WordPress iQ Block Country plugin <= 1.2.18 - Block BYPASS vulnerability
Block BYPASS vulnerability was discovered by Brandon Roldan (Patchstack Alliance) in the WordPress iQ Block Country plugin versions <= 1.2.18. Solution: Update the WordPress iQ Block Country plugin to the latest available version (at least 1.2.19)...
WordPress Helpful plugin <= 4.5.25 - Information Disclosure vulnerability
Information Disclosure vulnerability discovered by Aleksi Kistauri in WordPress Helpful plugin versions <= 4.5.25. Solution: Deactivate and delete. This plugin has been closed as of August 26, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress WP Custom Cursors plugin <= 3.0 - Arbitrary Cursor Deletion via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Cursor Deletion via Cross-Site Request Forgery (CSRF) vulnerability discovered by Lana Codes in WordPress WP Custom Cursors plugin versions <= 3.0. Solution: Update the WordPress WP Custom Cursors plugin to the latest available version (at least 3.0.1)...
WordPress Import all XML, CSV & TXT plugin <= 6.5.7 - Missing Authorization vulnerability
Missing Authorization vulnerability discovered by Sanjay Das in WordPress Import all XML, CSV & TXT plugin versions <= 6.5.7. Solution: Update the WordPress WP Ultimate CSV Importer plugin to the latest available version (at least 6.5.8)...
WordPress Awesome Filterable Portfolio plugin <= 1.9.7 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Awesome Filterable Portfolio plugin versions <= 1.9.7. Solution: Deactivate and delete. This plugin has been closed as of September 14, 2022 and is not available for download...
WordPress RD Station plugin <= 5.2.0 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Rasi Afeef (Patchstack Alliance) in the WordPress RD Station plugin versions <= 5.2.0. Solution: Update the WordPress RD Station plugin to the latest available version (at least 5.2.1)...
WordPress Frontend File Manager plugin <= 21.2 - Authenticated Arbitrary File Upload vulnerability
Authenticated Arbitrary File Upload vulnerability discovered by Raad Haddad (Cloudyrion GmbH) in WordPress Frontend File Manager plugin versions <= 21.2. Solution: Update the WordPress Frontend File Manager plugin to the latest available version (at least 21.3)...
WordPress Ultimate SMS Notifications for WooCommerce plugin <= 1.4.1 - CSV Injection vulnerability
CSV Injection vulnerability discovered by Zhouyuan Yang in WordPress Ultimate SMS Notifications for WooCommerce plugin versions <= 1.4.1. Solution: Update the WordPress Ultimate SMS Notifications for WooCommerce plugin to the latest available version (at least 1.4.2)...
WordPress Zephyr Project Manager plugin <= 3.2.42 - Multiple Unauthenticated SQL Injection (SQLi) vulnerabilities
Multiple Unauthenticated SQL Injection (SQLi) vulnerabilities were discovered by Rizacan Tufan in the WordPress Zephyr Project Manager plugin versions <= 3.2.42. Solution: Update the WordPress Zephyr Project Manager plugin to the latest available version (at least 3.2.5)...
WordPress Gettext override translations plugin <= 1.0.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Su Xue Ming in WordPress Gettext override translations plugin versions <= 1.0.1. Solution: Update the WordPress Gettext override translations plugin to the latest available version (at least 2.0.0)...
WordPress WPvivid Backup Plugin <= 0.9.74 - Authenticated PHAR Deserialization vulnerability
Authenticated PHAR Deserialization vulnerability discovered by Rasoul Jahanshahi in WPvivid Backup plugin versions <= 0.9.74. Solution: Update the WordPress WPvivid Backup and Migration plugin to the latest available version (at least 0.9.75)...
WordPress WP STAGING Plugin <= 2.9.17 - Authenticated Stored Cross-Site Scripting vulnerability
Authenticated Stored Cross-Site Scripting vulnerability discovered by Raad Haddad in WP STAGING versions <= 2.9.17. Solution: Update the WordPress WP STAGING – Backup Duplicator & Migration plugin to the latest available version (at least 2.9.18)...
WordPress WP Hide & Security Enhancer plugin <= 1.7.9.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress WP Hide & Security Enhancer plugin versions <= 1.7.9.2. Solution: Update the WordPress WP Hide Security Enhancer plugin to the latest available version (at least 1.8)...
WordPress Social Slider Feed plugin <= 2.0.4 - Authenticated Arbitrary API Key Update vulnerability leading to Stored Cross-Site Scripting (XSS)
Authenticated Arbitrary API Key Update vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by WPScan in WordPress Social Slider Feed plugin versions <= 2.0.4. Solution: Update the WordPress Social Slider Feed plugin to the latest available version (at least 2.0.5)...
WordPress ЮKassa для WooCommerce plugin <= 2.3.0 - Authenticated Arbitrary Settings Update vulnerability
Authenticated Arbitrary Settings Update vulnerability discovered by ptsfence (Patchstack Alliance) in WordPress ЮKassa для WooCommerce plugin versions <= 2.3.0. Solution: Update the WordPress ЮKassa для WooCommerce plugin to the latest available version (at least 2.3.1)...
WordPress Homepage Product Organizer for WooCommerce plugin <= 1.1 - Multiple Authenticated SQL Injection (SQLi) vulnerabilities
Multiple Authenticated SQL Injection (SQLi) vulnerabilities were discovered by Lenon Leite (Patchstack Alliance) in the WordPress Homepage Product Organizer for WooCommerce plugin versions <= 1.1. Solution: No patched version is available. We were unable to contact the vendor...
WordPress Easy Student Results plugin <= 2.2.8 - Sensitive Information Disclosure via REST API vulnerability
Sensitive Information Disclosure via REST API vulnerability discovered by Raad Haddad in WordPress Easy Student Results plugin versions <= 2.2.8. Solution: Deactivate and delete. This plugin has been closed as of July 11, 2022 and is not available for download. This closure is temporary, pending a...
WordPress Flexi Quote Rotator plugin <= 0.9.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Daniel Ruf in WordPress Flexi Quote Rotator plugin versions <= 0.9.4. Solution: Deactivate and delete. This plugin has been closed as of July 6, 2022 and is not available for download. This closure is temporary, pending a ful...
WordPress Progressive License plugin <= 1.1.0 - Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by Daniel Ruf in WordPress Progressive License plugin versions <= 1.1.0. Solution: Deactivate and delete. This plugin has been closed as of June 22, 2022 and is not available for download. This closu...
WordPress Image Slider plugin <= 1.1.123 - Cross-Site Request Forgery (CSRF) vulnerability leading to Post Duplication
Cross-Site Request Forgery (CSRF) vulnerability leading to Post Duplication discovered by Marco Wotschka in WordPress Image Slider plugin versions <= 1.1.123. Solution: No patched version available...
WordPress SP Project & Document Manager plugin <= 4.57 - Sensitive File Disclosure vulnerability
Sensitive File Disclosure vulnerability discovered by Viktor Markopoulos in WordPress SP Project & Document Manager plugin versions <= 4.57. Solution: Update the WordPress SP Project & Document Manager plugin to the latest available version (at least 4.58)...
WordPress Contact Form 7 Captcha plugin <= 0.1.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by ZhongFu Su aka JrXnm WuHan University in WordPress Contact Form 7 Captcha plugin versions <= 0.1.1. Solution: Update the WordPress Contact Form 7 Captcha plugin to the latest available version (at least 0.1.2)...
WordPress Cache Images plugin <= 3.2 - Image Upload / Import via Cross-Site Request Forgery (CSRF) vulnerability
Image Upload / Import via Cross-Site Request Forgery (CSRF) vulnerability was discovered by Daniel Ruf in the WordPress Cache Images plugin versions <= 3.2. Solution: Update the WordPress Cache Images plugin to the latest available version (at least 3.2.1)...
WordPress Admin Management Xtended plugin <= 2.4.4 - Post Visibility/Date/Comment Status Update via CSRF vulnerability
Post Visibility/Date/Comment Status Update via CSRF vulnerability discovered by Daniel Ruf in WordPress Admin Management Xtended plugin versions <= 2.4.4. Solution: Update the WordPress Admin Management Xtended plugin to the latest available version (at least 2.4.5)...
WordPress WP Contact Slider plugin <= 2.4.6 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Fayçal CHENA in WordPress WP Contact Slider plugin versions <= 2.4.6. Solution: Update the WordPress WP Contact Slider plugin to the latest available version (at least 2.4.7)...
WordPress HTML2WP plugin <= 1.0.0 - Authenticated Arbitrary File Deletion vulnerability
Authenticated Arbitrary File Deletion vulnerability discovered by Daniel Ruf in WordPress HTML2WP plugin versions <= 1.0.0. Solution: Deactivate and delete. This plugin has been closed as of May 4, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Mobile Browser Color Select plugin <= 1.0.1 - Stored Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability
Stored Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability was discovered by Tsubasa Imaizumi (Cryptography Laboratory at Tokyo Denki University) in the WordPress Mobile Browser Color Select plugin versions <= 1.0.1. Solution: Deactivate and delete. This plugin has been closed ...
WordPress Modern Events Calendar Lite plugin < 6.3.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Tsutomu Aramaki (Mitsui Bussan Secure Directions, Inc) in WordPress Modern Events Calendar Lite plugin versions < 6.3.0. Solution: Fixed in version 6.3.0, but the plugin is closed. This plugin has been closed as of May 11, 2022...
WordPress Print, PDF, Email by PrintFriendly plugin <= 5.2.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Muhamad Hidayat. Solution: Update the WordPress Print, PDF, Email by PrintFriendly plugin to the latest available version (at least 5.2.3)...
WordPress WPlite plugin <= 1.3.1 - Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability discovered by Daniel Ruf in WordPress WPlite plugin versions <= 1.3.1. Solution: Deactivate and delete. This plugin has been closed as of May 23, 2022 and is not available for download. This closure is temporary, pending a...
WordPress Image Slider by NextCode plugin <= 1.1.2 - Slider Deletion via Cross-Site Request Forgery (CSRF) vulnerability
Slider Deletion via Cross-Site Request Forgery (CSRF) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Image Slider by NextCode plugin versions <= 1.1.2. Solution: Deactivate and delete. This plugin has been closed as of May 20, 2022 and is not available for download. This...
WordPress Private Messages For WordPress plugin <= 2.1.10 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Private Messages For WordPress plugin versions <= 2.1.10. Solution: Deactivate and delete. This plugin has been closed as of May 20, 2022 and is not available for download. This...
WordPress Custom Share Buttons with Floating Sidebar plugin <= 4.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas in WordPress Custom Share Buttons with Floating Sidebar plugin versions <= 4.1. Solution: Update the WordPress Custom Share Buttons with Floating Sidebar plugin to the latest available version (at least 4.2)...
WordPress Change Uploaded File Permissions plugin <= 4.0.0 - File Permission Update via Cross-Site Request Forgery (CSRF) vulnerability
File Permission Update via Cross-Site Request Forgery (CSRF) vulnerability was discovered by Daniel Ruf in the WordPress Change Uploaded File Permissions plugin versions <= 4.0.0. Solution: Deactivate and delete. This plugin has been closed as of May 18, 2022 and is not available for download. This...
WordPress Like Button Rating LikeBtn plugin <= 2.6.44 - Arbitrary e-mail Sending vulnerability
Arbitrary e-mail Sending vulnerability discovered by Krzysztof Zając in WordPress Like Button Rating LikeBtn plugin versions <= 2.6.44. Solution: Update the WordPress Like Button Rating LikeBtn plugin to the latest available version (at least 2.6.45)...
WordPress New User Email Set Up plugin <= 0.5.2 - Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability discovered by Daniel Ruf in WordPress New User Email Set Up plugin versions <= 0.5.2. Solution: Deactivate and delete. This plugin has been closed as of May 18, 2022 and is not available for download. This closure is...
WordPress OnePress Social Locker plugin <= 5.6.2 - Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability discovered by Daniel Ruf in WordPress OnePress Social Locker plugin versions <= 5.6.2. Solution: Deactivate and delete. This plugin has been closed as of May 6, 2022 and is not available for download. This closure is...
WordPress Popup Box plugin <= 2.1.2 - Authenticated Local File Inclusion (LFI) vulnerability
Authenticated Local File Inclusion (LFI) vulnerability discovered by 0xB9 (Patchstack Alliance) in WordPress Popup Box plugin versions <= 2.1.2. Solution: Update the WordPress Popup Box plugin to the latest available version (at least 2.2)...
WordPress CUBE SLIDER plugin <= 1.2 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability was discovered by Daniel Krohmer (Fraunhofer IESE, Germany) and Shi Chen (University of Kaiserslautern, Germany) in the WordPress CUBE SLIDER plugin versions <= 1.2. Solution: Deactivate and delete. This plugin has been closed as of May 3, 2022 and is not...
WordPress hpb Dashboard plugin <= 1.3.1 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability was discovered by Vinay Varma Mudunuri and Krishna Harsha Kondaveeti in the WordPress hpb Dashboard plugin versions <= 1.3.1. Solution: Deactivate and delete. This plugin has been closed as of April 29, 2022 and is not available for download. This closu...
WordPress Countdown & Clock plugin <= 2.4.7 - Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities
Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities discovered by Ex.Mi in WordPress Countdown & Clock plugin versions <= 2.4.7. Solution: No patched version is available...
WordPress Donate Extra plugin <= 2.02 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress Donate Extra plugin versions <= 2.02. Solution: Deactivate and delete. This plugin has been closed as of April 7, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Simple Ajax Chat plugin <= 20220115 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered by Ex.Mi (Patchstack) in WordPress Simple Ajax Chat plugin versions <= 20220115. Solution: Update the WordPress Simple Ajax Chat plugin to the latest available version (at least 20220216)...
WordPress Easily Generate Rest API Url plugin <= 1.0.0 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by websafe2021 in WordPress Easily Generate Rest API Url plugin versions <= 1.0.0. Solution: Deactivate and delete. This plugin has been closed as of 29 March 2022 and is not available for download. This closure is temporary, pending a full...
WordPress CalderaWP License Manager plugin <= 1.2.11 - Cross-Site Request Forgery (CSRF) vulnerability leading to Reflected Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Reflected Cross-Site Scripting (XSS) discovered by mirphak (Patchstack Alliance) in WordPress CalderaWP License Manager plugin versions <= 1.2.11. Solution: Deactivate and delete. The plugin is closed and no longer maintained...
WordPress Themify - Post Type Builder Search Addon premium plugin <= 1.3.9 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Kevin Barbón García, David Álvarez Robles, Francisco Díaz-Pache Alonso & Sergio Corral Cristo in WordPress Themify - Post Type Builder Search Addon premium plugin versions <= 1.3.9. Solution: Update the WordPress Themify - Post Type...
WordPress Fast Flow plugin <= 1.2.10 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress Fast Flow plugin versions <= 1.2.10. Solution: Update the WordPress Fast Flow plugin to the latest available version (at least 1.2.11)...
WordPress Donations plugin <= 1.8 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress Donations plugin versions <= 1.8. Solution: Deactivate and delete. This plugin has been closed as of February 28, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Anti-Malware Security and Brute-Force Firewall plugin <= 4.20.95 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Taurus Omar in WordPress Anti-Malware Security and Brute-Force Firewall plugin versions <= 4.20.95. Solution: Update the WordPress Anti-Malware Security and Brute-Force Firewall plugin to the latest available version (at least 4.20.96)...
WordPress Product Table for WooCommerce plugin <= 3.1.1 - Unauthenticated Arbitrary Function Call vulnerability
Unauthenticated Arbitrary Function Call vulnerability discovered by Mark Costlow in WordPress Product Table for WooCommerce plugin versions <= 3.1.1. Solution: Update the WordPress Product Table for WooCommerce plugin to the latest available version (at least 3.1.2)...