45959 matches found
WordPress G Auto-Hyperlink plugin <= 1.0.1 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by Shreya Pohekar (Codevigilant Project) in WordPress G Auto-Hyperlink plugin versions <= 1.0.1. Solution: Deactivate and delete. This plugin has been closed as of June 18, 2021 and is not available for download. Reason: Security Issue...
WordPress Cookie Bar plugin <= 1.8.8 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by pang0lin in WordPress Cookie Bar plugin versions <= 1.8.8. Solution: Update the WordPress Cookie Bar plugin to the latest available version (at least 1.8.9)...
WordPress Ninja Forms Contact Form plugin <= 3.5.7 - Unprotected REST-API to Sensitive Information Disclosure vulnerability
Unprotected REST-API to Sensitive Information Disclosure vulnerability discovered by Chloe Chamberland (WordFence) in WordPress Ninja Forms Contact Form plugin versions <= 3.5.7. Solution: Update the WordPress Ninja Forms Contact Form plugin to the latest available version (at least 3.5.8)...
WordPress Frontend Uploader plugin <= 1.3.2 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Veshraj Ghimire in WordPress Frontend Uploader plugin versions <= 1.3.2. Solution: Deactivate and delete. This plugin has been closed as of July 22, 2021 and is not available for download. Reason: Security Issue...
WordPress WP HTML Author Bio plugin <= 1.2.0 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Veshraj Ghimire in WordPress WP HTML Author Bio plugin versions <= 1.2.0. Solution: Deactivate and delete. This plugin has been closed as of July 19, 2021 and is not available for download. Reason: Security Issue...
WordPress Gutenberg PDF Viewer Block plugin <= 1.0 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by apple502j in WordPress Gutenberg PDF Viewer Block plugin versions <= 1.0. Solution: Update the WordPress Gutenberg PDF Viewer Block plugin to the latest available version (at least 1.0.1)...
WordPress eID Easy plugin <= 4.6 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress eID Easy plugin versions <= 4.6. Solution: Update the WordPress eID Easy plugin to the latest available version (at least 4.7)...
WordPress On Page SEO + Whatsapp Chat Button plugin <= 1.0.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress On Page SEO + Whatsapp Chat Button plugin versions <= 1.0.1. Solution: Update the WordPress On Page SEO + Whatsapp Chat Button plugin to the latest available version (at least 1.0.2)...
WordPress Weather Effect plugin <= 1.3.3 - Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by apple502j in WordPress Weather Effect plugin versions <= 1.3.3. Solution: Update the WordPress Weather Effect plugin to the latest available version (at least 1.3.4)...
WordPress User Registration plugin <= 2.0.1 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by AyeCode Ltd in WordPress User Registration plugin versions <= 2.0.1. Solution: Update the WordPress User Registration plugin to the latest available version (at least 2.0.2)...
WordPress WP Video Lightbox plugin <= 1.9.2 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Vishnupriya Ilango (Fortinet Fortiguard Labs) in WordPress WP Video Lightbox plugin versions <= 1.9.2. Solution: Update the WordPress WP Video Lightbox plugin to the latest available version (at least 1.9.3)...
WordPress SMS Alert Order Notifications – WooCommerce plugin <= 3.4.6 - Authenticated Cross-Site Scripting (XSS) vulnerability
Authenticated Cross-Site Scripting (XSS) vulnerability discovered by Swapnil Bodekar in WordPress SMS Alert Order Notifications – WooCommerce plugin versions <= 3.4.6. Solution: Update the WordPress SMS Alert Order Notifications – WooCommerce plugin to the latest available version (at least 3.4.7)...
WordPress uListing plugin <= 2.0.3 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by m0ze (Patchstack Red Team) in WordPress uListing plugin versions <= 2.0.3. Solution: Update the WordPress uListing plugin to the latest available version (at least 2.0.4)...
WordPress GTranslate plugin <= 2.8.64 – Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered in WordPress GTranslate plugin versions <= 2.8.64. Solution: Update the WordPress GTranslate plugin to the latest available version (at least 2.8.65)...
WordPress Timeline Calendar plugin <= 1.2 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Shreya Pohekar in WordPress Timeline Calendar plugin versions <= 1.2. Solution: This plugin has been closed as of June 3, 2021 and is not available for download. Reason: Security Issue...
WordPress Popular Posts plugin <= 5.3.3 - Authenticated Persistent Cross-Site Scripting (XSS) vulnerability
Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered by Vlad Visse (Patchstack) in WordPress Popular Posts plugin versions <= 5.3.3. Solution: Update the WordPress Popular Posts plugin to the latest available version (at least 5.3.4)...
WordPress CiviCRM plugin <= 5.24.2 - Authenticated Phar Deserialization vulnerability
Authenticated Phar Deserialization vulnerability discovered by Dennis Brinkrolf (SonarSource) in WordPress CiviCRM plugin versions <= 5.24.2. Solution: Update the WordPress CiviCRM plugin to the latest available version (at least 5.24.3)...
WordPress Admin Columns PRO premium plugin <= 5.5.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Johannes Lauinger in WordPress Admin Columns PRO premium plugin versions <= 5.5.1. Solution: Update the WordPress Admin Columns PRO premium plugin to the latest available version (at least 5.5.2)...
WordPress Admin Columns plugin <= 4.3.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Johannes Lauinger in WordPress Admin Columns plugin versions <= 4.3.1. Solution: Update the WordPress Admin Columns plugin to the latest available version (at least 4.3.2)...
WordPress WP Google Maps plugin <= 8.1.11 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Mohammed Adam in WordPress WP Google Maps plugin versions <= 8.1.11. Solution: Update the WordPress WP Google Maps plugin to the latest available version (at least 8.1.12)...
WordPress Hana Flv Player plugin <= 3.1.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Kishore Hariram in WordPress Hana Flv Player plugin versions <= 3.1.3. Solution: No patched version is available. The last version was released 8 years ago...
WordPress Invoicing with InvoiceXpress for WooCommerce plugin <= 3.0.2 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Frank Liauw in WordPress Invoicing with InvoiceXpress for WooCommerce plugin versions <= 3.0.2. Solution: Update the WordPress Invoicing with InvoiceXpress for WooCommerce plugin to the latest available version (at least...
WordPress Teamleader CRM Forms plugin <= 2.0.0 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Frank Liauw in WordPress Teamleader CRM Forms plugin versions <= 2.0.0. Solution: Update the WordPress Teamleader CRM Forms plugin to the latest available version (at least 2.1.0)...
WordPress WordPress Goto premium theme <= 1.9 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by m0ze (Patchstack Red Team) in WordPress WordPress Goto premium theme versions <= 1.9. Solution: Update the WordPress WordPress Goto premium theme to the latest available version (at least 2.0)...
WordPress Redux Framework plugin <= 4.1.20 - CSRF Nonce Validation Bypass vulnerability
CSRF Nonce Validation Bypass vulnerability discovered by Lenon Leite in WordPress Redux Framework plugin versions <= 4.1.20. Solution: Update the WordPress Redux Framework plugin to the latest available version (at least 4.1.21)...
WordPress DiveBook plugin <= 1.1.4 - Improper Authorisation Check vulnerability
Improper Authorisation Check vulnerability found by Hooper Labs in WordPress DiveBook plugin versions <= 1.1.4. Solution: 2020-12-09 - we were unable to find a patched version of this plugin. Last updated: 10 years ago...
WordPress WooCommerce Blocks plugin <= 3.7.0 - Guest Account Creation vulnerability
Guest Account Creation vulnerability found in WordPress WooCommerce Blocks plugin versions <= 3.7.0. Solution: Update the WordPress WooCommerce Blocks plugin to the latest available version (at least 3.7.1)...
WordPress Recall Products plugin <= 0.8 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability found by ZERO APTITUDE in WordPress Recall Products plugin versions <= 0.8. Solution: 2020-09-16 - we were unable to find a patched version of this plugin. WordPress.org notification: "This plugin has been closed as of July 28, 2020 and is not availabl...
WordPress WooCommerce Subscriptions premium plugin <= 2.6.2 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability found by PRECURSOR SECURITY in WordPress WooCommerce Subscriptions premium plugin versions <= 2.6.2. Solution: Update the WordPress WooCommerce Subscriptions premium plugin to the latest available version (at least 2.6.3)...
WordPress wpDiscuz plugin <= 5.3.5 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability found in WordPress wpDiscuz plugin versions <= 5.3.5. Solution: Update the WordPress wpDiscuz plugin to the latest available version (at least 5.3.6)...
WordPress Drag and Drop Multiple File Upload for Contact Form 7 plugin <= 1.3.3.2 - Unauthenticated File Upload vulnerability leading to Remote Code Execution (RCE)
Unauthenticated File Upload vulnerability leading to Remote Code Execution (RCE) discovered by Austin Martin in WordPress Drag and Drop Multiple File Upload for Contact Form 7 plugin versions <= 1.3.3.2. Solution: Update the WordPress Drag and Drop Multiple File Upload for Contact Form 7 plugin to th...
WordPress Advanced Woo Search plugin <= 1.99 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability found in WordPress Advanced Woo Search plugin versions <= 1.99. Solution: Update the WordPress Advanced Woo Search plugin to the latest available version (at least 2.00)...
WordPress WP Lead Plus X plugin <= 0.98 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by WordFence in WordPress WP Lead Plus X plugin versions <= 0.98. Solution: Update the WordPress WP Lead Plus X plugin to the latest available version (at least 0.99)...
WordPress LifterLMS plugin <= 3.37.14 - Arbitrary File Writing vulnerability
Arbitrary File Writing vulnerability discovered by Omri Herscovici and Sagi Tzadik in WordPress LifterLMS plugin versions <= 3.37.14. Solution: Update the WordPress LifterLMS plugin to the latest available version (at least 3.37.15)...
WordPress Blogtopdf plugin <= 1.0.2 - Unauthenticated Local File Inclusion (LFI) vulnerability
Unauthenticated Local File Inclusion (LFI) vulnerability discovered by Random Robbie in WordPress Blogtopdf plugin versions <= 1.0.2. Solution: Plugin closed. Deactivate and delete...
WordPress WP-Client Lite plugin <= 1.1.1 - Unauthenticated Local File Inclusion (LFI) vulnerability
Unauthenticated Local File Inclusion (LFI) vulnerability discovered by Random Robbie in WordPress WP-Client Lite plugin versions <= 1.1.1. Solution: Plugin closed. Deactivate and delete...
WordPress SAML SP Single Sign On plugin <= 4.8.83 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability discovered by Zeroauth in WordPress SAML SP Single Sign On plugin versions <= 4.8.83. Solution: Update the WordPress SAML SP Single Sign On plugin to the latest available version (at least 4.8.84)...
WordPress Gistpress plugin <= 3.0.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Paul Ritchie in WordPress Gistpress plugin versions <= 3.0.1. Solution: Update the WordPress Gistpress plugin to the latest available version (at least 3.0.2)...
WordPress YITH WooCommerce Bulk Product Editing plugin <=1.2.14 - Authenticated Settings Change (YITH Plugin Framework <=3.3.8) vulnerability
Authenticated Settings Change (YITH Plugin Framework <=3.3.8) vulnerability found by Jerome Bruandet in WordPress YITH WooCommerce Bulk Product Editing plugin versions <=1.2.14. Solution: Update the WordPress YITH WooCommerce Bulk Product Editing plugin to the latest available version (at least 1.2.15)...
WordPress WP DSGVO Tools (GDPR) plugin <= 2.2.18 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability
Authenticated Reflected Cross-Site Scripting (XSS) vulnerability found in WordPress WP DSGVO Tools (GDPR) plugin versions <= 2.2.18. Solution: Update the WordPress WP DSGVO Tools (GDPR) plugin to the latest available version (at least 2.2.19)...
WordPress Social LikeBox & Feed plugin <= 2.8.4 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found in WordPress Social LikeBox & Feed plugin versions <= 2.8.4. Solution: Update the WordPress Social LikeBox & Feed plugin to the latest available version (at least 2.8.5)...
WordPress Simple Membership plugin <= 3.8.4 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found by rubyman in WordPress Simple Membership plugin versions <= 3.8.4. Solution: Update the WordPress Simple Membership plugin to the latest available version (at least 3.8.5)...
WordPress Everest Forms plugin <= 1.4.9 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability found by Tin Duong in WordPress Everest Forms plugin versions <= 1.4.9. Solution: Update the WordPress Everest Forms plugin to the latest available version (at least 1.5.0)...
WordPress WP Statistics plugin <= 12.6.3 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found in WordPress WP Statistics plugin versions <= 12.6.3. Solution: Update the WordPress WP Statistics plugin to the latest available version (at least 12.6.4)...
WordPress Ultimate Member plugin <= 2.0.39 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found by Georg Knabl in WordPress Ultimate Member plugin versions <= 2.0.39. Solution: Update the WordPress Ultimate Member plugin to the latest available version (at least 2.0.40)...
WordPress WP Live Chat Support plugin <= 8.0.17 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found by Tim Coen in WordPress WP Live Chat Support plugin versions <= 8.0.17. Solution: Update the WordPress WP Live Chat Support plugin to the latest available version (at least 8.0.18)...
WordPress Font Organizer plugin <=2.1.1 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found by Tim Coen in WordPress Font Organizer plugin versions <=2.1.1. Solution: 22 March 2019 - we were unable to find a patched version of this plugin. There is a notice on the WordPress plugin repository: "This plugin was closed on March 18, 2019 and is no long...
WordPress Give plugin <= 2.3.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability found by Tim Coen in WordPress Give plugin versions <= 2.3.0. Solution: Update the WordPress Give plugin to the latest available version (at least 2.3.1)...
WordPress WP Fastest Cache plugin <= 0.8.9.0 - Unauthenticated Arbitrary File Deletion vulnerability
Unauthenticated Arbitrary File Deletion vulnerability found by Sebastian Neef in WordPress WP Fastest Cache plugin versions <= 0.8.9.0. Solution: Update the WordPress WP Fastest Cache plugin to the latest available version (at least 0.8.9.1)...
WordPress Ajax BootModal Login plugin <= 1.4.3 - CAPTCHA reuse vulnerability
CAPTCHA reuse (required only once per user session) vulnerability found by Lydéric Lefebvre and Fabien Haureils in WordPress Ajax BootModal Login plugin versions <= 1.4.3. Solution: 2018.09.01 - we were unable to find a patched version of this plugin...