WordPress wpForo Forum plugin <= 2.0.5 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability was discovered by Brandon Roldan (Patchstack Alliance) in the WordPress wpForo Forum plugin versions <= 2.0.5. Solution: Update the WordPress wpForo Forum plugin to the latest available version (at least 2.0.6)...
WordPress Frontend File Manager plugin <= 21.2 - Unauthenticated File Renaming vulnerability
Unauthenticated File Renaming vulnerability discovered by Raad Haddad (Cloudyrion GmbH) in WordPress Frontend File Manager plugin versions <= 21.2. Solution: Update the WordPress Frontend File Manager plugin to the latest available version (at least 21.3)...
WordPress Notification Bar for WordPress plugin <= 1.1.8 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by ptsfence (Patchstack Alliance) in WordPress Notification Bar for WordPress plugin versions <= 1.1.8. Solution: Deactivate and delete. This plugin has been closed as of August 12, 2022 and is not available for download. This...
WordPress Contest Gallery plugin <= 17.0.4 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Nguy Minh Tuan (Patchstack Alliance) in WordPress Contest Gallery plugin versions <= 17.0.4. Solution: Update the WordPress Contest Gallery plugin to the latest available version (at least 17.0.5)...
WordPress Ecwid Ecommerce Shopping Cart plugin <= 6.10.23 - Cross-Site Request Forgery (CSRF) vulnerability leading to Settings/Options update
Cross-Site Request Forgery (CSRF) vulnerability leading to Settings/Options update discovered by Marco Wotschka in WordPress Ecwid Ecommerce Shopping Cart plugin versions <= 6.10.23. Solution: Update the WordPress Ecwid Shopping Cart plugin to the latest available version (at least 6.10.24)...
WordPress Duplicator plugin <= 1.4.6 - Unauthenticated Backup Download vulnerability
Unauthenticated Backup Download vulnerability discovered by Ihsan Sencan in WordPress Duplicator plugin versions <= 1.4.6. Solution: Update the WordPress Duplicator plugin to the latest available version (at least 1.4.7)...
WordPress BxSlider WP plugin <= 2.0.0 - Authenticated Cross-Site Scripting (XSS) vulnerability
Authenticated Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in WordPress BxSlider WP plugin versions <= 2.0.0. Solution: No patched version is available...
WordPress Transposh WordPress Translation plugin <= 1.0.8.1 - Unauthorized Settings Change vulnerability
Unauthorized Settings Change vulnerability discovered by Julien Ahrens in WordPress Transposh WordPress Translation plugin versions <= 1.0.8.1. Solution: Deactivate and delete. This plugin has been closed as of February 7, 2022 and is not available for download. Reason: Security Issue...
WordPress TranslatePress plugin <= 2.3.2 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Elias Hohl in WordPress TranslatePress plugin versions <= 2.3.2. Solution: Update the WordPress TranslatePress plugin to the latest available version (at least 2.3.3)...
WordPress Yellow Yard Searchbar plugin <= 2.7.27 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Victor Pasman in WordPress Yellow Yard Searchbar plugin versions <= 2.7.27. Solution: No patched version available...
WordPress Accordions plugin <= 2.0.2 - Unauthenticated WordPress Options Change vulnerability
Unauthenticated WordPress Options Change vulnerability discovered by m0ze (Patchstack) in WordPress Accordions plugin versions <= 2.0.2. Solution: Update the WordPress Accordions plugin to the latest available version (at least 2.0.3)...
WordPress Insights from Google PageSpeed plugin <= 4.0.6 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Daniel Ruf in the WordPress Insights from Google PageSpeed plugin versions <= 4.0.6. Solution: Update the WordPress Insights from Google PageSpeed plugin to the latest available version (at least 4.0.7)...
WordPress Advanced Database Cleaner plugin <= 3.1.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by ZhongFu Su aka JrXnm (WuHan University) in WordPress Advanced Database Cleaner plugin versions <= 3.1.0. Solution: Update the WordPress Advanced Database Cleaner plugin to the latest available version (at least 3.1.1)...
WordPress Best Contact Management Software plugin <= 3.7.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Benachi in WordPress Best Contact Management Software plugin versions <= 3.7.3. Solution: Deactivate and delete. This plugin has been closed as of June 21, 2022 and is not available for download. This closure is temporary,...
WordPress Import CSV Files plugin <= 1.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Benachi in WordPress Import CSV Files plugin versions <= 1.0. Solution: Deactivate and delete. This plugin has been closed as of June 16, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress MyCSS plugin <= 1.1 - Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability was discovered by Daniel Ruf in the WordPress MyCSS plugin versions <= 1.1. Solution: Deactivate and delete. This plugin has been closed as of May 31, 2022 and is not available for download. This closure is temporary, pendi...
WordPress Image Gallery – Grid Gallery plugin <= 1.1.5 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Fayçal CHENA in WordPress Image Gallery – Grid Gallery plugin versions <= 1.1.5. Solution: Update the WordPress Image Gallery – Grid Gallery plugin to the latest available version (at least 1.1.6)...
WordPress Active Products Tables for WooCommerce plugin <= 1.0.4 - Reflected Cross-Site-Scripting (XSS) vulnerability
Reflected Cross-Site-Scripting (XSS) vulnerability discovered by cydave in WordPress Active Products Tables for WooCommerce plugin versions <= 1.0.4. Solution: Update the WordPress Active Products Tables for WooCommerce plugin to the latest available version (at least 1.0.5)...
WordPress Allow svg files plugin <= 1.0 - Authenticated Arbitrary File Upload vulnerability
Authenticated Arbitrary File Upload vulnerability discovered by Luan Pedersini in WordPress Allow svg files plugin versions <= 1.0. Solution: Update the WordPress Allow svg files plugin to the latest available version (at least 1.1)...
WordPress Private Files plugin <= 0.40 - Protection Disabling via Cross-Site Request Forgery (CSRF) vulnerability
Protection Disabling via Cross-Site Request Forgery (CSRF) vulnerability was discovered by Daniel Ruf in the WordPress Private Files plugin versions <= 0.40. Solution: Deactivate and delete. This plugin has been closed as of May 18, 2022 and is not available for download. This closure is temporary,...
WordPress MailerLite – Signup forms plugin <= 1.5.3 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Utkarsh Agrawal in WordPress MailerLite – Signup forms plugin versions <= 1.5.3. Solution: Update the WordPress MailerLite – Signup forms plugin to the latest available version (at least 1.5.4)...
WordPress Jupiter premium theme <= 6.10.1 - Authenticated Privilege Escalation and Post deletion vulnerability
Authenticated Privilege Escalation and Post deletion vulnerability discovered by Ramuel Gall (Wordfence) in WordPress Jupiter premium theme versions <= 6.10.1. Solution: Update the WordPress Jupiter premium theme to the latest available version (at least 6.10.2)...
WordPress JupiterX Core premium plugin <= 2.0.6 - Information Disclosure, Modification, and Denial of Service (DoS) vulnerabilities
Information Disclosure, Modification, and Denial of Service (DoS) vulnerabilities were discovered by Ramuel Gall (Wordfence) in the WordPress JupiterX Core premium plugin versions <= 2.0.6. Solution: Update the WordPress JupiterX Core premium plugin to the latest available version (at least 2.0.7)...
WordPress Herd Effects plugin <= 5.2 - Local File Inclusion (LFI) vulnerability
Local File Inclusion (LFI) vulnerability was discovered by 0x9B (Patchstack Alliance) in WordPress Herd Effects plugin versions <= 5.2. Solution: Update the WordPress Herd Effects plugin to the latest available version (at least 5.2.1)...
WordPress Five Minute Webshop plugin <= 1.3.2 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability was discovered by Daniel Krohmer (Fraunhofer IESE, Germany) and Shi Chen (University of Kaiserslautern, Germany) in the WordPress Five Minute Webshop plugin versions <= 1.3.2. Solution: Deactivate and delete. This plugin has been closed as of May 12, 2022...
WordPress JivoChat Live Chat plugin <= 1.3.5.3 - Stored Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability
Stored Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability discovered by Muhamad Hidayat in WordPress JivoChat Live Chat plugin versions <= 1.3.5.3. Solution: Update the WordPress JivoChat Live Chat plugin to the latest available version (at least 1.3.5.4)...
WordPress Call&Book Mobile Bar plugin <= 1.2.2 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability was discovered by Vinay Varma Mudunuri and Krishna Harsha Kondaveeti in the WordPress Call&Book Mobile Bar plugin versions <= 1.2.2. Solution: Deactivate and delete. This plugin has been closed as of April 19, 2022 and is not available for download. Thi...
WordPress Ultimate Member plugin <= 2.3.1 - Open Redirect vulnerability
Open Redirect vulnerability discovered by Ruijie Li in WordPress Ultimate Member plugin versions <= 2.3.1. Solution: Update the WordPress Ultimate Member plugin to the latest available version (at least 2.3.2)...
WordPress Hermit 音乐播放器 plugin <= 3.1.6 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by Lenon Leite (Patchstack Alliance) in WordPress Hermit 音乐播放器 plugin versions <= 3.1.6. Solution: Deactivate and delete. This plugin has been closed as of April 25, 2022 and is not available for download. This closure is temporary, pending ...
WordPress Domain Replace plugin <= 1.3.8 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress Domain Replace plugin versions <= 1.3.8. Solution: Deactivate and delete. This plugin has been closed as of April 4, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress BulletProof Security plugin <= 6.0 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Fayçal CHENA in WordPress BulletProof Security plugin versions <= 6.0. Solution: Update the WordPress BulletProof Security plugin to the latest available version (at least 6.1)...
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.5.3 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by Huli (Cymetrics) in WordPress VikBooking Hotel Booking Engine & PMS plugin versions <= 1.5.3. Solution: Update the WordPress VikBooking Hotel Booking Engine & PMS plugin to the latest available version (at least 1.5.4)...
WordPress Import WP plugin <= 2.4.5 - Arbitrary File Upload vulnerability leading to Remote Code Execution (RCE)
Arbitrary File Upload vulnerability leading to Remote Code Execution (RCE) discovered by ericfrank900528 in WordPress Import WP plugin versions <= 2.4.5. Solution: Update the WordPress Import WP plugin to the latest available version (at least 2.4.6)...
WordPress Thank Me Later plugin <= 3.3.4 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability was discovered by Ankur Bakre in WordPress Thank Me Later plugin versions <= 3.3.4. Solution: Deactivate and delete. This plugin has been closed as of March 24, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress One Click Demo Import plugin <= 3.0.2 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by YICHENG LIU-ZTE CHENFENG lab in WordPress One Click Demo Import plugin versions <= 3.0.2. Solution: Update the WordPress One Click Demo Import plugin to the latest available version (at least 3.1.0)...
WordPress FV Flowplayer Video Player plugin <= 7.5.15.727 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by Tien Nguyen Anh (Patchstack Alliance) in WordPress FV Flowplayer Video Player plugin versions <= 7.5.15.727. Solution: Update the WordPress FV Flowplayer Video Player plugin to the latest available version (at least 7.5.18.727)...
WordPress UpdraftPlus plugin <= 1.22.8 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Taurus Omar in WordPress UpdraftPlus plugin versions <= 1.22.8. Solution: Update the WordPress UpdraftPlus plugin to the latest available version (at least 1.22.9)...
WordPress Interactive Medical Drawing of Human Body plugin <= 1.0 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Rubina Shaikh in WordPress Interactive Medical Drawing of Human Body plugin versions <= 1.0. Solution: Deactivate and delete. This plugin has been closed as of February 17, 2022 and is not available for download. This closure is temporary,...
WordPress WPC Smart Wishlist for WooCommerce plugin <= 2.9.3 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress WPC Smart Wishlist for WooCommerce plugin versions <= 2.9.3. Solution: Update the WordPress WPC Smart Wishlist for WooCommerce plugin to the latest available version (at least 2.9.4)...
WordPress Database Peek plugin <= 1.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ran Crane in WordPress Database Peek plugin versions <= 1.2. Solution: Deactivate and delete. This plugin has been closed as of February 15, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress miniOrange's Google Authenticator plugin <= 5.4.52 - Unauthenticated Arbitrary Options Deletion vulnerability
Unauthenticated Arbitrary Options Deletion vulnerability discovered by Krzysztof Zając in WordPress miniOrange's Google Authenticator plugin versions <= 5.4.52. Solution: Update the WordPress miniOrange's Google Authenticator plugin to the latest available version (at least 5.5)...
WordPress Internal Link Juicer: SEO Auto Linker for WordPress plugin < 1.3.0.1 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Internal Link Juicer: SEO Auto Linker for WordPress plugin versions < 1.3.0.1. Solution: Update the WordPress Internal Link Juicer: SEO Auto Linker for WordPress plugin to the latest available version (at least 1.3.0.1)...
WordPress Ultimate Bulk SEO Noindex Nofollow – Speed up Penalty Recovery Ultimate SEO Booster plugin <= 1.0.6 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress Ultimate Bulk SEO Noindex Nofollow – Speed up Penalty Recovery Ultimate SEO Booster plugin versions <= 1.0.6. Solution: No patched version available...
WordPress Team Circle Image Slider With Lightbox plugin <= 1.0.15 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ran Crane in WordPress Team Circle Image Slider With Lightbox plugin versions <= 1.0.15. Solution: Update the WordPress Team Circle Image Slider With Lightbox plugin to the latest available version (at least 1.0.16)...
WordPress WP Cerber Security plugin <= 8.9.5 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress WP Cerber Security plugin versions <= 8.9.5. Solution: Update the WordPress WP Cerber Security plugin to the latest available version (at least 8.9.6)...
WordPress File Upload plugin <= 4.16.2 - Contributor+ Stored Cross-Site Scripting (XSS) via Shortcode vulnerability
Contributor+ Stored Cross-Site Scripting (XSS) via Shortcode vulnerability discovered by apple502j in WordPress File Upload plugin versions <= 4.16.2. Solution: Update the WordPress File Upload plugin to the latest available version (at least 4.16.3)...
WordPress Cost Calculator plugin <= 1.6 - Authenticated Local File Inclusion (LFI) vulnerability
Authenticated Local File Inclusion (LFI) vulnerability discovered by apple502j in WordPress Cost Calculator plugin versions <= 1.6. Solution: Deactivate and delete. This plugin has been closed as of November 3, 2021 and is not available for download. Reason: Security Issue...
WordPress Use Any Font plugin <= 6.2 - Unauthenticated Arbitrary CSS Appending vulnerability
Unauthenticated Arbitrary CSS Appending vulnerability discovered by Krzysztof Zając in WordPress Use Any Font plugin versions <= 6.2. Solution: Update the WordPress Use Any Font plugin to the latest available version (at least 6.2.1)...
WordPress LearnPress plugin <= 4.1.4.1 - Arbitrary Image Renaming vulnerability
Arbitrary Image Renaming vulnerability discovered by Ceylan Bozogullarindan in WordPress LearnPress plugin versions <= 4.1.4.1. Solution: Update the WordPress LearnPress plugin to the latest available version (at least 4.1.5)...
WordPress Coming soon and Maintenance mode plugin <= 3.6.6 - Arbitrary Email Sending to Subscribed Users vulnerability
Arbitrary Email Sending to Subscribed Users vulnerability discovered by Krzysztof Zając in WordPress Coming soon and Maintenance mode plugin versions <= 3.6.6. Solution: Update the WordPress Coming soon and Maintenance mode plugin to the latest available version (at least 3.6.7)...