45948 matches found
WordPress Ultimate Bulk SEO Noindex Nofollow – Speed up Penalty Recovery Ultimate SEO Booster plugin <= 1.0.6 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress Ultimate Bulk SEO Noindex Nofollow – Speed up Penalty Recovery Ultimate SEO Booster plugin versions <= 1.0.6. Solution: No patched version available...
WordPress Team Circle Image Slider With Lightbox plugin <= 1.0.15 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ran Crane in WordPress Team Circle Image Slider With Lightbox plugin versions <= 1.0.15. Solution: Update the WordPress Team Circle Image Slider With Lightbox plugin to the latest available version (at least 1.0.16)...
WordPress WP Cerber Security plugin <= 8.9.5 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress WP Cerber Security plugin versions <= 8.9.5. Solution: Update the WordPress WP Cerber Security plugin to the latest available version (at least 8.9.6)...
WordPress File Upload plugin <= 4.16.2 - Contributor+ Stored Cross-Site Scripting (XSS) via Shortcode vulnerability
Contributor+ Stored Cross-Site Scripting (XSS) via Shortcode vulnerability discovered by apple502j in WordPress File Upload plugin versions <= 4.16.2. Solution: Update the WordPress File Upload plugin to the latest available version (at least 4.16.3)...
WordPress Cost Calculator plugin <= 1.6 - Authenticated Local File Inclusion (LFI) vulnerability
Authenticated Local File Inclusion (LFI) vulnerability discovered by apple502j in WordPress Cost Calculator plugin versions <= 1.6. Solution: Deactivate and delete. This plugin has been closed as of November 3, 2021 and is not available for download. Reason: Security Issue...
WordPress Use Any Font plugin <= 6.2 - Unauthenticated Arbitrary CSS Appending vulnerability
Unauthenticated Arbitrary CSS Appending vulnerability discovered by Krzysztof Zając in WordPress Use Any Font plugin versions <= 6.2. Solution: Update the WordPress Use Any Font plugin to the latest available version (at least 6.2.1)...
WordPress LearnPress plugin <= 4.1.4.1 - Arbitrary Image Renaming vulnerability
Arbitrary Image Renaming vulnerability discovered by Ceylan Bozogullarindan in WordPress LearnPress plugin versions <= 4.1.4.1. Solution: Update the WordPress LearnPress plugin to the latest available version (at least 4.1.5)...
WordPress Coming soon and Maintenance mode plugin <= 3.6.6 - Arbitrary Email Sending to Subscribed Users vulnerability
Arbitrary Email Sending to Subscribed Users vulnerability discovered by Krzysztof Zając in WordPress Coming soon and Maintenance mode plugin versions <= 3.6.6. Solution: Update the WordPress Coming soon and Maintenance mode plugin to the latest available version (at least 3.6.7)...
WordPress AnyComment plugin <= 0.2.17 - Comment Rating Increase/Decrease via Race Condition vulnerability
Comment Rating Increase/Decrease via Race Condition vulnerability discovered by Brandon Roldan in WordPress AnyComment plugin versions <= 0.2.17. Solution: Update the WordPress AnyComment plugin to the latest available version (at least 0.2.18)...
WordPress Shield Security plugin <= 13.0.5 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Yoru Oni in WordPress Shield Security plugin versions <= 13.0.5. Solution: Update the WordPress Shield Security plugin to the latest available version (at least 13.0.6)...
WordPress Better Messages plugin <= 1.9.9.148 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability at bpmessagesfavorite discovered by Vlad Vector (Patchstack) in WordPress Better Messages plugin versions <= 1.9.9.148. Solution: Update the WordPress BP Better Messages plugin to the latest available version (at least 1.9.9.149)...
WordPress GiveWP plugin <= 2.17.2 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress GiveWP plugin versions <= 2.17.2. Solution: Update the WordPress GiveWP plugin to the latest available version (at least 2.17.3)...
WordPress Permalink Manager Pro premium plugin <= 2.2.14 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Permalink Manager Pro premium plugin versions <= 2.2.14. Solution: Update the WordPress Permalink Manager Pro premium plugin to the latest available version (at least 2.2.15)...
WordPress WP-DownloadManager plugin <= 1.68.6 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by Ex.Mi (Patchstack) in WordPress WP-DownloadManager plugin versions <= 1.68.6. Solution: Update the WordPress WP-DownloadManager plugin to the latest available version (at least 1.68.7)...
WordPress RVM – Responsive Vector Maps plugin <= 6.4.1 - Arbitrary File Read vulnerability
Arbitrary File Read vulnerability discovered by Krzysztof Zając in WordPress RVM – Responsive Vector Maps plugin versions <= 6.4.1. Solution: Update the WordPress RVM – Responsive Vector Maps plugin to the latest available version (at least 6.4.2)...
WordPress The Plus Addons for Elementor Pro premium plugin <= 5.0.6 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by Nicolas Vidal from TEHTRIS in WordPress The Plus Addons for Elementor Pro premium plugin versions <= 5.0.6. Solution: Update the WordPress The Plus Addons for Elementor Pro premium plugin to the latest available version (at least 5.0.7)...
WordPress PowerPack Addons for Elementor plugin <= 2.6.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress PowerPack Addons for Elementor plugin versions <= 2.6.1. Solution: Update the WordPress PowerPack Addons for Elementor plugin to the latest available version (at least 2.6.2)...
WordPress CAOS | Host Google Analytics Locally plugin <= 4.1.8 - Arbitrary Folder Deletion via Path Traversal vulnerability
Arbitrary Folder Deletion via Path Traversal vulnerability discovered by José Aguilera in WordPress CAOS | Host Google Analytics Locally plugin versions <= 4.1.8. Solution: Update the WordPress CAOS | Host Google Analytics Locally plugin to the latest available version (at least 4.1.9)...
WordPress Contact Form & Lead Form Elementor Builder plugin <= 1.6.3 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Contact Form & Lead Form Elementor Builder plugin versions <= 1.6.3. Solution: Update the WordPress Contact Form & Lead Form Elementor Builder plugin to the latest available version at least 1.6...
WordPress Revolve theme <= 1.3.1 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress Revolve theme versions <= 1.3.1. This theme uses a vulnerable piece of code related to previously identified vulnerability - CVE-2021-39317. Solution: Deactivate and delete. The vendor ignores the...
WordPress Mediamatic – Media Library Folders plugin <= 2.7 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by JrXnm in WordPress Mediamatic – Media Library Folders plugin versions <= 2.7. Solution: Deactivate and delete. This plugin has been closed as of October 11, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress Stream plugin <= 3.8.1 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by bl4derunner in WordPress Stream plugin versions <= 3.8.1. Solution: Update the WordPress Stream plugin to the latest available version (at least 3.8.2)...
WordPress Pie Register plugin <= 3.7.1.5 - Unauthenticated Arbitrary Login vulnerability
Unauthenticated Arbitrary Login vulnerability discovered by AyeCode Ltd in WordPress Pie Register plugin versions <= 3.7.1.5. Solution: Update the WordPress Pie Register plugin to the latest available version (at least 3.7.1.6)...
WordPress Post Content XMLRPC plugin <= 1.0 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by Shreya Pohekar (Codevigilant Project) in WordPress Post Content XMLRPC plugin versions <= 1.0. Solution: Deactivate and delete. This plugin has been closed as of June 21, 2021 and is not available for download. Reason: Security Issue...
WordPress Simple Download Monitor plugin <= 3.9.4 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by apple502j in WordPress Simple Download Monitor plugin versions <= 3.9.4. Solution: Update the WordPress Simple Download Monitor plugin to the latest available version (at least 3.9.5)...
WordPress Disable Image Right Click plugin <= 1.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by iohex in WordPress Disable Image Right Click plugin versions <= 1.0. Solution: Deactivate and delete. This plugin has been closed as of January 6, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Image Slider by Ays plugin <= 2.4.9 - Authenticated Blind SQL Injection (SQLi) vulnerability
Authenticated Blind SQL Injection (SQLi) vulnerability discovered by To Quang Duong in WordPress Image Slider by Ays plugin versions <= 2.4.9. Solution: Update the WordPress Image Slider by Ays plugin to the latest available version (at least 2.5.0)...
WordPress ProfilePress plugin 3.0 – 3.1.3 - Authenticated Privilege Escalation vulnerability
Unauthenticated Privilege Escalation vulnerability discovered by Chloe Chamberland (WordFence) in WordPress ProfilePress plugin versions 3.0 – 3.1.3. 06.29.2021 - WordFence updated the vulnerable version to 3.0 - 3.1.3. Solution: Update the WordPress ProfilePress plugin to the latest available versi...
WordPress Smart Slider 3 PRO premium plugin <= 3.5.0.8 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Hardik Solanki in WordPress Smart Slider 3 PRO premium plugin versions <= 3.5.0.8. Solution: Update the WordPress Smart Slider 3 PRO premium plugin to the latest available version (at least 3.5.0.9)...
WordPress Spam protection, AntiSpam, FireWall by CleanTalk plugin <= 5.153.3 - Unauthenticated Time-Based Blind SQL Injection (SQLi) vulnerability
Unauthenticated Time-Based Blind SQL Injection (SQLi) vulnerability discovered by WordFence in WordPress Spam protection, AntiSpam, FireWall by CleanTalk plugin versions <= 5.153.3. Solution: Update the WordPress Spam protection, AntiSpam, FireWall by CleanTalk plugin to the latest available version ...
WordPress W3 Total Cache plugin <= 2.1.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by m0ze in WordPress W3 Total Cache plugin versions <= 2.1.2. Solution: Update the WordPress W3 Total Cache plugin to the latest available version (at least 2.1.3)...
WordPress Redirect 404 to parent plugin <= 1.3.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by 0xB9 in WordPress Redirect 404 to parent plugin versions <= 1.3.0. Solution: Update the WordPress Redirect 404 to parent plugin to the latest available version (at least 1.3.1)...
WordPress WP Maintenance Mode & Site Under Construction plugin <= 1.8.1 - Arbitrary Plugin Installation and Activation vulnerability
Arbitrary Plugin Installation and Activation vulnerability discovered by Bugbang in WordPress WP Maintenance Mode & Site Under Construction plugin versions <= 1.8.1. Solution: Update the WordPress WP Maintenance Mode & Site Under Construction plugin to the latest available version (at least 1.8.2)...
WordPress Stop Spammers plugin <= 2021.8 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Hoseinvita in WordPress Stop Spammers plugin versions <= 2021.8. Solution: Update the WordPress Stop Spammers plugin to the latest available version (at least 2021.9)...
WordPress NextGen Gallery plugin <= 3.4.7 - Cross-Site Request Forgery (CSRF) vulnerability leading to file upload
Cross-Site Request Forgery (CSRF) vulnerability leading to file upload found by WordFence in WordPress NextGen Gallery plugin versions <= 3.4.7. Solution: Update the WordPress NextGen Gallery plugin to the latest available version (at least 3.5.0)...
WordPress Activello theme <= 1.4.1 - Unauthenticated Function Injection vulnerability
Unauthenticated Function Injection vulnerability found by Jerome Bruandet (NinTechNet) in WordPress Activello theme versions <= 1.4.1. Solution: Update the WordPress Activello theme to the latest available version (at least 1.4.2)...
WordPress Backup, Restore and Migrate plugin 4.2.1 – 4.2.12 - Unprotected AJAX Action to Arbitrary File Overwrite and Sensitive Information Disclosure vulnerability
Unprotected AJAX Action to Arbitrary File Overwrite and Sensitive Information Disclosure vulnerability discovered by Chloe Chamberland (WordFence) in WordPress Backup, Restore and Migrate plugin versions 4.2.1 – 4.2.12. Solution: Update the WordPress Backup, Restore and Migrate plugin to the latest...
WordPress 15zine premium theme <= 3.2.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Fariq Fadillah Gusti Insani in WordPress 15zine premium theme versions <= 3.2.2. Solution: Update the WordPress 15zine premium theme to the latest available version (at least 3.3.0)...
WordPress Advanced Access Manager plugin <= 6.6.1 - Authenticated Information Disclosure vulnerability
Authenticated Information Disclosure vulnerability discovered by WordFence in WordPress Advanced Access Manager plugin versions <= 6.6.1. Solution: Update the WordPress Advanced Access Manager plugin to the latest available version (at least 6.6.2)...
WordPress Mesmerize theme <=1.6.89 - Authenticated Options Update vulnerability
Authenticated Options Update vulnerability found by NinTechNet in WordPress Mesmerize theme versions <=1.6.89. Solution: Update the WordPress Mesmerize theme to the latest available version (at least 1.6.90)...
WordPress Nextgen Gallery plugin <= 3.2.8 - SQL Injection vulnerability
SQL Injection vulnerability found by Tin Duong (Fortinet FortiGuard Labs) in WordPress Nextgen Gallery plugin versions <= 3.2.8. Solution: Update the WordPress Nextgen Gallery plugin to the latest available version (at least 3.2.10)...
WordPress Advanced Contact form 7 DB plugin <= 1.6.1 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability found by Tin Duong in WordPress Advanced Contact form 7 DB plugin versions <= 1.6.1. Solution: Update the WordPress Advanced Contact form 7 DB plugin to the latest available version (at least 1.7.1)...
WordPress WP Statistics plugin <= 12.6.5 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability found by kuqadk3 in WordPress WP Statistics plugin versions <= 12.6.5. Solution: Update the WordPress WP Statistics plugin to the latest available version (at least 12.6.6.1)...
WordPress Hustle – Pop-Ups, Slide-ins and Email Opt-ins plugin <= 6.0.7 - Unauthenticated CSV Injection vulnerability
Unauthenticated CSV Injection vulnerability found by Mark Parfeniuk in WordPress Hustle – Pop-Ups, Slide-ins and Email Opt-ins plugin versions <= 6.0.7. Solution: Update the WordPress Hustle – Pop-Ups, Slide-ins and Email Opt-ins plugin to the latest available version (at least 6.0.8.1)...
WordPress Blog2Social plugin <= 5.0.2 - Authenticated Cross-Site Scripting (XSS) vulnerability
Authenticated Cross-Site Scripting (XSS) vulnerability found by Tim Coen in WordPress Blog2Social plugin versions <= 5.0.2. Solution: Update the WordPress Blog2Social plugin to the latest available version (at least 5.0.3)...
WordPress Booking Calendar plugin <= 8.4.5.14 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by B0UG in WordPress Booking Calendar plugin versions <= 8.4.5.14. Solution: Update the WordPress Booking Calendar plugin to the latest available version (at least 8.4.5.15)...
WordPress Yet Another Stars Rating plugin <= 1.8.6 - PHP Object Injection vulnerability
PHP Object Injection vulnerability found by Paul Dannewitz in WordPress Yet Another Stars Rating plugin versions <= 1.8.6. Solution: Update the WordPress Yet Another Stars Rating plugin to the latest available version (at least 1.8.7)...
WordPress Ninja Forms plugin <= 3.3.17 - Unauthenticated Cross-Site Scripting (XSS) vulnerability
Unauthenticated Cross-Site Scripting (XSS) vulnerability found in WordPress Ninja Forms plugin versions <= 3.3.17. Solution: Update the WordPress Ninja Forms plugin to the latest available version (at least 3.3.18)...
WordPress Comments Import & Export plugin <= 2.3.1 - CSV Injection vulnerability
CSV Injection vulnerability found by Bhushan B. Patil in WordPress Comments Import & Export plugin versions <= 2.0.5. No fully patched version available...
WordPress Concours plugin <=1.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability found by Nicolas Buzy-Debat in WordPress Concours plugin versions <=1.1. Solution: Dec 20, 2017 - we were unable to find a patched version of this plugin, last updated eight months ago. Uninstall or use it at your own risk...