WordPress Social Media Share Buttons plugin <= 3.8.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas (Patchstack Alliance) in WordPress Social Media Share Buttons plugin versions <= 3.8.4. Solution: Update the WordPress Social Media Share Buttons plugin to the latest available version (at least 3.8.5)...
WordPress Social Share Buttons by Supsystic plugin <= 2.2.3 - Multiple Authenticated SQL Injection (SQLi) vulnerabilities
Multiple Authenticated SQL Injection (SQLi) vulnerabilities were discovered by m0ze (Patchstack) in the WordPress Social Share Buttons by Supsystic plugin versions <= 2.2.3. Solution: Update the WordPress Social Share Buttons by Supsystic plugin to the latest available version (at least 2.2.4)...
WordPress Download Manager plugin <= 3.2.42 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Rafie Muhammad Yeraisci in WordPress Download Manager plugin versions <= 3.2.42. Solution: Update the WordPress Download Manager plugin to the latest available version (at least 3.2.43)...
WordPress Ultimate Member plugin <= 2.3.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ruijie Li in WordPress Ultimate Member plugin versions <= 2.3.2. Solution: Update the WordPress Ultimate Member plugin to the latest available version (at least 2.4.0)...
WordPress Easy Pricing Tables plugin <= 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Easy Pricing Tables plugin versions <= 3.1.2. Solution: Update the WordPress Easy Pricing Tables plugin to the latest available version (at least 3.1.3)...
WordPress Image Slider by NextCode plugin <= 1.1.2 - Authenticated Persistent Cross-Site Scripting (XSS) vulnerability
Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered by BEE-K in WordPress Image Slider by NextCode plugin versions <= 1.1.2. Solution: Deactivate and delete. This plugin has been closed as of May 20, 2022 and is not available for download. This closure is temporary, pending a...
WordPress Hotel Booking plugin <= 3.0 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities were discovered by Ngo Van Thien (Patchstack Alliance) in the WordPress Hotel Booking plugin versions <= 3.0. Solution: Deactivate and delete. This plugin has been closed as of May 6, 2022 and is not available for download. This...
WordPress Core Control plugin <= 1.2.1 - Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability was discovered by Daniel Ruf in the WordPress Core Control plugin versions <= 1.2.1. Solution: Deactivate and delete. This plugin has been closed as of May 18, 2022 and is not available for download. This closure is permane...
WordPress WP Fundraising Donation and Crowdfunding Platform plugin < 1.5.0 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress WP Fundraising Donation and Crowdfunding Platform plugin versions < 1.5.0. Solution: Update the WordPress WP Fundraising Donation and Crowdfunding Platform plugin to the latest available version (at least 1.5.0)...
WordPress No Future Posts plugin <= 1.4 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability was discovered by Vinay Varma Mudunuri and Krishna Harsha Kondaveeti in WordPress No Future Posts plugin versions <= 1.4. Solution: Deactivate and delete. This plugin has been closed as of April 18, 2022 and is not available for download. This closure i...
WordPress Countdown & Clock plugin <= 2.3.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ex.Mi (Patchstack) in WordPress Countdown & Clock plugin versions <= 2.3.2. Solution: Update the WordPress Countdown & Clock plugin to the latest available version (at least 2.3.3)...
WordPress Sliderby10Web plugin <= 1.2.51 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Fayçal CHENA in WordPress Sliderby10Web plugin versions <= 1.2.51. Solution: Update the WordPress Sliderby10Web plugin to the latest available version (at least 1.2.52)...
WordPress Personal Dictionary plugin <= 1.3.3 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress Personal Dictionary plugin versions <= 1.3.3. Solution: Update the WordPress Personal Dictionary plugin to the latest available version (at least 1.3.4)...
WordPress RSFirewall! plugin <= 1.1.24 - IP Block Bypass vulnerability
IP Block Bypass vulnerability discovered by Daniel Ruf in WordPress RSFirewall! plugin versions <= 1.1.24. Solution: Update the WordPress RSFirewall! plugin to the latest available version (at least 1.1.25)...
WordPress BadgeOS plugin <= 3.7.0 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress BadgeOS plugin versions <= 3.7.0. Solution: Update the WordPress BadgeOS plugin to the latest available version (at least 3.7.1)...
WordPress Popup Maker plugin <= 1.16.4 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Roel van Beurden in WordPress Popup Maker plugin versions <= 1.16.4. Solution: Update the WordPress Popup Maker plugin to the latest available version (at least 1.16.5)...
WordPress Chaty plugin <= 2.8.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas (Patchstack Alliance) in WordPress Chaty plugin versions <= 2.8.3. Solution: No patched version is available...
WordPress WPvivid plugin <= 0.9.70 - Arbitrary File Read vulnerability
Arbitrary File Read vulnerability discovered by Muhammad Daffa (Patchstack Alliance) in WordPress WPvivid plugin versions <= 0.9.70. Solution: Update the WordPress WPvivid plugin to the latest available version (at least 0.9.71)...
WordPress Advanced Page Visit Counter <= 6.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Advanced Page Visit Counter versions <= 6.1.1. Solution: Update the WordPress Advanced Page Visit Counter – Most Advanced WordPress Visit Counter Plugin to the latest available version at least...
WordPress Documentor plugin <= 1.5.3 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress Documentor plugin versions <= 1.5.3. Solution: Deactivate and delete. This plugin has been closed as of March 29, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Coming Soon by Supsystic plugin <= 1.7.5 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by 0xB9 in WordPress Coming Soon by Supsystic plugin versions <= 1.7.5. Solution: Update the WordPress Coming Soon by Supsystic plugin to the latest available version (at least 1.7.6)...
WordPress Opensea plugin <= 1.0.2 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Mika in WordPress Opensea plugin versions <= 1.0.2. Solution: Update the WordPress Opensea plugin to the latest available version (at least 1.0.3)...
WordPress ThirstyAffiliates Affiliate Link Manager plugin <= 3.10.4 - Arbitrary Affiliate Links Creation vulnerability
Arbitrary Affiliate Links Creation vulnerability discovered by Krzysztof Zając in WordPress ThirstyAffiliates Affiliate Link Manager plugin versions <= 3.10.4. Solution: Update the WordPress ThirstyAffiliates Affiliate Link Manager plugin to the latest available version (at least 3.10.5)...
WordPress Nimble Page Builder plugin < 3.2.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Nimble Page Builder plugin versions < 3.2.2. Solution: Update the WordPress Nimble Page Builder plugin to the latest available version (at least 3.2.3)...
WordPress Caldera Forms plugin <= 1.9.6 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Caldera Forms plugin versions <= 1.9.6. Solution: Update the WordPress Caldera Forms plugin to the latest available version (at least 1.9.7)...
WordPress Easy Smooth Scroll Links plugin <= 2.23.0 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Park won seok in WordPress Easy Smooth Scroll Links plugin versions <= 2.23.0. Solution: Update the WordPress Easy Smooth Scroll Links plugin to the latest available version (at least 2.23.1)...
WordPress Stop Bad Bots plugin <= 6.92 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress Stop Bad Bots plugin versions <= 6.92. Solution: Update the WordPress Stop Bad Bots plugin to the latest available version (at least 6.930)...
WordPress Dropdown Menu Widget plugin <= 1.9.7 - Arbitrary Settings Update leading to Stored Cross-Site Scripting (XSS) vulnerability
Arbitrary Settings Update leading to Stored Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Dropdown Menu Widget plugin versions <= 1.9.7. Solution: Deactivate and delete. This plugin has been closed as of March 7, 2022 and is not available for download. This closu...
WordPress String locator plugin <= 2.4.2 - Arbitrary File Read vulnerability
Arbitrary File Read vulnerability discovered by qerogram in WordPress String locator plugin versions <= 2.4.2. Solution: Update the WordPress String locator plugin to the latest available version (at least 2.5.0)...
WordPress dTabs plugin <= 1.4 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ran Crane in WordPress dTabs plugin versions <= 1.4. Solution: Deactivate and delete. This plugin has been closed as of February 15, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress AP Mega Menu plugin <= 3.0.7 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ran Crane in WordPress AP Mega Menu plugin versions <= 3.0.7. Solution: Update the WordPress AP Mega Menu plugin to the latest available version (at least 3.0.8)...
WordPress Display WP Admin Pages in the Frontend – WP Frontend Admin plugin < 1.17.0.4 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Display WP Admin Pages in the Frontend – WP Frontend Admin plugin versions < 1.17.0.4. Solution: Update the WordPress Display WP Admin Pages in the Frontend – WP Frontend Admin plugin to the latest available version at least...
WordPress Amelia plugin <= 1.0.45 - Remote Code Execution (RCE) vulnerability
Remote Code Execution (RCE) vulnerability discovered by qerogram in WordPress Amelia plugin versions <= 1.0.45. Solution: Update the WordPress Amelia plugin to the latest available version (at least 1.0.46)...
WordPress Sync QCloud COS plugin <= 2.0.0 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by fuzzyap1 in WordPress Sync QCloud COS plugin versions <= 2.0.0. Solution: Update the WordPress Sync QCloud COS plugin to the latest available version (at least 2.0.1)...
WordPress Essential Addons for Elementor plugin <= 5.0.4 - Unauthenticated Local File Inclusion (LFI) vulnerability
Unauthenticated Local File Inclusion (LFI) vulnerability discovered by Wai Yan Myo Thet in WordPress Essential Addons for Elementor plugin versions <= 5.0.4. Solution: Update the WordPress Essential Addons for Elementor plugin to the latest available version (at least 5.0.5)...
WordPress Perfect Brands for WooCommerce plugin <= 2.0.4 - Server Information Exposure vulnerability
Server Information Exposure vulnerability discovered by Dave Jong (Patchstack) in WordPress Perfect Brands for WooCommerce plugin versions <= 2.0.4. Solution: Update the WordPress Perfect Brands for WooCommerce plugin to the latest available version (at least 2.0.5)...
WordPress WP Cloudy plugin <= 4.4.8 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by JrXnm in WordPress WP Cloudy plugin versions <= 4.4.8. Solution: Update the WordPress WP Cloudy plugin to the latest available version (at least 4.4.9)...
WordPress Simple Membership plugin <= 4.0.8 - Arbitrary Member Deletion via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Member Deletion via Cross-Site Request Forgery (CSRF) vulnerability discovered by Krzysztof Zając in WordPress Simple Membership plugin versions <= 4.0.8. Solution: Update the WordPress Simple Membership plugin to the latest available version (at least 4.0.9)...
WordPress AP Custom Testimonial plugin <= 1.4.7 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Rafael Castilho in WordPress AP Custom Testimonial plugin versions <= 1.4.7. Solution: Update the WordPress AP Custom Testimonial plugin to the latest available version (at least 1.4.8)...
WordPress Better Messages plugin <= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability was discovered by Brandon Roldan (Patchstack Alliance) in the WordPress Better Messages plugin versions <= 1.9.9.148. Solution: Update the WordPress Better Messages plugin to the latest available version (at least 1.9.9.149)...
WordPress Ad Invalid Click Protector (AICP) plugin <= 1.2.5.2 - SQL injection (SQLi) vulnerability
SQL injection (SQLi) vulnerability discovered by Krzysztof Zając in WordPress Ad Invalid Click Protector (AICP) plugin versions <= 1.2.5.2. Solution: Update the WordPress Ad Invalid Click Protector (AICP) plugin to the latest available version (at least 1.2.6)...
WordPress Simple Download Monitor plugin <= 3.9.8 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by apple502j in the WordPress Simple Download Monitor plugin versions <= 3.9.8. Solution: Update the WordPress Simple Download Monitor to the latest available version (at least 3.9.9)...
WordPress Chaty Pro premium plugin <= 2.8.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Chaty Pro premium plugin versions <= 2.8.1. Solution: Update the WordPress Chaty Pro premium plugin to the latest available version (at least 2.8.2)...
WordPress Contact Form 7 Database Addon – CFDB7 plugin <= 1.2.5.9 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by Ex.Mi (Patchstack) in WordPress Contact Form 7 Database Addon – CFDB7 plugin versions <= 1.2.5.9. Solution: Update the WordPress Contact Form 7 Database Addon – CFDB7 plugin to the latest available version (at least 1.2.6.1)...
WordPress LearnPress plugin <= 4.1.3.2 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by JrXnm in WordPress LearnPress plugin versions <= 4.1.3.2. Solution: Update the WordPress LearnPress plugin to the latest available version (at least 4.1.4)...
WordPress WOOCS – Currency Switcher for WooCommerce plugin <= 1.3.7 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress WOOCS – Currency Switcher for WooCommerce plugin versions <= 1.3.7. Solution: Update the WordPress WOOCS – Currency Switcher for WooCommerce plugin to the latest available version (at least 1.3.7.1)...
WordPress Brizy – Page Builder plugin <= 2.3.11 - Incorrect authorization checks allowing Post modification vulnerability
Incorrect authorization checks allowing Post modification vulnerability discovered by Ramuel Gall (WordFence) in WordPress Brizy – Page Builder plugin versions <= 2.3.11. Solution: Update the WordPress Brizy – Page Builder plugin to the latest available version (at least 2.3.12)...
WordPress Formidable Forms plugin <= 5.0.06 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Thinkland Security Team in WordPress Formidable Forms plugin versions <= 5.0.06. Solution: Update the WordPress Formidable Forms plugin to the latest available version (at least 5.0.07)...
WordPress RentPress plugin <= 6.6.4 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress RentPress plugin versions <= 6.6.4. Solution: This plugin has been closed as of September 7, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress 4k Icons for Visual Composer plugin <= 1.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by iohex in WordPress 4k Icons for Visual Composer plugin versions <= 1.0. Solution: This plugin has been closed and is no longer available for download...