WordPress Yoo Slider plugin <= 2.0.0 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Yoo Slider plugin versions <= 2.0.0. Solution: Update the WordPress Yoo Slider plugin to the latest available version (at least 2.1.0)...
WordPress MapPress Maps for WordPress plugin <= 2.73.12 - Admin+ File Upload leading to Remote Code Execution vulnerability
Admin+ File Upload leading to Remote Code Execution vulnerability discovered by qerogram in WordPress MapPress Maps for WordPress plugin versions <= 2.73.12. Solution: Update the WordPress MapPress Maps for WordPress plugin to the latest available version (at least 2.73.13)...
WordPress Page Builder Gutenberg Blocks – Kioken Blocks plugin <= 1.3.9 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Page Builder Gutenberg Blocks – Kioken Blocks plugin versions <= 1.3.9. Solution: No patched version available...
WordPress Prime Slider – Addons For Elementor plugin <= 2.6.2 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Prime Slider – Addons For Elementor plugin versions <= 2.6.2. Solution: Update the WordPress Prime Slider – Addons For Elementor plugin to the latest available version (at least 2.7.0)...
WordPress Forms to Zapier, Integromat, IFTTT, Workato, Automate.io, elastic.io, Built.io, APIANT, Webhook plugin <= 1.1.8 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress Forms to Zapier, Integromat, IFTTT, Workato, Automate.io, elastic.io, Built.io, APIANT, Webhook plugin versions <= 1.1.8. Solution: Update the WordPress Forms to Zapier, Integromat, IFTTT, Workato,...
WordPress Simple Link Directory plugin <= 7.7.1 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress Simple Link Directory plugin versions <= 7.7.1. Solution: Update the WordPress Simple Link Directory plugin to the latest available version (at least 7.7.2)...
WordPress AppExperts – WordPress to Mobile App – WooCommerce to iOs and Android Apps plugin <= 1.2.1 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress AppExperts – WordPress to Mobile App – WooCommerce to iOs and Android Apps plugin versions <= 1.2.1. Solution: Update the WordPress AppExperts – WordPress to Mobile App – WooCommerce to iOs and Android Apps plugin to the latest...
WordPress AdFoxly – Ad Manager, AdSense Ads & Ads.txt plugin <= 1.7.9 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress AdFoxly – Ad Manager, AdSense Ads & Ads.txt plugin versions <= 1.7.9. Solution: Update the WordPress AdFoxly – Ad Manager, AdSense Ads & Ads.txt plugin to the latest available version (at least 1.7.91)...
WordPress Genealogical Tree – WordPress Family Tree plugin <= 2.1.4 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Genealogical Tree – WordPress Family Tree plugin versions <= 2.1.4. Solution: Update the WordPress Genealogical Tree – WordPress Family Tree plugin to the latest available version (at least 2.1.5)...
WordPress Elasta theme < 1.0.8 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Elasta theme versions < 1.0.8. Solution: Update the WordPress Elasta theme to the latest available version (at least 1.0.8)...
WordPress Menu Image, Icons made easy plugin <= 3.0.5 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Menu Image, Icons made easy plugin versions <= 3.0.5. Solution: Update the WordPress Menu Image, Icons made easy plugin to the latest available version (at least 3.0.6)...
WordPress Display WP Admin Pages in the Frontend – WP Frontend Admin plugin < 1.17.0.4 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress Display WP Admin Pages in the Frontend – WP Frontend Admin plugin versions < 1.17.0.4. Solution: Update the WordPress Display WP Admin Pages in the Frontend – WP Frontend Admin plugin to the latest...
WordPress RSS Control plugin < 2.0.8 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress RSS Control plugin versions < 2.0.8. Solution: Update the WordPress RSS Control plugin to the latest available version (at least 2.0.8)...
WordPress Premmerce Permalink Manager for WooCommerce plugin <= 2.3.4 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Premmerce Permalink Manager for WooCommerce plugin versions <= 2.3.4. Solution: Update the WordPress Premmerce Permalink Manager for WooCommerce plugin to the latest available version (at least 2.3.5)...
WordPress Amelia plugin <= 1.0.45 - Arbitrary Customer Deletion via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Customer Deletion via Cross-Site Request Forgery (CSRF) vulnerability discovered by Muhamad Hidayat in WordPress Amelia plugin versions <= 1.0.45. Solution: Update the WordPress Amelia plugin to the latest available version (at least 1.0.46)...
WordPress Patreon WordPress plugin <= 1.8.1 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by José Aguilera in WordPress Patreon WordPress plugin versions <= 1.8.1. Solution: Update the WordPress Patreon WordPress plugin to the latest available version (at least 1.8.2)...
WordPress Relevanssi Premium plugin <= 2.16.4 - Unauthorized AJAX Calls vulnerability
Unauthorized AJAX Calls vulnerability discovered by Jan w Oleju in WordPress Relevanssi Premium plugin versions <= 2.16.4. Solution: Update the WordPress Relevanssi Premium plugin to the latest available version (at least 2.16.5)...
WordPress CP Blocks plugin <= 1.0.14 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Shweta Mahajan in WordPress CP Blocks plugin versions <= 1.0.14. Solution: Update the WordPress CP Blocks plugin to the latest available version (at least 1.0.15)...
WordPress Custom Content Shortcode plugin <= 4.0.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Francesco Carlucci in WordPress Custom Content Shortcode plugin versions <= 4.0.1. Solution: Update the WordPress Custom Content Shortcode plugin to the latest available version (at least 4.0.2)...
WordPress Better Notifications for WP plugin <= 1.8.6 - Email Address Disclosure vulnerability
Email Address Disclosure vulnerability discovered by Krzysztof Zając in WordPress Better Notifications for WP plugin versions <= 1.8.6. Solution: Update the WordPress Better Notifications for WP plugin to the latest available version (at least 1.8.7)...
WordPress Embed Swagger plugin <= 1.0.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Muhammad Zeeshan (Xib3rR4dAr) in WordPress Embed Swagger plugin versions <= 1.0.0. Solution: Deactivate and delete. This plugin has been closed as of January 24, 2022 and is not available for download. This closure is temporary, pending a...
WordPress ExportFeed: List WooCommerce Products on eBay Store plugin <= 2.0.1.0 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by 0xdecafbad in WordPress ExportFeed: List WooCommerce Products on eBay Store plugin versions <= 2.0.1.0. Solution: Deactivate and delete. This plugin has been closed as of November 22, 2021 and is not available for download. Reason: Security Issue...
WordPress The Buffer Button plugin <= 1.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Rutuja D Shirke in WordPress The Buffer Button plugin versions <= 1.0. Solution: Deactivate and delete. This plugin has been closed as of January 3, 2022 and is not available for download. This closure is temporary, pending a...
WordPress LeadMagic plugin <= 1.2.7 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Big Tiger in WordPress LeadMagic plugin versions <= 1.2.7. Solution: Deactivate and delete. This plugin has been closed as of January 17, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Download Manager plugin <= 3.2.33 - Authenticated SQL injection (SQLi) vulnerability to Reflected XSS vulnerability
Authenticated SQL injection (SQLi) vulnerability to Reflected XSS vulnerability discovered by Krzysztof Zając in WordPress Download Manager plugin versions <= 3.2.33. Solution: Update the WordPress Download Manager plugin to the latest available version (at least 3.2.34)...
WordPress Contact Form & Lead Form Elementor Builder plugin <= 1.6.9 - Multiple Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Stored Cross-Site Scripting (XSS) vulnerabilities discovered by Yoru Oni in WordPress Contact Form & Lead Form Elementor Builder plugin versions <= 1.6.9. Solution: Update the WordPress Contact Form & Lead Form Elementor Builder plugin to the latest available version (at least 1.7.0)...
WordPress SupportCandy plugin <= 2.2.6 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by apple502j in WordPress SupportCandy plugin versions <= 2.2.6. Solution: Update the WordPress SupportCandy plugin to the latest available version (at least 2.2.7)...
WordPress WHMCS Bridge plugin <= 6.1 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered in WordPress WHMCS Bridge plugin versions <= 6.1. Solution: Update the WordPress WHMCS Bridge plugin to the latest available version (at least 6.3)...
WordPress UpdraftPlus plugin <= 1.16.66 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress UpdraftPlus plugin versions <= 1.16.66. Solution: Update the WordPress UpdraftPlus plugin to the latest available version (at least 1.16.69)...
WordPress Advanced Custom Fields: Extended plugin <= 0.8.8.6 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by JrXnm in WordPress Advanced Custom Fields: Extended plugin versions <= 0.8.8.6. Solution: Update the WordPress Advanced Custom Fields: Extended plugin to the latest available version (at least 0.8.8.7)...
WordPress Simple Download Monitor plugin <= 3.9.8 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by apple502j in the WordPress Simple Download Monitor plugin versions <= 3.9.8. Solution: Update the WordPress Simple Download Monitor to the latest available version (at least 3.9.9)...
WordPress Contest Gallery plugin <= 13.1.0.9 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien in WordPress Contest Gallery plugin versions <= 13.1.0.9. Solution: Update the WordPress Contest Gallery plugin to the latest available version (at least 14.0.0)...
WordPress H5P CSS Editor plugin <= 1.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress H5P CSS Editor plugin versions <= 1.0. Solution: Deactivate and delete. This plugin has been closed as of December 3, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress tarteaucitron.js – Cookies legislation & GDPR plugin <= 1.5.4 - Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS) discovered by Julio Potier (SecuPress.me) in WordPress tarteaucitron.js – Cookies legislation & GDPR plugin versions <= 1.5.4. Solution: Update the WordPress tarteaucitron.js – Cookies legislation & GDPR plugin to the...
WordPress UpdraftPlus plugin <= 1.16.65 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress UpdraftPlus plugin versions <= 1.16.65. Solution: Update the WordPress UpdraftPlus plugin to the latest available version (at least 1.16.66)...
WordPress WP Coder plugin <= 2.5.1 - Remote File Inclusion (RFI) leading to Remote Code Execution (RCE) via CSRF vulnerability
Remote File Inclusion (RFI) leading to Remote Code Execution (RCE) via CSRF vulnerability discovered by Krzysztof Zając in WordPress WP Coder plugin versions <= 2.5.1. Solution: Update the WordPress WP Coder plugin to the latest available version (at least 2.5.2)...
WordPress Booster for WooCommerce plugin <= 5.4.8 - Reflected Cross-Site Scripting (XSS) vulnerability in Product XML Feeds Module
Reflected Cross-Site Scripting (XSS) vulnerability in Product XML Feeds Module discovered by Jeremie Amsellem in WordPress Booster for WooCommerce plugin versions <= 5.4.8. Solution: Update the WordPress Booster for WooCommerce plugin to the latest available version (at least 5.4.9)...
WordPress Buttonizer plugin <= 2.5.4 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Dipak Panchal in WordPress Buttonizer plugin versions <= 2.5.4. Solution: Update the WordPress Buttonizer plugin to the latest available version (at least 2.5.5)...
WordPress Zigcy Cosmetics theme <= 1.0.5 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress Zigcy Cosmetics theme versions <= 1.0.5. This theme uses a vulnerable piece of code related to a previously identified vulnerability, CVE-2021-39317. Solution: Deactivate and delete. The vendor...
WordPress Uncode Lite theme <= 1.3.3 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress Uncode Lite theme versions <= 1.3.3. This theme uses a vulnerable piece of code related to a previously identified vulnerability, CVE-2021-39317. Solution: Deactivate and delete. The vendor ignores...
WordPress Ripple theme <= 1.2.0 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress Ripple theme versions <= 1.2.0. This theme uses a vulnerable piece of code related to a previously identified vulnerability, CVE-2021-39317. Solution: Deactivate and delete. The vendor ignores the...
WordPress Swing Lite theme <= 1.1.9 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress Swing Lite theme versions <= 1.1.9. This theme uses a vulnerable piece of code related to a previously identified vulnerability, CVE-2021-39317. Solution: Deactivate and delete. The vendor ignores...
WordPress Gwolle Guestbook plugin <= 4.1.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress Gwolle Guestbook plugin versions <= 4.1.2. Solution: Update the WordPress Gwolle Guestbook plugin to the latest available version (at least 4.2.0)...
WordPress Pixel Cat plugin <= 2.6.2 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress Pixel Cat plugin versions <= 2.6.2. Solution: Update the WordPress Pixel Cat plugin to the latest available version (at least 2.6.3)...
WordPress WPO365 plugin <= 15.3 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by AppCheck in WordPress WPO365 plugin versions <= 15.3. Solution: Update the WordPress WPO365 plugin to the latest available version (at least 15.4)...
WordPress LoginWP plugin <= 3.0.0.4 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress LoginWP plugin versions <= 3.0.0.4. Solution: Update the WordPress LoginWP plugin to the latest available version (at least 3.0.0.5)...
WordPress Slideshow Gallery plugin <= 1.7.3 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Tyler Miller in WordPress Slideshow Gallery plugin versions <= 1.7.3. Solution: Update the WordPress Slideshow Gallery plugin to the latest available version (at least 1.7.4)...
WordPress MAZ Loader plugin <= 1.4.0 - Arbitrary Loader Deletion via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Loader Deletion via Cross-Site Request Forgery (CSRF) vulnerability discovered by apple502j in WordPress MAZ Loader plugin versions <= 1.4.0. Solution: Update the WordPress MAZ Loader plugin to the latest available version (at least 1.4.1)...
WordPress Reviews Plus plugin <= 1.2.13 - Reviews Denial of Service (DoS) vulnerability
Reviews Denial of Service (DoS) vulnerability discovered by Drew Jones in WordPress Reviews Plus plugin versions <= 1.2.13. Solution: Update the WordPress Reviews Plus plugin to the latest available version (at least 1.2.14)...
WordPress Advanced Forms plugin <= 1.6.8 - Arbitrary User Email Address Update via IDOR vulnerability
Arbitrary User Email Address Update via IDOR vulnerability discovered by Suppawit Punhakit in WordPress Advanced Forms plugin versions <= 1.6.8. Solution: Update the WordPress Advanced Forms plugin to the latest available version (at least 1.6.9)...