45686 matches found
WordPress Floating Tiktok button (Tiktok Follow button)+ Tikcode (QrCode) for Tiktok followers plugin <= 1.0.4 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Floating Tiktok button (Tiktok Follow button)+ Tikcode (QrCode) for Tiktok followers plugin versions <= 1.0.4. Solution: Update the WordPress Floating Tiktok button (Tiktok Follow button)+ Tikcode (QrCode) for Tiktok followers plugin to...
WordPress Best Responsive Comparison Table for Gutenberg Editor – NicheTable plugin <= 2.2.0 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Best Responsive Comparison Table for Gutenberg Editor – NicheTable plugin versions <= 2.2.0. Solution: Update the WordPress Best Responsive Comparison Table for Gutenberg Editor – NicheTable plugin to the latest available versio...
WordPress WUPO Group Attributes for WooCommerce plugin <= 2.0.0 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress WUPO Group Attributes for WooCommerce plugin versions <= 2.0.0. Solution: Update the WordPress WUPO Group Attributes for WooCommerce plugin to the latest available version at least 2.1.0...
WordPress wpDiscuz plugin <= 7.3.11 - Sensitive Information Disclosure
Sensitive Information Disclosure vulnerability discovered in WordPress wpDiscuz plugin versions <= 7.3.11 by Muhammad Daffa. Solution: Update the WordPress wpDiscuz plugin to the latest available version at least 7.3.12...
WordPress Dynamic Widgets plugin <= 1.5.16 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress Dynamic Widgets plugin versions <= 1.5.16. Solution: Deactivate and delete. This plugin has been closed as of December 28, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress Popup Builder plugin <= 4.0.6 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered in WordPress Popup Builder plugin versions <= 4.0.6. Solution: Update the WordPress Popup Builder plugin to the latest available version at least 4.0.7...
WordPress The Plus Addons for Elementor Pro premium plugin <= 5.0.6 - Sensitive Data Disclosure vulnerability
Sensitive Data Disclosure vulnerability discovered by Nicolas Vidal from TEHTRIS in WordPress The Plus Addons for Elementor Pro premium plugin versions <= 5.0.6. Solution: Update the WordPress The Plus Addons for Elementor Pro premium plugin to the latest available version at least 5.0.7...
WordPress Asgaros Forum plugin <= 1.15.12 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by JrXnm in WordPress Asgaros Forum plugin versions <= 1.15.12. Solution: Update the WordPress Asgaros Forum plugin to the latest available version at least 1.15.13...
WordPress Request Quote via Whatsapp for Woocommerce plugin <= 1.0.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by iohex and WPScanTeam in WordPress Request Quote via Whatsapp for Woocommerce plugin versions <= 1.0.1. Solution: This plugin has been closed as of September 25, 2019 and is not available for download...
WordPress Social Tape plugin <= 1.0 - Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by Ashish Upsham in WordPress Social Tape plugin versions <= 1.0. Solution: This plugin has been closed as of June 15, 2021 and is not available for download. Reason: Security Issue...
WordPress Modern WPBakery Page Builder Addons premium plugin <= 3.0.1 - Arbitrary File Upload/Deletion vulnerabilities
Arbitrary File Upload/Deletion vulnerabilities discovered by Robin Goodfellow in WordPress Modern WPBakery Page Builder Addons premium plugin versions <= 3.0.1. Solution: Plugin removed from Envato repository. Deactivate and delete...
WordPress 360 Product Rotation plugin <= 1.4.7 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability found by ImplosionSec in WordPress 360 Product Rotation plugin versions <= 1.4.7. Solution: Update the WordPress 360 Product Rotation plugin to the latest available version at least 1.4.8...
WordPress Captcha plugin <= 4.4.4 - Backdoored
Backdoor found by the WordFence team in WordPress Captcha plugin versions 4.3.6–4.4.4. Solution: The WordPress plugin repository team patched the plugin, but you need to decide for yourself whether to keep using it...
WordPress <= 4.9 - Authenticated JavaScript File Upload vulnerability
Authenticated JavaScript File Upload vulnerability found in WordPress versions <= 4.9. Solution: Update WordPress to the latest available version at least 4.9.1...
WordPress <= 4.7.4 - Insufficient Redirect Validation vulnerability
All WordPress versions from 2.7 to 4.7.4 suffer from insufficient redirect validation in the HTTP class that leads to SSRF (Server Side Request Forgery). Solution: Update WordPress core to the latest possible version at least 4.7.5...
WordPress Symposium Plugin <= 15.7 - SQL Injection
This vulnerability allows an attacker to execute arbitrary SQL commands via the "size" parameter to getalbumitem.php. Solution: Update the plugin...
WordPress Videowall Plugin - Reflected Cross Site Scripting
This plugin is prone to a cross-site scripting vulnerability in the pageid parameter of index.php. Solution: Update the plugin...
WordPress Genericons Plugin <= 4.2.1 - XSS
This vulnerability is in example.html and allows an attacker to inject arbitrary web script or HTML via a fragment identifier. Solution: Update the plugin...
WordPress <= 3.9.2 - XSS
This vulnerability is in the "wptexturize" function. It allows attackers to inject arbitrary web script or HTML via crafted use of shortcode brackets in a text field, as demonstrated by a comment or a post. Solution: Update WordPress...
WordPress W3 Total Cache Plugin <= 0.9.4 - XSS
Because of this vulnerability, attackers can inject arbitrary web script or HTML via the "Cache key" in the HTML comments. Solution: Update the plugin...
WordPress MaxButtons Plugin <= 1.26.0 - XSS
Because of this vulnerability, attackers can inject arbitrary web script or HTML via the "id" parameter in a button action on the maxbuttons-controller page to wp-admin/admin.php, related to the button creation page. Solution: Update the plugin...
WordPress <= 3.9.1 - Unsafe Serialization
wp-includes/class-wp-customize-widgets.php in the widget implementation allows attackers to execute arbitrary code via crafted serialized data. Solution: Update WordPress...
WordPress <= 3.8.1 - Privilege Escalation
Because of this vulnerability, authenticated users can publish posts. Solution: Update the plugin...
WordPress <= 2.6.9 - Denial Of Service Attacks
Because of this vulnerability in wp-admin/upgrade.php, attackers can upgrade the application and possibly cause a denial of service. Solution: Update WordPress...
WordPress <= 2.0.6 - Full Path disclosure
Because of this vulnerability, attackers can obtain sensitive information via an invalid m parameter. Solution: Update WordPress to the latest available version at least 2.0.7...
WordPress JetEngine <= 3.7.0 - Remote Code Execution (RCE) Vulnerability
Remote Code Execution (RCE) vulnerability discovered by stealthcopter in WordPress Plugin JetEngine versions <= 3.7.0...
WordPress FluentForm Plugin <= 5.1.19 is vulnerable to Cross Site Scripting (XSS)
Software: FluentForm; Type: Plugin; Vulnerable versions: <= 5.1.19; Fixed in: 5.1.20; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-9528; Patch priority: Low; CVSS severity: Low 5.9; PSID: 973bb3afee30; Credits: Ivan Kuzymchak; Required...
WordPress Z Y N I T H Plugin <= 7.4.9 is vulnerable to Settings Change
Software: Z Y N I T H; Type: Plugin; Vulnerable versions: <= 7.4.9; Fixed in: N/A; OWASP Top 10: A1: Broken Access Control; Classification: Settings Change; CVE: CVE-2024-43940; Patch priority: Medium; CVSS severity: Medium 6.5; PSID: b82e28b179e8; Credits: Dave Jong (Patchstack); Required...
WordPress myCred Plugin <= 2.7.2 is vulnerable to Cross Site Scripting (XSS)
Software: myCred; Type: Plugin; Vulnerable versions: <= 2.7.2; Fixed in: 2.7.3; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-43353; Patch priority: Low; CVSS severity: Low 6.5; PSID: a2faf75ac250; Credits: LVT-tholv2k; Required privilege: Contributor...
WordPress NextScripts Plugin <= 4.4.3 is vulnerable to Cross Site Request Forgery (CSRF)
Software: NextScripts; Type: Plugin; Vulnerable versions: <= 4.4.3; Fixed in: 4.4.4; OWASP Top 10: A5: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2024-1446; Patch priority: Low; CVSS severity: Low 5.4; PSID: 891652032504; Credits: Krzysztof Zając; Required...
WordPress Slider Revolution Plugin <= 6.7.7 is vulnerable to Cross Site Scripting (XSS)
Software: Slider Revolution; Type: Plugin; Vulnerable versions: <= 6.7.7; Fixed in: 6.7.8; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-4092; Patch priority: Low; CVSS severity: Low 6.5; Developer: ThemePunch; PSID: 82a59957f3ec; Credits: wesley wcraft; Required...
WordPress Ajax Archive Calendar Plugin <= 2.6.7 is vulnerable to Cross Site Scripting (XSS)
Software: Ajax Archive Calendar; Type: Plugin; Vulnerable versions: <= 2.6.7; Fixed in: 2.6.8; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2023-46069; Patch priority: Medium; CVSS severity: Medium 6.5; PSID: 2c6a1e009987; Credits: Ngô Thiên An ancorn from...
WordPress Cream Magazine Theme <= 2.1.4 is vulnerable to Cross Site Scripting (XSS)
Software: Cream Magazine; Type: Theme; Vulnerable versions: <= 2.1.4; Fixed in: 2.1.5; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-28687; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: 7a491754a1a0; Credits: László Radnai...
WordPress WP-Advanced-Search Plugin <= 3.3.8 is vulnerable to Cross Site Request Forgery (CSRF)
Software: WP-Advanced-Search; Type: Plugin; Vulnerable versions: <= 3.3.8; Fixed in: 3.3.9; OWASP Top 10: A5: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2022-47447; Patch priority: Low; CVSS severity: Low 4.3; PSID: 9c0a9b80e999; Credits: rezaduty; Require...
WordPress Watu Quiz Plugin < 3.3.8.3 is vulnerable to Cross Site Scripting (XSS)
Software: Watu Quiz; Type: Plugin; Vulnerable versions: < 3.3.8.3; Fixed in: 3.3.8.3; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-0429; Patch priority: Low; CVSS severity: Low 5.9; PSID: 5337ca5b2dc2; Credits: Felipe Restrepo Rodriguez...
WordPress Smart Slider 3 plugin <= 3.5.1.9 - Auth. PHP Object Injection vulnerability
Auth. PHP Object Injection vulnerability discovered by Dave Jong (Patchstack) in WordPress Smart Slider 3 plugin versions <= 3.5.1.9. Solution: Update the WordPress Smart Slider 3 plugin to the latest available version at least 3.5.1.11...
WordPress YITH WooCommerce Gift Cards Premium plugin <= 3.19.0 - Unauth. Arbitrary File Upload vulnerability
Unauth. Arbitrary File Upload vulnerability discovered by Dave Jong (Patchstack) in WordPress YITH WooCommerce Gift Cards Premium plugin versions <= 3.19.0. Solution: Update the WordPress YITH WooCommerce Gift Cards Premium plugin to the latest available version at least 3.20.0...
WordPress Booster for WooCommerce plugin <= 5.6.6 - Auth. Arbitrary File Download vulnerability
Auth. Arbitrary File Download vulnerability discovered by WPScan in WordPress Booster for WooCommerce plugin versions <= 5.6.6. Solution: Update the WordPress Booster for WooCommerce plugin to the latest available version at least 5.6.7...
WordPress All in One SEO Pro plugin <= 4.2.5.1 - Server Side Request Forgery (SSRF) vulnerability
Server Side Request Forgery (SSRF) vulnerability discovered by Rafie Muhammad Yeraisci in the WordPress All in One SEO Pro plugin versions <= 4.2.5.1. Solution: Update the WordPress All in One SEO Pro plugin to the latest available version at least 4.2.6...
WordPress WP ALL Export Pro premium plugin <= 1.7.8 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Sanjay Das in WordPress WP ALL Export Pro premium plugin versions <= 1.7.8. Solution: Update the WordPress WP ALL Export Pro plugin to the latest available version at least 1.7.9...
WordPress Analytify plugin <= 4.2.2 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to Cache Deletion discovered by Muhammad Daffa (Patchstack Alliance) in WordPress Analytify plugin versions <= 4.2.2. Solution: Update the WordPress Analytify plugin to the latest available version at least 4.2.3...
WordPress TaskBuilder plugin <= 1.0.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability via SVG file upload discovered by Rizacan Tufan in WordPress TaskBuilder plugin versions <= 1.0.7. Solution: Update the WordPress TaskBuilder plugin to the latest available version at least 1.0.8...
WordPress Rate my Post – WP Rating System plugin <= 3.3.4 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability that allows arbitrary votes discovered by Nguy Minh Tuan (Patchstack Alliance) in WordPress Rate my Post – WP Rating System plugin versions <= 3.3.4. Solution: Update the WordPress Rate my Post – WP Rating System plugin to the latest available version at...
WordPress MailerLite – Signup forms (official) plugin <= 1.5.7 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to API key change discovered by Muhammad Daffa (Patchstack Alliance) in WordPress MailerLite – Signup forms (official) plugin versions <= 1.5.7. Solution: Update the WordPress MailerLite – Signup forms plugin to the latest available version at least...
WordPress Simple Job Board plugin <= 2.9.6 - Resume Disclosure via Directory Listing
Resume Disclosure via Directory Listing was discovered by Daniel Ruf in the WordPress Simple Job Board plugin versions <= 2.9.6. Solution: Update the WordPress Simple Job Board plugin to the latest available version at least 2.10.0...
WordPress NEX-Forms plugin <= 7.9.6 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Elias Hohl in WordPress NEX-Forms plugin versions <= 7.9.6. Solution: Update the WordPress NEX-Forms – Ultimate Form Builder plugin to the latest available version at least 7.9.7...
WordPress Fast Flow Plugin <= 1.2.12 - Authenticated Stored Cross-Site Scripting
Authenticated Stored Cross-Site Scripting vulnerability discovered by Hardik Rathod in Fast Flow plugin versions <= 1.2.12. Solution: Update the WordPress Fast Flow plugin to the latest available version at least 1.2.13...
WordPress MultiSafepay plugin for WooCommerce plugin <= 4.15.0 - Unauthenticated Arbitrary File Read vulnerability
Unauthenticated Arbitrary File Read vulnerability discovered by Brandon Roldan in WordPress MultiSafepay plugin for WooCommerce plugin versions <= 4.15.0. Solution: Update the WordPress MultiSafepay plugin for WooCommerce plugin to the latest available version at least 4.16.0...
WordPress YaySMTP plugin <= 2.2 - Authenticated Logs Disclosure vulnerability
Authenticated Logs Disclosure vulnerability discovered by Rafshanzani Suhada in WordPress YaySMTP plugin versions <= 2.2. Solution: Update the WordPress YaySMTP plugin to the latest available version at least 2.2.1...
WordPress AnyMind Widget plugin <= 1.1 - Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS) discovered by Sho Sakata in WordPress AnyMind Widget plugin versions <= 1.1. Solution: Deactivate and delete. This plugin has been closed as of June 30, 2022 and is not available for download. This closure is temporar...