45948 matches found
WordPress Ask Me premium theme < 6.8.4 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability (Edit Profile) was discovered by the WPScan team in WordPress Ask Me premium theme versions < 6.8.4. Solution: Update the WordPress Ask Me theme to the latest available version (at least 6.8.4)...
WordPress SearchWP Live Ajax Search plugin <= 1.6.1 - Unauthenticated Arbitrary Post Title Disclosure vulnerability
Unauthenticated Arbitrary Post Title Disclosure vulnerability discovered by Angelo Delicato in WordPress SearchWP Live Ajax Search plugin versions <= 1.6.1. Solution: Update the WordPress SearchWP Live Ajax Search plugin to the latest available version (at least 1.6.2)...
WordPress Shortcode Addons plugin <= 3.1.2 - Authenticated WordPress Options Change vulnerability
Authenticated WordPress Options Change vulnerability discovered by m0ze (Patchstack) in WordPress Shortcode Addons plugin versions <= 3.1.2. Solution: Update the WordPress Shortcode Addons plugin to the latest available version (at least 3.2.0)...
WordPress Rough Chart plugin <= 1.0.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Siddhant Suresh Ughade in WordPress Rough Chart plugin versions <= 1.0.0. Solution: Deactivate and delete. This plugin has been closed as of July 14, 2022 and is not available for download. This closure is temporary, pending ...
WordPress Simple Membership plugin <= 4.1.2 - Membership Privilege Escalation vulnerability
Membership Privilege Escalation vulnerability discovered by Jet Infosystems in WordPress Simple Membership plugin versions <= 4.1.2. Solution: Update the WordPress Simple Membership plugin to the latest available version (at least 4.1.3)...
WordPress Header Footer Code Manager plugin <= 1.1.23 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Taurus Omar in WordPress Header Footer Code Manager plugin versions <= 1.1.23. Solution: Update the WordPress Header Footer Code Manager plugin to the latest available version (at least 1.1.24)...
WordPress Unyson plugin <= 2.7.26 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Raad Haddad in WordPress Unyson plugin versions <= 2.7.26. Solution: Update the WordPress Unyson plugin to the latest available version (at least 2.7.27)...
WordPress Download Manager plugin <= 3.2.43 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by ZhongFu Su (aka JrXnm, WuHan University) in WordPress Download Manager plugin versions <= 3.2.43. Solution: Update the WordPress Download Manager plugin to the latest available version (at least 3.2.44)...
WordPress XO Slider plugin <= 3.3.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in WordPress XO Slider plugin versions <= 3.3.2. Solution: Update the WordPress XO Slider plugin to the latest available version (at least 3.3.3)...
WordPress Social Share Buttons by Supsystic plugin <= 2.2.3 - Multiple Broken Access Control vulnerabilities
Multiple Broken Access Control vulnerabilities were discovered by m0ze (Patchstack) in WordPress Social Share Buttons by Supsystic plugin versions <= 2.2.3. Solution: Update the WordPress Social Share Buttons by Supsystic plugin to the latest available version (at least 2.2.4)...
WordPress IMDB Info Box plugin <= 2.0 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Fayçal CHENA in WordPress IMDB Info Box plugin versions <= 2.0. Solution: Deactivate and delete. This plugin has been closed as of April 11, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Content Mask plugin <= 1.8.4 - Arbitrary Options Update vulnerability
Arbitrary Options Update vulnerability discovered by ptsfence in WordPress Content Mask plugin versions <= 1.8.4. Solution: Update the WordPress Content Mask plugin to the latest available version (at least 1.8.4.1)...
WordPress Subscribe To Comments Reloaded plugin <= 211130 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities discovered by Ex.Mi (Patchstack) in WordPress Subscribe To Comments Reloaded plugin versions <= 211130. Solution: Update the WordPress Subscribe To Comments Reloaded plugin to the latest available version (at least 220502)...
WordPress Psychological tests & quizzes plugin <= 0.21.19 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Psychological tests & quizzes plugin versions <= 0.21.19. Solution: No patched version...
WordPress BMI BMR Calculator plugin <= 1.3 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress BMI BMR Calculator plugin versions <= 1.3. Solution: Deactivate and delete. This plugin has been closed as of April 7, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Import and export users and customers plugin <= 1.19.2 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by 0x23.so in WordPress Import and export users and customers plugin versions <= 1.19.2. Solution: Update the WordPress Import and export users and customers plugin to the latest available version (at least 1.19.2.1)...
WordPress Multiple Shipping Address WooCommerce plugin <= 1.0 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress Multiple Shipping Address WooCommerce plugin versions <= 1.0. Solution: Update the WordPress Multiple Shipping Address WooCommerce plugin to the latest available version (at least 2.0)...
WordPress HubSpot plugin <= 8.8.13 - Blind Server-Side Request Forgery (SSRF) vulnerability
Blind Server-Side Request Forgery (SSRF) vulnerability was discovered by Brandon Roldan in the WordPress HubSpot plugin versions <= 8.8.13. Solution: Update the WordPress HubSpot plugin to the latest available version (at least 8.8.15)...
WordPress SiteGround Security plugin <= 1.2.5 - Authorization Weakness to Authentication Bypass via 2-Factor Authentication Back-up Codes vulnerability
Authorization Weakness to Authentication Bypass via 2-Factor Authentication Back-up Codes vulnerability discovered by Chloe Chamberland (Wordfence) in WordPress SiteGround Security plugin versions <= 1.2.5. Solution: Update the WordPress SiteGround Security plugin to the latest available version at...
WordPress ThirstyAffiliates Affiliate Link Manager plugin <= 3.10.4 - Unauthorized Image Upload + CSRF vulnerabilities
Unauthorized Image Upload + CSRF vulnerabilities discovered by Muhamad Hidayat in WordPress ThirstyAffiliates Affiliate Link Manager plugin versions <= 3.10.4. Solution: Update the WordPress ThirstyAffiliates Affiliate Link Manager plugin to the latest available version (at least 3.10.5)...
WordPress Users Ultra plugin <= 3.1.0 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress Users Ultra plugin versions <= 3.1.0. Solution: Deactivate and delete. This plugin has been closed as of March 14, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Simple File List plugin <= 3.2.7 - Arbitrary File Download vulnerability
Arbitrary File Download vulnerability discovered by Admavidhya N in WordPress Simple File List plugin versions <= 3.2.7. Solution: Update the WordPress Simple File List plugin to the latest available version (at least 3.2.8)...
WordPress Easy Social Icons plugin <= 3.2.0 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by qerogram in WordPress Easy Social Icons plugin versions <= 3.2.0. Solution: Update the WordPress Easy Social Icons plugin to the latest available version (at least 3.2.1)...
WordPress Download Manager plugin <= 3.2.38 - Unauthenticated Brute Force of Files Master Key vulnerability
Unauthenticated Brute Force of Files Master Key vulnerability discovered by Diogo Real in WordPress Download Manager plugin versions <= 3.2.38. Solution: Update the WordPress Download Manager plugin to the latest available version (at least 3.2.39)...
WordPress Sassy Social Share plugin <= 3.3.39 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Paul J. Martinez in WordPress Sassy Social Share plugin versions <= 3.3.39. Solution: Update the WordPress Sassy Social Share plugin to the latest available version (at least 3.3.40)...
WordPress Ad Inserter plugin <= 2.7.11 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Taurus Omar in WordPress Ad Inserter plugin versions <= 2.7.11. Solution: Update the WordPress Ad Inserter plugin to the latest available version (at least 2.7.12)...
WordPress Booking Package plugin <= 1.5.28 - Unauthenticated Sensitive Data Disclosure vulnerability
Unauthenticated Sensitive Data Disclosure vulnerability discovered by Huli (Cymetrics) in WordPress Booking Package plugin versions <= 1.5.28. Solution: Update the WordPress Booking Package plugin to the latest available version (at least 1.5.29)...
WordPress Analytics Cat plugin <= 1.0.9 - Plugin Settings change via Cross-Site Request Forgery (CSRF) vulnerability
Plugin Settings change via Cross-Site Request Forgery (CSRF) vulnerability discovered by Rasi Afeef (Patchstack Alliance) in WordPress Analytics Cat plugin versions <= 1.0.9. Solution: Update the WordPress Analytics Cat plugin to the latest available version (at least 1.1.0)...
WordPress Akismet Privacy Policies plugin <= 2.0.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Akismet Privacy Policies plugin versions <= 2.0.1. Solution: Deactivate and delete. This plugin has been closed as of January 18, 2022 and is not available for download. This closure is temporary, pending a...
WordPress Page Visit Counter plugin <= 6.0.8 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Page Visit Counter plugin versions <= 6.0.8. Solution: No patched version available...
WordPress Internal Linking for SEO traffic & Ranking – Auto internal links (100% automatic) plugin <= 1.0.3 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress Internal Linking for SEO traffic & Ranking – Auto internal links (100% automatic) plugin versions <= 1.0.3. Solution: Update the WordPress Internal Linking for SEO traffic & Ranking – Auto internal links...
WordPress Iks Menu – WordPress Category Accordion Menu plugin <= 1.9.1 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Iks Menu – WordPress Category Accordion Menu plugin versions <= 1.9.1. Solution: Update the WordPress Iks Menu – WordPress Category Accordion Menu plugin to the latest available version (at least 1.9.2)...
WordPress Premmerce SEO for WooCommerce plugin <= 2.1.4 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Premmerce SEO for WooCommerce plugin versions <= 2.1.4. Solution: Update the WordPress Premmerce SEO for WooCommerce plugin to the latest available version (at least 2.1.5)...
WordPress Countdown & Clock plugin <= 2.2.8 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ran Crane in WordPress Countdown & Clock plugin versions <= 2.2.8. Solution: Update the WordPress Countdown & Clock plugin to the latest available version (at least 2.2.9)...
WordPress Revolut Gateway for WooCommerce plugin <= 3.1.1 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by Budiony Damyanov in WordPress Revolut Gateway for WooCommerce plugin versions <= 3.1.1. Solution: Update the WordPress Revolut Gateway for WooCommerce plugin to the latest available version (at least 3.1.2)...
WordPress MaxGalleria plugin <= 6.2.7 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Red Team project) in the WordPress MaxGalleria plugin versions <= 6.2.7. Solution: Update the WordPress MaxGalleria plugin to the latest available version (at least 6.2.8)...
WordPress TI WooCommerce Wishlist premium plugin <= 1.40.0 - Unauthenticated Blind SQL Injection (SQLi) vulnerability
Unauthenticated Blind SQL Injection (SQLi) vulnerability discovered by Krzysztof Zając in WordPress TI WooCommerce Wishlist premium plugin versions <= 1.40.0. Solution: Update the WordPress TI WooCommerce Wishlist premium plugin to the latest available version (at least 1.40.1)...
WordPress WP Responsive Menu plugin <= 3.1.7 - Subscriber+ Settings Update to Stored Cross-Site (XSS)
Subscriber+ Settings Update to Stored Cross-Site (XSS) discovered by Krzysztof Zając in WordPress WP Responsive Menu plugin versions <= 3.1.7. Solution: Update the WordPress WP Responsive Menu plugin to the latest available version (at least 3.1.7.1)...
WordPress Anti-Malware Security and Brute-Force Firewall plugin <= 4.20.93 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress Anti-Malware Security and Brute-Force Firewall plugin versions <= 4.20.93. Solution: Update the WordPress Anti-Malware Security and Brute-Force Firewall plugin to the latest available version (at least 4.20.94)...
WordPress Access Demo Importer plugin <= 1.0.7 - Cross-Site Request Forgery (CSRF) vulnerability leading to Data Reset (Posts / Pages / Media)
Cross-Site Request Forgery (CSRF) vulnerability leading to Data Reset (Posts / Pages / Media) discovered by Ex.Mi (Patchstack) in WordPress Access Demo Importer plugin versions <= 1.0.7. Solution: Update the WordPress Access Demo Importer plugin to the latest available version (at least 1.0.8)...
WordPress Five Star Business Profile and Schema plugin <= 2.1.5 - Page creation and settings update leading to stored XSS vulnerability
Page creation and settings update leading to stored XSS vulnerability discovered by Krzysztof Zając in WordPress Five Star Business Profile and Schema plugin versions <= 2.1.5. Solution: Update the WordPress Five Star Business Profile and Schema plugin to the latest available version (at least 2.1.6)...
WordPress GiveWP plugin <= 2.17.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) via Donation Forms Dashboard vulnerability discovered by JrXnm in WordPress GiveWP plugin versions <= 2.17.2. Solution: Update the WordPress GiveWP plugin to the latest available version (at least 2.17.3)...
WordPress AnyComment plugin <= 0.3.4 - Open Redirect vulnerability
Open Redirect vulnerability discovered by Brandon Roldan in WordPress AnyComment plugin versions <= 0.3.4. Solution: Update the WordPress AnyComment plugin to the latest available version (at least 0.3.5)...
WordPress Waitlist Woocommerce ( Back in stock notifier ) plugin <= 2.5.1 - Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary Options Update
Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary Options Update discovered by Chloe Chamberland (Wordfence) in WordPress Waitlist Woocommerce ( Back in stock notifier ) plugin versions <= 2.5.1. Solution: Update the WordPress Waitlist Woocommerce ( Back in stock notifier ) plugin to the latest...
WordPress WP Mail Logging plugin <= 1.9.9 - Using Components with Known Vulnerabilities (vulnerable Redux Framework version)
Using Components with Known Vulnerabilities (vulnerable Redux Framework version - CVE-2021-38312, CVE-2021-38314) discovered by Rotem Reiss in WordPress WP Mail Logging plugin versions <= 1.9.9. Solution: Update the WordPress WP Mail Logging plugin to the latest available version (at least 1.10.0)...
WordPress StoreVilla theme <= 1.4.1 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress StoreVilla theme versions <= 1.4.1. This theme uses a vulnerable piece of code related to a previously identified vulnerability - CVE-2021-39317. Solution: Deactivate and delete. The vendor ignores...
WordPress Simple Download Monitor plugin <= 3.9.5.1 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by apple502j in WordPress Simple Download Monitor plugin versions <= 3.9.5.1. Solution: Update the WordPress Simple Download Monitor plugin to the latest available version (at least 3.9.6)...
WordPress Ark-commenteditor plugin <= 2.15.6 - Iframe Injection via Comment vulnerability
Iframe Injection via Comment vulnerability discovered by Rasi Afeef in WordPress Ark-commenteditor plugin versions <= 2.15.6. Solution: Deactivate and delete. This plugin has been closed as of September 23, 2021 and is not available for download. Reason: Security Issue...
WordPress ZoomSounds premium plugin <= 6.45 - Unauthenticated Directory Traversal vulnerability
Unauthenticated Directory Traversal vulnerability discovered by DigitalJessica Ltd in WordPress ZoomSounds premium plugin versions <= 6.45. Solution: Update the WordPress ZoomSounds premium plugin to the latest available version (at least 6.50)...
WordPress Duplicate Page plugin <= 4.4.2 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Nikhil Kapoor (EsecForte) in WordPress Duplicate Page plugin versions <= 4.4.2. Solution: Update the WordPress Duplicate Page plugin to the latest available version (at least 4.4.3)...