WordPress Photo Gallery by 10Web plugin <= 1.5.34 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability found in WordPress Photo Gallery by 10Web plugin versions <= 1.5.34. Solution: Update the WordPress Photo Gallery by 10Web plugin to the latest available version, at least 1.5.35...
WordPress Multi Step Form plugin <= 1.2.5 - Multiple Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerabilities
Multiple Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerabilities found by Javier Olmedo in WordPress Multi Step Form plugin versions <= 1.2.5. Solution: Update the WordPress Multi Step Form plugin to the latest available version, at least 1.2.6...
WordPress Huge-IT Video Gallery plugin <=2.0.4 - SQL Injection vulnerability
SQL Injection vulnerability found by Neven Biruski (DefenseCode) in WordPress Huge-IT Video Gallery plugin version 2.0.4 and earlier. Solution: Update the WordPress Huge-IT Video Gallery plugin to the latest available version...
WordPress <= 4.5.2 - BYPASS #4
The customizer allows an attacker to bypass intended redirection restrictions via unspecified vectors. Related records: http://db.threatpress.com/vulnerability/wordpress/wordpress-4-5-2-bypass http://db.threatpress.com/vulnerability/wordpress/wordpress-4-5-2-bypass-1...
WordPress Ninja Forms Plugin <= 2.9.42.0 - PHP Object Injection
This vulnerability allows an attacker to conduct PHP object injection attacks via crafted serialized values in a POST request. Solution: Update the plugin...
WordPress qTranslate Plugin <= 2.5.39 - XSS
This vulnerability allows an attacker to inject arbitrary web script or HTML via the "edit" parameter. Solution: Update the plugin...
WordPress Easing Slider Plugin <= 2.2.0.6 - XSS
This vulnerability allows attackers to inject arbitrary web script or HTML via the "edit" parameter. Solution: Upgrade the plugin...
WordPress <= 4.0.0 - XSS #1
This vulnerability allows attackers to inject arbitrary web script or HTML via a crafted Cascading Style Sheets (CSS) token sequence in a post. Related records: http://db.threatpress.com/vulnerability/wordpress/wordpress-4-0-0-xss-2...
WordPress Multiple Themes - Arbitrary File Download
Multiple WordPress themes are prone to an arbitrary file download vulnerability that allows an attacker to download arbitrary files from the web server and obtain potentially sensitive information. Solution: Upgrade the themes...
WordPress Bookclub Theme - Remote Code Execution
This theme contains a bug that allows any website visitor to run and see the output of any shortcode, giving unauthenticated visitors the same power to execute code on the server that regular publishers have. Solution: Update the theme...
WordPress XCloner Plugin 3.1.0 - CSRF
The XCloner plugin is prone to a cross-site request forgery vulnerability caused by insufficient verification of the HTTP request origin. Attackers can trick a logged-in administrator into visiting a specially crafted web page and creating a website backup. Solution: Update to XCloner 3.1.1...
WordPress VideoWhisper Plugin 4.27.3 - Multiple Vulnerabilities
The VideoWhisper plugin is prone to multiple vulnerabilities, including arbitrary file upload, cross-site scripting (XSS) and information exposure through an externally generated error message in VideoWhisper Live Streaming Integration (CVE-2014-1908). Solution: Upgrade to VideoWhisper Live Streaming...
WordPress Bradesco Gateway Plugin <= 2.0 - XSS
This vulnerability in falha.php allows attackers to inject arbitrary web script or HTML via the QUERY_STRING. Solution: Update the plugin...
WordPress <= 3.1.0 - Multiple Vulnerabilities
Attackers can cause a denial of service via a comment with a crafted URL that triggers many recursive calls, because the make_clickable function in wp-includes/formatting.php does not properly check URLs before passing them to the PCRE library. Solution: Update WordPress...
WordPress WP Forum Server Plugin <= 2.3 - Multiple SQL Injection
These vulnerabilities allow attackers to execute arbitrary SQL commands. Solution: Update the plugin...
WordPress <= 2.8.0 - Multiple Existing/Non-Existing Username Enumeration Weaknesses
This vulnerability allows attackers to enumerate valid usernames. Solution: Update WordPress...
WordPress <= 2.1 - Denial of Service Attacks
Attackers can cause a denial of service via pingback service calls. Solution: Update WordPress to the latest available version, at least 2.2...
WordPress <= 1.3.0 - Eval Injection
This vulnerability in PEAR XMLRPC allows attackers to execute arbitrary PHP code via an XML file that is not properly sanitized before being used in an eval statement. Solution: Update WordPress to the latest available version, at least 1.4...
WordPress LearnPress Plugin <= 4.2.7 is vulnerable to SQL Injection
Software: LearnPress | Type: Plugin | Vulnerable versions: <= 4.2.7 | Fixed in: 4.2.7.1 | OWASP Top 10: A1: Injection | Classification: SQL Injection | CVE: CVE-2024-8522 | Patch priority: High | CVSS severity: High (9.3) | PSID: 13b3ec9c4ec2 | Credits: abrahack | Required privilege: Unauthenticated | Publish...
WordPress Slider Revolution Plugin < 6.7.0 is vulnerable to Broken Access Control
Software: Slider Revolution | Type: Plugin | Vulnerable versions: < 6.7.0 | Fixed in: 6.7.0 | OWASP Top 10: A1: Broken Access Control | Classification: Broken Access Control | CVE: CVE-2024-34444 | Patch priority: Medium | CVSS severity: Medium (7.1) | Developer: ThemePunch | PSID: de1987954a97 | Credits: Rafie Muhammad (Patchstack)...
WordPress Betheme premium theme <= 26.6.1 - Broken Access Control vulnerability
Broken Access Control vulnerability leading to private post/page title disclosure discovered by Dave Jong (Patchstack) in the WordPress Betheme premium theme versions <= 26.6.1. Solution: Update the WordPress Betheme theme to the latest available version, at least 26.6.3...
WordPress Seed Social plugin <= 2.0.3 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by zhangyunpei in the WordPress Seed Social plugin versions <= 2.0.3. Solution: Update the WordPress Seed Social plugin to the latest available version, at least 2.0.4...
WordPress Custom Product Tabs for WooCommerce plugin <= 1.7.9 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Muhammad Daffa (Patchstack Alliance) in WordPress Custom Product Tabs for WooCommerce plugin versions <= 1.7.9. Solution: Update the WordPress Custom Product Tabs for WooCommerce plugin to the latest available version, at least 1.8.0...
WordPress Ultimate Member plugin <= 2.5.0 - Auth. Remote Code Execution vulnerability
Auth. Remote Code Execution vulnerability discovered by Ruijie Li in WordPress Ultimate Member plugin versions <= 2.5.0. Solution: Update the WordPress Ultimate Member plugin to the latest available version, at least 2.5.1...
WordPress Export Post Info plugin <= 1.2.0 - Authenticated CSV Injection vulnerability
Authenticated CSV Injection vulnerability discovered by Mika (Patchstack Alliance) in WordPress Export Post Info plugin versions <= 1.2.0. Solution: Update the WordPress Export Post Info plugin to the latest available version, at least 1.2.1...
WordPress Awesome Filterable Portfolio plugin <= 1.9.7 - Unauthenticated Plugin Settings Change vulnerability
Unauthenticated Plugin Settings Change vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Awesome Filterable Portfolio plugin versions <= 1.9.7. Solution: Deactivate and delete. This plugin has been closed as of September 14, 2022 and is not available for download. This...
WordPress Disable User Login plugin <= 1.0.1 - Unauthenticated Settings Update vulnerability
Unauthenticated Settings Update vulnerability discovered by Rafshanzani Suhada in WordPress Disable User Login plugin versions <= 1.0.1. Solution: No patched version available...
WordPress YDS Support Ticket System plugin <= 1.0 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by ptsfence (Patchstack Alliance) in WordPress YDS Support Ticket System plugin versions <= 1.0. Solution: No patched version is available. No reply from the vendor...
WordPress WP-UserOnline plugin <= 2.88.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Juampa Rodríguez in WordPress WP-UserOnline plugin versions <= 2.88.0. Solution: Update the WordPress User Online plugin to the latest available version, at least 2.88.1...
WordPress Download Manager Plugin <= 3.2.49 - Authenticated PHAR Deserialization vulnerability
Authenticated PHAR Deserialization vulnerability discovered by Rasoul Jahanshahi in Download Manager plugin versions <= 3.2.49. Solution: Update the WordPress Download Manager plugin to the latest available version, at least 3.2.50...
WordPress WP Database Backup Plugin <= 5.8.3 - Authenticated Stored Cross-Site Scripting vulnerability
Authenticated Stored Cross-Site Scripting vulnerability discovered by Raad Haddad in WP Database Backup plugin versions <= 5.8.3. Solution: Update the WordPress WP Database Backup plugin to the latest available version, at least 5.9...
WordPress WPIDE – File Manager & Code Editor plugin <= 2.6 - Authenticated Local File Inclusion (LFI) vulnerability
Authenticated Local File Inclusion (LFI) vulnerability discovered by Raad Haddad in WordPress WPIDE – File Manager & Code Editor plugin versions <= 2.6. Solution: Update the WordPress WPIDE – File Manager & Code Editor plugin to the latest available version, at least 3.0...
WordPress Anti-Malware Security and Brute-Force Firewall plugin <= 4.21.74 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Anti-Malware Security and Brute-Force Firewall plugin versions <= 4.21.74. Solution: Update the WordPress Anti-Malware Security and Brute-Force Firewall plugin to the latest available version, at least 4.21.8...
WordPress Download Manager plugin <= 3.2.48 - Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities
Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities were discovered by Vlad Vector (Patchstack) in the WordPress Download Manager plugin versions <= 3.2.48. Solution: Update the WordPress Download Manager plugin to the latest available version, at least 3.2.49...
WordPress OAuth 2.0 client for SSO plugin <= 1.11.3 - Authentication Bypass vulnerability
Authentication Bypass vulnerability discovered by Lana Codes in WordPress OAuth 2.0 client for SSO plugin versions <= 1.11.3. Solution: Update the WordPress OAuth 2.0 client for SSO plugin to the latest available version, at least 1.11.4...
WordPress Banner Cycler plugin <= 1.4 - Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS) discovered by MOTEKI TAKERU in WordPress Banner Cycler plugin versions <= 1.4. Solution: Deactivate and delete. This plugin has been closed as of June 30, 2022 and is not available for download. This closure is...
WordPress Fluent Support plugin <= 1.5.7 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Rafshanzani Suhada in WordPress Fluent Support plugin versions <= 1.5.7. Solution: Update the WordPress Fluent Support plugin to the latest available version, at least 1.5.8...
WordPress WP Maintenance plugin <= 6.0.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by m0ze (Patchstack) in WordPress WP Maintenance plugin versions <= 6.0.7. Solution: Update the WordPress WP Maintenance plugin to the latest available version, at least 6.0.8...
WordPress Photo Gallery by Supsystic plugin <= 1.15.5 - Cross-Site Request Forgery (CSRF) leading to Plugin Settings Change
Cross-Site Request Forgery (CSRF) leading to Plugin Settings Change discovered by Rasi Afeef (Patchstack Alliance) in WordPress Photo Gallery by Supsystic plugin versions <= 1.15.5. Solution: Update the WordPress Photo Gallery by Supsystic plugin to the latest available version, at least 1.15.6...
WordPress Code Snippets plugin <= 2.14.3 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by BEE-K (Patchstack) in WordPress Code Snippets plugin versions <= 2.14.3. Solution: Update the WordPress Code Snippets plugin to the latest available version, at least 2.14.4...
WordPress Slideshow plugin <= 2.3.1 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Fayçal CHENA in WordPress Slideshow plugin versions <= 2.3.1. Solution: Deactivate and delete. This plugin has been closed as of April 11, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress PNG to JPG plugin <= 4.0 - Cross-Site Request Forgery (CSRF) leading to Persistent Cross-Site Scripting (XSS) vulnerability
Cross-Site Request Forgery (CSRF) leading to Persistent Cross-Site Scripting (XSS) vulnerability discovered by Ex.Mi (Patchstack) in WordPress PNG to JPG plugin versions <= 4.0. Solution: Update the WordPress PNG to JPG plugin to the latest available version, at least 4.1...
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.5.8 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Bruno Halltari in WordPress VikBooking Hotel Booking Engine & PMS plugin versions <= 1.5.8. Solution: Update the WordPress VikBooking Hotel Booking Engine & PMS plugin to the latest available version, at least 1.5.9...
WordPress Hermit 音乐播放器 plugin <= 3.1.6 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Ex.Mi (Patchstack) in WordPress Hermit 音乐播放器 plugin versions <= 3.1.6. Solution: Deactivate and delete. This plugin has been closed as of April 25, 2022 and is not available for download. This closure is temporary, pending a...
WordPress 3xSocializer plugin <= 0.98.22 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Lenon Leite (Patchstack Alliance) in WordPress 3xSocializer plugin versions <= 0.98.22. Solution: No patched version is available. Deactivate and delete. This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may n...
WordPress Photo Gallery plugin <= 1.6.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress Photo Gallery plugin versions <= 1.6.2. Solution: Update the WordPress Photo Gallery plugin to the latest available version, at least 1.6.3...
WordPress Sitemap by click5 plugin <= 1.0.35 - Unauthenticated Arbitrary Options Update vulnerability
Unauthenticated Arbitrary Options Update vulnerability discovered by cydave in WordPress Sitemap by click5 plugin versions <= 1.0.35. Solution: Update the WordPress Sitemap by click5 plugin to the latest available version, at least 1.0.36...
WordPress amr users plugin <= 4.59.3 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Ankur Bakre in WordPress amr users plugin versions <= 4.59.3. Solution: Update the WordPress amr users plugin to the latest available version, at least 4.59.4...
WordPress Sync WooCommerce Product feed to Google Shopping plugin <= 1.2.4 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by 0xdecafbad in WordPress Sync WooCommerce Product feed to Google Shopping plugin versions <= 1.2.4. Solution: Deactivate and delete. This plugin has been closed as of February 21, 2022 and is not available for download. This closure is temporary, pendin...
WordPress Passwordless Login with OTP / SMS & Email – Account Kit plugin <= 1.2.3 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Passwordless Login with OTP / SMS & Email – Account Kit plugin versions <= 1.2.3. Solution: No patched version available...