
45950 matches found

Patchstack, added 2005/02/20 12:00 a.m., 24 views

WordPress <=1.2 - Multiple Cross-Site Scripting (XSS) vulnerabilities

Because of these vulnerabilities, attackers can inject arbitrary web script or HTML. Solution: Update WordPress to the latest possible version...

CVSS: 4.3, AI score: 1.4, EPSS: 0.01332
Exploits: 1, References: 1, Affected Software: 1
Patchstack, added 2026/06/02 4:51 p.m., 23 views

WordPress Sunshine Photo Cart plugin <= 3.6.7 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Dave Jong (Patchstack) in WordPress Plugin Sunshine Photo Cart versions <= 3.6.7...

CVSS: 6.3, AI score: 5.8, EPSS: 0.00038
Exploits: 0, Affected Software: 1
Patchstack, added 2025/12/16 6:10 p.m., 23 views

WordPress WP to LinkedIn Auto Publish plugin <= 1.9.8 - Reflected Cross-Site Scripting via PostMessage vulnerability

Reflected Cross-Site Scripting via PostMessage vulnerability discovered by Nicolai Hellesnes nico in WordPress Plugin WP to LinkedIn Auto Publish versions <= 1.9.8...

CVSS: 6.1, AI score: 6.1, EPSS: 0.00118
Exploits: 0, References: 1, Affected Software: 1
Patchstack, added 2025/06/23 12:00 a.m., 23 views

WordPress MagOne Theme <= 8.5 is vulnerable to Cross Site Scripting (XSS)

Software: MagOne; Type: Theme; Vulnerable versions: <= 8.5; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2025-39488; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: 150089f804cf; Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunit...

AI score: 6.8, EPSS: 0.00185
Exploits: 0, References: 1, Affected Software: 1
Patchstack, added 2024/11/25 12:00 a.m., 23 views

WordPress Spam protection, AntiSpam, FireWall by CleanTalk Plugin <= 6.44 is vulnerable to Broken Authentication

Software: Spam protection, AntiSpam, FireWall by CleanTalk; Type: Plugin; Vulnerable versions: <= 6.44; Fixed in: 6.45; OWASP Top 10: A1: Broken Access Control; Classification: Broken Authentication; CVE: CVE-2024-10781; Patch priority: High; CVSS severity: High 8.1; PSID: 0bd21f35fe5e...

CVSS: 8.1, AI score: 6.3, EPSS: 0.02512
Exploits: 1, References: 3, Affected Software: 1
Patchstack, added 2024/11/25 12:00 a.m., 23 views

WordPress CM Pop-Up banners Plugin 1.7.5 is vulnerable to Cross Site Scripting (XSS)

Software: CM Pop-Up banners; Type: Plugin; Vulnerable versions: 1.7.5; Fixed in: 1.7.6; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-11202; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: f58e5244f29c; Credits: Peter Thaleikis...

CVSS: 6.1, AI score: 5.9, EPSS: 0.02206
Exploits: 0, References: 3, Affected Software: 1
Patchstack, added 2024/11/25 12:00 a.m., 23 views

WordPress NextGEN Gallery Plugin < 3.59.5 is vulnerable to Cross Site Scripting (XSS)

Software: NextGEN Gallery; Type: Plugin; Vulnerable versions: < 3.59.5; Fixed in: 3.59.5; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-6393; Patch priority: Low; CVSS severity: Low 5.9; PSID: 0e6857ff3928; Credits: WPscan; Required privileg...

CVSS: 4.8, AI score: 6, EPSS: 0.00202
Exploits: 1, References: 3, Affected Software: 1
Patchstack, added 2024/11/21 12:00 a.m., 23 views

WordPress WordPress Announcement & Notification Banner Plugin – Bulletin Plugin <= 3.11.7 is vulnerable to Cross Site Scripting (XSS)

Software: WordPress Announcement & Notification Banner Plugin – Bulletin; Type: Plugin; Vulnerable versions: <= 3.11.7; Fixed in: N/A; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-10682; Patch priority: Medium; CVSS severity: Medium 7.1...

CVSS: 6.1, AI score: 5.7, EPSS: 0.01414
Exploits: 0, References: 3, Affected Software: 1
Patchstack, added 2024/11/14 12:00 a.m., 23 views

WordPress Automation By Autonami Plugin < 3.3.0 is vulnerable to SQL Injection

Software: Automation By Autonami; Type: Plugin; Vulnerable versions: < 3.3.0; Fixed in: 3.3.0; OWASP Top 10: A1: Injection; Classification: SQL Injection; CVE: CVE-2024-9186; Patch priority: High; CVSS severity: High 9.3; PSID: 0bc9c96e6168; Credits: y4ng0615; Required privilege: Unauthenticated...

CVSS: 8.6, AI score: 6.9, EPSS: 0.32651
Exploits: 1, References: 3, Affected Software: 1
Patchstack, added 2024/11/08 12:00 a.m., 23 views

WordPress Postify: Post Layout For Elementor Plugin <= 1.0.1 is vulnerable to Cross Site Scripting (XSS)

Software: Postify: Post Layout For Elementor; Type: Plugin; Vulnerable versions: <= 1.0.1; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-51893; Patch priority: Low; CVSS severity: Low 6.5; PSID: 9a15834c2f21; Credits: Gab; Required privileg...

CVSS: 6.5, AI score: 6.5, EPSS: 0.00295
Exploits: 0, References: 1, Affected Software: 1
Patchstack, added 2024/10/17 12:00 a.m., 23 views

WordPress Property Lot Management System Plugin <= 4.2.38 is vulnerable to Arbitrary File Upload

Software: Property Lot Management System; Type: Plugin; Vulnerable versions: <= 4.2.38; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Arbitrary File Upload; CVE: CVE-2024-49331; Patch priority: Medium; CVSS severity: Medium 9.9; PSID: 5524e01a8194; Credits: CTRL Chance; Required...

CVSS: 9.9, AI score: 9.6, EPSS: 0.00632
Exploits: 0, References: 1, Affected Software: 1
Patchstack, added 2024/10/10 12:00 a.m., 23 views

WordPress Hunk Companion Plugin <= 1.8.4 is vulnerable to Broken Access Control

Software: Hunk Companion; Type: Plugin; Vulnerable versions: <= 1.8.4; Fixed in: 1.8.5; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2024-9707; Patch priority: High; CVSS severity: High 7.5; PSID: 20cecbb53904; Credits: Sean Murphy; Required privileg...

CVSS: 9.8, AI score: 6.5, EPSS: 0.90276
Exploits: 2, References: 3, Affected Software: 1
Patchstack, added 2024/10/10 12:00 a.m., 23 views

WordPress WP-Advanced-Search Plugin < 3.3.9.2 is vulnerable to SQL Injection

Software: WP-Advanced-Search; Type: Plugin; Vulnerable versions: < 3.3.9.2; Fixed in: 3.3.9.2; OWASP Top 10: A1: Injection; Classification: SQL Injection; CVE: CVE-2024-9796; Patch priority: High; CVSS severity: High 9.3; PSID: 872f69a2765a; Credits: Wojciech Jezowski; Required privilege...

CVSS: 9.8, AI score: 6.9, EPSS: 0.8312
Exploits: 4, References: 3, Affected Software: 1
Patchstack, added 2024/10/09 12:00 a.m., 23 views

WordPress ACF Images Search And Insert Plugin <= 1.1.4 is vulnerable to Arbitrary File Upload

Software: ACF Images Search And Insert; Type: Plugin; Vulnerable versions: <= 1.1.4; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Arbitrary File Upload; CVE: CVE-2024-48035; Patch priority: Medium; CVSS severity: Medium 9.9; PSID: a12f4662ed6d; Credits: stealthcopter; Required...

CVSS: 9.9, AI score: 6.8, EPSS: 0.01197
Exploits: 0, References: 1, Affected Software: 1
Patchstack, added 2024/10/07 12:00 a.m., 23 views

WordPress Themify Builder Plugin <= 7.6.2 is vulnerable to Cross Site Scripting (XSS)

Software: Themify Builder; Type: Plugin; Vulnerable versions: <= 7.6.2; Fixed in: 7.6.3; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-9385; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: 2ab445f01cba; Credits: Colin Xu; Required...

CVSS: 6.1, AI score: 5.7, EPSS: 0.02566
Exploits: 0, References: 3, Affected Software: 1
Patchstack, added 2024/10/07 12:00 a.m., 23 views

WordPress Hash Form Plugin <= 1.1.9 is vulnerable to Arbitrary File Upload

Software: Hash Form; Type: Plugin; Vulnerable versions: <= 1.1.9; Fixed in: 1.2.0; OWASP Top 10: A1: Injection; Classification: Arbitrary File Upload; CVE: CVE-2024-9417; Patch priority: High; CVSS severity: High 6.1; PSID: 599a3ecad6e0; Credits: Rein Daelman trein; Required privilege...

CVSS: 6.1, AI score: 6.9, EPSS: 0.00398
Exploits: 0, References: 3, Affected Software: 1
Patchstack, added 2024/09/30 12:00 a.m., 23 views

WordPress TinyPNG Plugin <= 3.4.3 is vulnerable to Cross Site Request Forgery (CSRF)

Software: TinyPNG; Type: Plugin; Vulnerable versions: <= 3.4.3; Fixed in: 3.4.4; OWASP Top 10: A1: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2024-47635; Patch priority: Low; CVSS severity: Low 5.4; PSID: 9470f9a7ceb0; Credits: Rafie Muhammad (Patchstack)...

CVSS: 5.4, AI score: 6.6, EPSS: 0.00111
Exploits: 0, References: 2, Affected Software: 1
Patchstack, added 2024/09/25 12:00 a.m., 23 views

WordPress Uncanny Groups for LearnDash Plugin <= 6.1.0.1 is vulnerable to Broken Access Control

Software: Uncanny Groups for LearnDash; Type: Plugin; Vulnerable versions: <= 6.1.0.1; Fixed in: 6.1.1; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2024-8350; Patch priority: Low; CVSS severity: Low 2.7; PSID: d89e217025ab; Credits: Karl Emil Nikka...

CVSS: 2.7, AI score: 6.7, EPSS: 0.0024
Exploits: 1, References: 2, Affected Software: 1
Patchstack, added 2024/09/25 12:00 a.m., 23 views

WordPress Livemesh Addons for Elementor Plugin <= 8.5 is vulnerable to Cross Site Scripting (XSS)

Software: Livemesh Addons for Elementor; Type: Plugin; Vulnerable versions: <= 8.5; Fixed in: 8.5.1; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-47303; Patch priority: Low; CVSS severity: Low 6.5; PSID: 6b692e93ddf5; Credits: João Pedro S Alcântara...

CVSS: 6.5, AI score: 6.7, EPSS: 0.00185
Exploits: 0, References: 2, Affected Software: 1
Patchstack, added 2024/09/18 12:00 a.m., 23 views

WordPress WP Hardening Plugin <= 1.2.6 is vulnerable to Bypass Vulnerability

Software: WP Hardening; Type: Plugin; Vulnerable versions: <= 1.2.6; Fixed in: 1.2.7; OWASP Top 10: A4: Insecure Design; Classification: Bypass Vulnerability; CVE: CVE-2024-6641; Patch priority: Low; CVSS severity: Low 5.3; PSID: 5e3f8dc1dce6; Credits: Felipe Caon; Required privilege...

CVSS: 5.3, AI score: 6.6, EPSS: 0.00342
Exploits: 0, References: 3, Affected Software: 1
Patchstack, added 2024/09/05 12:00 a.m., 23 views

WordPress LiteSpeed Cache Plugin < 6.5.0.1 is vulnerable to Broken Authentication

Software: LiteSpeed Cache; Type: Plugin; Vulnerable versions: < 6.5.0.1; Fixed in: 6.5.0.1; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Broken Authentication; CVE: CVE-2024-44000; Patch priority: High; CVSS severity: High 9.8; Developer: Hai Zheng / Lite Speed Cache; PSID: 8f939cc0b306...

CVSS: 9.8, AI score: 7.5, EPSS: 0.92815
Exploits: 7, References: 3, Affected Software: 1
Patchstack, added 2024/08/29 12:00 a.m., 23 views

WordPress CoBlocks Plugin < 3.1.13 is vulnerable to Cross Site Scripting (XSS)

Software: CoBlocks; Type: Plugin; Vulnerable versions: < 3.1.13; Fixed in: 3.1.13; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-7132; Patch priority: Low; CVSS severity: Low 6.5; PSID: 2ec557475360; Credits: Dmitrii Ignatyev; Required...

CVSS: 4.8, AI score: 5.8, EPSS: 0.00214
Exploits: 1, References: 4, Affected Software: 1
Patchstack, added 2024/07/18 12:00 a.m., 23 views

WordPress Elements kit Elementor addons Plugin <= 3.2.0 is vulnerable to Sensitive Data Exposure

Software: Elements kit Elementor addons; Type: Plugin; Vulnerable versions: <= 3.2.0; Fixed in: 3.2.1; OWASP Top 10: A3: Sensitive Data Exposure; Classification: Sensitive Data Exposure; CVE: CVE-2024-6455; Patch priority: Low; CVSS severity: Low 5.3; Developer: Wpmet; PSID: b000113e05e5; Credits: stealthcopter; Required...

CVSS: 5.3, AI score: 6.6, EPSS: 0.00396
Exploits: 0, References: 3, Affected Software: 1
Patchstack, added 2024/06/28 12:00 a.m., 23 views

WordPress Elementor Pro Plugin <= 3.21.2 is vulnerable to Cross Site Scripting (XSS)

Software: Elementor Pro; Type: Plugin; Vulnerable versions: <= 3.21.2; Fixed in: 3.21.3; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-35656; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: 41d6dec3f86d; Credits: Michael; Required privilege...

CVSS: 7.1, AI score: 6.6, EPSS: 0.00362
Exploits: 0, References: 1, Affected Software: 1
Patchstack, added 2024/04/29 2:39 p.m., 23 views

WordPress Realtyna Organic IDX plugin + WPL Real Estate plugin <= 4.14.4 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability discovered by Muhammad Daffa (Patchstack Alliance) in WordPress Plugin Realtyna Organic IDX plugin versions <= 4.14.4...

CVSS: 7.1, AI score: 6.1, EPSS: 0.00084
Exploits: 0, Affected Software: 1
Patchstack, added 2024/04/16 12:00 a.m., 23 views

WordPress Email Subscribers & Newsletters Plugin <= 5.7.14 is vulnerable to SQL Injection

Software: Email Subscribers & Newsletters; Type: Plugin; Vulnerable versions: <= 5.7.14; Fixed in: 5.7.15; OWASP Top 10: A1: Injection; Classification: SQL Injection; CVE: CVE-2024-2876; Patch priority: High; CVSS severity: High 9.3; PSID: 9b57a92f98bb; Credits: Arkadiusz Hydzik; Required...

CVSS: 9.8, AI score: 6.8, EPSS: 0.90916
Exploits: 4, References: 3, Affected Software: 1
Patchstack, added 2024/04/15 12:00 a.m., 23 views

WordPress WooCommerce Plugin < 8.6 is vulnerable to Broken Access Control

Software: WooCommerce; Type: Plugin; Vulnerable versions: < 8.6; Fixed in: 8.6; OWASP Top 10: A1: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2024-1310; Patch priority: Low; CVSS severity: Low 4.3; PSID: 1c0523f0c515; Credits: Scott Kingsley Clark; Required privilege...

CVSS: 4.9, AI score: 6.5, EPSS: 0.00551
Exploits: 2, References: 4, Affected Software: 1
Patchstack, added 2024/01/10 12:00 a.m., 23 views

WordPress EventON Plugin <= 2.2.8 is vulnerable to Cross Site Request Forgery (CSRF)

Software: EventON; Type: Plugin; Vulnerable versions: <= 2.2.8; Fixed in: 2.2.9; OWASP Top 10: A5: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2023-6244; Patch priority: Low; CVSS severity: Low 4.3; PSID: 8c97e0a9cf60; Credits: Francesco Carlucci; Required...

CVSS: 6.5, AI score: 6.6, EPSS: 0.00134
Exploits: 0, References: 3, Affected Software: 1
Patchstack, added 2023/12/27 12:00 a.m., 23 views

WordPress Backup Migration Plugin <= 1.3.9 is vulnerable to Path Traversal

Software: Backup Migration; Type: Plugin; Vulnerable versions: <= 1.3.9; Fixed in: 1.4.0; OWASP Top 10: A5: Security Misconfiguration; Classification: Path Traversal; CVE: CVE-2023-6972; Patch priority: High; CVSS severity: High 7.5; PSID: 63ca4651f92b; Credits: NP3228; Required privilege...

CVSS: 9.8, AI score: 6.4, EPSS: 0.1832
Exploits: 1, References: 3, Affected Software: 1
Patchstack, added 2023/11/21 12:00 a.m., 23 views

WordPress Userpro Plugin <= 5.1.4 is vulnerable to Privilege Escalation

Software: Userpro; Type: Plugin; Vulnerable versions: <= 5.1.4; Fixed in: 5.1.5; OWASP Top 10: A1: Broken Access Control; Classification: Privilege Escalation; CVE: CVE-2023-6009; Patch priority: High; CVSS severity: High 8.8; PSID: 7046ef9feaa8; Credits: István Márton; Required privilege...

CVSS: 8.8, AI score: 6.8, EPSS: 0.00153
Exploits: 2, References: 2, Affected Software: 1
Patchstack, added 2023/11/07 12:00 a.m., 23 views

WordPress Amazonify Plugin <= 0.8.1 is vulnerable to Cross Site Request Forgery (CSRF)

Software: Amazonify; Type: Plugin; Vulnerable versions: <= 0.8.1; Fixed in: N/A; OWASP Top 10: A5: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2023-5818; Patch priority: Low; CVSS severity: Low 4.3; PSID: a36688b74e5b; Credits: Ala Arfaoui; Required privile...

CVSS: 4.3, AI score: 6.5, EPSS: 0.00121
Exploits: 0, References: 2, Affected Software: 1
Patchstack, added 2023/10/30 12:00 a.m., 23 views

WordPress Left right image slideshow gallery Plugin <= 12.0 is vulnerable to SQL Injection

Software: Left right image slideshow gallery; Type: Plugin; Vulnerable versions: <= 12.0; Fixed in: 12.1; OWASP Top 10: A1: Injection; Classification: SQL Injection; CVE: CVE-2023-5431; Patch priority: Low; CVSS severity: Low 8.5; PSID: a8ec43c6fd5b; Credits: István Márton; Required privilege...

CVSS: 8.8, AI score: 6.8, EPSS: 0.0015
Exploits: 1, References: 3, Affected Software: 1
Patchstack, added 2023/10/13 12:00 a.m., 23 views

WordPress RumbleTalk Live Group Chat Plugin <= 6.2.5 is vulnerable to Broken Access Control

Software: RumbleTalk Live Group Chat; Type: Plugin; Vulnerable versions: <= 6.2.5; Fixed in: 6.2.6; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2023-45828; Patch priority: Medium; CVSS severity: Medium 5.4; PSID: 142311804af3; Credits: Mika; Require...

AI score: 6.5, EPSS: 0.04681
Exploits: 1, References: 2, Affected Software: 1
Patchstack, added 2023/08/22 12:00 a.m., 23 views

WordPress JupiterX Core Plugin <= 3.3.5 is vulnerable to Arbitrary File Upload

Software: JupiterX Core; Type: Plugin; Vulnerable versions: <= 3.3.5; Fixed in: 3.3.8; OWASP Top 10: A3: Injection; Classification: Arbitrary File Upload; CVE: CVE-2023-38388; Patch priority: High; CVSS severity: High 9; PSID: 8bc7c34302b7; Credits: Rafie Muhammad (Patchstack); Required privileg...

CVSS: 9.8, AI score: 6.8, EPSS: 0.22899
Exploits: 0, References: 2, Affected Software: 1
Patchstack, added 2023/08/02 12:00 a.m., 23 views

WordPress Stripe Payment Gateway for WooCommerce Plugin <= 3.7.7 is vulnerable to Privilege Escalation

Software: Stripe Payment Gateway for WooCommerce; Type: Plugin; Vulnerable versions: <= 3.7.7; Fixed in: 3.7.8; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Privilege Escalation; CVE: CVE-2023-3162; Patch priority: High; CVSS severity: High 9.8; PSID...

CVSS: 9.8, AI score: 6.5, EPSS: 0.00298
Exploits: 2, References: 3, Affected Software: 1
Patchstack, added 2023/06/27 12:00 a.m., 23 views

WordPress The7 Theme <= 11.7.3 is vulnerable to Cross Site Request Forgery (CSRF)

Software: The7; Type: Theme; Vulnerable versions: <= 11.7.3; Fixed in: 11.7.3.1; OWASP Top 10: A5: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2023-32123; Patch priority: Low; CVSS severity: Low 6.1; PSID: 3ecb876f7b93; Credits: Dave Jong (Patchstack); Requir...

CVSS: 7.1, AI score: 6.7, EPSS: 0.00112
Exploits: 0, References: 1, Affected Software: 1
Patchstack, added 2023/01/05 12:00 a.m., 23 views

WordPress Product Slider and Carousel with Category for WooCommerce Plugin < 2.8 is vulnerable to Cross Site Scripting (XSS)

Software: Product Slider and Carousel with Category for WooCommerce; Type: Plugin; Vulnerable versions: < 2.8; Fixed in: 2.8; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2022-4791; Patch priority: Medium; CVSS severity: Medium 6.3; PSID...

CVSS: 5.4, AI score: 5.7, EPSS: 0.00181
Exploits: 2, References: 4, Affected Software: 1
Patchstack, added 2023/01/04 12:00 a.m., 23 views

WordPress Show-Hide / Collapse-Expand Plugin <= 1.2.5 is vulnerable to Cross Site Scripting (XSS)

Software: Show-Hide / Collapse-Expand; Type: Plugin; Vulnerable versions: <= 1.2.5; Fixed in: 1.3.0; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2022-4829; Patch priority: Medium; CVSS severity: Medium 6.4; PSID: a608bae568e8; Credits: István...

CVSS: 5.4, AI score: 5.7, EPSS: 0.00198
Exploits: 2, References: 4, Affected Software: 1
Patchstack, added 2022/11/09 12:00 a.m., 23 views

WordPress WPML Multilingual CMS premium plugin <= 4.5.10 - Broken Access Control vulnerability

Broken Access Control vulnerability leading to status change of translation job discovered by Dave Jong (Patchstack) in the WordPress WPML Multilingual CMS premium plugin versions <= 4.5.10. Solution: Update the WordPress Multilingual CMS plugin to the latest available version (at least 4.5.11)...

CVSS: 4.3, AI score: 3.2, EPSS: 0.00201
Exploits: 0, Affected Software: 1
Patchstack, added 2022/11/03 12:00 a.m., 23 views

WordPress Image Hover Effects Css3 <= 4.5 - Auth. Stored Cross-Site Scripting (XSS) vulnerability

Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas in WordPress Image Hover Effects Css3 versions <= 4.5. Solution: Deactivate and delete. This plugin has been closed as of November 1, 2022 and is not available for download. This closure is temporary, pending a full...

AI score: 1.8, EPSS: 0.00218
Exploits: 2, References: 1, Affected Software: 1
Patchstack, added 2022/11/01 12:00 a.m., 23 views

WordPress Homepage PopUp plugin <= 1.2.5 - Cross-Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability discovered by Mika (Patchstack Alliance) in the WordPress Homepage Pop-up plugin versions <= 1.2.5. Solution: No patched version is available. No reply from the vendor...

AI score: 2.9, EPSS: 0.00104
Exploits: 0, Affected Software: 1
Patchstack, added 2022/10/31 12:00 a.m., 23 views

WordPress WP User Frontend plugin <= 3.5.28 - Obscure Registration as Admin vulnerability

Obscure Registration as Admin vulnerability discovered by AyeCode Ltd in WordPress WP User Frontend plugin versions <= 3.5.28. Solution: Update the WordPress WP User Frontend plugin to the latest available version (at least 3.5.29)...

CVSS: 9.8, AI score: 2.4, EPSS: 0.00431
Exploits: 2, References: 1, Affected Software: 1
Patchstack, added 2022/10/31 12:00 a.m., 23 views

WordPress Booster for WooCommerce premium plugin <= 5.6.4 - Cross-Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability leading to Checkout Files Deletion discovered by WPScan in WordPress Booster for WooCommerce premium plugin versions <= 5.6.4. Solution: Update the WordPress Booster Plus for WooCommerce plugin to the latest available version (at least 5.6.5)...

CVSS: 8.1, AI score: 3.4, EPSS: 0.00163
Exploits: 2, References: 2, Affected Software: 1
Patchstack, added 2022/10/30 12:00 a.m., 23 views

WordPress Appointment Hour Booking plugin <= 1.3.71 - Missing Authorization vulnerability

Missing Authorization vulnerability leading to Feedback Submission discovered by Lana Codes (Patchstack Alliance) in the WordPress Appointment Hour Booking plugin versions <= 1.3.71. Solution: Update the WordPress Appointment Hour Booking plugin to the latest available version (at least 1.3.72)...

CVSS: 8.8, AI score: 3, EPSS: 0.0034
Exploits: 0, Affected Software: 1
Patchstack, added 2022/10/27 12:00 a.m., 23 views

WordPress 3D Tag Cloud plugin <= 3.8 - Stored Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability

Stored Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability discovered by Lana Codes (Patchstack Alliance) in the WordPress 3D Tag Cloud plugin versions <= 3.8. Solution: Deactivate and delete. This plugin has been closed as of September 22, 2022 and is not available for downloa...

AI score: 2.1, EPSS: 0.00065
Exploits: 0, Affected Software: 1
Patchstack, added 2022/10/25 12:00 a.m., 23 views

WordPress WPQA premium plugin < 5.9 - Cross-Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability discovered by Bikram Kharal in WordPress WPQA premium plugin versions < 5.9. Solution: Update the WordPress WPQA - Builder forms Addon plugin to the latest available version (at least 5.9)...

CVSS: 8.8, AI score: 3.4, EPSS: 0.00627
Exploits: 1, References: 1, Affected Software: 1
Patchstack, added 2022/10/24 12:00 a.m., 23 views

WordPress Advanced Floating Content plugin <= 1.2.1 - Multiple Auth. Cross-Site Scripting (XSS) vulnerabilities

Multiple Auth. Cross-Site Scripting (XSS) vulnerabilities were discovered by Tien Nguyen Anh (Patchstack Alliance) in the WordPress Advanced Floating Content plugin versions <= 1.2.1. Solution: Update the WordPress Advanced Floating Content plugin to the latest available version (at least 1.2.2)...

AI score: 3.3, EPSS: 0.00181
Exploits: 0, Affected Software: 1
Patchstack, added 2022/10/20 12:00 a.m., 23 views

WordPress Avada premium theme <= 7.8.1 - Cross-Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary Plugin Installation/Activation discovered by Dave Jong (Patchstack) in WordPress Avada theme versions <= 7.8.1. Solution: Update the WordPress Avada theme to the latest available version (at least 7.8.2)...

CVSS: 8.8, AI score: 4, EPSS: 0.0054
Exploits: 0, References: 1, Affected Software: 1
Patchstack, added 2022/10/18 12:00 a.m., 23 views

WordPress WP Attachments plugin <= 5.0.4 - Auth. Stored Cross-Site Scripting (XSS) vulnerability

Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Mariah Almotlag in the WordPress WP Attachments plugin versions <= 5.0.4. Solution: Update the WordPress WP Attachments plugin to the latest available version (at least 5.0.5)...

CVSS: 4.8, AI score: 3.3, EPSS: 0.00357
Exploits: 2, References: 1, Affected Software: 1
Patchstack, added 2022/09/30 12:00 a.m., 23 views

WordPress WZone – Lite Version plugin <= 3.1 Lite - Cross-Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability discovered by ptsfence (Patchstack Alliance) in WordPress WZone – Lite Version plugin versions <= 3.1 Lite. Solution: No patched version is available. No reply from the vendor since Jul 29, 2022...

AI score: 3.3, EPSS: 0.00097
Exploits: 0, Affected Software: 1
Total number of security vulnerabilities: 5000