45686 matches found
WordPress Token Login Plugin <= 1.0.3 is vulnerable to Broken Authentication
Software: Token Login; Type: Plugin; Vulnerable versions: <= 1.0.3; Fixed in: N/A; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Broken Authentication; CVE: CVE-2024-50488; Patch priority: High; CVSS severity: High (8.8); PSID: 18531b1d1720; Credits: stealthcopte...
WordPress Jetpack Plugin < 13.9.1 is vulnerable to Broken Access Control
Software: Jetpack; Type: Plugin; Vulnerable versions: < 13.9.1; Fixed in: 13.9.1; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2024-9926; Patch priority: Low; CVSS severity: Low (4.3); PSID: 675e1d99d774; Credits: Marc Montpas; Required privilege...
WordPress Multilingual CMS Plugin <= 4.6.12 is vulnerable to Remote Code Execution (RCE)
Software: Multilingual CMS; Type: Plugin; Vulnerable versions: <= 4.6.12; Fixed in: 4.6.13; OWASP Top 10: A1: Injection; Classification: Remote Code Execution (RCE); CVE: CVE-2024-6386; Patch priority: Medium; CVSS severity: Medium (9.9); PSID: 31c994cd7315; Credits: stealthcopter; Required...
WordPress Calculated Fields Form Plugin <= 1.2.52 is vulnerable to Cross Site Scripting (XSS)
Software: Calculated Fields Form; Type: Plugin; Vulnerable versions: <= 1.2.52; Fixed in: 1.2.53; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-0963; Patch priority: Low; CVSS severity: Low (6.5); PSID: 51ba9c951440; Credits: Richard Telleng...
WordPress Online Booking & Scheduling Calendar for WordPress by vcita Plugin <= 4.4.2 is vulnerable to Arbitrary File Upload
Software: Online Booking & Scheduling Calendar for WordPress by vcita; Type: Plugin; Vulnerable versions: <= 4.4.2; Fixed in: N/A; OWASP Top 10: A1: Injection; Classification: Arbitrary File Upload; CVE: CVE-2023-2414; Patch priority: High; CVSS severity: High (9.9); PSID: 69648001908f; Credit...
WordPress WooCommerce Pre-Orders Plugin <= 2.0.0 is vulnerable to Cross Site Scripting (XSS)
Software: WooCommerce Pre-Orders; Type: Plugin; Vulnerable versions: <= 2.0.0; Fixed in: 2.0.1; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-32793; Patch priority: Low; CVSS severity: Low (6.5); PSID: 835a4691203f; Credits: Rafie Muhammad...
WordPress ProfileGrid plugin <= 5.1.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by zhangyunpei in the WordPress ProfileGrid plugin versions <= 5.1.0. Solution: Update the WordPress ProfileGrid plugin to the latest available version (at least 5.1.1)...
WordPress OAuth Client by DigitialPixies plugin <= 1.1.0 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Lana Codes in WordPress OAuth Client by DigitialPixies plugin versions <= 1.1.0. Solution: No patched version is available. This plugin has been closed as of October 21, 2022 and is not available for download. This closure is...
WordPress REST API Authentication plugin <= 2.4.0 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to plugin settings change discovered by Lana Codes (Patchstack Alliance) in WordPress REST API Authentication plugin versions <= 2.4.0. Solution: Update the WordPress REST API Authentication plugin to the latest available version at leas...
WordPress wpForo Forum plugin <= 2.0.9 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Rafie Muhammad aka Yeraisci (Patchstack Alliance) in WordPress wpForo Forum plugin versions <= 2.0.9. Solution: Update the WordPress wpForo Forum plugin to the latest available version (at least 2.1.0)...
WordPress Beautiful Cookie Consent Banner plugin <= 2.9.0 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by zhangyunpei in the WordPress Beautiful Cookie Consent Banner plugin versions <= 2.9.0. Solution: Update the WordPress Beautiful Cookie Consent Banner plugin to the latest available version (at least 2.9.1)...
WordPress core <= 6.0.2 - Content From Multipart Emails Leak vulnerability
Content From Multipart Emails Leak vulnerability when HTML/plaintext used discovered by Thomas Kräftner in WordPress core versions <= 6.0.2. Solution: Update WordPress to the latest available version (at least 6.0.3)...
WordPress Sucuri Security plugin <= 1.8.33 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to Event log entry creation discovered by Rafie Muhammad Yeraisci in WordPress Sucuri Security plugin versions <= 1.8.33. Solution: Update the WordPress Sucuri Security plugin to the latest available version (at least 1.8.34)...
WordPress Awesome Support plugin <= 6.0.7 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities were discovered by Vlad Vector (Patchstack) in WordPress Awesome Support plugin versions <= 6.0.7. Solution: Update the WordPress Awesome Support plugin to the latest available version (at least 6.0.8)...
WordPress MP3 jPlayer plugin <= 2.7.3 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Rasi Afeef (Patchstack Alliance) in the WordPress MP3-jPlayer plugin versions <= 2.7.3. Solution: Deactivate and delete. No reply from the vendor...
WordPress Restricted Site Access plugin <= 7.3.1 - Access Bypass via IP Spoofing vulnerability
Access Bypass via IP Spoofing vulnerability discovered by Daniel Ruf in WordPress Restricted Site Access plugin versions <= 7.3.1. Solution: Update the WordPress Restricted Site Access plugin to the latest available version (at least 7.3.2)...
WordPress Add User Role plugin <= 0.0.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by ptsfence (Patchstack Alliance) in WordPress Add User Role plugin versions <= 0.0.1. Solution: Deactivate and delete. This plugin has been closed as of August 29, 2022 and is not available for download. This closure is temporary...
WordPress Event Calendar – Calendar plugin <= 1.4.6 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability
Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Vlad Vector (Patchstack) in WordPress Event Calendar – Calendar plugin versions <= 1.4.6. Solution: Update the WordPress Event Calendar – Calendar plugin to the latest available version (at least 1.4.7)...
WordPress BadgeOS plugin <= 3.7.1.2 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress BadgeOS plugin versions <= 3.7.1.2. Solution: Update the WordPress BadgeOS plugin to the latest available version (at least 3.7.1.3)...
WordPress Ping Optimizer plugin <= 2.35.1.2.3 - Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability discovered by Daniel Ruf in WordPress Ping Optimizer plugin versions <= 2.35.1.3.0. Solution: Update the WordPress Ping Optimizer plugin to the latest available version (at least 2.35.1.3.0)...
WordPress Better Messages plugin <= 1.9.10.57 - Denial Of Service (DoS) vulnerability
Denial Of Service (DoS) vulnerability was discovered by Dhakal Ananda (Patchstack Alliance) in the WordPress Better Messages plugin versions <= 1.9.10.57. Solution: Update the WordPress BP Better Messages plugin to the latest available version (at least 1.9.10.58)...
WordPress Affiliates Manager Plugin <= 2.9.13 - Authenticated Cross-Site Scripting vulnerability
Authenticated Cross-Site Scripting vulnerability discovered by WPScan in Affiliates Managers versions <= 2.9.13. Solution: Update the WordPress Affiliates Manager plugin to the latest available version (at least 2.9.14)...
WordPress THE Leads Management System: 59sec LITE plugin <= 3.4.1 - Unauthenticated plugin settings change vulnerability
Unauthenticated plugin settings change vulnerability discovered by ptsfence (Patchstack Alliance) in WordPress THE Leads Management System: 59sec LITE plugin versions <= 3.4.1. Solution: Deactivate and delete. This plugin has been closed as of August 12, 2022 and is not available for download. This...
WordPress Mailchimp for WooCommerce plugin <= 2.7 - Authenticated Server-Side Request Forgery (SSRF) vulnerability
Authenticated Server-Side Request Forgery (SSRF) vulnerability discovered by Miguel Xavier Penha Neto in WordPress Mailchimp for WooCommerce plugin versions <= 2.7. Solution: Update the WordPress MailChimp For WooCommerce plugin to the latest available version (at least 2.7.1)...
WordPress Download Manager plugin <= 3.2.48 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities leading to stats and cache deletion were discovered by Vlad Vector (Patchstack) in the WordPress Download Manager plugin versions <= 3.2.48. Solution: Update the WordPress Download Manager plugin to the latest available version (at least 3.2.49)...
WordPress Enable SVG, WebP & ICO Upload plugin <= 1.0.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability via malicious SVG file upload discovered by Kim Jong Min aka Universe (Patchstack Alliance) in WordPress Enable SVG, WebP & ICO Upload plugin versions <= 1.0.3. Solution: No patched version available...
WordPress GS Testimonial Slider plugin <= 1.9.5 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Tien Nguyen Anh (Patchstack Alliance) in WordPress GS Testimonial Slider plugin versions <= 1.9.5. Solution: Update the WordPress GS Testimonial Slider plugin to the latest available version (at least 1.9.6)...
WordPress Flipbox plugin <= 2.6.0 - Authenticated WordPress Options Change vulnerability
Authenticated WordPress Options Change vulnerability discovered by m0ze (Patchstack) in WordPress Flipbox plugin versions <= 2.6.0. Solution: Update the WordPress Flipbox plugin to the latest available version (at least 2.6.1)...
WordPress WP OAuth2 Server plugin <= 1.0.1 - Authentication Bypass vulnerability
Authentication Bypass vulnerability discovered by Lana Codes in WordPress WP OAuth2 Server plugin versions <= 1.0.1. Solution: Deactivate and delete. This plugin has been closed as of June 23, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Rough Chart plugin <= 1.0.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Siddhant Suresh Ughade in WordPress Rough Chart plugin versions <= 1.0.0. Solution: Deactivate and delete. This plugin has been closed as of July 14, 2022 and is not available for download. This closure is temporary, pending ...
WordPress GiveWP plugin <= 2.20.2 - Authenticated Arbitrary File Read via Export function vulnerability
Authenticated Arbitrary File Read via Export function vulnerability discovered by Rafie Muhammad aka Yeraisci (Patchstack Alliance) in WordPress GiveWP plugin versions <= 2.20.2. Solution: Update the WordPress GiveWP plugin to the latest available version (at least 2.21.0)...
WordPress Exports and Reports plugin <= 0.9.1 - Authenticated CSV Injection vulnerability
Authenticated CSV Injection vulnerability discovered by websafe2021 in WordPress Exports and Reports plugin versions <= 0.9.1. Solution: Update the WordPress Exports and Reports plugin to the latest available version (at least 0.9.2)...
WordPress Accept Stripe Payments plugin <= 2.0.63 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by iohex in WordPress Accept Stripe Payments plugin versions <= 2.0.63. Solution: Update the WordPress Stripe Payments plugin to the latest available version (at least 2.0.64)...
WordPress WP Event Manager plugin <= 3.1.27 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Utkarsh Agrawal in WordPress WP Event Manager plugin versions <= 3.1.27. Solution: Update the WordPress WP Event Manager plugin to the latest available version (at least 3.1.28)...
WordPress Bold Page Builder plugin <= 4.3.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Nikhil Kapoor in WordPress Bold Page Builder plugin versions <= 4.3.2. Solution: Update the WordPress Bold Page Builder plugin to the latest available version (at least 4.3.3)...
WordPress Social Share Buttons by Supsystic plugin <= 2.2.3 - Multiple Authenticated SQL Injection (SQLi) vulnerabilities
Multiple Authenticated SQL Injection (SQLi) vulnerabilities were discovered by m0ze (Patchstack) in the WordPress Social Share Buttons by Supsystic plugin versions <= 2.2.3. Solution: Update the WordPress Social Share Buttons by Supsystic plugin to the latest available version (at least 2.2.4)...
WordPress Ninja Forms Contact Form plugin <= 3.6.9 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas (Patchstack Alliance) in WordPress Ninja Forms Contact Form plugin versions <= 3.6.9. Solution: Update the WordPress Ninja Forms Contact Form plugin to the latest available version (at least 3.6.10)...
WordPress Easy Pricing Tables plugin <= 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Easy Pricing Tables plugin versions <= 3.1.2. Solution: Update the WordPress Easy Pricing Tables plugin to the latest available version (at least 3.1.3)...
WordPress WP Fundraising Donation and Crowdfunding Platform plugin < 1.5.0 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress WP Fundraising Donation and Crowdfunding Platform plugin versions < 1.5.0. Solution: Update the WordPress WP Fundraising Donation and Crowdfunding Platform plugin to the latest available version (at least 1.5.0)...
WordPress Image Hover Effects Ultimate plugin <= 9.7.1 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability
Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Nguy Minh Tuan (Patchstack Alliance) in WordPress Image Hover Effects Ultimate plugin versions <= 9.7.1. Solution: Update the WordPress Image Hover Effects Ultimate plugin to the latest available version (at least 9.7.2)...
WordPress Subscribe To Comments Reloaded plugin <= 211130 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities discovered by Ex.Mi (Patchstack) in WordPress Subscribe To Comments Reloaded plugin versions <= 211130. Solution: Update the WordPress Subscribe To Comments Reloaded plugin to the latest available version (at least 220502)...
WordPress Personal Dictionary plugin <= 1.3.3 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress Personal Dictionary plugin versions <= 1.3.3. Solution: Update the WordPress Personal Dictionary plugin to the latest available version (at least 1.3.4)...
WordPress RSFirewall! plugin <= 1.1.24 - IP Block Bypass vulnerability
IP Block Bypass vulnerability discovered by Daniel Ruf in WordPress RSFirewall! plugin versions <= 1.1.24. Solution: Update the WordPress RSFirewall! plugin to the latest available version (at least 1.1.25)...
WordPress BadgeOS plugin <= 3.7.0 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress BadgeOS plugin versions <= 3.7.0. Solution: Update the WordPress BadgeOS plugin to the latest available version (at least 3.7.1)...
WordPress Order Listener for WooCommerce plugin <= 3.2.1 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress Order Listener for WooCommerce plugin versions <= 3.2.1. Solution: Update the WordPress Order Listener for WooCommerce plugin to the latest available version (at least 3.2.2)...
WordPress Chaty plugin <= 2.8.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas (Patchstack Alliance) in WordPress Chaty plugin versions <= 2.8.3. Solution: No patched version is available...
WordPress SiteGround Security plugin <= 1.2.5 - Authorization Weakness to Authentication Bypass via 2-Factor Authentication Back-up Codes vulnerability
Authorization Weakness to Authentication Bypass via 2-Factor Authentication Back-up Codes vulnerability discovered by Chloe Chamberland (Wordfence) in WordPress SiteGround Security plugin versions <= 1.2.5. Solution: Update the WordPress SiteGround Security plugin to the latest available version at...
WordPress Advanced Page Visit Counter <= 6.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Advanced Page Visit Counter versions <= 6.1.1. Solution: Update the WordPress Advanced Page Visit Counter – Most Advanced WordPress Visit Counter Plugin to the latest available version at least...
WordPress Coming Soon by Supsystic plugin <= 1.7.5 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by 0xB9 in WordPress Coming Soon by Supsystic plugin versions <= 1.7.5. Solution: Update the WordPress Coming Soon by Supsystic plugin to the latest available version (at least 1.7.6)...
WordPress Opensea plugin <= 1.0.2 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Mika in WordPress Opensea plugin versions <= 1.0.2. Solution: Update the WordPress Opensea plugin to the latest available version (at least 1.0.3)...