WordPress HD Quiz plugin <= 1.8.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas in WordPress HD Quiz plugin versions <= 1.8.3. Solution: Update the WordPress HD Quiz plugin to the latest available version (at least 1.8.4)...
WordPress HM Multiple Roles plugin <= 1.2 - Arbitrary Role Change vulnerability
Arbitrary Role Change vulnerability discovered by clemorphy in WordPress HM Multiple Roles plugin versions <= 1.2. Solution: Update the WordPress HM Multiple Roles plugin to the latest available version (at least 1.3)...
WordPress WP HTML Mail plugin <= 3.0.6 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by Konan Nagashima in WordPress WP HTML Mail plugin versions <= 3.0.6. Solution: Update the WordPress WP HTML Mail plugin to the latest available version (at least 3.0.8)...
WordPress Workreap premium theme <= 2.2.1 - Unauthenticated Upload vulnerability leading to Remote Code Execution (RCE)
Unauthenticated Upload vulnerability leading to Remote Code Execution (RCE) discovered by Harald Eilertsen Jetpack in WordPress Workreap premium theme versions <= 2.2.1. Solution: Update the WordPress Workreap premium theme to the latest available version (at least 2.2.2)...
WordPress WP Google Map plugin <= 1.7.6 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Pratik Khalane in WordPress WP Google Map plugin versions <= 1.7.6. Solution: Update the WordPress WP Google Map plugin to the latest available version (at least 1.7.7)...
WordPress Popup Like box plugin <= 3.5.2 - Authenticated Blind SQL Injection (SQLi) vulnerability
Authenticated Blind SQL Injection (SQLi) vulnerability discovered by To Quang Duong in WordPress Popup Like box plugin versions <= 3.5.2. Solution: Update the WordPress Popup Like box plugin to the latest available version (at least 3.5.3)...
WordPress ProfilePress plugin <= 3.1.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Vaibhav Koli in WordPress ProfilePress plugin versions <= 3.1.7. Solution: Update the WordPress ProfilePress plugin to the latest available version (at least 3.1.8)...
WordPress DW Question & Answer plugin <= 1.5.7 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by Jerome Bruandet NinTechNet in WordPress DW Question & Answer plugin versions <= 1.5.7. Solution: 21st June 2021 - no fix available...
WordPress Jannah premium theme <= 5.4.3 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Truoc Phan in WordPress Jannah premium theme versions <= 5.4.3. Solution: Update the WordPress Jannah premium theme to the latest available version (at least 5.4.4)...
WordPress GetPaid plugin <= 2.3.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Jörg Steinsträter in WordPress GetPaid plugin versions <= 2.3.3. Solution: Update the WordPress GetPaid plugin to the latest available version (at least 2.3.4)...
WordPress Quiz And Survey Master plugin <= 7.1.17 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by renniepak in WordPress Quiz And Survey Master plugin versions <= 7.1.17. Solution: Update the WordPress Quiz And Survey Master plugin to the latest available version (at least 7.1.18)...
WordPress Ultimate Maps by Supsystic plugin <= 1.2.4 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by 0xB9 in WordPress Ultimate Maps by Supsystic plugin versions <= 1.2.4. Solution: Update the WordPress Ultimate Maps by Supsystic to the latest available version (at least 1.2.5)...
WordPress Related Posts for WordPress plugin <= 2.0.4 - Authenticated Persistent Cross-Site Scripting (XSS) vulnerability
Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered by m0ze in WordPress Related Posts for WordPress plugin versions <= 2.0.4. Solution: Update the WordPress Related Posts for WordPress plugin to the latest available version (at least 2.0.5)...
WordPress Shopello API plugin <= 2.9.0 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Frank Liauw in WordPress Shopello API plugin versions <= 2.9.0. Solution: This plugin has been closed as of April 12, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress Event Banner plugin <= 1.3 - Arbitrary File Upload vulnerability leading to Remote Code Execution (RCE)
Arbitrary File Upload vulnerability leading to Remote Code Execution (RCE) discovered by Jin Huang in WordPress Event Banner plugin versions <= 1.3. Solution: This plugin has been closed as of December 24, 2018 and is not available for download. Reason: Guideline Violation...
WordPress BuddyPress plugin <= 7.2.0 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered in WordPress BuddyPress plugin versions <= 7.2.0. Solution: Update the WordPress BuddyPress plugin to the latest available version (at least 7.2.1)...
WordPress Social Slider Feed plugin <= 1.8.4 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability
Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by purine chu in WordPress Social Slider Feed plugin versions <= 1.8.4. Solution: Update the WordPress Social Slider Feed plugin to the latest available version (at least 1.8.5)...
WordPress eventON premium plugin <= 3.0.5 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found by Mustafa GUNDOGDU b3kc4t in WordPress eventON premium plugin versions <= 3.0.5. Solution: 2020-12-01 - we were unable to find a patched version of this plugin...
WordPress <= 5.5.1 - Bypass Protected Meta That Could Lead To Arbitrary File Deletion vulnerability
Bypass Protected Meta That Could Lead To Arbitrary File Deletion vulnerability found by Slavco Mihajloski mslavco in WordPress versions <= 5.5.1. Solution: Update WordPress to the latest available version (at least 5.5.2)...
WordPress Autoptimize plugin <= 2.7.7 - Race Condition leading to Remote Code Execution (RCE) vulnerability
Race Condition leading to Remote Code Execution (RCE) vulnerability discovered by Marcin Węgłowski in WordPress Autoptimize plugin versions <= 2.7.7. Solution: Update the WordPress Autoptimize plugin to the latest available version (at least 2.7.8)...
WordPress Knight Lab Timeline plugin <= 3.6.3.0 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability (vulnerable TimelineJS library version) discovered in WordPress Knight Lab Timeline plugin versions <= 3.6.3.0. Solution: Update the WordPress Knight Lab Timeline plugin to the latest available version (at least 3.7.0.0)...
WordPress Advanced Access Manager plugin <= 6.6.1 - Authenticated Authorization Bypass and Privilege Escalation vulnerability
Authenticated Authorization Bypass and Privilege Escalation vulnerability discovered by WordFence in WordPress Advanced Access Manager plugin versions <= 6.6.1. Solution: Update the WordPress Advanced Access Manager plugin to the latest available version (at least 6.6.2)...
WordPress Appointment Booking Calendar plugin <= 1.3.34 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Daniel Monzon in WordPress Appointment Booking Calendar plugin versions <= 1.3.34. Solution: Update the WordPress Appointment Booking Calendar plugin to the latest available version (at least 1.3.35)...
WordPress Envira Photo Gallery plugin <= 1.7.6 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Fortinet in WordPress Envira Photo Gallery plugin versions <= 1.7.6. Solution: Update the WordPress Envira Photo Gallery plugin to the latest available version (at least 1.7.7)...
WordPress YITH Custom Thank You Page for Woocommerce plugin <=1.1.7 - Authenticated Settings Change (YITH Plugin Framework <=3.3.8) vulnerability
Authenticated Settings Change (YITH Plugin Framework <=3.3.8) vulnerability found by Jerome Bruandet in WordPress YITH Custom Thank You Page for Woocommerce plugin versions <=1.1.7. Solution: Update the WordPress YITH Custom Thank You Page for Woocommerce plugin to the latest available version at leas...
WordPress SlickQuiz plugin <= 1.3.7.1 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability found by Julien Ahrens in WordPress SlickQuiz plugin versions <= 1.3.7.1. Solution: 11 September 2019 - we were unable to find a patched version of this plugin...
WordPress Search Exclude plugin <= 1.2.2 - Arbitrary Settings Change vulnerability
Arbitrary Settings Change vulnerability found by Jerome Bruandet in WordPress Search Exclude plugin versions <= 1.2.2. Solution: Update the WordPress Search Exclude plugin to the latest available version (at least 1.2.4)...
WordPress Adaptive Images for WordPress plugin <= 0.6.66 - Arbitrary File Deletion vulnerability
Arbitrary File Deletion vulnerability found by Mark Gruffer in WordPress Adaptive Images for WordPress plugin versions <= 0.6.66. Solution: Update the WordPress Adaptive Images for WordPress plugin to the latest available version (at least 0.6.67)...
WordPress Custom CSS Pro plugin <= 1.0.3 - Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) vulnerabilities
Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) vulnerabilities found by Cryptography Laboratory in WordPress Custom CSS Pro plugin versions <= 1.0.3. Solution: Update the WordPress Custom CSS Pro plugin to the latest available version (at least 1.0.4)...
WordPress HTML5 Maps plugin <= 1.6.5.6 - Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) vulnerabilities
Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) vulnerabilities found by Cryptography Laboratory in WordPress HTML5 Maps plugin versions <= 1.6.5.6. Solution: Update the WordPress HTML5 Maps plugin to the latest available version (at least 1.6.5.7)...
WordPress Ninja Forms plugin <= 3.3.19 - Authenticated Open Redirect vulnerability
Authenticated Open Redirect vulnerability found by Muhammad Talha Khan in WordPress Ninja Forms plugin versions <= 3.3.19. Solution: Update the WordPress Ninja Forms plugin to the latest available version (at least 3.3.19.1)...
WordPress WF Cookie Consent plugin <=1.1.3 - Authenticated Persistent Cross-Site Scripting (XSS) vulnerability
Authenticated Persistent Cross-Site Scripting (XSS) vulnerability found by B0UG in WordPress WF Cookie Consent plugin versions <=1.1.3. Solution: Update the WordPress WF Cookie Consent plugin to the latest available version (at least 1.1.4)...
WordPress Responsive Cookie Consent plugin <=1.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability found in WordPress Responsive Cookie Consent plugin versions <=1.7. Solution: Update the WordPress Responsive Cookie Consent plugin to the latest available version (at least 1.8)...
WordPress flickrRSS plugin <=5.3.1 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found by AntsKnows in WordPress flickrRSS plugin versions <= 5.3.1. Solution: 2/7/2018 - Last time updated four years ago. No patched version is available at the moment...
WordPress Simple Download Monitor plugin <=3.5.3 - Authenticated Cross-Site Scripting (XSS) vulnerability
Authenticated Cross-Site Scripting (XSS) vulnerability found by wpl0v3r in WordPress Simple Download Monitor plugin versions <=3.5.3. Vulnerable to Cross-Site Scripting via the "sdmuploadthumbnail" parameter in an edit action to wp-admin/post.php. Solution: Update the WordPress Simple Download Monito...
WordPress WP-Testimonials plugin <=3.4.1 - SQL Injection vulnerability
WordPress WP-Testimonials plugin is prone to an SQL injection vulnerability. The vulnerability allows an authenticated user to execute arbitrary SQL commands via the "testid" parameter to wp-admin/admin.php. Solution: WordPress WP-Testimonials plugin removed from WordPress plugin directory. We suggest...
WordPress WooCommerce Plugin <= 2.6.8 - Cross Site Scripting
This plugin is prone to a cross site scripting vulnerability. It allows remote authenticated administrators to inject arbitrary code by manipulating tax-rate table values in CSV format. Solution: Update the plugin...
WordPress Heat Trackr Plugin <= 1.0 - Reflected XSS
This plugin is prone to a cross site scripting vulnerability via the /heat-trackr/heat-trackrabtestadd.php file. Solution: Update the plugin...
WordPress <= 4.5.2 - BYPASS #3
This vulnerability in WordPress 4.5.2 and previous versions allows an attacker to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors. Related records: http://db.threatpress.com/vulnerability/wordpress/wordpress-4-5-2-bypass...
WordPress Collne Welcart e-Commerce Plugin <= 1.8.2 - Session Hijacking
The Collne Welcart e-Commerce plugin allows an attacker to obtain access by leveraging knowledge of the e-mail address associated with an account. Solution: Update the plugin...
WordPress <= 2.20.9 - XSS
This vulnerability in flash/FlashMediaElement.as in MediaElement.js allows an attacker to inject arbitrary web script or HTML via the query string. Solution: Update WordPress...
WordPress <= 4.4 - Server-Side Request Forgery
This WordPress version is prone to a server-side request forgery vulnerability via a crafted address. Solution: Upgrade WordPress...
WordPress SiteMile Project Theme 2.0.9.5 - Multiple Vulnerabilities
There are multiple vulnerabilities in this theme, such as stored cross-site scripting, reflected cross-site scripting and cross-site request forgery. Solution: Upgrade the theme...
WordPress Formidable Forms Plugin <= 1.06.03 - Remote Code Execution
This plugin is prone to remote code execution because of the ofcuploadimage.php file parameters $_GET 'name' and $HTTP_RAW_POST_DATA. Solution: Update the plugin...
WordPress Jetpack Plugin <= 3.7.0 - Information Disclosure
This plugin is prone to an information disclosure vulnerability in certain hosting configurations. Solution: Update the plugin...
WordPress Recent Backups Plugin 0.7 - Arbitrary File Download
The Recent Backups plugin is prone to an arbitrary file download vulnerability because "download-file.php" does not verify that the user is logged in. It allows an attacker to download arbitrary files from the web server and obtain potentially sensitive information. Solution: Update the plugin...
WordPress Modern Tribe Eventbrite Tickets Plugin <= 3.10.1 - XSS
This vulnerability is in the Event Import page. It allows an attacker to inject arbitrary web script or HTML via the "error" parameter to wp-admin/edit.php. Solution: Update the plugin...
WordPress WP Championship Plugin <= 5.8 - Multiple SQL Injection
These vulnerabilities are in csadminusers.php. Because of these vulnerabilities, remote attackers can execute arbitrary SQL commands via the "user", "isadmin", "mail service", "mailresceipt", "stellv", "userid", "champtipp" or "tippgroup" parameters. Solution: Update the plugin...
WordPress NextGEN Gallery Plugin <= 2.0.0 - Directory Traversal
An unauthenticated POST request to a particular URI with a particular parameter lists the contents of arbitrary directories. Solution: Update the plugin...
WordPress ClickBank Affiliate Ads plugin <= 1.20 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Kaustubh G. Padwad in WordPress ClickBank Affiliate Ads plugin versions <= 1.20. Solution: Update the WordPress ClickBank Affiliate Ads plugin to the latest available version (at least 1.35)...