WordPress Rara One Click Demo Import plugin <= 1.2.9 - Cross-Site Request Forgery (CSRF) leads to Arbitrary File Upload vulnerability
Cross-Site Request Forgery (CSRF) leads to Arbitrary File Upload vulnerability discovered in Rara One Click Demo Import plugin versions <= 1.2.9 by BEE-K. Solution: Update the WordPress Rara One Click Demo Import plugin to the latest available version (at least 1.3.0)...
WordPress Bulk Edit and Create User Profiles – WP Sheet Editor plugin <= 1.5.13 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Ankur Bakre in WordPress Bulk Edit and Create User Profiles – WP Sheet Editor plugin versions <= 1.5.13. Solution: Update the WordPress Bulk Edit and Create User Profiles – WP Sheet Editor plugin to the latest available version at least...
WordPress th23 Social plugin <= 1.2.0 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Ankur Bakre in WordPress th23 Social plugin versions <= 1.2.0. Solution: Deactivate and delete. This plugin has been closed as of March 24, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Ubigeo de Perú plugin <= 3.6.3 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress Ubigeo de Perú plugin versions <= 3.6.3. Solution: Update the WordPress Ubigeo de Perú plugin to the latest available version (at least 3.6.4)...
WordPress WP Social Buttons plugin <= 2.1 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Niraj Mahajan in WordPress WP Social Buttons plugin versions <= 2.1. Solution: Deactivate and delete. This plugin has been closed as of March 22, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Advanced Page Visit Counter <= 6.1.5 - Blind SQL Injection (SQLi) vulnerability
Blind SQL Injection (SQLi) vulnerability discovered by Krzysztof Zając in WordPress Advanced Page Visit Counter versions <= 6.1.5. Solution: Update the WordPress Advanced Page Visit Counter – Most Advanced WordPress Visit Counter Plugin to the latest available version (at least 6.1.6)...
WordPress Daily Prayer Time plugin <= 2021.10.29 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress Daily Prayer Time plugin versions <= 2021.10.29. Solution: Update the WordPress Daily Prayer Time plugin to the latest available version (at least 2022.03.01)...
WordPress Simple Event Planner plugin <= 1.5.4 - Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities
Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities discovered by Ex.Mi Patchstack in WordPress Simple Event Planner plugin versions <= 1.5.4. Solution: Update the WordPress Simple Event Planner plugin to the latest available version (at least 1.5.5)...
WordPress Export All URLs plugin <= 4.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas in WordPress Export All URLs plugin versions <= 4.1. Solution: Update the WordPress Export All URLs plugin to the latest available version (at least 4.2)...
WordPress Wow Countdowns plugin <= 3.1.2 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by 0xdecafbad in WordPress Wow Countdowns plugin versions <= 3.1.2. Solution: Deactivate and delete. This plugin has been closed as of January 18, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Checkout with Zelle on Woocommerce plugin <= 1.0 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Checkout with Zelle on Woocommerce plugin versions <= 1.0. Solution: Update the WordPress Checkout with Zelle on Woocommerce plugin to the latest available version (at least 2.0)...
WordPress Projectopia – WordPress Project Management Plugin plugin < 5.0.7 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Projectopia – WordPress Project Management Plugin plugin versions < 5.0.7. Solution: Update the WordPress Projectopia – WordPress Project Management Plugin plugin to the latest available version (at least 5.0.7)...
WordPress Dreamfox Media Payment gateway per Product for Woocommerce plugin < 3.1.6 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Dreamfox Media Payment gateway per Product for Woocommerce plugin versions < 3.1.6. Solution: Update the WordPress Dreamfox Media Payment gateway per Product for Woocommerce plugin to the latest available version (at least 3.1.6)...
WordPress Download Woocommerce Category Banner Management plugin <= 2.2.2 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Download Woocommerce Category Banner Management plugin versions <= 2.2.2. Solution: Update the WordPress Download Woocommerce Category Banner Management plugin to the latest available version (at least 2.2.3)...
WordPress Premmerce Product Filter for WooCommerce plugin <= 3.6.1 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Premmerce Product Filter for WooCommerce plugin versions <= 3.6.1. Solution: Update the WordPress Premmerce Product Filter for WooCommerce plugin to the latest available version (at least 3.6.2)...
WordPress DIVI Enhancer – DIVI Modules and Options plugin <= 5.0.9 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress DIVI Enhancer – DIVI Modules and Options plugin versions <= 5.0.9. Solution: No patched version available...
WordPress Simple Membership plugin <= 4.0.9 - Arbitrary Transaction Deletion via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Transaction Deletion via Cross-Site Request Forgery (CSRF) vulnerability discovered by Muhamad Hidayat in WordPress Simple Membership plugin versions <= 4.0.9. Solution: Update the WordPress Simple Membership plugin to the latest available version (at least 4.1.0)...
WordPress Advanced Contact form 7 DB plugin <= 1.8.6 - Arbitrary File Deletion vulnerability
Arbitrary File Deletion vulnerability discovered by Krzysztof Zając in WordPress Advanced Contact form 7 DB plugin versions <= 1.8.6. Solution: Update the WordPress Advanced Contact form 7 DB plugin to the latest available version (at least 1.8.7)...
WordPress Product Feed PRO for WooCommerce plugin <= 11.2.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered in WordPress Product Feed PRO for WooCommerce plugin versions <= 11.2.1. Solution: Update the WordPress Product Feed PRO for WooCommerce plugin to the latest available version (at least 11.2.2)...
WordPress WPvivid Backup and Migration Plugin <= 0.9.68 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress WPvivid Backup and Migration Plugin versions <= 0.9.68. Solution: Update the WordPress WPvivid Backup and Migration Plugin to the latest available version (at least 0.9.69)...
WordPress WP Email Users plugin <= 1.7.6 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by Krzysztof Zając in WordPress WP Email Users plugin versions <= 1.7.6. Solution: Deactivate and delete. This plugin has been closed as of January 31, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress WP Google Map plugin <= 1.8.3 - Arbitrary Post Deletion and Plugin's Settings Update via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Post Deletion and Plugin's Settings Update via Cross-Site Request Forgery (CSRF) vulnerability discovered by Krzysztof Zając in WordPress WP Google Map plugin versions <= 1.8.3. Solution: Update the WordPress WP Google Map plugin to the latest available version (at least 1.8.4)...
WordPress Price Table plugin <= 0.2.2 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien in WordPress Price Table plugin versions <= 0.2.2. Solution: Deactivate and delete. This plugin has been closed as of January 27, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress WordPress GDPR & CCPA premium plugin <= 1.9.25 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability
Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ace Candelario @0xspade and Victor Paynat-Sautivet 3DS Outscale SOC in WordPress WordPress GDPR & CCPA premium plugin versions <= 1.9.25. Solution: Update the WordPress WordPress GDPR & CCPA premium plugin to the latest...
WordPress Security Audit plugin <= 1.0.0 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Shweta Mahajan in WordPress Security Audit plugin versions <= 1.0.0. Solution: Deactivate and delete. This plugin has been closed as of November 15, 2021 and is not available for download. Reason: Security Issue...
WordPress Access Demo Importer plugin <= 1.0.7 - Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary Plugin Activation
Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary Plugin Activation discovered by Ex.Mi Patchstack in WordPress Access Demo Importer plugin versions <= 1.0.7. Solution: Update the WordPress Access Demo Importer plugin to the latest available version (at least 1.0.8)...
WordPress Popup | Custom Popup Builder plugin <= 1.3 - Unauthenticated Denial of Service (DoS) vulnerability
Unauthenticated Denial of Service (DoS) vulnerability discovered by Felipe de Avila in WordPress Popup | Custom Popup Builder plugin versions <= 1.3. Solution: Update the WordPress Popup | Custom Popup Builder plugin to the latest available version (at least 1.3.1)...
WordPress NewStatPress plugin <= 1.3.5 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress NewStatPress plugin versions <= 1.3.5. Solution: Update the WordPress NewStatPress plugin to the latest available version (at least 1.3.6)...
WordPress Spider Calendar plugin <= 1.5.65 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Spider Calendar plugin versions <= 1.5.65. Solution: Deactivate and delete. This plugin has been closed as of January 13, 2022 and is not available for download. This closure is permanent...
WordPress IP2Location Country Blocker plugin <= 2.26.4 - Arbitrary Country Ban vulnerability
Arbitrary Country Ban by low privilege users vulnerability discovered by Krzysztof Zając in WordPress IP2Location Country Blocker plugin versions <= 2.26.4. Solution: Update the WordPress IP2Location Country Blocker plugin to the latest available version (at least 2.26.5)...
WordPress Asset CleanUp plugin <= 1.3.8.4 - Reflected Cross-Site Scripting (XSS) vulnerability via AJAX Action
Reflected Cross-Site Scripting (XSS) vulnerability via AJAX Action discovered by JrXnm in WordPress Asset CleanUp plugin versions <= 1.3.8.4. Solution: Update the WordPress Asset CleanUp plugin to the latest available version (at least 1.3.8.5)...
WordPress Orange Form plugin <= 1.0 - SQL Injection (SQLi) via Cross-Site Request Forgery (CSRF) vulnerability
SQL Injection (SQLi) via Cross-Site Request Forgery (CSRF) vulnerability discovered by Francesco Carlucci in WordPress Orange Form plugin versions <= 1.0. Solution: Deactivate and delete. This plugin has been closed as of December 29, 2021 and is not available for download. This closure is temporary,...
WordPress Learning Courses plugin <= 4.9 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by dhananjaygarg192002 in WordPress Learning Courses plugin versions <= 5.0. Solution: Patched in version 5.0, but closed for other security reasons. This plugin has been closed as of October 8, 2021 and is not available for download. Reason:...
WordPress Orders Tracking for WooCommerce plugin <= 1.1.9 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Orders Tracking for WooCommerce plugin versions <= 1.1.9. Solution: Update the WordPress Orders Tracking for WooCommerce plugin to the latest available version (at least 1.1.10)...
WordPress Easy Forms for Mailchimp plugin <= 6.8.5 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress Easy Forms for Mailchimp plugin versions <= 6.8.5. Solution: Update the WordPress Easy Forms for Mailchimp plugin to the latest available version (at least 6.8.6)...
WordPress Stars Rating plugin <= 3.5.0 - Comments Denial of Service (DoS) vulnerability
Comments Denial of Service (DoS) vulnerability discovered by Drew Jones in WordPress Stars Rating plugin versions <= 3.5.0. Solution: Update the WordPress Stars Rating plugin to the latest available version (at least 3.5.1)...
WordPress WooCommerce PDF Invoices & Packing Slips plugin <= 2.10.4 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress WooCommerce PDF Invoices & Packing Slips plugin versions <= 2.10.4. Solution: Update the WordPress WooCommerce PDF Invoices & Packing Slips plugin to the latest available version (at least 2.10.5)...
WordPress Modal Window plugin <= 5.2.1 - Remote File Inclusion (RFI) leading to Remote Code Execution (RCE) via CSRF vulnerability
Remote File Inclusion (RFI) leading to Remote Code Execution (RCE) via CSRF vulnerability discovered by Krzysztof Zając in WordPress Modal Window plugin versions <= 5.2.1. Solution: Update the WordPress Modal Window plugin to the latest available version (at least 5.2.2)...
WordPress Variation Swatches for WooCommerce plugin <= 2.1.1 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Chloe Chamberland WordFence in WordPress Variation Swatches for WooCommerce plugin versions <= 2.1.1. Solution: Update the WordPress Variation Swatches for WooCommerce plugin to the latest available version (at least 2.1.2)...
WordPress Doko theme <= 1.0.27 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite Patchstack Red Team project in WordPress Doko theme versions <= 1.0.27. This theme uses a vulnerable piece of code related to previously identified vulnerability - CVE-2021-39317. Solution: Deactivate and delete. The vendor ignores the...
WordPress Zigcy Lite theme <= 2.0.9 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite Patchstack Red Team project in WordPress Zigcy Lite theme versions <= 2.0.9. This theme uses a vulnerable piece of code related to previously identified vulnerability - CVE-2021-39317. Solution: Deactivate and delete. The vendor ignores...
WordPress ScrollMe theme <= 2.1.0 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite Patchstack Red Team project in WordPress ScrollMe theme versions <= 2.1.0. This theme uses a vulnerable piece of code related to previously identified vulnerability - CVE-2021-39317. Solution: Deactivate and delete. The vendor ignores th...
WordPress WP Visitor Statistics (Real Time Traffic) plugin <= 4.7 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by Krzysztof Zając in WordPress WP Visitor Statistics (Real Time Traffic) plugin versions <= 4.7. Solution: Update the WordPress WP Visitor Statistics (Real Time Traffic) plugin to the latest available version (at least 4.8)...
WordPress WP Admin Logo Changer plugin <= 1.0 - Cross-Site Request Forgery (CSRF) vulnerability leading to Plugin Settings Update
Cross-Site Request Forgery (CSRF) vulnerability leading to Plugin Settings Update discovered by apple502j in WordPress WP Admin Logo Changer plugin versions <= 1.0. Solution: Deactivate and delete. This plugin has been closed as of October 4, 2021 and is not available for download. This closure is...
WordPress Download Monitor plugin <= 4.4.6 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability
Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Nguy Minh Tuan in WordPress Download Monitor plugin versions <= 4.4.6. Solution: Update the WordPress Download Monitor plugin to the latest available version (at least 4.4.7)...
WordPress Speed Booster Pack plugin <= 4.3.3 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by Quan, Hoang Xuan in WordPress Speed Booster Pack plugin versions <= 4.3.3. Solution: Update the WordPress Speed Booster Pack plugin to the latest available version (at least 4.3.3.1)...
WordPress Brizy – Page Builder plugin <= 2.3.11 - Authenticated File Upload and Path Traversal vulnerability
Authenticated File Upload and Path Traversal vulnerability discovered by Ramuel Gall WordFence in WordPress Brizy – Page Builder plugin versions <= 2.3.11. Solution: Update the WordPress Brizy – Page Builder plugin to the latest available version (at least 2.3.12)...
WordPress Simple JWT Login plugin <= 3.2.1 - Insecure Password Creation vulnerability
Insecure Password Creation vulnerability discovered by Zian Choy in WordPress Simple JWT Login plugin versions <= 3.2.1. Solution: Update the WordPress Simple JWT Login plugin to the latest available version (at least 3.3.0)...
WordPress 404 to 301 plugin <= 3.0.8 - Cross-Site Request Forgery (CSRF) vulnerability leading to Logs Deletion
Cross-Site Request Forgery (CSRF) vulnerability leading to Logs Deletion discovered by apple502j in WordPress 404 to 301 plugin versions <= 3.0.8. Solution: Update the WordPress 404 to 301 plugin to the latest available version (at least 3.0.9)...
WordPress Quiz Tool Lite plugin <= 2.3.15 - Multiple Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Stored Cross-Site Scripting (XSS) vulnerabilities discovered by Shivam Rai in WordPress Quiz Tool Lite plugin versions <= 2.3.15. Solution: Deactivate and delete. This plugin has been closed as of September 28, 2021 and is not available for download. This closure is temporary, pending a full...