WordPress Brute Force Login Protection plugin <= 1.5.3 - Arbitrary IP Removal/Add via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary IP Removal/Add via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress Brute Force Login Protection plugin versions <= 1.5.3. Solution: Deactivate and delete. This plugin has been closed as of April 7, 2022 and is not available for download. This closure is temporary,...
WordPress VideoWhisper Live Streaming Integration Plugin <= 4.27.2 - XSS
Because of this vulnerability in ls/vvlogin.php, attackers can inject arbitrary web script or HTML. Solution: Update the plugin...
WordPress Flash & HTML5 Video Plugin - Cross Site Request Forgery
The Flash & HTML5 Video plugin is prone to a CSRF vulnerability that allows an attacker to perform certain actions that lead to further attacks. Solution: Update the plugin...
WordPress Participants Database Plugin 1.5.4.8 - SQL Injection
SQL injection in the Participants Database plugin allows an unauthenticated user to execute arbitrary SQL statements. Solution: Update the plugin...
WordPress iMember360 Plugin 3.8.012 - 3.9.001 - Multiple Vulnerabilities
The WordPress iMember360 plugin is prone to multiple vulnerabilities, including XSS, arbitrary user deletion, arbitrary code execution and disclosure of database credentials. Solution: Upgrade the plugin...
WordPress Buddypress Plugin 1.9.1 - Privilege Escalation
The Buddypress plugin is prone to a vulnerability that allows an attacker to take control of every group and change its name, description, avatar and settings. Solution: Upgrade the plugin...
WordPress <= 3.3.2 - Cross Site Scripting
Because of this vulnerability in wp-includes/default-filters.php, attackers can inject arbitrary web script or HTML via an editable slug field. Solution: Update the plugin...
WordPress Download Manager Free & Pro Plugin 2.5.8 - Persistent Cross Site Scripting
The Download Manager Free & Pro plugin is prone to a persistent XSS vulnerability: the title input field is not sanitized and is therefore vulnerable to persistent cross-site scripting. Solution: Upgrade the plugin...
WordPress Tweet Blender Plugin <= 4.0.1 - XSS
Because of this vulnerability, attackers can inject arbitrary web script or HTML via the "tbtabindex" parameter to wp-admin/options-general.php. Solution: Update the plugin...
WordPress Related Posts Plugin <= 2.6.1 - CSRF
Because of this vulnerability, attackers can hijack the authentication of users for requests that change settings via unspecified vectors. Solution: Update the plugin...
WordPress SWFUpload Plugin <= 3.5.1 - XSS
This plugin is prone to a cross-site scripting vulnerability. Solution: Update the plugin...
WordPress TinyMCE Media Plugin <= 3.5.1 - Content Spoofing
moxieplayer.as does not consider the presence of a character during extraction of the QUERYSTRING, so attackers can pass arbitrary parameters to a Flash application and conduct content-spoofing attacks. Solution: Update the plugin...
WordPress <= 3.5.1 - Full Path Disclosure
Because of this vulnerability, attackers can obtain sensitive information via an invalid upload request. Solution: Update the plugin...
WordPress Organizer Plugin <= 1.2.1 - Multiple XSS
Because of these vulnerabilities in organizer/page/users.php, attackers can inject arbitrary web script or HTML. Solution: Update the plugin...
WordPress Mingle Forum Plugin <= 1.0.34 - Multiple CSRF
Because of these vulnerabilities, attackers can hijack the authentication of administrators for requests. Solution: Update the plugin...
WordPress AJAX Post Search Plugin <= 1.2 - SQL Injection
Because of this vulnerability, attackers can execute arbitrary SQL commands via the "srchtxt" parameter. Solution: Update the plugin...
WordPress Sentinel Plugin <= 1.0.0 - Cross Site Scripting
Because of this vulnerability in wordpresssentinel.php, attackers can inject arbitrary web script or HTML via unknown vectors. Solution: Update the plugin...
WordPress Sentinel Plugin <= 1.0.0 - CSRF
Because of this vulnerability in wordpresssentinel.php, attackers can hijack the authentication of an administrator for requests that trigger snapshots. Solution: Update the plugin...
WordPress Akismet Plugin - Multiple Cross Site Scripting Vulnerabilities
The WordPress Akismet plugin is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal cookie-based...
WordPress Count Per Day Plugin <= 3.1 - Multiple XSS
Because of these vulnerabilities in userperspan.php, attackers can inject arbitrary web script or HTML via three parameters: "page", "datemax" or "datemin". Solution: Update the plugin...
WordPress All-in-One Event Calendar Plugin 1.4 - Multiple Parameter XSS
Multiple parameters of the WordPress All-in-One Event Calendar plugin's /wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php are prone to a cross-site scripting vulnerability because the plugin fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browse...
WordPress Video Embed & Thumbnail Generator Plugin <= 1.9 - Remote Code Execution
Because of this vulnerability, attackers can execute arbitrary commands via unspecified vectors. Solution: Update the plugin...
WordPress Slideshow Gallery Plugin 1.1.x - Cross Site Scripting
The WordPress Slideshow Gallery plugin's "border" parameter is prone to a cross-site scripting vulnerability because the plugin fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can...
WordPress <= 0.70 - PHP remote file inclusion
Because of this vulnerability in wp-links/links.all.php, attackers can execute arbitrary PHP code via a URL in the $abspath variable. Solution: Update the plugin...
WordPress Users Plugin <= 1.3 - SQL Injection
Because of this vulnerability in wp-users.php, attackers can execute arbitrary SQL commands via the "uid" parameter to index.php. Solution: Update the plugin...
WordPress Cover WP Theme 1.6.5 - Cross Site Scripting
The WordPress Cover WP theme's "s" parameter is prone to a cross-site scripting vulnerability because the theme fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal cookie-base...
WordPress <= 3.0.4 - Multiple Security Vulnerabilities
Because of these vulnerabilities, remote authenticated users can read draft posts or private posts via a modified "attachmentid" parameter. Solution: Update WordPress...
WordPress CformsII Plugin 11.5 / 13.1 - Multiple Cross-Site Scripting Vulnerabilities
The CformsII plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal cookie-based authentication...
WordPress MU <= 2.7 - 'HOST' HTTP Header XSS Vulnerability
WordPress MU prior to version 2.7 fails to sanitize the Host header correctly in the chooseprimaryblog function, allowing cross-site scripting. Sites running in a virtual hosting setup are not affected as long as they are not the default virtual host. Solution: Upgrade WordPress...
WordPress <= 2.3 - XSS
Because of this vulnerability in wp-admin/edit-post-rows.php, attackers can inject arbitrary web script or HTML via the "postscolumns" array parameter. Solution: Update WordPress...
WordPress Pool Theme <= 1.0.7 - XSS
Because of this vulnerability in index.php, attackers can inject arbitrary web script or HTML via the PATHINFO. Solution: Update the theme...
WordPress <= 2.2.1 - SQL Injection
Because of this vulnerability in options.php, authenticated administrators can execute arbitrary SQL commands via the "pageoptions" parameter. Solution: Update WordPress...
WordPress <= 2.1.2 - Security BYPASS
Authenticated users with the contributor role can bypass intended access restrictions and invoke the publishposts functionality. Solution: Update WordPress to the latest available version, at least 2.1.3...
WordPress Article Management Plugin <= 3.40 - SQL Injection
Because of this vulnerability, attackers can execute arbitrary SQL commands via the "wcHeadlines" parameter. Solution: Update the WordPress Article Management plugin to the latest available version, at least 3.41...
WordPress <= 2.0.4 - Denial of Service Attacks
Authenticated users can cause a denial of service, because this WordPress version does not properly store a profile containing a string representation of a serialized object. Solution: Update WordPress...
WordPress <= 2.0.2 - Direct Static Code Injection
Because of this vulnerability, attackers can execute arbitrary commands by inserting a carriage return and PHP code when updating a profile, which is appended after a special comment sequence into files. Solution: Update WordPress to the latest available version, at least 2.0.3...
WordPress <= 1.5.1 - Multiple Vulnerabilities
Because of these vulnerabilities, attackers can obtain sensitive information via a direct request to wp-admin/upgrade-functions.php, wp-includes/vars.php, wp-admin/edit-form.php, wp-content/plugins/hello.php, wp-settings.php or wp-admin/edit-form-comment.php. Solution: Update WordPress to...
WordPress Kirki – Freeform Page Builder, Website Builder & Customizer plugin <= 6.0.6 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Submission Data Exposure vulnerability
Missing Authorization to Authenticated (Subscriber+) Sensitive Form Submission Data Exposure vulnerability discovered by Z3no in WordPress Plugin Kirki – Freeform Page Builder, Website Builder & Customizer versions <= 6.0.6...
NPM: Better Auth: OAuth callback accepts mismatched `state` when cookie-backed state storage is used without PKCE
NPM: Better Auth: OAuth callback accepts mismatched state when cookie-backed state storage is used without PKCE vulnerability discovered by ? in WordPress Npm better-auth versions 1.6.2...
WordPress Gravity Forms plugin <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by tadokun in WordPress Plugin Gravity Forms versions <= 2.10.0...
WordPress WP Directory Kit plugin <= 1.4.4 - Authentication Bypass to Privilege Escalation via Account Takeover vulnerability
Authentication Bypass to Privilege Escalation via Account Takeover vulnerability discovered by Ryan Kozak in WordPress Plugin WP Directory Kit versions 1.4.0-1.4.4...
WordPress Funnel Builder by FunnelKit Plugin <= 3.11.1 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by LVT-tholv2k in WordPress Plugin Funnel Builder by FunnelKit versions <= 3.11.1...
WordPress MasterStudy LMS Pro plugin <= 4.7.0 - Authenticated (Subscriber+) Arbitrary File Upload vulnerability
Authenticated (Subscriber+) Arbitrary File Upload vulnerability discovered by Foxyyy in WordPress Plugin MasterStudy LMS Pro versions <= 4.7.0...
WordPress Gravity Forms CSS Themes with Fontawesome and Placeholders plugin <= 8.5 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nabil Irawan (Patchstack Alliance) in WordPress Plugin Gravity Forms CSS Themes with Fontawesome and Placeholders versions <= 8.5...
WordPress Indeed Ultimate Learning Pro plugin <= 3.9 - Authenticated (Administrator+) SQL Injection via post_id Parameter vulnerability
Authenticated (Administrator+) SQL Injection via post_id Parameter vulnerability discovered by Pham Van Tam in WordPress Plugin Indeed Ultimate Learning Pro versions <= 3.9...
WordPress Simple Side Tab Plugin <= 2.1.14 is vulnerable to Cross Site Scripting (XSS)
Software: Simple Side Tab. Type: Plugin. Vulnerable versions: <= 2.1.14. Fixed in: 2.2.0. OWASP Top 10: A7: Cross-Site Scripting (XSS). Classification: Cross Site Scripting (XSS). CVE: CVE-2024-10551. Patch priority: Low. CVSS severity: Low (5.9). PSID: 2f20e42d5a25. Credits: Krugov Artyom. Required...
WordPress GamiPress Plugin <= 7.1.5 is vulnerable to Broken Access Control
Software: GamiPress. Type: Plugin. Vulnerable versions: <= 7.1.5. Fixed in: 7.1.6. OWASP Top 10: A1: Broken Access Control. Classification: Broken Access Control. CVE: CVE-2024-11036. Patch priority: Medium. CVSS severity: Medium (6.5). PSID: 528614ec92ef. Credits: Arkadiusz Hydzik. Required...
WordPress The Novel Design Store Directory Plugin <= 4.3.0 is vulnerable to Arbitrary File Upload
Software: The Novel Design Store Directory. Type: Plugin. Vulnerable versions: <= 4.3.0. Fixed in: N/A. OWASP Top 10: A3: Injection. Classification: Arbitrary File Upload. CVE: CVE-2024-51788. Patch priority: High. CVSS severity: High (10). PSID: 7c858add083e. Credits: stealthcopter. Required...
WordPress mFolio Lite Plugin <= 1.2.1 is vulnerable to Broken Access Control
Software: mFolio Lite. Type: Plugin. Vulnerable versions: <= 1.2.1. Fixed in: 1.2.2. OWASP Top 10: A5: Broken Access Control. Classification: Broken Access Control. CVE: CVE-2024-9307. Patch priority: Low. CVSS severity: Low (9.1). PSID: 19ba5b646cd3. Credits: Francesco Carlucci. Required...
WordPress Table of Contents Plus Plugin <= 2411 is vulnerable to Cross Site Scripting (XSS)
Software: Table of Contents Plus. Type: Plugin. Vulnerable versions: <= 2411. Fixed in: N/A. OWASP Top 10: A7: Cross-Site Scripting (XSS). Classification: Cross Site Scripting (XSS). CVE: CVE-2024-5578. Patch priority: Low. CVSS severity: Low (6.5). PSID: 487fd7341438. Credits: Dmitrii Ignatyev...