WordPress core 4.7-5.7 - XML External Entity (XXE) vulnerability
XML External Entity (XXE) vulnerability discovered by SonarSource in WordPress core versions 4.7-5.7. Solution: Update the WordPress core to the latest available version, at least 5.7.1...
WordPress Art-Picture-Gallery plugin <= 1.2.9 - Unauthenticated Arbitrary File Upload vulnerability
Unauthenticated Arbitrary File Upload vulnerability discovered by Random Robbie in WordPress Art-Picture-Gallery plugin versions <= 1.2.9. Solution: Plugin closed. Deactivate and delete...
WordPress WP Rocket plugin <=2.10.3 - Local File Inclusion (LFI) vulnerability
Local File Inclusion (LFI) vulnerability discovered by Paulos Yibelo in WordPress WP Rocket plugin versions 2.10.3 and earlier. Requires an older, deprecated PHP version that is vulnerable to null byte injection. Solution: Update the WordPress WP Rocket plugin to the latest available version, at least...
WordPress Content Repeater plugin <= 1.1.13 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Hoang Van Hiep (aka sk4rl1ghT, Patchstack Alliance) in the WordPress Content Repeater plugin versions <= 1.1.13. Solution: No patched version is available. Temporarily closed by WP for review...
WordPress WPCargo Track & Trace plugin <= 6.9.4 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Raul in WordPress WPCargo Track & Trace plugin versions <= 6.9.4. Solution: Update the WordPress WPCargo Track & Trace plugin to the latest available version, at least 6.9.5...
WordPress Ocean Extra plugin <= 2.0.4 - Auth. PHP Object Injection vulnerability
Auth. PHP Object Injection vulnerability discovered by Nguyen Duy Quoc Khanh in the WordPress Ocean Extra plugin versions <= 2.0.4. Solution: Update the WordPress Ocean Extra plugin to the latest available version, at least 2.0.5...
WordPress <=4.9.2 - Application Denial of Service (DoS) vulnerability
Application Denial of Service (DoS) vulnerability found in WordPress versions <= 4.9.2. Solution: 2/5/2018 - no patch available...
WordPress Booking Calendar plugin <= 10.11.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpbc Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via wpbc Shortcode vulnerability discovered by muhammad yudha in WordPress Booking Calendar plugin versions <= 10.11.1...
WordPress Folders Plugin <= 2.9.2 is vulnerable to Arbitrary File Upload
Software: Folders | Type: Plugin | Vulnerable versions: <= 2.9.2 | Fixed in: 2.9.3 | OWASP Top 10: A3: Injection | Classification: Arbitrary File Upload | CVE: CVE-2023-40204 | Patch priority: Medium | CVSS severity: Medium 9.1 | PSID: c5881308f6ec | Credits: Rafie Muhammad (Patchstack) | Required privileg...
WordPress Site Reviews Plugin < 6.7.1 is vulnerable to Cross Site Scripting (XSS)
Software: Site Reviews | Type: Plugin | Vulnerable versions: < 6.7.1 | Fixed in: 6.7.1 | OWASP Top 10: A7: Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: CVE-2023-1525 | Patch priority: Low | CVSS severity: Low 5.9 | Developer: Gemini Labs | PSID: 152640d57067 | Credits: Shreya Pohekar | Required privilege...
WordPress Unite Theme - XSS
This WordPress theme is prone to a cross-site scripting (XSS) vulnerability. It allows remote attackers to inject arbitrary script or HTML. Solution: Update the theme...
WordPress Slider Plugin <= 1.1.89 - Authenticated Arbitrary File Deletion
This plugin is prone to an authenticated arbitrary file deletion vulnerability. Any user can delete arbitrary files. Solution: Update the plugin...
WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution vulnerability
Authenticated Code Execution vulnerability discovered by Simon Scannell (RIPS Technologies) in WordPress versions 3.7-5.0, except 4.9.9. Solution: Update WordPress to the latest available version, at least 5.0.1 or 4.9.9...
WordPress Checkout Plugin - Remote Code Execution
This plugin is prone to a file upload remote code execution vulnerability. Solution: Upgrade the TimThumb version or delete the timthumb.php file...
WordPress ClicTracker plugin <= 1.0.5 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Hoang Van Hiep (aka sk4rl1ghT, Patchstack Alliance) in WordPress ClicTracker plugin versions <= 1.0.5. Solution: No patched version is available. Temporarily closed by WP for review...
WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
The attributes of enclosures are not correctly escaped in RSS and Atom feeds in the wp-includes/feed.php file, which might allow an attacker to exploit XSS via a crafted URL. Solution: Update WordPress to v4.9.1...
WordPress core <= 6.0.2 - Cross-Site Request Forgery (CSRF) vulnerability in wp-trackback.php
Cross-Site Request Forgery (CSRF) vulnerability in wp-trackback.php discovered by Simon Scannell in WordPress core versions <= 6.0.2. Solution: Update WordPress to the latest available version, at least 6.0.3...
WordPress core <= 5.8 - Authenticated Cross-Site Scripting (XSS) vulnerability
Authenticated Cross-Site Scripting (XSS) vulnerability discovered by Michal Bentkowski (Securitum) in the WordPress core block editor, versions <= 5.8. The issue allows an authenticated but low-privileged user, such as a contributor or author, to execute XSS in the editor. This bypasses the restrictions imposed on...
WordPress Parallax Scroll plugin <= 2.0.1 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found by Adam Robinson in WordPress Parallax Scroll plugin versions <= 2.0.1. Solution: Update the WordPress Parallax Scroll plugin to the latest available version, at least 2.1...
WordPress DeepL Pro API Translation plugin <= 1.7.4 - API Key Disclosure vulnerability
API Key Disclosure vulnerability discovered by Raad Haddad (Cloudyrion GmbH) in the WordPress DeepL Pro API Translation plugin versions <= 1.7.4. Solution: Update the WordPress DeepL Pro API Translation plugin to the latest available version, at least 1.7.5...
WordPress LayerSlider premium plugin <= 7.1.1 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Taurus Omar in WordPress LayerSlider premium plugin versions <= 7.1.1. Solution: Update the WordPress LayerSlider plugin to the latest available version, at least 7.1.2...
WordPress WooCommerce plugin <= 5.6.0 - Analytics Report Leaks vulnerability
Analytics Report Leaks vulnerability discovered in the WordPress WooCommerce plugin versions <= 5.6.0. Solution: Update the WordPress WooCommerce plugin to the latest available version, at least 5.7.0. Other patched versions of WooCommerce: 4.0.3, 4.1.3, 4.2.4, 4.3.5, 4.4.3, 4.5.4, 4.6.4, 4.7.3,...
WordPress Avada premium theme <= 7.6.1 - Unauthenticated Server-Side Request Forgery (SSRF) vulnerability
Unauthenticated Server-Side Request Forgery (SSRF) vulnerability discovered by Calum Elrick in WordPress Avada premium theme versions <= 7.6.1. Solution: Update the WordPress Avada premium theme to the latest available version, at least 7.6.2...
WordPress Fusion Builder plugin < 3.6.2 - Unauthenticated Server-Side Request Forgery (SSRF) vulnerability
Unauthenticated Server-Side Request Forgery (SSRF) vulnerability discovered by Calum Elrick in WordPress Fusion Builder plugin versions < 3.6.2. Solution: Update the WordPress Fusion Builder plugin to the latest available version, at least 3.6.2...
WordPress Shapely theme <= 1.2.8 - Unauthenticated Function Injection vulnerability
Unauthenticated Function Injection vulnerability found by Jerome Bruandet (NinTechNet) in WordPress Shapely theme versions <= 1.2.8. Solution: Update the WordPress Shapely theme to the latest available version, at least 1.2.9...
WordPress AdServe Plugin <= 0.2 - SQL Injection
Because of this vulnerability in adclick.php, attackers can execute arbitrary SQL commands via the "id" parameter. Solution: Update the plugin...
WordPress User Registration plugin <= 1.5.5 - Authenticated Cross-Site Scripting (XSS) vulnerability
Authenticated Cross-Site Scripting (XSS) vulnerability found by "Mr Winst0n" in WordPress User Registration plugin versions <= 1.5.5. Solution: Update the WordPress User Registration plugin to the latest available version, at least 1.5.6...
WordPress Google Calendar Events Plugin <= 3.4.2 is vulnerable to Cross Site Scripting (XSS)
Software: Google Calendar Events | Type: Plugin | Vulnerable versions: <= 3.4.2 | Fixed in: 3.4.3 | OWASP Top 10: A7: Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: CVE-2024-8549 | Patch priority: Medium | CVSS severity: Medium 7.1 | PSID: 9f01a635ec08 | Credits: vgo0 | Requir...
WordPress Social Stickers plugin <= 2.2.9 - Stored Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability
Stored Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability discovered by Vinay Varma Mudunuri and Krishna Harsha Kondaveeti in WordPress Social Stickers plugin versions <= 2.2.9. Solution: Deactivate and delete. This plugin has been closed as of April 19, 2022 and is not...
WordPress Tatsu plugin < 3.3.13 - Unauthenticated Remote Code Execution (RCE) vulnerability
Unauthenticated Remote Code Execution (RCE) vulnerability discovered by Vincent Michel in WordPress Tatsu plugin versions < 3.3.13. Solution: Update the WordPress Tatsu plugin to the latest available version, at least 3.3.13...
WordPress WP Statistics plugin <= 13.1.4 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by Cyku Hong (DEVCORE) in WordPress WP Statistics plugin versions <= 13.1.4. Solution: Update the WordPress WP Statistics plugin to the latest available version, at least 13.1.5...
WordPress WP-Advanced-Search plugin <= 3.3.3 - Unauthenticated Database Access vulnerability
Unauthenticated Database Access vulnerability discovered by Florian Hauser in WordPress WP-Advanced-Search plugin versions <= 3.3.3. Solution: Update the WordPress WP-Advanced-Search plugin to the latest available version, at least 3.3.7...
WordPress WCFM – Frontend Manager for WooCommerce plugin <= 6.6.1 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered in WordPress WCFM – Frontend Manager for WooCommerce plugin versions <= 6.6.1. Solution: Update the WordPress WCFM – Frontend Manager for WooCommerce plugin to the latest available version, at least 6.6.2...
WordPress <= 5.0 - PHP Object Injection via Meta Data vulnerability
PHP Object Injection via Meta Data vulnerability found by Sam Thomas in WordPress versions <= 5.0. Solution: Update WordPress to the latest available version, at least 5.0.1...
WordPress Uninstall Plugin <= 1.1 - WordPress Deletion via CSRF
Because of this vulnerability, it is possible to delete all WordPress database files and tables. Solution: Upgrade this plugin...
WordPress Elementor Website Builder plugin <= 3.6.2 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Ramuel Gall (Wordfence) in WordPress Elementor Website Builder plugin versions <= 3.6.2. Solution: Update the WordPress Elementor Website Builder plugin to the latest available version, at least 3.6.3...
WordPress Simple File List plugin <= 4.2.2 - Unauthenticated Arbitrary File Upload vulnerability leading to Remote Code Execution (RCE)
Unauthenticated Arbitrary File Upload vulnerability leading to Remote Code Execution (RCE) discovered by h00die and coiffeur in WordPress Simple File List plugin versions <= 4.2.2. Solution: Update the WordPress Simple File List plugin to the latest available version, at least 4.2.3...
WordPress Timed Popup Plugin <= 1.3 - Multiple CSRF and XSS
Because of these cross-site request forgery vulnerabilities, attackers can hijack the authentication of administrators for requests. In that way they can change plugin settings via unspecified vectors or conduct cross-site scripting attacks. Solution: Update the plugin...
WordPress <= 2.0.6 - SQL Injection vulnerability
Attackers can execute arbitrary SQL commands via the "tbid" parameter. Solution: Update WordPress to the latest available version, at least 2.0.7...
WordPress Catch Sticky Menu plugin <= 1.6.3 - Unauthorized Plugin Setting Change vulnerability
Unauthorized Plugin Setting Change vulnerability discovered by apple502j in WordPress Catch Sticky Menu plugin versions <= 1.6.3. Solution: Update the WordPress Catch Sticky Menu plugin to the latest available version, at least 1.7...
WordPress School Management Pro premium plugin < 9.9.7 - Unauthenticated Remote Code Execution (RCE) via REST API
Unauthenticated Remote Code Execution (RCE) via REST API discovered by the Jetpack Scan Team and the WordPress elevated support team in WordPress School Management Pro premium plugin versions < 9.9.7. Solution: Update the WordPress School Management Pro premium plugin to the latest available version, at least...
WordPress Spectrum Theme - Remote Code Execution
There is a bug in this theme that allows any website visitor to run and see the output of any shortcode. This gives unauthenticated visitors the same power to execute code on the server as regular publishers have. Solution: Update the theme...
WordPress Homerunner plugin <= 1.0.30 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by Nabil Irawan in WordPress Homerunner plugin versions <= 1.0.30...
WordPress Elementor Pro plugin <= 3.29.0 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Bonds (Patchstack Alliance) in WordPress Elementor Pro plugin versions <= 3.29.0...
WordPress RSVPMaker plugin <= 9.2.5 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by Tobias Kay Dala (oxnan) in WordPress RSVPMaker plugin versions <= 9.2.5. Solution: Update the WordPress RSVPMaker plugin to the latest available version, at least 9.2.6...
WordPress WPCargo Track & Trace plugin <= 6.8.9 - Unauthenticated Remote Code Execution (RCE) vulnerability
Unauthenticated Remote Code Execution (RCE) vulnerability discovered by Krzysztof Zając in WordPress WPCargo Track & Trace plugin versions <= 6.8.9. Solution: Update the WordPress WPCargo Track & Trace plugin to the latest available version, at least 6.9.0...
WordPress Google Tag Manager plugin <= 1.15 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Cory Buecker and notstoppable in WordPress Google Tag Manager plugin versions <= 1.15. Solution: Update the WordPress Google Tag Manager plugin to the latest available version, at least 1.15.1...
WordPress Edit Comments plugin <= 0.3 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by Shreya Pohekar in WordPress Edit Comments plugin versions <= 0.3. Solution: This plugin has been closed as of June 2, 2021 and is not available for download. Reason: Security Issue...
WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass vulnerability
wp_kses_bad_protocol() Colon Bypass vulnerability found by the WordPress.org Security Team in WordPress versions <= 5.3. Solution: Update WordPress to the latest available version, at least 5.3.1...
WordPress Gutenberg plugin <= 14.3.0 - Multiple Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Stored Cross-Site Scripting (XSS) vulnerabilities via the Search, Feature Image, RSS, and Widget blocks were discovered by Alex Concha (WP Security team) and a third-party audit in the WordPress Gutenberg plugin versions <= 14.3.1. Solution: Update the WordPress Gutenberg plugin to the latest...