WordPress Elegant Grunge Theme 1.0.3 - Cross Site Scripting
The WordPress Elegant Grunge theme's "s" parameter is prone to a cross-site scripting vulnerability. It fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal...
WordPress <= 3.1.2 - SQL Injection
wp-includes/taxonomy.php has unknown impact and attack vectors, possibly involving SQL injection. Solution: Update WordPress...
WordPress Processing Embed Plugin 0.5 - Cross-Site Scripting Vulnerability
The Processing Embed plugin's "pluginurl" parameter is prone to a cross-site scripting vulnerability. It fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal...
WordPress <= 2.5 - Cookie Integrity Protection Vulnerability
Attackers can forge cookies by registering a username that results in the same concatenated string, because the cookie authentication method relies on a hash of a concatenated string containing USERNAME and EXPIRYTIME. Solution: Update WordPress to version 2.5.1...
WordPress <= 2.1.2 - Sensitive Directory Exposure
Because of this vulnerability, attackers can obtain sensitive information via a direct request for wp-admin/admin-functions.php, which reveals the path in an error message. Solution: Update WordPress to the latest available version, at least 2.1.3...
WordPress <= 2.0 - Denial of Service
The wpremotefopen function allows attackers to cause a denial of service via pingback service calls. Solution: Update WordPress to the latest available version, at least 2.0.1...
WordPress Chartify plugin <= 3.5.9 - Missing Authentication for Administrative Function vulnerability
Missing Authentication for Administrative Function vulnerability discovered by WordFence in WordPress Plugin Chartify versions <= 3.5.9...
WordPress RegistrationMagic Plugin <= 6.0.2.6 is vulnerable to Privilege Escalation
Software: RegistrationMagic; Type: Plugin; Vulnerable versions: <= 6.0.2.6; Fixed in: 6.0.2.7; OWASP Top 10: A3: Injection; Classification: Privilege Escalation; CVE: CVE-2024-10508; Patch priority: High; CVSS severity: High (9.8); PSID: fa83ac6f8527; Credits: shaman0x01; Required privilege...
WordPress Form Maker by 10Web Plugin <= 1.15.30 is vulnerable to Cross Site Scripting (XSS)
Software: Form Maker by 10Web; Type: Plugin; Vulnerable versions: <= 1.15.30; Fixed in: 1.15.31; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-10265; Patch priority: Medium; CVSS severity: Medium (7.1); PSID: 0450360afe6c; Credits: vgo0...
WordPress Elementor – Header, Footer & Blocks Template Plugin <= 1.6.45 is vulnerable to Cross Site Scripting (XSS)
Software: Elementor – Header, Footer & Blocks Template; Type: Plugin; Vulnerable versions: <= 1.6.45; Fixed in: 1.6.46; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-10325; Patch priority: Low; CVSS severity: Low (5.9); PSID: 3bcf490aa26b...
WordPress JobSearch Plugin <= 2.6.7 is vulnerable to Arbitrary File Upload
Software: JobSearch; Type: Plugin; Vulnerable versions: <= 2.6.7; Fixed in: 2.6.8; OWASP Top 10: A1: Injection; Classification: Arbitrary File Upload; CVE: CVE-2024-8614; Patch priority: High; CVSS severity: High (9.9); PSID: d16b486be3a5; Credits: Tonn; Required privilege: Subscriber; Published: 5...
WordPress JobSearch Plugin <= 2.6.7 is vulnerable to Arbitrary File Upload
Software: JobSearch; Type: Plugin; Vulnerable versions: <= 2.6.7; Fixed in: 2.6.8; OWASP Top 10: A1: Injection; Classification: Arbitrary File Upload; CVE: CVE-2024-8615; Patch priority: High; CVSS severity: High (10); PSID: 46ee6cd9f962; Credits: Tonn; Required privilege: Unauthenticated; Publish...
WordPress Acnoo Flutter API Plugin <= 1.0.5 is vulnerable to Privilege Escalation
Software: Acnoo Flutter API; Type: Plugin; Vulnerable versions: <= 1.0.5; Fixed in: N/A; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Privilege Escalation; CVE: CVE-2024-50486; Patch priority: High; CVSS severity: High (9.8); PSID: 69fb59b59cf8; Credits...
WordPress Time Clock Plugin <= 1.2.2 is vulnerable to Remote Code Execution (RCE)
Software: Time Clock; Type: Plugin; Vulnerable versions: <= 1.2.2; Fixed in: 1.2.3; OWASP Top 10: A3: Injection; Classification: Remote Code Execution (RCE); CVE: CVE-2024-9593; Patch priority: High; CVSS severity: High (8.3); PSID: ba1ac64c553d; Credits: István Márton; Required privilege...
WordPress WordPress File Upload Plugin <= 4.24.11 is vulnerable to Path Traversal
Software: WordPress File Upload; Type: Plugin; Vulnerable versions: <= 4.24.11; Fixed in: 4.24.12; OWASP Top 10: A1: Broken Access Control; Classification: Path Traversal; CVE: CVE-2024-9047; Patch priority: High; CVSS severity: High (9.8); PSID: 5fa6436aa19c; Credits: Arkadiusz Hydzik; Required...
WordPress WP Testimonial Widget Plugin <= 3.1 is vulnerable to SQL Injection
Software: WP Testimonial Widget; Type: Plugin; Vulnerable versions: <= 3.1; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: SQL Injection; CVE: CVE-2024-43966; Patch priority: Low; CVSS severity: Low (7.6); PSID: 505085fbb60c; Credits: hnwmn; Required privilege: Administrator; Publishe...
WordPress WBW Product Table PRO Plugin <= 1.9.4 is vulnerable to SQL Injection
Software: WBW Product Table PRO; Type: Plugin; Vulnerable versions: <= 1.9.4; Fixed in: 1.9.5; OWASP Top 10: A3: Injection; Classification: SQL Injection; CVE: CVE-2024-43918; Patch priority: High; CVSS severity: High (10); PSID: 2c9d3f09a102; Credits: Dave Jong (Patchstack); Required privilege...
WordPress FluentForm Plugin <= 5.1.16 is vulnerable to Privilege Escalation
Software: FluentForm; Type: Plugin; Vulnerable versions: <= 5.1.16; Fixed in: 5.1.17; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Privilege Escalation; CVE: CVE-2024-2771; Patch priority: High; CVSS severity: High (9.8); PSID: d5d5aedf6c4b; Credits: Tobias...
WordPress Max Addons Pro for Bricks Plugin <= 1.6.1 is vulnerable to Settings Change
Software: Max Addons Pro for Bricks; Type: Plugin; Vulnerable versions: <= 1.6.1; Fixed in: 1.6.2; OWASP Top 10: A1: Broken Access Control; Classification: Settings Change; CVE: CVE-2024-32951; Patch priority: Medium; CVSS severity: Medium (6.5); PSID: 446d765fd496; Credits: Dave Jong Patchstac...
WordPress WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect to fix Insecure Content Plugin <= 7.0 is vulnerable to Sensitive Data Exposure
Software: WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect to fix Insecure Content; Type: Plugin; Vulnerable versions: <= 7.0; Fixed in: 7.1.0; OWASP Top 10: A3: Sensitive Data Exposure; Classification: Sensitive Data Exposure; CVE: CVE-2023-7046; Patch priority: Low; CVSS severity: Low (7.5)...
WordPress Unlimited Addons for WPBakery Page Builder Plugin <= 1.0.42 is vulnerable to Arbitrary File Upload
Software: Unlimited Addons for WPBakery Page Builder; Type: Plugin; Vulnerable versions: <= 1.0.42; Fixed in: N/A; OWASP Top 10: A1: Injection; Classification: Arbitrary File Upload; CVE: CVE-2023-6925; Patch priority: Low; CVSS severity: Low (8); PSID: 9599a24cfc17; Credits: István Márton...
WordPress Dan's Embedder for Google Calendar Plugin <= 1.2 is vulnerable to Cross Site Scripting (XSS)
Software: Dan's Embedder for Google Calendar; Type: Plugin; Vulnerable versions: <= 1.2; Fixed in: 1.3; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2023-51504; Patch priority: Low; CVSS severity: Low (6.5); PSID: e9f89f8b2081; Credits: Ngô Thiên An ancorn fro...
WordPress Icons Font Loader Plugin <= 1.1.2 is vulnerable to Arbitrary File Upload
Software: Icons Font Loader; Type: Plugin; Vulnerable versions: <= 1.1.2; Fixed in: 1.1.3; OWASP Top 10: A1: Injection; Classification: Arbitrary File Upload; CVE: CVE-2023-5860; Patch priority: Low; CVSS severity: Low (7.2); PSID: e7c1b6cac566; Credits: Alex Thomas; Required privilege...
WordPress File Manager Advanced Shortcode Plugin <= 2.3.2 is vulnerable to Remote Code Execution (RCE)
Software: File Manager Advanced Shortcode; Type: Plugin; Vulnerable versions: <= 2.3.2; Fixed in: N/A; OWASP Top 10: A1: Injection; Classification: Remote Code Execution (RCE); CVE: CVE-2023-2068; Patch priority: High; CVSS severity: High (10); PSID: f57871788c33; Credits: Mateus Machado Tesser...
WordPress Divi Theme <= 4.20.2 is vulnerable to Cross Site Scripting (XSS)
Software: Divi; Type: Theme; Vulnerable versions: <= 4.20.2; Fixed in: 4.20.3; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-29099; Patch priority: Low; CVSS severity: Low (6.5); PSID: 15fa42e5d3af; Credits: Rafie Muhammad Patchstack Require...
WordPress Cream Blog Theme <= 2.1.3 is vulnerable to Cross Site Scripting (XSS)
Software: Cream Blog; Type: Theme; Vulnerable versions: <= 2.1.3; Fixed in: 2.1.4; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-28687; Patch priority: High; CVSS severity: High (7.1); PSID: 08758c27269b; Credits: László Radnai; Required...
WordPress bolster Theme < 10 is vulnerable to Arbitrary File Upload
Software: bolster; Type: Theme; Vulnerable versions: < 10; Fixed in: N/A; OWASP Top 10: A6: Security Misconfiguration; Classification: Arbitrary File Upload; CVE: CVE-2022-0316; Patch priority: High; CVSS severity: High (10); PSID: 8b3d84068dc9; Credits: Joshua Small; Required privilege...
WordPress Image Map Pro premium plugin <= 5.5.0 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Dave Jong (Patchstack) in the WordPress Image Map Pro premium plugin versions <= 5.5.0. Solution: No patched version is available. No reply from the vendor for a long time...
WordPress miniOrange Two-Factor Authentication plugin <= 5.6.1 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by Calvin Alkan in WordPress miniOrange Two-Factor Authentication plugin versions <= 5.6.1. Solution: Update the WordPress miniOrange's Google Authenticator plugin to the latest available version, at least 5.6.2...
WordPress Image Map Pro premium plugin <= 5.5.0 - Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) discovered by Dave Jong (Patchstack) in the WordPress Image Map Pro premium plugin versions <= 5.5.0. Solution: No patched version is available. No reply from the vendor for a long time...
WordPress Welcart e-Commerce plugin <= 2.8.3 - Auth. Arbitrary Shipping Method Creation/Update/Deletion vulnerability
Auth. Arbitrary Shipping Method Creation/Update/Deletion vulnerability discovered by Lana Codes in WordPress Welcart e-Commerce plugin versions <= 2.8.3. Solution: Update the WordPress Welcart e-Commerce plugin to the latest available version, at least 2.8.4...
WordPress wpForo Forum plugin <= 2.0.9 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by dhakalananda (Patchstack Alliance) in WordPress wpForo Forum plugin versions <= 2.0.9. Solution: Update the WordPress wpForo Forum plugin to the latest available version, at least 2.1.0...
WordPress Car Rental by BestWebSoft plugin <= 1.1.2 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Hoang Van Hiep aka sk4rl1ghT (Patchstack Alliance) in the WordPress Car Rental by BestWebSoft plugin versions <= 1.1.2. Solution: No patched version is available...
WordPress WPML Multilingual CMS premium plugin <= 4.5.13 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to status change of a translation job discovered by Dave Jong (Patchstack) in WordPress WPML Multilingual CMS premium plugin versions <= 4.5.13. Solution: Update the WordPress Multilingual CMS plugin to the latest available version, at least 4.5.14...
WordPress WPSmartContracts plugin <= 1.3.11 - Auth. SQL Injection (SQLi) vulnerability
Auth. SQL Injection (SQLi) vulnerability discovered by Kunal Sharma (University of Kaiserslautern) and Daniel Krohmer (Fraunhofer IESE) in the WordPress WPSmartContracts plugin versions <= 1.3.11. Solution: Update the WordPress WPSmartContracts plugin to the latest available version, at least 1.3.12...
WordPress Gallery Images Ape plugin <= 2.2.8 - Auth. Cross-Site Scripting (XSS) vulnerability
Auth. Cross-Site Scripting (XSS) vulnerability discovered by thiennv (Patchstack Alliance) in WordPress Gallery Images Ape plugin versions <= 2.2.8. Solution: No patched version is available. No reply from the vendor...
WordPress Ask Me premium theme < 6.8.7 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to Post Deletion discovered by Srijan Adhikari in WordPress Ask Me premium theme versions < 6.8.7. Solution: Update the WordPress Ask Me theme to the latest available version, at least 6.8.7...
WordPress Web Stories plugin <= 1.24.0 - Auth. Server-Side Request Forgery (SSRF) vulnerability
Auth. Server-Side Request Forgery (SSRF) vulnerability discovered by Aymen Borgi in the WordPress Web Stories plugin versions <= 1.24.0. Solution: Update the WordPress Web Stories plugin to the latest available version, at least 1.25.0...
WordPress Auto Upload Images plugin <= 3.3 - Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by Rasi (Patchstack Alliance) in the WordPress Auto Upload Images plugin versions <= 3.3. Solution: No patched version is available. No reply from the vendor...
WordPress Newsmag premium theme 5.2.1 - Unauthenticated Account Takeover vulnerability
Unauthenticated Account Takeover vulnerability discovered by Truoc Phan in the WordPress Newsmag premium theme version 5.2.1. Solution: Update the WordPress NewsMag theme to the latest available version, at least 5.2.2...
WordPress Role Based Pricing for WooCommerce premium plugin <= 1.6.2 - Auth. PHAR Deserialization vulnerability
Auth. PHAR Deserialization vulnerability discovered by WPScan in WordPress Role Based Pricing for WooCommerce premium plugin versions <= 1.6.2. Solution: Update the WordPress Role Based Pricing for WooCommerce plugin to the latest available version, at least 1.6.3...
WordPress HREFLANG Tags Lite plugin <= 2.0.0 - Unauthenticated Plugin Data Reset vulnerability
Unauthenticated Plugin Data Reset vulnerability discovered by Rasi Afeef (Patchstack Alliance) in WordPress HREFLANG Tags Lite plugin versions <= 2.0.0. Solution: No patched version is available. No reply from the vendor...
WordPress TH Advance Product Search plugin <= 1.1.4 - Unauthenticated Plugin Settings Reset vulnerability
Unauthenticated Plugin Settings Reset vulnerability discovered by Rasi Afeef (Patchstack Alliance) in WordPress TH Advance Product Search plugin versions <= 1.1.4. Solution: No patched version is available. Ignored by the vendor since Aug 2, 2022...
WordPress wpForo Forum plugin <= 2.0.5 - Insecure direct object references (IDOR) vulnerability
Insecure direct object references (IDOR) vulnerability that allows subscriber+ users to mark any forum post as Solved/Unsolved was discovered by Dhakal Ananda (Patchstack Alliance) in the WordPress wpForo Forum plugin versions <= 2.0.5. Solution: Update the WordPress wpForo Forum plugin to the latest...
WordPress Seriously Simple Podcasting plugin <= 2.16.0 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to plugin settings change discovered by Muhammad Daffa (Patchstack Alliance) in WordPress Seriously Simple Podcasting plugin versions <= 2.16.0. Solution: Update the WordPress Seriously Simple Podcasting plugin to the latest available version at...
WordPress Read more By Adam plugin <= 1.1.8 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by ptsfence (Patchstack Alliance) in WordPress Read more By Adam plugin versions <= 1.1.8. Solution: No patched version is available. No reply from the vendor...
WordPress Photospace Gallery plugin <= 2.3.5 - Broken Access Control vulnerability
Broken Access Control vulnerability leading to plugin settings change discovered by Tien Nguyen Anh (Patchstack Alliance) in WordPress Photospace Gallery plugin versions <= 2.3.5. Solution: No patched version is available. No reply from the vendor...
WordPress wpForo Forum plugin <= 2.0.5 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability was discovered by Brandon Roldan (Patchstack Alliance) in the WordPress wpForo Forum plugin versions <= 2.0.5. Solution: Update the WordPress wpForo Forum plugin to the latest available version, at least 2.0.6...
WordPress Frontend File Manager plugin <= 21.2 - Unauthenticated File Renaming vulnerability
Unauthenticated File Renaming vulnerability discovered by Raad Haddad (Cloudyrion GmbH) in WordPress Frontend File Manager plugin versions <= 21.2. Solution: Update the WordPress Frontend File Manager plugin to the latest available version, at least 21.3...
WordPress Notification Bar for WordPress plugin <= 1.1.8 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by ptsfence (Patchstack Alliance) in WordPress Notification Bar for WordPress plugin versions <= 1.1.8. Solution: Deactivate and delete. This plugin has been closed as of August 12, 2022 and is not available for download. This...