher t...
CVE-2025-2505
The CVE-2025-2505 entry concerns the WordPress Age Gate plugin, affected versions up to and including 3.5.3. A local PHP file inclusion via the lang parameter allows unauthenticated attackers to include and execute arbitrary PHP files on the server, potentially bypassing access controls and expos...
CVE-2025-2164
CVE-2025-2164 affects the WordPress plugin pixelstats (
WordPress plugin WPSchoolPress SQL注入漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. WordPress plugin...
CVE-2024-13407 Omnipress <= 1.5.4 - Authenticated (Contributor+) Post Disclosure
The Omnipress plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.5.4 via the megamenu block due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above,...
CVE-2024-13806 Authors List <= 2.0.6 - Unauthenticated Arbitrary Shortcode Execution
The The Authors List plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.6. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode. This makes it possible for...
WordPress Google Maps for WordPress plugin <= 1.0.3 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by muhammad yudha in WordPress Plugin Google Maps for WordPress versions = 1.0.3...