WordPress GPT3 AI Content Writer Plugin <= 1.8.12 is vulnerable to Cross Site Request Forgery (CSRF)
Software: GPT3 AI Content Writer; Type: Plugin; Vulnerable versions: <= 1.8.12; Fixed in: 1.8.13; OWASP Top 10: A1: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2023-51528; Patch priority: Low; CVSS severity: Low 4.3; PSID: 803ba388c710; Credits: Brandon...
WordPress Essential Real Estate Plugin <= 4.3.5 is vulnerable to Arbitrary File Upload
Software: Essential Real Estate; Type: Plugin; Vulnerable versions: <= 4.3.5; Fixed in: 4.4.0; OWASP Top 10: A1: Injection; Classification: Arbitrary File Upload; CVE: CVE-2023-6827; Patch priority: High; CVSS severity: High 9.9; PSID: 4162eb3df384; Credits: István Márton; Required privilege...
WordPress Bravo Translate Plugin <= 1.2 is vulnerable to SQL Injection
Software: Bravo Translate; Type: Plugin; Vulnerable versions: <= 1.2; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: SQL Injection; CVE: CVE-2023-49161; Patch priority: Low; CVSS severity: Low 7.6; PSID: 9e3d902f085a; Credits: Arvandy; Required privilege: Administrator; Published: 28...
WordPress JetBlocks For Elementor Plugin <= 1.3.8 is vulnerable to Cross Site Scripting (XSS)
Software: JetBlocks For Elementor; Type: Plugin; Vulnerable versions: <= 1.3.8; Fixed in: 1.3.8.1; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2023-48756; Patch priority: Medium; CVSS severity: Medium 7.1; Developer: Crocoblock; PSID: 64c07c24a704; Credits: Rafie Muhammad Patchstack...
WordPress JetWooBuilder Plugin <= 2.1.7.2 is vulnerable to Broken Access Control
Software: JetWooBuilder; Type: Plugin; Vulnerable versions: <= 2.1.7.2; Fixed in: 2.1.7.3; OWASP Top 10: A1: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2023-48760; Patch priority: Medium; CVSS severity: Medium 8.2; Developer: Crocoblock; PSID: 8b8b6528e3fb; Credits: Rafie Muhammad Patchstack...
WordPress Button Generator – easily Button Builder Plugin <= 2.3.8 is vulnerable to Cross Site Request Forgery (CSRF)
Software: Button Generator – easily Button Builder; Type: Plugin; Vulnerable versions: <= 2.3.8; Fixed in: 2.3.9; OWASP Top 10: A5: Security Misconfiguration; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2023-49155; Patch priority: Low; CVSS severity: Low 4.3; PSID: f69c6cdb268...
WordPress wpForo Forum Plugin <= 2.2.3 is vulnerable to Cross Site Scripting (XSS)
Software: wpForo Forum; Type: Plugin; Vulnerable versions: <= 2.2.3; Fixed in: 2.2.4; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2023-47872; Patch priority: Medium; CVSS severity: Medium 6.5; PSID: da62b115c79c; Credits: Jesse McNeil; Required privilege...
WordPress Elementor Addon Elements Plugin <= 1.12.7 is vulnerable to Cross Site Request Forgery (CSRF)
Software: Elementor Addon Elements; Type: Plugin; Vulnerable versions: <= 1.12.7; Fixed in: 1.12.8; OWASP Top 10: A5: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2023-4690; Patch priority: Low; CVSS severity: Low 4.3; Developer: WPVibes; PSID: 4fc8bb67050e; Credits: WordFence; Require...
WordPress VK Blocks Plugin <= 1.63.0.1 is vulnerable to Cross Site Scripting (XSS)
Software: VK Blocks; Type: Plugin; Vulnerable versions: <= 1.63.0.1; Fixed in: 1.64.0.0; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-5706; Patch priority: Low; CVSS severity: Low 6.5; PSID: 2d60e9243083; Credits: Lana Codes; Required...
WordPress Simple Tweet Plugin <= 1.4.0.2 is vulnerable to Cross Site Scripting (XSS)
Software: Simple Tweet; Type: Plugin; Vulnerable versions: <= 1.4.0.2; Fixed in: N/A; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-45767; Patch priority: Low; CVSS severity: Low 5.9; PSID: 3b30792fe2d1; Credits: Rio Darmawan; Required...
WordPress WordPress Popular Posts Plugin <= 6.3.2 is vulnerable to Cross Site Scripting (XSS)
Software: WordPress Popular Posts; Type: Plugin; Vulnerable versions: <= 6.3.2; Fixed in: 6.3.3; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2023-45607; Patch priority: Low; CVSS severity: Low 6.5; PSID: e1c445e00e39; Credits: Rafie Muhammad Patchstack...
WordPress Complete Open Graph Plugin <= 3.4.5 is vulnerable to Cross Site Scripting (XSS)
Software: Complete Open Graph; Type: Plugin; Vulnerable versions: <= 3.4.5; Fixed in: N/A; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-45010; Patch priority: Low; CVSS severity: Low 5.9; PSID: 98057f180915; Credits: Rio Darmawan; Required...
WordPress Maintenance Switch Plugin <= 1.5.2 is vulnerable to Cross Site Request Forgery (CSRF)
Software: Maintenance Switch; Type: Plugin; Vulnerable versions: <= 1.5.2; Fixed in: N/A; OWASP Top 10: A5: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2023-29235; Patch priority: Low; CVSS severity: Low 5.4; PSID: bc20c4d49d47; Credits: Elliot; Required...
WordPress WP Database Administrator Plugin <= 1.0.3 is vulnerable to SQL Injection
Software: WP Database Administrator; Type: Plugin; Vulnerable versions: <= 1.0.3; Fixed in: N/A; OWASP Top 10: A1: Injection; Classification: SQL Injection; CVE: CVE-2023-3211; Patch priority: High; CVSS severity: High 9.3; PSID: 53fe9995f076; Credits: Christiaan Swiers; Required privilege...
WordPress Ninja Forms Plugin <= 3.6.25 is vulnerable to Cross Site Scripting (XSS)
Software: Ninja Forms; Type: Plugin; Vulnerable versions: <= 3.6.25; Fixed in: 3.6.26; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-37979; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: 584a630933ad; Credits: Rafie Muhammad...
WordPress LWS Affiliation Plugin <= 2.2.6 is vulnerable to Local File Inclusion
Software: LWS Affiliation; Type: Plugin; Vulnerable versions: <= 2.2.6; Fixed in: 2.3; OWASP Top 10: A1: Injection; Classification: Local File Inclusion; CVE: CVE-2023-32297; Patch priority: High; CVSS severity: High 9; PSID: f62752ba5867; Credits: Jonas Höbenreich; Required privilege...
WordPress Google Map Shortcode Plugin <= 3.1.2 is vulnerable to Cross Site Request Forgery (CSRF)
Software: Google Map Shortcode; Type: Plugin; Vulnerable versions: <= 3.1.2; Fixed in: N/A; OWASP Top 10: A5: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2023-38396; Patch priority: Low; CVSS severity: Low 5.4; PSID: ad78bcfdec4a; Credits: thiennv; Required...
WordPress WordLive Livecall Addon for Woocommerce Plugin <= 1.2.1 is vulnerable to Cross Site Scripting (XSS)
Software: WordLive Livecall Addon for Woocommerce; Type: Plugin; Vulnerable versions: <= 1.2.1; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2023-33999; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: 59aa5946d146; Credits: Rafie...
WordPress LearnDash LMS Plugin <= 4.6.0 is vulnerable to Broken Authentication
Software: LearnDash LMS; Type: Plugin; Vulnerable versions: <= 4.6.0; Fixed in: 4.6.0.1; OWASP Top 10: A2: Broken Authentication; Classification: Broken Authentication; CVE: CVE-2023-3105; Patch priority: High; CVSS severity: High 8.8; PSID: fcee4e28c7df; Credits: István Márton; Required...
WordPress Afterpay Gateway for WooCommerce Plugin < 1.12.4 is vulnerable to SQL Injection
Software: Afterpay Gateway for WooCommerce; Type: Plugin; Vulnerable versions: < 1.12.4; Fixed in: 1.12.4; OWASP Top 10: A1: Injection; Classification: SQL Injection; CVE: CVE-2023-2744; Patch priority: Low; CVSS severity: Low 7.6; PSID: d0e7ba2b77fa; Credits: Arvandy; Required privilege...
WordPress EventPrime Plugin <= 3.0.5 is vulnerable to Cross Site Scripting (XSS)
Software: EventPrime; Type: Plugin; Vulnerable versions: <= 3.0.5; Fixed in: 3.0.6; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-35884; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: 0d78f3844de4; Credits: Le Ngoc Anh; Required...
WordPress ReviewX Plugin <= 1.6.13 is vulnerable to Privilege Escalation
Software: ReviewX; Type: Plugin; Vulnerable versions: <= 1.6.13; Fixed in: 1.6.14; OWASP Top 10: A6: Security Misconfiguration; Classification: Privilege Escalation; CVE: CVE-2023-2833; Patch priority: High; CVSS severity: High 8.8; PSID: 0ccf8a6d79e5; Credits: Lana Codes; Required privilege...
WordPress Quick/Bulk Order Form for WooCommerce Plugin <= 3.5.7 is vulnerable to Cross Site Scripting (XSS)
Software: Quick/Bulk Order Form for WooCommerce; Type: Plugin; Vulnerable versions: <= 3.5.7; Fixed in: 3.6.0; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-34170; Patch priority: Low; CVSS severity: Low 5.9; PSID: 2b935e525166; Credits...
WordPress Rating Widget Plugin <= 3.2.0 is vulnerable to Cross Site Scripting (XSS)
Software: Rating Widget; Type: Plugin; Vulnerable versions: <= 3.2.0; Fixed in: 3.2.1; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-23831; Patch priority: Low; CVSS severity: Low 6.5; Developer: Rating-Widget; PSID: c69402dd8b41; Credits: István Márton; Required...
WordPress ChatBot Plugin <= 4.4.6 is vulnerable to PHP Object Injection
Software: ChatBot; Type: Plugin; Vulnerable versions: <= 4.4.6; Fixed in: 4.4.7; OWASP Top 10: A1: Injection; Classification: PHP Object Injection; CVE: CVE-2023-1650; Patch priority: High; CVSS severity: High 5.4; PSID: 84bd0e4874e7; Credits: Erwan LR; Required privilege: Unauthenticated...
WordPress WooCommerce Payments Plugin <= 5.6.1 is vulnerable to Privilege Escalation
Software: WooCommerce Payments; Type: Plugin; Vulnerable versions: <= 5.6.1; Fixed in: 5.6.2; OWASP Top 10: A2: Broken Authentication; Classification: Privilege Escalation; CVE: CVE-2023-28121; Patch priority: High; CVSS severity: High 9.8; PSID: af825d1466e0; Credits: Michael Mazzolini...
WordPress TeraWallet – For WooCommerce Plugin <= 1.3.24 is vulnerable to Cross Site Request Forgery (CSRF)
Software: TeraWallet – For WooCommerce; Type: Plugin; Vulnerable versions: <= 1.3.24; Fixed in: 1.4.0; OWASP Top 10: A5: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2022-40198; Patch priority: Low; CVSS severity: Low 5.4; PSID: 35694eeb3788; Credits...
WordPress Royal Elementor Addons Plugin <= 1.3.59 is vulnerable to Broken Access Control
Software: Royal Elementor Addons; Type: Plugin; Vulnerable versions: <= 1.3.59; Fixed in: 1.3.60; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2022-4700; Patch priority: Medium; CVSS severity: Medium 5.4; Developer: WProyal; PSID: 423004fa0a2f; Credits: Ramuel Gall; Required...
WordPress Youtube Channel Gallery Plugin <= 2.4 is vulnerable to Cross Site Scripting (XSS)
Software: Youtube Channel Gallery; Type: Plugin; Vulnerable versions: <= 2.4; Fixed in: N/A; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2022-4783; Patch priority: Medium; CVSS severity: Medium 6.4; PSID: d89263cd84d3; Credits: István Márton...
WordPress spikes Theme < 10 is vulnerable to Arbitrary File Upload
Software: spikes; Type: Theme; Vulnerable versions: < 10; Fixed in: N/A; OWASP Top 10: A6: Security Misconfiguration; Classification: Arbitrary File Upload; CVE: CVE-2022-0316; Patch priority: High; CVSS severity: High 10; PSID: a62ccba33719; Credits: Joshua Small; Required privilege...
WordPress Directorist plugin <= 7.4.2.1 - Auth. Insecure Direct Object References (IDOR) vulnerability
Auth. Insecure Direct Object References (IDOR) vulnerability leading to arbitrary user password update discovered by cydave in the WordPress Directorist plugin (versions <= 7.4.2.1). Solution: Update the WordPress Directorist plugin to the latest available version (at least 7.4.2.2)...
WordPress Anthologize plugin <= 0.8.0 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability by Hoang Van Hiep, aka sk4rl1ghT (Patchstack Alliance), in the WordPress Anthologize plugin (versions <= 0.8.0). Solution: Update the WordPress Anthologize plugin to the latest available version (at least 0.8.1)...
WordPress WooCommerce Shipping - DPD baltic plugin <= 1.2.8 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Lana Codes in WordPress WooCommerce Shipping - DPD baltic plugin (versions <= 1.2.8). Solution: Update the WordPress DPD Baltic Shipping plugin to the latest available version (at least 1.2.11)...
WordPress Advanced WP Columns plugin <= 2.0.6 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by lucy in the WordPress Advanced WP Columns plugin (versions <= 2.0.6). Solution: Deactivate and delete. This plugin has been closed as of November 7, 2022 and is not available for download. This closure is temporary, pending a full revi...
WordPress Cyklodev WP Notify plugin <= 1.2.1 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Hoang Van Hiep, aka sk4rl1ghT (Patchstack Alliance), in the WordPress Cyklodev WP Notify plugin (versions <= 1.2.1). Solution: No patched version is available...
WordPress Checkout Field Editor for WooCommerce plugin <= 1.7.2 - Auth PHP Object Injection vulnerability
Auth PHP Object Injection vulnerability discovered by Nguyen Duy Quoc Khanh in WordPress Checkout Field Editor for WooCommerce plugin (versions <= 1.7.2). Solution: Update the WordPress Checkout Field Editor (Checkout Manager) for WooCommerce plugin to the latest available version (at least 1.8.0)...
WordPress WP User Merger plugin <= 1.5.2 - Auth. SQL Injection (SQLi) vulnerability
Auth. SQL Injection (SQLi) vulnerability discovered by Kunal Sharma (University of Kaiserslautern, Germany) and Daniel Krohmer (Fraunhofer IESE, Germany) in the WordPress WP User Merger plugin (versions <= 1.5.2). Solution: Update the WordPress WP User Merger plugin to the latest available version at least...
WordPress WatchTowerHQ plugin <= 3.6.15 - Unauth. Arbitrary File Download vulnerability
Unauth. Arbitrary File Download vulnerability discovered by Dave Jong (Patchstack) in the WordPress WatchTowerHQ plugin (versions <= 3.6.15). Solution: Update the WordPress WatchTowerHQ plugin to the latest available version (at least 3.6.16)...
WordPress Content Egg plugin <= 5.4.0 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to Autoblogging Removal discovered by Muhammad Daffa (Patchstack Alliance) in the WordPress Content Egg plugin (versions <= 5.4.0). Solution: Update the WordPress Content Egg plugin to the latest available version (at least 5.5.0)...
WordPress Booster Elite for WooCommerce premium plugin < 1.1.7 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to Checkout Files Deletion discovered by WPScan in WordPress Booster for WooCommerce premium plugin (versions < 1.1.7). Solution: Update the WordPress Booster Elite for WooCommerce plugin to the latest available version (at least 1.1.7)...
WordPress TeraWallet – For WooCommerce plugin <= 1.3.24 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by Muhammad Daffa (Patchstack Alliance) in WordPress TeraWallet – For WooCommerce plugin (versions <= 1.3.24). Solution: Update the WordPress TeraWallet – For WooCommerce plugin to the latest available version (at least 1.4.0)...
WordPress My wpdb plugin <= 2.4 - Arbitrary SQL Query via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary SQL Query via Cross-Site Request Forgery (CSRF) vulnerability discovered by Daniel Ruf in WordPress My wpdb plugin (versions <= 2.4). Solution: Update the WordPress My wpdb plugin to the latest available version (at least 2.5)...
WordPress Bricks Builder premium theme <= 1.5.3 - Auth. Arbitrary Post/Page Edition vulnerability
Auth. Arbitrary Post/Page Edition vulnerability discovered by RG in WordPress Bricks Builder premium theme (versions <= 1.5.3). Solution: Update the WordPress Bricks Builder theme to the latest available version (at least 1.5.4)...
WordPress IP Blacklist Cloud plugin <= 5.00 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Mika (Patchstack) in WordPress IP Blacklist Cloud plugin (versions <= 5.00). Solution: Deactivate and delete. This plugin has been closed as of September 28, 2022 and is not available for download. This closure is temporary, pending a fu...
WordPress ImageMagick Engine plugin <= 1.7.6 - Auth. Remote Code Execution (RCE) vulnerability
Auth. Remote Code Execution (RCE) vulnerability discovered by ABDO10 in WordPress ImageMagick Engine plugin (versions <= 1.7.6). Solution: No patched version is available. Version 1.7.6 only added a nonce token to fix the CSRF vulnerability...
WordPress WooCommerce Dropshipping premium plugin <= 4.3 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by WPScan in WordPress WooCommerce Dropshipping premium plugin (versions <= 4.3). Solution: Update the WordPress WooCommerce Dropshipping plugin to the latest available version (at least 4.4)...
WordPress Highlight Focus plugin <= 1.1 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Mariam Tariq in the WordPress Highlight Focus plugin (versions <= 1.1). Solution: Deactivate and delete. This plugin has been closed as of October 12, 2022 and is not available for download. This closure is temporary, pending a full...
WordPress AB Press Optimizer plugin <= 1.1.1 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by ptsfence (Patchstack Alliance) in WordPress AB Press Optimizer plugin (versions <= 1.1.1). Solution: No patched version is available. No reply from the vendor...
WordPress Newspaper premium theme <= 11.5.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ramon Dunker in WordPress Newspaper premium theme (versions <= 11.5.1). Solution: Update the WordPress Newspaper theme to the latest available version (at least 12)...
WordPress Automatic User Roles Switcher premium plugin <= 1.1.1 - Auth. Privilege Escalation vulnerability
Auth. Privilege Escalation vulnerability discovered by WPScan in WordPress Automatic User Roles Switcher premium plugin (versions <= 1.1.1). Solution: Update the WordPress Automatic User Roles Switcher plugin to the latest available version (at least 1.1.2)...