45958 matches found
WordPress Event List plugin <= 0.8.6 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Akash Rajendra Patil in WordPress Event List plugin versions <= 0.8.6. Solution: Deactivate and delete. This plugin has been closed as of January 31, 2022 and is not available for download. Reason: Security Issue...
WordPress DW Question & Answer Pro premium plugin <= 1.3.4 - Arbitrary Comment Edition via IDOR vulnerability
Arbitrary Comment Edition via IDOR vulnerability discovered by Brandon Roldan in WordPress DW Question & Answer Pro premium plugin versions <= 1.3.4. Solution: No patched version is available...
WordPress RSVP and Event Management plugin <= 2.7.7 - Unauthenticated Entries Export vulnerability
Unauthenticated Entries Export vulnerability discovered by Daniel Ruf in WordPress RSVP and Event Management plugin versions <= 2.7.7. Solution: Update the WordPress RSVP and Event Management plugin to the latest available version at least 2.7.8...
WordPress Migration, Backup, Staging – WPvivid plugin <= 0.9.69 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Migration, Backup, Staging – WPvivid plugin versions <= 0.9.69. Solution: Update the WordPress Migration, Backup, Staging – WPvivid plugin to the latest available version at least 0.9.70...
WordPress Insights from Google PageSpeed plugin <= 4.0.3 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Insights from Google PageSpeed plugin versions <= 4.0.3. Solution: Update the WordPress Insights from Google PageSpeed plugin to the latest available version at least 4.0.4,...
WordPress Coupon Affiliates plugin <= 4.16.4.4 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by cydave in WordPress Coupon Affiliates plugin versions <= 4.16.4.4. Solution: Update the WordPress Coupon Affiliates plugin to the latest available version at least 4.16.4.5...
WordPress Amelia plugin <= 1.0.46 - Arbitrary Appointments Update and Sensitive Data Disclosure vulnerability
Arbitrary Appointments Update and Sensitive Data Disclosure vulnerability discovered by Huli Cymetrics in WordPress Amelia plugin versions <= 1.0.46. Solution: Update the WordPress Amelia plugin to the latest available version at least 1.0.47...
WordPress WoowGallery – image gallery / content gallery / ecommerce gallery / social gallery / video gallery / album photo gallery plugin <= 1.1.8 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress WoowGallery – image gallery / content gallery / ecommerce gallery / social gallery / video gallery / album photo gallery plugin versions <= 1.1.8. Solution: Update the WordPress WoowGallery – image gallery / content gallery /...
WordPress License Manager for WooCommerce plugin <= 2.2.5 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress License Manager for WooCommerce plugin versions <= 2.2.5. Solution: Update the WordPress License Manager for WooCommerce plugin to the latest available version at least 2.2.6...
WordPress WP-HR Manager: The Human Resources Plugin for WordPress plugin < 3.0.3 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress WP-HR Manager: The Human Resources Plugin for WordPress plugin versions < 3.0.3. Solution: Update the WordPress WP-HR Manager: The Human Resources Plugin for WordPress plugin to the latest available versi...
WordPress RevivePress – Keep your Old Content Evergreen plugin < 1.3.1 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress RevivePress – Keep your Old Content Evergreen plugin versions < 1.3.1. Solution: Update the WordPress RevivePress – Keep your Old Content Evergreen plugin to the latest available version at least 1.3.1...
WordPress Kunze Law plugin <= 1.9 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by fuzzyap1 in WordPress Kunze Law plugin versions <= 1.9. Solution: Update the WordPress Kunze Law plugin to the latest available version at least 2.1...
WordPress Spiffy Calendar plugin <= 4.9.0 - Edit/Delete event via IDOR vulnerability
Edit/Delete event via IDOR vulnerability discovered in WordPress Spiffy Calendar plugin versions <= 4.9.0 by Ex.Mi Patchstack. Solution: Update the WordPress Spiffy Calendar plugin to the latest available version at least 4.9.1...
WordPress Yasr – Yet Another Stars Rating plugin <= 2.9.9 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability discovered by ThuraMoeMyint Patchstack Red Team project in WordPress Yasr – Yet Another Stars Rating plugin versions <= 2.9.9. Solution: Update the WordPress Yasr – Yet Another Stars Rating plugin to the latest available version at least 3.0.0...
WordPress WP Extra File Types plugin <= 0.5 - Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by JrXnm in WordPress WP Extra File Types plugin versions <= 0.5. Solution: Update the WordPress WP Extra File Types plugin to the latest available version at least 0.5.1...
WordPress myCred plugin <= 2.3.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress myCred plugin versions <= 2.3.2. Solution: Update the WordPress myCred plugin to the latest available version at least 2.4...
WordPress WP Post Page Clone plugin <= 1.1 - Unauthorized Post Access vulnerability
Unauthorized Post Access vulnerability discovered by apple502j in WordPress WP Post Page Clone plugin versions <= 1.1. Solution: Update the WordPress WP Post Page Clone plugin to the latest available version at least 1.2...
WordPress The100 theme <= 1.1.2 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite Patchstack Red Team project in WordPress The100 theme versions <= 1.1.2. This theme uses a vulnerable piece of code related to previously identified vulnerability - CVE-2021-39317. Solution: Deactivate and delete. The vendor ignores the...
WordPress Asgaros Forum plugin <= 1.15.14 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by Trang LKB in WordPress Asgaros Forum plugin versions <= 1.15.14. Solution: Update the WordPress Asgaros Forum plugin to the latest available version at least 1.15.15...
WordPress Smart Coupons for WooCommerce plugin <= 1.3.5 - Authenticated SQL injection (SQLi) vulnerability
Authenticated SQL injection (SQLi) vulnerability discovered in WordPress Smart Coupons for WooCommerce plugin versions <= 1.3.5. Solution: Update the WordPress Smart Coupons for WooCommerce plugin to the latest available version at least 1.3.6...
WordPress .htaccess Redirect plugin <= 0.3.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress .htaccess Redirect plugin versions <= 0.3.1. Solution: Deactivate and delete. This plugin has been closed as of December 3, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress AMP for WP – Accelerated Mobile Pages plugin <= 1.0.77.31 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Tien Nguyen Anh vigov5 in WordPress AMP for WP – Accelerated Mobile Pages plugin versions <= 1.0.77.31. Solution: Update the WordPress AMP for WP – Accelerated Mobile Pages plugin to the latest available version at least...
WordPress RegistrationMagic plugin <= 5.0.1.7 - Authentication Bypass vulnerability
Authentication Bypass vulnerability discovered by Marco Wotschka and Chloe Chamberland in WordPress RegistrationMagic plugin versions <= 5.0.1.7. Solution: Update the WordPress RegistrationMagic plugin to the latest available version at least 5.0.1.8...
WordPress Chaty plugin <= 2.8.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Chaty plugin versions <= 2.8.2. Solution: Update the WordPress Chaty plugin to the latest available version at least 2.8.3...
WordPress OMGF | Host Google Fonts Locally plugin <= 4.5.11 - Arbitrary Folder Deletion via Path Traversal vulnerability
Arbitrary Folder Deletion via Path Traversal vulnerability discovered by José Aguilera in WordPress OMGF | Host Google Fonts Locally plugin versions <= 4.5.11. Solution: Update the WordPress OMGF | Host Google Fonts Locally plugin to the latest available version at least 4.5.12...
WordPress SportsPress – Sports Club & League Manager plugin <= 2.7.8 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by iohex in WordPress SportsPress – Sports Club & League Manager plugin versions <= 2.7.8. Solution: Update the WordPress SportsPress – Sports Club & League Manager plugin to the latest available version at least 2.7.9...
WordPress All-in-One Video Gallery plugin <= 2.4.9 - Local File Inclusion (LFI) vulnerability
Local File Inclusion (LFI) vulnerability discovered by Mohamed Magdy AbuMuslim in WordPress All-in-One Video Gallery plugin versions <= 2.4.9. Solution: Update the WordPress All-in-One Video Gallery plugin to the latest available version at least 2.5.0...
WordPress Auto Featured Image (Auto Post Thumbnail) plugin <= 3.9.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress Auto Featured Image (Auto Post Thumbnail) plugin versions <= 3.9.2. Solution: Update the WordPress Auto Featured Image (Auto Post Thumbnail) plugin to the latest available version at least 3.9.3...
WordPress WP Reset PRO Premium Plugin <= 5.98 - Cross-Site Request Forgery (CSRF) vulnerability leading to Database Reset
Cross-Site Request Forgery (CSRF) vulnerability discovered by Dave Jong Patchstack in WordPress WP Reset PRO premium plugin versions <= 5.98. Solution: Update the WordPress WP Reset PRO premium plugin to the latest available version at least v5.99...
WordPress Get Custom Field Values plugin <= 4.0 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Francesco Carlucci in WordPress Get Custom Field Values plugin versions <= 4.0. Solution: Update the WordPress Get Custom Field Values plugin to the latest available version at least 4.0.1...
WordPress Ninja Tables plugin <= 4.1.7 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Akash Rajendra Patil in WordPress Ninja Tables plugin versions <= 4.1.7. Solution: Update the WordPress Ninja Tables plugin to the latest available version at least 4.1.8...
WordPress Shared Files plugin <= 1.6.60 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Mika in WordPress Shared Files plugin versions <= 1.6.60. Solution: Update the WordPress Shared Files plugin to the latest available version at least 1.6.61...
WordPress LearnPress plugin <= 4.1.3.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Thinkland Security Team in WordPress LearnPress plugin versions <= 4.1.3.1. Solution: Update the WordPress LearnPress plugin to the latest available version at least 4.1.3.2...
WordPress MPL-Publisher – Self-publish your book & ebook plugin <= 1.30.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Thinkland Security Team in WordPress MPL-Publisher – Self-publish your book & ebook plugin versions <= 1.30.2. Solution: Update the WordPress MPL-Publisher – Self-publish your book & ebook plugin to the latest available versi...
WordPress WPSchoolPress plugin <= 2.1.16 - Multiple Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Stored Cross-Site Scripting (XSS) vulnerabilities were discovered by Davide Taraschi in the WordPress WPSchoolPress plugin versions <= 2.1.16. Solution: Update the WordPress WPSchoolPress plugin to the latest available version at least 2.1.17...
WordPress Batch Cat plugin <= 0.3 - Arbitrary Categories Add/Set/Delete to Posts vulnerability
Arbitrary Categories Add/Set/Delete to Posts vulnerability discovered by Quentin VILLAIN 3wsec in WordPress Batch Cat plugin versions <= 0.3. Solution: Deactivate and delete. This plugin has been closed as of September 24, 2021 and is not available for download. This closure is temporary, pending a...
WordPress Game Server Status plugin <= 1.0 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by Neppah in WordPress Game Server Status plugin versions <= 1.0. Solution: Deactivate and delete. This plugin has been closed as of August 20, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress MainWP Child Reports plugin <= 2.0.7 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by bl4derunner in WordPress MainWP Child Reports plugin versions <= 2.0.7. Solution: Update the WordPress MainWP Child Reports plugin to the latest available version at least 2.0.8...
WordPress Essential Widgets plugin <= 1.8 - Unauthorized Plugin Setting Change vulnerability
Unauthorized Plugin Setting Change vulnerability discovered by apple502j in WordPress Essential Widgets plugin versions <= 1.8. Solution: Update the WordPress Essential Widgets plugin to the latest available version at least 1.9...
WordPress LearnPress plugin <= 4.1.3 - Multiple Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Stored Cross-Site Scripting (XSS) vulnerabilities were discovered by Shivam Rai in the WordPress LearnPress plugin versions <= 4.1.3. Solution: Update the WordPress LearnPress plugin to the latest available version at least 4.1.3.1...
WordPress Coming soon and Maintenance mode plugin <= 3.5.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas in WordPress Coming soon and Maintenance mode plugin versions <= 3.5.2. Solution: Update the WordPress Coming soon and Maintenance mode plugin to the latest available version at least 3.5.3...
WordPress SMS OVH plugin <= 0.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress SMS OVH plugin versions <= 0.1. Solution: This plugin has been closed as of August 24, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress Woocommerce Payment Gateway per Category plugin <= 2.0.10 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress Woocommerce Payment Gateway per Category plugin versions <= 2.0.10. Solution: This plugin has been closed as of September 7, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress Timetable and Event Schedule by MotoPress plugin <= 2.4.1 - Unauthorized Event TimeSlot Deletion vulnerability
Unauthorized Event TimeSlot Deletion vulnerability discovered by dc11 in WordPress Timetable and Event Schedule by MotoPress plugin versions <= 2.4.1. Solution: Update the WordPress Timetable and Event Schedule by MotoPress plugin to the latest available version at least 2.4.2...
WordPress PostX – Gutenberg Blocks for Post Grid plugin <= 2.4.9 - Missing Access Controls vulnerability
Missing Access Controls vulnerability discovered by apple502j in WordPress PostX – Gutenberg Blocks for Post Grid plugin versions <= 2.4.9. Solution: Update the WordPress PostX – Gutenberg Blocks for Post Grid plugin to the latest available version at least 2.4.10...
WordPress 2Way VideoCalls and Random Chat – HTML5 Webcam Videochat plugin <= 5.2.7 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress 2Way VideoCalls and Random Chat – HTML5 Webcam Videochat plugin versions <= 5.2.7. Solution: Update WordPress 2Way VideoCalls and Random Chat – HTML5 Webcam Videochat plugin to the latest available version at least 5.2...
WordPress Smart Email Alerts plugin <= 1.0.10 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress Smart Email Alerts plugin versions <= 1.0.10. Solution: This plugin has been closed as of August 12, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress Titan Framework plugin <= 1.12.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by iohex and WPScanTeam in WordPress Titan Framework plugin versions <= 1.12.1. Solution: This plugin has been closed as of March 16, 2021 and is not available for download. This closure is permanent. Reason: Author Request...
WordPress Absolutely Glamorous Custom Admin plugin <= 6.8 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Jörgson Patchstack Red Team in WordPress Absolutely Glamorous Custom Admin plugin versions <= 6.8. Solution: Update the WordPress Absolutely Glamorous Custom Admin plugin to the latest available version at least 6.9, addition...
WordPress WordPress Download Manager plugin <= 3.1.24 - Authenticated File Upload vulnerability
Authenticated File Upload vulnerability discovered by Ramuel Gall WordFence in WordPress WordPress Download Manager plugin versions <= 3.1.24. Solution: Update the WordPress WordPress Download Manager plugin to the latest available version at least 3.1.25...