WordPress CDI plugin <= 5.1.8 - Reflected Cross-Site-Scripting (XSS) vulnerability
Reflected Cross-Site-Scripting (XSS) vulnerability discovered in WordPress CDI plugin versions <= 5.1.8. Solution: Update the WordPress CDI plugin to the latest available version (at least 5.1.9)...
WordPress Best Contact Management Software plugin <= 3.7.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Benachi in WordPress Best Contact Management Software plugin versions <= 3.7.3. Solution: Deactivate and delete. This plugin has been closed as of June 21, 2022 and is not available for download. This closure is temporary,...
WordPress Social Media Share Buttons plugin <= 3.8.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas (Patchstack Alliance) in WordPress Social Media Share Buttons plugin versions <= 3.8.4. Solution: Update the WordPress Social Media Share Buttons plugin to the latest available version (at least 3.8.5)...
WordPress XO Slider plugin <= 3.3.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in WordPress XO Slider plugin versions <= 3.3.2. Solution: Update the WordPress XO Slider plugin to the latest available version (at least 3.3.3)...
WordPress MyCSS plugin <= 1.1 - Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability was discovered by Daniel Ruf in the WordPress MyCSS plugin versions <= 1.1. Solution: Deactivate and delete. This plugin has been closed as of May 31, 2022 and is not available for download. This closure is temporary, pendi...
WordPress Herd Effects plugin <= 5.2 - Local File Inclusion (LFI) vulnerability
Local File Inclusion (LFI) vulnerability was discovered by 0x9B (Patchstack Alliance) in WordPress Herd Effects plugin versions <= 5.2. Solution: Update the WordPress Herd Effects plugin to the latest available version (at least 5.2.1)...
WordPress Code Snippets Extended plugin <= 1.4.7 - Cross-Site Request Forgery (CSRF) leading to Remote Code Execution (RCE) vulnerability
Cross-Site Request Forgery (CSRF) leading to Remote Code Execution (RCE) vulnerability discovered by Rasi Afeef (Patchstack Alliance) in WordPress Code Snippets Extended plugin versions <= 1.4.7. Solution: No patched version is available. No reply from the vendor...
WordPress Ultimate Member plugin <= 2.3.1 - Open Redirect vulnerability
Open Redirect vulnerability discovered by Ruijie Li in WordPress Ultimate Member plugin versions <= 2.3.1. Solution: Update the WordPress Ultimate Member plugin to the latest available version (at least 2.3.2)...
WordPress Sliderby10Web plugin <= 1.2.51 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Fayçal CHENA in WordPress Sliderby10Web plugin versions <= 1.2.51. Solution: Update the WordPress Sliderby10Web plugin to the latest available version (at least 1.2.52)...
WordPress WPQA - Builder forms Addon plugin < 5.2 - Arbitrary Profile Picture Deletion via IDOR vulnerability
Arbitrary Profile Picture Deletion via IDOR vulnerability discovered by Binit Ghimire in WordPress WPQA - Builder forms Addon plugin versions < 5.2. Solution: Update the WordPress WPQA - Builder forms Addon plugin to the latest available version (at least 5.2)...
WordPress BulletProof Security plugin <= 6.0 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Fayçal CHENA in WordPress BulletProof Security plugin versions <= 6.0. Solution: Update the WordPress BulletProof Security plugin to the latest available version (at least 6.1)...
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.5.3 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by Huli (Cymetrics) in WordPress VikBooking Hotel Booking Engine & PMS plugin versions <= 1.5.3. Solution: Update the WordPress VikBooking Hotel Booking Engine & PMS plugin to the latest available version (at least 1.5.4)...
WordPress HubSpot plugin <= 8.8.13 - Blind Server-Side Request Forgery (SSRF) vulnerability
Blind Server-Side Request Forgery (SSRF) vulnerability was discovered by Brandon Roldan in the WordPress HubSpot plugin versions <= 8.8.13. Solution: Update the WordPress HubSpot plugin to the latest available version (at least 8.8.15)...
WordPress ThirstyAffiliates Affiliate Link Manager plugin <= 3.10.4 - Arbitrary Affiliate Links Creation vulnerability
Arbitrary Affiliate Links Creation vulnerability discovered by Krzysztof Zając in WordPress ThirstyAffiliates Affiliate Link Manager plugin versions <= 3.10.4. Solution: Update the WordPress ThirstyAffiliates Affiliate Link Manager plugin to the latest available version (at least 3.10.5)...
WordPress Caldera Forms plugin <= 1.9.6 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Caldera Forms plugin versions <= 1.9.6. Solution: Update the WordPress Caldera Forms plugin to the latest available version (at least 1.9.7)...
WordPress Easy Smooth Scroll Links plugin <= 2.23.0 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Park won seok in WordPress Easy Smooth Scroll Links plugin versions <= 2.23.0. Solution: Update the WordPress Easy Smooth Scroll Links plugin to the latest available version (at least 2.23.1)...
WordPress Download Manager plugin <= 3.2.38 - Unauthenticated Brute Force of Files Master Key vulnerability
Unauthenticated Brute Force of Files Master Key vulnerability discovered by Diogo Real in WordPress Download Manager plugin versions <= 3.2.38. Solution: Update the WordPress Download Manager plugin to the latest available version (at least 3.2.39)...
WordPress Sassy Social Share plugin <= 3.3.39 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Paul J. Martinez in WordPress Sassy Social Share plugin versions <= 3.3.39. Solution: Update the WordPress Sassy Social Share plugin to the latest available version (at least 3.3.40)...
WordPress Ad Inserter plugin <= 2.7.11 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Taurus Omar in WordPress Ad Inserter plugin versions <= 2.7.11. Solution: Update the WordPress Ad Inserter plugin to the latest available version (at least 2.7.12)...
WordPress Ad Inserter Pro premium plugin <= 2.7.11 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Taurus Omar in WordPress Ad Inserter Pro premium plugin versions <= 2.7.11. Solution: Update the WordPress Ad Inserter Pro premium plugin to the latest available version (at least 2.7.12)...
WordPress Booking Package plugin <= 1.5.28 - Unauthenticated Sensitive Data Disclosure vulnerability
Unauthenticated Sensitive Data Disclosure vulnerability discovered by Huli (Cymetrics) in WordPress Booking Package plugin versions <= 1.5.28. Solution: Update the WordPress Booking Package plugin to the latest available version (at least 1.5.29)...
WordPress Analytics Cat plugin <= 1.0.9 - Plugin Settings change via Cross-Site Request Forgery (CSRF) vulnerability
Plugin Settings change via Cross-Site Request Forgery (CSRF) vulnerability discovered by Rasi Afeef (Patchstack Alliance) in WordPress Analytics Cat plugin versions <= 1.0.9. Solution: Update the WordPress Analytics Cat plugin to the latest available version (at least 1.1.0)...
WordPress Sermon Browser plugin <= 0.45.22 - Arbitrary File Upload via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary File Upload via Cross-Site Request Forgery (CSRF) vulnerability discovered by Krishna Harsha Kondaveeti in WordPress Sermon Browser plugin versions <= 0.45.22. Solution: Deactivate and delete. This plugin has been closed as of February 4, 2022 and is not available for download. This closure...
WordPress Database Peek plugin <= 1.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ran Crane in WordPress Database Peek plugin versions <= 1.2. Solution: Deactivate and delete. This plugin has been closed as of February 15, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress WPC Smart Wishlist for WooCommerce plugin <= 2.9.3 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress WPC Smart Wishlist for WooCommerce plugin versions <= 2.9.3. Solution: Update the WordPress WPC Smart Wishlist for WooCommerce plugin to the latest available version (at least 2.9.4)...
WordPress AP Mega Menu plugin <= 3.0.7 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ran Crane in WordPress AP Mega Menu plugin versions <= 3.0.7. Solution: Update the WordPress AP Mega Menu plugin to the latest available version (at least 3.0.8)...
WordPress Go Fetch Jobs (for WP Job Manager) plugin <= 1.7.0.3 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Go Fetch Jobs (for WP Job Manager) plugin versions <= 1.7.0.3. Solution: Update the WordPress Go Fetch Jobs (for WP Job Manager) for WooCommerce plugin to the latest available version (at least 1.7.3.2)...
WordPress Internal Link Juicer: SEO Auto Linker for WordPress plugin < 1.3.0.1 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Internal Link Juicer: SEO Auto Linker for WordPress plugin versions < 1.3.0.1. Solution: Update the WordPress Internal Link Juicer: SEO Auto Linker for WordPress plugin to the latest available version (at least 1.3.0.1)...
WordPress Ultimate Bulk SEO Noindex Nofollow – Speed up Penalty Recovery Ultimate SEO Booster plugin <= 1.0.6 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress Ultimate Bulk SEO Noindex Nofollow – Speed up Penalty Recovery Ultimate SEO Booster plugin versions <= 1.0.6. Solution: No patched version available...
WordPress Premmerce SEO for WooCommerce plugin <= 2.1.4 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Premmerce SEO for WooCommerce plugin versions <= 2.1.4. Solution: Update the WordPress Premmerce SEO for WooCommerce plugin to the latest available version (at least 2.1.5)...
WordPress Sync QCloud COS plugin <= 2.0.0 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by fuzzyap1 in WordPress Sync QCloud COS plugin versions <= 2.0.0. Solution: Update the WordPress Sync QCloud COS plugin to the latest available version (at least 2.0.1)...
WordPress File Upload plugin <= 4.16.2 - Contributor+ Stored Cross-Site Scripting (XSS) via Shortcode vulnerability
Contributor+ Stored Cross-Site Scripting (XSS) via Shortcode vulnerability discovered by apple502j in WordPress File Upload plugin versions <= 4.16.2. Solution: Update the WordPress File Upload plugin to the latest available version (at least 4.16.3)...
WordPress Revolut Gateway for WooCommerce plugin <= 3.1.1 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by Budiony Damyanov in WordPress Revolut Gateway for WooCommerce plugin versions <= 3.1.1. Solution: Update the WordPress Revolut Gateway for WooCommerce plugin to the latest available version (at least 3.1.2)...
WordPress MaxGalleria plugin <= 6.2.7 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Red Team project) in the WordPress MaxGalleria plugin versions <= 6.2.7. Solution: Update the WordPress MaxGalleria plugin to the latest available version (at least 6.2.8)...
WordPress Cost Calculator plugin <= 1.6 - Authenticated Local File Inclusion (LFI) vulnerability
Authenticated Local File Inclusion (LFI) vulnerability discovered by apple502j in WordPress Cost Calculator plugin versions <= 1.6. Solution: Deactivate and delete. This plugin has been closed as of November 3, 2021 and is not available for download. Reason: Security Issue...
WordPress Essential Addons for Elementor plugin <= 5.0.4 - Unauthenticated Local File Inclusion (LFI) vulnerability
Unauthenticated Local File Inclusion (LFI) vulnerability discovered by Wai Yan Myo Thet in WordPress Essential Addons for Elementor plugin versions <= 5.0.4. Solution: Update the WordPress Essential Addons for Elementor plugin to the latest available version (at least 5.0.5)...
WordPress WP Cloudy plugin <= 4.4.8 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by JrXnm in WordPress WP Cloudy plugin versions <= 4.4.8. Solution: Update the WordPress WP Cloudy plugin to the latest available version (at least 4.4.9)...
WordPress Access Demo Importer plugin <= 1.0.7 - Cross-Site Request Forgery (CSRF) vulnerability leading to Data Reset (Posts / Pages / Media)
Cross-Site Request Forgery (CSRF) vulnerability leading to Data Reset (Posts / Pages / Media) discovered by Ex.Mi (Patchstack) in WordPress Access Demo Importer plugin versions <= 1.0.7. Solution: Update the WordPress Access Demo Importer plugin to the latest available version (at least 1.0.8)...
WordPress Better Messages plugin <= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability at bpmessagesfavorite discovered by Vlad Vector (Patchstack) in WordPress Better Messages plugin versions <= 1.9.9.148. Solution: Update the WordPress BP Better Messages plugin to the latest available version (at least 1.9.9.149)...
WordPress GiveWP plugin <= 2.17.2 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress GiveWP plugin versions <= 2.17.2. Solution: Update the WordPress GiveWP plugin to the latest available version (at least 2.17.3)...
WordPress Simple Download Monitor plugin <= 3.9.8 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by apple502j in the WordPress Simple Download Monitor plugin versions <= 3.9.8. Solution: Update the WordPress Simple Download Monitor to the latest available version (at least 3.9.9)...
WordPress WP Mail Logging plugin <= 1.9.9 - Using Components with Known Vulnerabilities (vulnerable Redux Framework version)
Using Components with Known Vulnerabilities (vulnerable Redux Framework version - CVE-2021-38312, CVE-2021-38314) discovered by Rotem Reiss in WordPress WP Mail Logging plugin versions <= 1.9.9. Solution: Update the WordPress WP Mail Logging plugin to the latest available version (at least 1.10.0)...
WordPress Contact Form & Lead Form Elementor Builder plugin <= 1.6.3 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Contact Form & Lead Form Elementor Builder plugin versions <= 1.6.3. Solution: Update the WordPress Contact Form & Lead Form Elementor Builder plugin to the latest available version (at least 1.6...
WordPress Revolve theme <= 1.3.1 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress Revolve theme versions <= 1.3.1. This theme uses a vulnerable piece of code related to a previously identified vulnerability - CVE-2021-39317. Solution: Deactivate and delete. The vendor ignores the...
WordPress Mediamatic – Media Library Folders plugin <= 2.7 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by JrXnm in WordPress Mediamatic – Media Library Folders plugin versions <= 2.7. Solution: Deactivate and delete. This plugin has been closed as of October 11, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress Contact Form 7 Database Addon – CFDB7 plugin <= 1.2.5.9 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by Ex.Mi (Patchstack) in WordPress Contact Form 7 Database Addon – CFDB7 plugin versions <= 1.2.5.9. Solution: Update the WordPress Contact Form 7 Database Addon – CFDB7 plugin to the latest available version (at least 1.2.6.1)...
WordPress LearnPress plugin <= 4.1.3.2 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by JrXnm in WordPress LearnPress plugin versions <= 4.1.3.2. Solution: Update the WordPress LearnPress plugin to the latest available version (at least 4.1.4)...
WordPress Brizy – Page Builder plugin <= 2.3.11 - Incorrect authorization checks allowing Post modification vulnerability
Incorrect authorization checks allowing Post modification vulnerability discovered by Ramuel Gall (WordFence) in WordPress Brizy – Page Builder plugin versions <= 2.3.11. Solution: Update the WordPress Brizy – Page Builder plugin to the latest available version (at least 2.3.12)...
WordPress Post Content XMLRPC plugin <= 1.0 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by Shreya Pohekar (Codevigilant Project) in WordPress Post Content XMLRPC plugin versions <= 1.0. Solution: Deactivate and delete. This plugin has been closed as of June 21, 2021 and is not available for download. Reason: Security Issue...
WordPress Shortcodes Ultimate plugin <= 5.10.1 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by apple502j in WordPress Shortcodes Ultimate plugin versions <= 5.10.1. Solution: Update the WordPress Shortcodes Ultimate plugin to the latest available version (at least 5.10.2)...