WordPress History Log by click5 Plugin < 1.0.13 is vulnerable to SQL Injection
Software: History Log by click5; Type: Plugin; Vulnerable versions: < 1.0.13; Fixed in: 1.0.13; OWASP Top 10: A1: Injection; Classification: SQL Injection; CVE: CVE-2023-5082; Patch priority: Low; CVSS severity: Low 7.6; Developer: Claim ownership; PSID: 0a946699ae5c; Credits: Karolis Narvilas; Required privilege...
WordPress Social Media & Share Icons Plugin <= 2.8.5 is vulnerable to Sensitive Data Exposure
Software: Social Media & Share Icons; Type: Plugin; Vulnerable versions: <= 2.8.5; Fixed in: 2.8.6; OWASP Top 10: A3: Sensitive Data Exposure; Classification: Sensitive Data Exposure; CVE: CVE-2023-5070; Patch priority: Medium; CVSS severity: Medium 6.5; Developer: Claim ownership; PSID: 041c1c8cf3d2; Credits: Marco...
WordPress EmbedPress Plugin <= 3.8.2 is vulnerable to Broken Access Control
Software: EmbedPress; Type: Plugin; Vulnerable versions: <= 3.8.2; Fixed in: 3.8.3; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2023-4282; Patch priority: Low; CVSS severity: Low 5.4; Developer: Claim ownership; PSID: 9300647917bb; Credits: Lana Codes; Required privilege...
WordPress Stock Ticker Plugin <= 3.23.2 is vulnerable to Cross Site Scripting (XSS)
Software: Stock Ticker; Type: Plugin; Vulnerable versions: <= 3.23.2; Fixed in: 3.23.3; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2022-45365; Patch priority: Medium; CVSS severity: Medium 7.1; Developer: Aleksandar Urošević; PSID: b2f877d49771; Credits: Aman Rawat...
WordPress User Registration Plugin <= 3.0.2 is vulnerable to Arbitrary File Upload
Software: User Registration; Type: Plugin; Vulnerable versions: <= 3.0.2; Fixed in: 3.0.2.1; OWASP Top 10: A1: Injection; Classification: Arbitrary File Upload; CVE: CVE-2023-3342; Patch priority: High; CVSS severity: High 9.9; Developer: Masteriyo; PSID: 9e6954072452; Credits: István Márton; Required privilege: Subscribe...
WordPress Houzez CRM Plugin <= 1.3.4 is vulnerable to SQL Injection
Software: Houzez CRM; Type: Plugin; Vulnerable versions: <= 1.3.4; Fixed in: 1.3.5; OWASP Top 10: A1: Injection; Classification: SQL Injection; CVE: CVE-2023-36529; Patch priority: High; CVSS severity: High 9.9; Developer: Claim ownership; PSID: 5387270a680b; Credits: Dave Jong (Patchstack); Required privilege: Subscriber...
WordPress Kanban Boards for WordPress Plugin < 2.5.21 is vulnerable to Cross Site Scripting (XSS)
Software: Kanban Boards for WordPress; Type: Plugin; Vulnerable versions: < 2.5.21; Fixed in: 2.5.21; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-0873; Patch priority: Low; CVSS severity: Low 5.9; Developer: Claim ownership; PSID: 29201871ee56; Credits: Shreya Pohek...
WordPress Pinpoint Booking System Plugin < 2.9.9.2.9 is vulnerable to SQL Injection
Software: Pinpoint Booking System; Type: Plugin; Vulnerable versions: < 2.9.9.2.9; Fixed in: 2.9.9.2.9; OWASP Top 10: A1: Injection; Classification: SQL Injection; CVE: CVE-2023-0220; Patch priority: High; CVSS severity: High 7.1; Developer: Claim ownership; PSID: 7276b0492738; Credits: István Márton; Required privilege...
WordPress Simple URLs Plugin < 115 is vulnerable to SQL Injection
Software: Simple URLs; Type: Plugin; Vulnerable versions: < 115; Fixed in: 115; OWASP Top 10: A1: Injection; Classification: SQL Injection; CVE: CVE-2023-0098; Patch priority: High; CVSS severity: High 7.1; Developer: Claim ownership; PSID: ce05d13c3118; Credits: dc11; Required privilege: Subscriber; Published: 17 January,...
WordPress Page View Count Plugin < 2.6.1 is vulnerable to Cross Site Scripting (XSS)
Software: Page View Count; Type: Plugin; Vulnerable versions: < 2.6.1; Fixed in: 2.6.1; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-0095; Patch priority: Medium; CVSS severity: Medium 6.3; Developer: Claim ownership; PSID: 545a0fccfa3b; Credits: Lana Codes; Required...
WordPress Contest Gallery plugin <= 13.1.0.9 - Unauth. Stored Cross-Site Scripting (XSS) vulnerability
Unauth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in the WordPress Contest Gallery plugin versions <= 13.1.0.9. Solution: Update the WordPress Contest Gallery plugin to the latest available version (at least 14.0.0)...
WordPress ShareThis Dashboard for Google Analytics plugin <= 3.1.2 - Broken Access Control vulnerability
Broken Access Control vulnerability leading to plugin settings reset discovered by Dave Jong (Patchstack) in WordPress ShareThis Dashboard for Google Analytics plugin versions <= 3.1.2. Solution: No patched version available...
WordPress Easy Video Player plugin <= 1.2.2.2 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Lana Codes in WordPress Easy Video Player plugin versions <= 1.2.2.2. Solution: Update the WordPress Easy Video Player plugin to the latest available version (at least 1.2.2.3)...
WordPress Betheme premium theme <= 26.6.1 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Dave Jong (Patchstack) in the WordPress Betheme premium theme versions <= 26.6.1. Solution: No reply from the vendor...
WordPress Ezoic plugin <= 2.8.8 - Unauthenticated Plugin Settings Change Leading To Stored XSS Vulnerability
Unauthenticated Plugin Settings Change Leading To Stored XSS Vulnerability discovered by José Aguilera (Patchstack Alliance) in the WordPress Ezoic plugin versions <= 2.8.8. Solution: Update the WordPress Ezoic plugin to the latest available version (at least 2.8.9)...
WordPress News Announcement Scroll plugin <= 8.8.8 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Mika (Patchstack Alliance) in the WordPress News Announcement Scroll plugin versions <= 8.8.8. Solution: Update the WordPress News Announcement Scroll plugin to the latest available version (at least 9.0.0)...
WordPress Betheme theme <= 26.5.1.4 - Auth. PHP Object Injection vulnerability
Auth. PHP Object Injection vulnerability discovered by Dave Jong (Patchstack) in the WordPress Betheme theme versions <= 26.5.1.4. Solution: Update the WordPress Betheme theme to the latest available version (at least 26.6)...
WordPress WP Page Builder plugin <= 1.2.8 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Vaibhav Koli in the WordPress WP Page Builder plugin versions <= 1.2.8. Solution: Deactivate and delete. This plugin has been closed as of 9. November, 2022 and is not available for download. This closure is temporary, pending a full...
WordPress Asgaros Forum plugin <= 2.1.0 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by Dhakal Ananda (Patchstack Alliance) in the WordPress Asgaros Forum plugin versions <= 2.1.0. Solution: No patched version is available. No reply from the vendor...
WordPress Quick Restaurant Reservations plugin <= 1.5.4 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by thiennv (Patchstack Alliance) in WordPress Quick Restaurant Reservations plugin versions <= 1.5.4. Solution: Update the WordPress Quick Restaurant Reservations plugin to the latest available version (at least 1.5.5)...
WordPress WP User Merger plugin <= 1.5.2 - Auth. SQL Injection (SQLi) vulnerability
Auth. SQL Injection (SQLi) vulnerability discovered by Kunal Sharma (University of Kaiserslautern) and Daniel Krohmer (Fraunhofer IESE) in the WordPress WP User Merger plugin versions <= 1.5.2. Solution: Update the WordPress WP User Merger plugin to the latest available version (at least 1.5.3)...
WordPress Event Monster plugin <= 1.1.20 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to Visitors Deletion discovered by Thura Moe Myint in the WordPress Event Monster plugin versions <= 1.1.20. Solution: Update the WordPress Event Management Tickets Booking plugin to the latest available version (at least 1.2.0)...
WordPress Advanced Coupons for WooCommerce Coupons plugin <= 4.5 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to Notice Dismissal discovered by Muhammad Daffa (Patchstack Alliance) in WordPress Advanced Coupons for WooCommerce Coupons plugin versions <= 4.5. Solution: Update the WordPress Advanced Coupons for WooCommerce Coupons plugin to the latest...
WordPress Forms by CaptainForm <= 2.5.3 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to Account Disconnect discovered by Rasi Afeef (Patchstack Alliance) in WordPress Forms by CaptainForm versions <= 2.5.3. Solution: No patched version is available. No reply from the vendor...
WordPress Api2Cart Bridge Connector plugin <= 1.1.0 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Dave Jong (Patchstack) in the WordPress Api2Cart Bridge Connector plugin versions <= 1.1.0. Solution: Update the WordPress Api2Cart Bridge Connector plugin to the latest available version (at least 1.2.0)...
WordPress Gallery with thumbnail slider plugin <= 6.0 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Gallery with thumbnail slider plugin versions <= 6.0. Solution: Update the WordPress Gallery with thumbnail slider plugin to the latest available version (at least 6.1)...
WordPress Image Zoom plugin <= 1.8.8 - Multiple Broken Access Control vulnerabilities
Multiple Broken Access Control vulnerabilities were discovered by Lana Codes (Patchstack Alliance) in the WordPress Image Zoom plugin versions <= 1.8.8. Solution: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary,...
WordPress WP Page Builder plugin <= 1.2.6 - Multiple Auth. Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Auth. Stored Cross-Site Scripting (XSS) vulnerabilities were discovered by Ngo Van Thien (Patchstack Alliance) in the WordPress WP Page Builder plugin versions <= 1.2.6. Solution: Update the WordPress WP Page Builder plugin to the latest available version (at least 1.2.7)...
WordPress Simple SEO plugin <= 1.8.12 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to Sitemap Creation/Deletion discovered by Mika (Patchstack Alliance) in WordPress Simple SEO plugin versions <= 1.8.12. Solution: Update the WordPress Simple SEO plugin to the latest available version (at least 1.8.13)...
WordPress Advanced Order Export For WooCommerce plugin <= 3.3.2 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to export file download discovered by Lana Codes (Patchstack Alliance) in WordPress Advanced Order Export For WooCommerce plugin versions <= 3.3.2. Solution: Update the WordPress Advanced Order Export For WooCommerce plugin to the latest available...
WordPress core <= 6.0.2 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability via wp-mail.php discovered by Toshitsugu Yoneyama Mitsui Bussan Secure Directions, Inc. via JPCERT in WordPress core versions <= 6.0.2. Solution: Update the WordPress to the latest available version (at least 6.0.3)...
WordPress Complianz premium plugin 6.3.3-6.3.5 - Auth. SQL Injection (SQLi) vulnerability
Auth. SQL Injection (SQLi) vulnerability discovered by Sakri Rafael Koskimies saggre in the WordPress Complianz premium plugin versions 6.3.3-6.3.5. Solution: Update the WordPress Complianz Premium plugin to the latest available version (at least 6.3.6)...
WordPress Rock Convert plugin <= 2.11.0 - Auth. Cross-Site Scripting (XSS) vulnerability
Auth. Cross-Site Scripting (XSS) vulnerability was discovered by Mika (Patchstack Alliance) in the WordPress Rock Convert plugin versions <= 2.11.0. Solution: Update the WordPress Rock Convert plugin to the latest available version (at least 3.0.0)...
WordPress Optinly plugin <= 1.0.11 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to plugin settings change discovered by ptsfence (Patchstack Alliance) in WordPress Optinly plugin <= 1.0.11. Solution: No patched version is available. No reply from the vendor...
WordPress Rock Convert plugin <= 2.10.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by José Ricardo in the WordPress Rock Convert plugin versions <= 2.10.2. Solution: Update the WordPress Rock Convert plugin to the latest available version (at least 2.11.0)...
WordPress LearnPress plugin <= 4.1.7.1 - Unauthenticated PHP Object Injection vulnerability
Unauthenticated PHP Object Injection vulnerability via REST API discovered by Nguyen Duy Quoc Khanh in the WordPress LearnPress plugin versions <= 4.1.7.1. Solution: Update the WordPress LearnPress plugin to the latest available version (at least 4.1.7.2)...
WordPress Accordions plugin <= 2.0.3 - Authenticated WordPress Options Change vulnerability
Authenticated WordPress Options Change vulnerability discovered by Vlad Vector (Patchstack) in WordPress Accordions plugin versions <= 2.0.3. Solution: Update the WordPress Accordions plugin to the latest available version (at least 2.1.0)...
WordPress Drag and Drop Multiple File Upload plugin <= 1.3.6.4 - File Upload Size Limit Bypass vulnerability
File Upload Size Limit Bypass vulnerability discovered by Sanjay Das in WordPress Drag and Drop Multiple File Upload plugin versions <= 1.3.6.4. Solution: Update the WordPress Drag and Drop Multiple File Upload – Contact Form 7 plugin to the latest available version (at least 1.3.6.5)...
WordPress GS Testimonial Slider plugin <= 1.9.6 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities were discovered by Ngo Van Thien (Patchstack Alliance) in the WordPress GS Testimonial Slider plugin versions <= 1.9.6. Solution: Update the WordPress GS Testimonial Slider plugin to the latest available version (at least 1.9.7)...
WordPress Soledad plugin <= 8.2.4 - Reflected Cross-site Scripting (XSS) vulnerability
Reflected Cross-site Scripting (XSS) vulnerability discovered by Truoc Phan in the WordPress Soledad plugin versions <= 8.2.4. Solution: Update the WordPress Soledad plugin to the latest available version (at least 8.2.5)...
WordPress History Timeline plugin <= 1.0.5 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in WordPress History Timeline plugin versions <= 1.0.5. Solution: Deactivate and delete. No reply from the vendor...
WordPress Word Search Puzzles game plugin <= 2.0.1 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities were discovered by Vlad Vector (Patchstack) in the WordPress Word Search Puzzles game plugin versions <= 2.0.1. Solution: Deactivate and delete. No reply from the vendor...
WordPress Beaver Builder plugin <= 2.5.5.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability via caption
Authenticated Stored Cross-Site Scripting (XSS) vulnerability via caption discovered by Zhouyuan Yang in WordPress Beaver Builder plugin versions <= 2.5.5.2. Solution: Update the WordPress Beaver Builder plugin to the latest available version (at least 2.5.5.3)...
WordPress Form Builder CP plugin <= 1.2.31 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Chinmay Vishwas Divekar in WordPress Form Builder CP plugin versions <= 1.2.31. Solution: Update the WordPress Form Builder CP plugin to the latest available version (at least 1.2.32)...
WordPress Accommodation System plugin <= 1.0.1 - Missing Access Control vulnerability
Missing Access Control vulnerability discovered by ptsfence (Patchstack Alliance) in WordPress Accommodation System plugin versions <= 1.0.1. Solution: Deactivate and delete. This plugin has been closed as of August 24, 2022 and is not available for download. This closure is temporary, pending a full...
WordPress Advanced Order Export For WooCommerce plugin <= 3.3.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Lucio Sá (Patchstack Alliance) in WordPress Advanced Order Export For WooCommerce plugin versions <= 3.3.1. Solution: Update the WordPress Advanced Order Export For WooCommerce plugin to the latest available version (at least 3.3.2)...
WordPress Scroll To Top plugin <= 1.4.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas in WordPress Scroll To Top plugin versions <= 1.4.0. Solution: Update the WordPress Scroll To Top plugin to the latest available version (at least 1.4.1)...
WordPress Search Exclude plugin <= 1.2.6 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Muhammad Daffa (Patchstack Alliance) in WordPress Search Exclude plugin versions <= 1.2.6. Solution: Update the WordPress Search Exclude plugin to the latest available version (at least 1.2.7)...
WordPress Directorist plugin <= 7.3.0 - Unauthenticated Email Address Disclosure vulnerability
Unauthenticated Email Address Disclosure vulnerability discovered by Krzysztof Zając in WordPress Directorist plugin versions <= 7.3.0. Solution: Update the WordPress Directorist plugin to the latest available version (at least 7.3.1)...
WordPress JoomSport plugin <= 5.2.5 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Salim Al-Wahaibi in WordPress JoomSport plugin versions <= 5.2.5. Solution: Update the WordPress JoomSport plugin to the latest available version (at least 5.2.6)...