WordPress My Calendar plugin <= 3.3.16 - Unauthenticated Open Redirect vulnerability
Unauthenticated Open Redirect vulnerability discovered by Dan Kegel in WordPress My Calendar plugin (versions <= 3.3.16). Solution: Update the WordPress My Calendar plugin to the latest available version (at least 3.3.17)...
WordPress WP Sticky Button plugin <= 1.4.0 - Unauthenticated Arbitrary Settings Update vulnerability leading to Stored Cross-Site Scripting (XSS)
Unauthenticated Arbitrary Settings Update vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by Krzysztof Zając in WordPress WP Sticky Button plugin (versions <= 1.4.0). Solution: Update the WordPress WP Sticky Button – Click to Chat plugin to the latest available version at least...
WordPress Floating Div plugin <= 3.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien Patchstack Alliance in WordPress Floating Div plugin (versions <= 3.0). Solution: No patched version available...
WordPress Feed Them Social plugin <= 2.9.9 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by dc11 in WordPress Feed Them Social plugin (versions <= 2.9.9). Solution: Update the WordPress Feed Them Social plugin to the latest available version (at least 3.0.1)...
WordPress WP Coder plugin <= 2.5.2 - Code Deletion via Cross-Site Request Forgery (CSRF) vulnerability
Code Deletion via Cross-Site Request Forgery (CSRF) vulnerability discovered by Krzysztof Zając in WordPress WP Coder plugin (versions <= 2.5.2). Solution: Update the WordPress WP Coder plugin to the latest available version (at least 2.5.3)...
WordPress WPGraphQL WooCommerce plugin <= 0.11.0 - Unauthenticated Coupon Codes Disclosure vulnerability
Unauthenticated Coupon Codes Disclosure vulnerability discovered by Rohan Pagey in WordPress WPGraphQL WooCommerce plugin (versions <= 0.11.0). Solution: No patched version available...
WordPress Elementor Contact Form DB <= 1.7 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by ZhongFu Su aka JrXnm WuHan University in WordPress Elementor Contact Form DB (versions <= 1.7). Solution: Update the WordPress Elementor Contact Form DB plugin to the latest available version (at least 1.8)...
WordPress Auto More Tag plugin <= 4.0.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Vinay Varma Mudunuri, Krishna Harsha Kondaveeti in WordPress Auto More Tag plugin (versions <= 4.0.0). Solution: Deactivate and delete. This plugin has been closed as of July 14, 2022 and is not available for download. This...
WordPress WP DS Blog Map plugin <= 3.1.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Vinay Varma Mudunuri, Krishna Harsha Kondaveeti in WordPress WP DS Blog Map plugin (versions <= 3.1.3). Solution: Deactivate and delete. This plugin has been closed as of July 15, 2022 and is not available for download. This...
WordPress DW Promobar plugin <= 1.0.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Vinay Varma Mudunuri, Krishna Harsha Kondaveeti in WordPress DW Promobar plugin (versions <= 1.0.4). Solution: Deactivate and delete. This plugin has been closed as of July 15, 2022 and is not available for download. This closu...
WordPress GiveWP plugin <= 2.21.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Raad Haddad in WordPress GiveWP plugin (versions <= 2.21.2). Solution: Update the WordPress GiveWP plugin to the latest available version (at least 2.21.3)...
WordPress YOP Poll plugin <= 6.4.2 - IP Spoofing vulnerability
IP Spoofing vulnerability discovered by Daniel Ruf in WordPress YOP Poll plugin (versions <= 6.4.2). Solution: Update the WordPress YOP Poll plugin to the latest available version (at least 6.4.3)...
WordPress Popups plugin <= 1.9.3.8 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Raad Haddad in WordPress Popups plugin (versions <= 1.9.3.8). Solution: Deactivate and delete. This plugin has been closed as of July 5, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Microsoft Advertising Universal Event Tracking (UET) plugin <= 1.0.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Chowdhury Faizal Ahammed in WordPress Microsoft Advertising Universal Event Tracking (UET) plugin (versions <= 1.0.3). Solution: Update the WordPress Microsoft Advertising Universal Event Tracking (UET) plugin to the latest availab...
WordPress FreeMind WP Browser <= 1.2 - Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS) discovered by Kenya Uematsu in WordPress FreeMind WP Browser (versions <= 1.2). Solution: Deactivate and delete. This plugin has been closed as of June 30, 2022 and is not available for download. This closure is...
WordPress Name Directory plugin <= 1.25.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Donato Di Pasquale in WordPress Name Directory plugin (versions <= 1.25.2). Solution: Update the WordPress Name Directory plugin to the latest available version (at least 1.25.3)...
WordPress Simple Post Notes plugin <= 1.7.5 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Sachin Kumar eSec Forte Technologies Pvt Ltd in WordPress Simple Post Notes plugin (versions <= 1.7.5). Solution: Update the WordPress Simple Post Notes plugin to the latest available version (at least 1.7.6)...
WordPress OAuth Single Sign On – SSO (OAuth Client) plugin <= 6.22.5 - Authentication Bypass vulnerability
Authentication Bypass vulnerability discovered by Lana Codes in WordPress OAuth Single Sign On – SSO (OAuth Client) plugin (versions <= 6.22.5). Solution: Update the WordPress OAuth Single Sign On – SSO (OAuth Client) plugin to the latest available version (at least 6.22.6)...
WordPress Brizy Page Builder plugin <= 2.4.1 - Authenticated Stored Cross-Site Scripting (XSS) via Element Content
Authenticated Stored Cross-Site Scripting (XSS) via Element Content discovered by Vishnupriya Ilango in WordPress Brizy Page Builder plugin (versions <= 2.4.1). Solution: Update the WordPress Brizy – Page Builder plugin to the latest available version (at least 2.4.2)...
WordPress WooCommerce PDF Invoices & Packing Slips plugin <= 2.15.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by ZhongFu Su aka JrXnm WuHan University in WordPress WooCommerce PDF Invoices & Packing Slips plugin (versions <= 2.15.0). Solution: Update the WordPress WooCommerce PDF Invoices & Packing Slips plugin to the latest available version at lea...
WordPress GiveWP plugin <= 2.20.2 - Donor Information Disclosure vulnerability
Donor Information Disclosure vulnerability discovered by Kane Gamble Blackfoot UK in WordPress GiveWP plugin (versions <= 2.20.2). Solution: Update the WordPress GiveWP plugin to the latest available version (at least 2.21.0)...
WordPress Sharebar plugin <= 1.4.1 - Arbitrary Settings Update to Stored XSS via CSRF vulnerability
Arbitrary Settings Update to Stored XSS via CSRF vulnerability discovered by Daniel Ruf in WordPress Sharebar plugin (versions <= 1.4.1). Solution: Deactivate and delete. This plugin has been closed as of June 14, 2022 and is not available for download. This closure is temporary, pending a full revie...
WordPress Product Configurator for WooCommerce plugin <= 1.2.31 - Unauthenticated Arbitrary File Deletion vulnerability
Unauthenticated Arbitrary File Deletion vulnerability discovered by cydave in WordPress Product Configurator for WooCommerce plugin (versions <= 1.2.31). Solution: Update the WordPress Product Configurator for WooCommerce plugin to the latest available version (at least 1.2.32)...
WordPress Google XML Sitemaps plugin <= 4.1.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress Google XML Sitemaps plugin (versions <= 4.1.2). Solution: Update the WordPress Google XML Sitemaps plugin to the latest available version (at least 4.1.3)...
WordPress Travel Management plugin <= 2.0 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities were discovered by Ngo Van Thien Patchstack Alliance in the WordPress Travel Management plugin (versions <= 2.0). Solution: Deactivate and delete. This plugin has been closed as of May 6, 2022 and is not available for download. Th...
WordPress Ocean Extra plugin <= 1.9.4 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress Ocean Extra plugin (versions <= 1.9.4). Solution: Update the WordPress Ocean Extra plugin to the latest available version (at least 1.9.5)...
WordPress Auto Delete Posts plugin <= 1.3.0 - Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability discovered by Daniel Ruf in WordPress Auto Delete Posts plugin (versions <= 1.3.0). Solution: Deactivate and delete. This plugin has been closed as of May 18, 2022 and is not available for download. This closure is temporary,...
WordPress Slideshow CK plugin <= 1.4.9 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Fayçal CHENA in WordPress Slideshow CK plugin (versions <= 1.4.9). Solution: Update the WordPress Slideshow CK plugin to the latest available version (at least 1.4.10)...
WordPress HC Custom WP-Admin URL plugin <= 1.4 - Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability discovered by Daniel Ruf in WordPress HC Custom WP-Admin URL plugin (versions <= 1.4). Solution: Deactivate and delete. This plugin has been closed as of May 5, 2022 and is not available for download. This closure is temporar...
WordPress Code Snippets Extended plugin <= 1.4.7 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by BEE-K Patchstack in WordPress Code Snippets Extended plugin (versions <= 1.4.7). Solution: Deactivate and delete. No patched version is available. No reply from the vendor...
WordPress Photo Gallery plugin <= 1.6.3 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by 0ppr2s in WordPress Photo Gallery plugin (versions <= 1.6.3). Solution: Update the WordPress Photo Gallery plugin to the latest available version (at least 1.6.4)...
WordPress Ask Me premium theme < 6.8.2 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in AJAX Actions
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in AJAX Actions were discovered by WPScanTeam in WordPress Ask Me premium theme (versions < 6.8.2). Solution: Update the WordPress Ask Me premium theme to the latest available version (at least 6.8.2)...
WordPress WP Born Babies plugin <= 1.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Wejdan Alomari in WordPress WP Born Babies plugin (versions <= 1.0). Solution: Deactivate and delete. This plugin has been closed as of April 27, 2022 and is not available for download. This closure is temporary, pending a full...
WordPress Files Download Delay plugin <= 1.0.6 - Subscriber+ Settings Reset vulnerability
Subscriber+ Settings Reset vulnerability discovered by Daniel Ruf in WordPress Files Download Delay plugin (versions <= 1.0.6). Solution: Update the WordPress Files Download Delay plugin to the latest available version (at least 1.0.7)...
WordPress Smush plugin <= 3.9.8 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Taurus Omar in WordPress Smush plugin (versions <= 3.9.8). Solution: Update the WordPress Smush plugin to the latest available version (at least 3.9.9)...
WordPress Breeze plugin <= 2.0.2 - Plugin Settings Change leading to Cross-Site Scripting (XSS) vulnerability
Plugin Settings Change leading to Cross-Site Scripting (XSS) vulnerability discovered by Dave Jong Patchstack in WordPress Breeze plugin (versions <= 2.0.2). Solution: Update the WordPress Breeze plugin to the latest available version (at least 2.0.3)...
WordPress Countdown & Clock plugin <= 2.4.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Jeong Wonjun aka Pongchi Patchstack Alliance in WordPress Countdown & Clock plugin (versions <= 2.4.7). Solution: No patched version is available...
WordPress WP YouTube Live plugin <= 1.8.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Vinay Varma Mudunuri and Krishna Harsha Kondaveeti in WordPress WP YouTube Live plugin (versions <= 1.8.2). Solution: Update the WordPress WP YouTube Live plugin to the latest available version (at least 1.8.3)...
WordPress Advanced Uploader plugin <= 4.2 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Roel van Beurden in WordPress Advanced Uploader plugin (versions <= 4.2). Solution: Deactivate and delete. This plugin has been closed as of March 28, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress eRoom plugin <= 1.3.7 - Cross-Site Request Forgery (CSRF) vulnerability leading to Sync with Zoom Meetings
Cross-Site Request Forgery (CSRF) vulnerability leading to Sync with Zoom Meetings discovered by Ex.Mi Patchstack in WordPress eRoom plugin (versions <= 1.3.7). Solution: Update the WordPress eRoom plugin to the latest available version (at least 1.3.8)...
WordPress Event List plugin <= 0.8.6 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Akash Rajendra Patil in WordPress Event List plugin (versions <= 0.8.6). Solution: Deactivate and delete. This plugin has been closed as of January 31, 2022 and is not available for download. Reason: Security Issue...
WordPress DW Question & Answer Pro premium plugin <= 1.3.4 - Arbitrary Comment Edition via IDOR vulnerability
Arbitrary Comment Edition via IDOR vulnerability discovered by Brandon Roldan in WordPress DW Question & Answer Pro premium plugin (versions <= 1.3.4). Solution: No patched version is available...
WordPress RSVP and Event Management plugin <= 2.7.7 - Unauthenticated Entries Export vulnerability
Unauthenticated Entries Export vulnerability discovered by Daniel Ruf in WordPress RSVP and Event Management plugin (versions <= 2.7.7). Solution: Update the WordPress RSVP and Event Management plugin to the latest available version (at least 2.7.8)...
WordPress Migration, Backup, Staging – WPvivid plugin <= 0.9.69 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Migration, Backup, Staging – WPvivid plugin (versions <= 0.9.69). Solution: Update the WordPress Migration, Backup, Staging – WPvivid plugin to the latest available version (at least 0.9.70)...
WordPress Insights from Google PageSpeed plugin <= 4.0.3 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Insights from Google PageSpeed plugin (versions <= 4.0.3). Solution: Update the WordPress Insights from Google PageSpeed plugin to the latest available version at least 4.0.4,...
WordPress Coupon Affiliates plugin <= 4.16.4.4 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by cydave in WordPress Coupon Affiliates plugin (versions <= 4.16.4.4). Solution: Update the WordPress Coupon Affiliates plugin to the latest available version (at least 4.16.4.5)...
WordPress Amelia plugin <= 1.0.46 - Arbitrary Appointments Update and Sensitive Data Disclosure vulnerability
Arbitrary Appointments Update and Sensitive Data Disclosure vulnerability discovered by Huli Cymetrics in WordPress Amelia plugin (versions <= 1.0.46). Solution: Update the WordPress Amelia plugin to the latest available version (at least 1.0.47)...
WordPress AI Mojo – GPT-3 Playground for WordPress plugin < 0.2.5 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress AI Mojo – GPT-3 Playground for WordPress plugin (versions < 0.2.5). Solution: Update the WordPress AI Mojo – GPT-3 Playground for WordPress plugin to the latest available version (at least 0.2.5)...
WordPress WoowGallery – image gallery / content gallery / ecommerce gallery / social gallery / video gallery / album photo gallery plugin <= 1.1.8 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress WoowGallery – image gallery / content gallery / ecommerce gallery / social gallery / video gallery / album photo gallery plugin (versions <= 1.1.8). Solution: Update the WordPress WoowGallery – image gallery / content gallery /...
WordPress License Manager for WooCommerce plugin <= 2.2.5 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress License Manager for WooCommerce plugin (versions <= 2.2.5). Solution: Update the WordPress License Manager for WooCommerce plugin to the latest available version (at least 2.2.6)...