WordPress Advanced Forms plugin <= 1.6.8 - Arbitrary User Email Address Update via IDOR vulnerability
Arbitrary User Email Address Update via IDOR vulnerability discovered by Suppawit Punhakit in WordPress Advanced Forms plugin versions <= 1.6.8. Solution: Update the WordPress Advanced Forms plugin to the latest available version (at least 1.6.9)...
WordPress Simple Job Board plugin <= 2.9.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Thinkland Security Team in WordPress Simple Job Board plugin versions <= 2.9.4. Solution: Update the WordPress Simple Job Board plugin to the latest available version (at least 2.9.5)...
WordPress Sassy Social Share plugin <= 3.3.23 - Missing Authorization Controls to PHP Object Injection vulnerability
Missing Authorization Controls to PHP Object Injection vulnerability discovered by Chloe Chamberland (WordFence) in WordPress Sassy Social Share plugin versions <= 3.3.23. Solution: Update the WordPress Sassy Social Share plugin to the latest available version (at least 3.3.24)...
WordPress Forminator plugin <= 1.15.2 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Shivam Rai in WordPress Forminator plugin versions <= 1.15.2. Solution: Update the WordPress Forminator plugin to the latest available version (at least 1.15.4)...
WordPress Image to WebP plugin <= 1.8 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by apple502j in WordPress Image to WebP plugin versions <= 1.8. Solution: Update the WordPress Image to WebP plugin to the latest available version (at least 1.9)...
WordPress SEO Redirection plugin <= 8.1 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by JrXnm in WordPress SEO Redirection plugin versions <= 8.1. Solution: Update the WordPress SEO Redirection plugin to the latest available version (at least 8.2)...
WordPress Print-O-Matic plugin <= 2.0.2 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Zain Ahmed in WordPress Print-O-Matic plugin versions <= 2.0.2. Solution: Update the WordPress Print-O-Matic plugin to the latest available version (at least 2.0.3)...
WordPress Events Made Easy plugin <= 2.2.23 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Huy Nguyen in WordPress Events Made Easy plugin versions <= 2.2.23. Solution: Update the WordPress Events Made Easy plugin to the latest available version or at least to the version 2.2.24...
WordPress Ninja Forms Contact Form plugin <= 3.5.7 - Unprotected REST-API to Email Injection vulnerability
Unprotected REST-API to Email Injection vulnerability discovered by Chloe Chamberland (WordFence) in WordPress Ninja Forms Contact Form plugin versions <= 3.5.7. Solution: Update the WordPress Ninja Forms Contact Form plugin to the latest available version (at least 3.5.8)...
WordPress Compact WP Audio Player plugin <= 1.9.6 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by apple502j in WordPress Compact WP Audio Player plugin versions <= 1.9.6. Solution: Update the WordPress Compact WP Audio Player plugin to the latest available version (at least 1.9.7)...
WordPress Simple Social Media Share Buttons plugin <= 3.2.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas in WordPress Simple Social Media Share Buttons plugin versions <= 3.2.3. Solution: Update the WordPress Simple Social Media Share Buttons plugin to the latest available version (at least 3.2.4)...
WordPress Poll Maker plugin <= 3.4.1 - Unauthenticated Time-Based SQL Injection (SQLi) vulnerability
Unauthenticated Time-Based SQL Injection (SQLi) vulnerability discovered by apple502j in WordPress Poll Maker plugin versions <= 3.4.1. Solution: Update the WordPress Poll Maker plugin to the latest available version (at least 3.4.2)...
WordPress Simple Matted Thumbnails plugin <= 1.01 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress Simple Matted Thumbnails plugin versions <= 1.01. Solution: This plugin has been closed as of September 7, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress WordPress Simple Shop plugin <= 1.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress WordPress Simple Shop plugin versions <= 1.2. Solution: This plugin has been closed as of September 7, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress RSVPmaker Excel plugin <= 1.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress RSVPmaker Excel plugin versions <= 1.1. Solution: This plugin has been closed as of September 7, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress TranslatePress plugin <= 2.0.8 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Nosa Shandy in WordPress TranslatePress plugin versions <= 2.0.8. Solution: Update the WordPress TranslatePress plugin to the latest available version (at least 2.0.9)...
WordPress Timetable and Event Schedule by MotoPress plugin <= 2.3.18 - Multiple Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Stored Cross-Site Scripting (XSS) vulnerabilities discovered by Martin Vierula (Trustwave) in WordPress Timetable and Event Schedule by MotoPress plugin versions <= 2.3.18. Solution: Update the WordPress Timetable and Event Schedule by MotoPress plugin to the latest available version at least...
WordPress Bold Page Builder plugin <= 3.1.5 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by dc11 in WordPress Bold Page Builder plugin versions <= 3.1.5. Solution: Update the WordPress Bold Page Builder plugin to the latest available version (at least 3.1.6)...
WordPress FluentSMTP plugin <= 2.0.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by YoshiKen in WordPress FluentSMTP plugin versions <= 2.0.0. Solution: Update the WordPress FluentSMTP plugin to the latest available version (at least 2.0.1)...
WordPress Diary & Availability Calendar plugin <= 1.0.3 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Shreya Pohekar in WordPress Diary & Availability Calendar plugin versions <= 1.0.3. Solution: This plugin has been closed as of May 19, 2021 and is not available for download. Reason: Security Issue...
WordPress Maintenance plugin <= 4.02 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Emil Kylander in WordPress Maintenance plugin versions <= 4.02. Solution: Update the WordPress Maintenance plugin to the latest available version (at least 4.03)...
WordPress MDTF - Meta Data & Taxonomies Filter premium plugin <= 2.2.7.2 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by Ryoma Nishioka in WordPress MDTF - Meta Data & Taxonomies Filter premium plugin versions <= 2.2.7.2. Solution: Update the WordPress MDTF - Meta Data & Taxonomies Filter premium plugin to the latest available version (at least 2.2.8)...
WordPress Workreap premium theme <= 2.2.1 - Multiple Cross-Site Scripting (CSRF) + Insecure Direct Object References (IDOR) vulnerabilities
Multiple Cross-Site Scripting (CSRF) + Insecure Direct Object References (IDOR) vulnerabilities discovered by Harald Eilertsen (Jetpack) in WordPress Workreap premium theme versions <= 2.2.1. Solution: Update the WordPress Workreap premium theme to the latest available version (at least 2.2.2)...
WordPress W3 Total Cache plugin <= 2.1.4 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by renniepak in WordPress W3 Total Cache plugin versions <= 2.1.4. Solution: Update the WordPress W3 Total Cache plugin to the latest available version (at least 2.1.5)...
WordPress Include Me plugin <= 1.2.1 - Path traversal and Local File Inclusion (LFI) vulnerability leading to Remote Code Execution (RCE)
Path traversal and Local File Inclusion (LFI) vulnerability leading to Remote Code Execution (RCE) discovered by Mesut Cetin in WordPress Include Me plugin versions <= 1.2.1. Solution: Update the WordPress Include Me plugin to the latest available version (at least 1.2.2)...
WordPress Easy Cookies Policy plugin <= 1.6.2 - Broken Access Control vulnerability leading to Stored Cross-Site Scripting (XSS)
Broken Access Control vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by 0xB9 in WordPress Easy Cookies Policy plugin versions <= 1.6.2. Solution: This plugin has been closed as of April 28, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress Advanced AJAX Product Filters plugin <= 1.5.4.6 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by dc11 in WordPress Advanced AJAX Product Filters plugin versions <= 1.5.4.6. Solution: Update the WordPress Advanced AJAX Product Filters plugin to the latest available version (at least 1.5.4.7)...
WordPress Qtranslate Slug plugin <= 1.1.18 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by NinTechNet in WordPress Qtranslate Slug plugin versions <= 1.1.18. Solution: This plugin has been closed as of February 11, 2021 and is not available for download. Reason: Security Issue...
WordPress Fancy Product Designer premium plugin <= 4.6.8 - Unauthenticated Arbitrary File Upload and Remote Code Execution (RCE) vulnerabilities
Unauthenticated Arbitrary File Upload and Remote Code Execution (RCE) vulnerabilities discovered by WordFence in WordPress Fancy Product Designer premium plugin versions <= 4.6.8. Solution: Update the WordPress Fancy Product Designer premium plugin to the latest available version (at least 4.6.9)...
WordPress NinjaFirewall plugin <= 4.3.3 - Authenticated PHAR Deserialization vulnerability
Authenticated PHAR Deserialization vulnerability discovered by Chloe Chamberland in WordPress NinjaFirewall plugin versions <= 4.3.3. Solution: Update the WordPress NinjaFirewall plugin to the latest available version (at least 4.3.4)...
WordPress JobSearch premium plugin <= 1.7.3 - Authenticated Persistent Cross-Site Scripting (XSS) vulnerability
Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered by m0ze in WordPress JobSearch premium plugin versions <= 1.7.3. Solution: Update the WordPress JobSearch premium plugin to the latest available version (at least 1.7.4)...
WordPress Funnel Builder by CartFlows plugin <= 1.6.12 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by m0ze in WordPress Funnel Builder by CartFlows plugin versions <= 1.6.12. Solution: Update the WordPress Funnel Builder by CartFlows plugin to the latest available version (at least 1.6.13)...
WordPress Popup by Supsystic plugin <= 1.10.4 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by 0xB9 in WordPress Popup by Supsystic plugin versions <= 1.10.4. Solution: Update the WordPress Popup by Supsystic plugin to the latest available version (at least 1.10.5)...
WordPress HT Slider Range for Amazon affiliates plugin <= 1.1.9 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Frank Liauw in WordPress HT Slider Range for Amazon affiliates plugin versions <= 1.1.9. Solution: Update the WordPress HT Slider Range for Amazon affiliates plugin to the latest available version (at least 1.1.10)...
WordPress OpenID Connect Generic Client plugin <= 3.8.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Austin Bentley in WordPress OpenID Connect Generic Client plugin versions <= 3.8.1. Solution: Update the WordPress OpenID Connect Generic Client plugin to the latest available version (at least 3.8.2)...
WordPress Cooked Pro premium plugin <= 1.7.5.5 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Jinson Varghese Behanan in WordPress Cooked Pro premium plugin versions <= 1.7.5.5. Solution: Update the WordPress Cooked Pro premium plugin to the latest available version (at least 1.7.5.6)...
WordPress wpDataTables plugin <= 3.4.1 - Multiple SQL Injection (SQLi) vulnerabilities
Multiple SQL Injection (SQLi) vulnerabilities discovered by Veno Eivazian and Massimiliano Ferraresi in the WordPress wpDataTables plugin versions <= 3.4.1. Solution: Update the WordPress wpDataTables plugin to the latest available version (at least 3.4.2)...
WordPress The Plus Addons for Elementor premium plugin <= 4.1.6 - Privilege Escalation vulnerability
Privilege Escalation vulnerability found by Ville Korhonen in WordPress The Plus Addons for Elementor premium plugin versions <= 4.1.6. Solution: Update the WordPress The Plus Addons for Elementor premium plugin to the latest available version (at least 4.1.7)...
WordPress 301 Redirects – Easy Redirect Manager plugin <= 2.50 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability found by Nguyen Van Khanh in WordPress 301 Redirects – Easy Redirect Manager plugin versions <= 2.50. Solution: Update the WordPress 301 Redirects – Easy Redirect Manager plugin to the latest available version (at least 2.5.1)...
WordPress DiveBook plugin <= 1.1.4 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability found by Hooper Labs in WordPress DiveBook plugin versions <= 1.1.4. Solution: 2020-12-09 - we were unable to find a patched version of this plugin. Last updated: 10 years ago...
WordPress AIT CSV Import / Export plugin <= 3.0.3 - Unauthenticated Arbitrary File Upload vulnerability
Unauthenticated Arbitrary File Upload vulnerability found by Ryan (WPScan) in WordPress AIT CSV Import / Export plugin versions <= 3.0.3. Solution: 2020-11-13 - we were unable to find a patched version of this plugin...
WordPress Autoptimize plugin <= 2.7.7 - Arbitrary File Upload via "Import Settings" vulnerability
Arbitrary File Upload via "Import Settings" vulnerability discovered by Marcin Węgłowski in WordPress Autoptimize plugin versions <= 2.7.7. Solution: Update the WordPress Autoptimize plugin to the latest available version (at least 2.7.8)...
WordPress Autoptimize plugin <= 2.7.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Marcin Węgłowski in WordPress Autoptimize plugin versions <= 2.7.7. Solution: Update the WordPress Autoptimize plugin to the latest available version (at least 2.7.8)...
WordPress Product Input Fields for WooCommerce plugin <= 1.2.6 - Unauthenticated Arbitrary File Download vulnerability
Unauthenticated Arbitrary File Download vulnerability discovered by NinTechNet in WordPress Product Input Fields for WooCommerce plugin versions <= 1.2.6. Solution: Update the WordPress Product Input Fields for WooCommerce plugin to the latest available version (at least 1.2.7)...
WordPress GTranslate plugin <= 2.8.51 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Gaurav in WordPress GTranslate plugin versions <= 2.8.51. Solution: Update the WordPress GTranslate plugin to the latest available version (at least 2.8.52)...
WordPress Page Builder by SiteOrigin plugin <= 2.10.15 - Cross-Site Request Forgery (CSRF) vulnerability leading to Reflected Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Reflected Cross-Site Scripting (XSS) discovered by WordFence in WordPress Page Builder by SiteOrigin plugin versions <= 2.10.15. Solution: Update the WordPress Page Builder by SiteOrigin plugin to the latest available version (at least 2.10.16)...
WordPress iframe plugin <= 4.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Guilherme Rubert in WordPress iframe plugin versions <= 4.4. Solution: Update the WordPress iframe plugin to the latest available version (at least 4.5)...
WordPress LearnPress plugin <= 3.2.6.7 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered in WordPress LearnPress plugin versions <= 3.2.6.7. Solution: Update the WordPress LearnPress plugin to the latest available version (at least 3.2.6.8)...
WordPress Catch Breadcrumb plugin <= 1.5.6 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by m0ze in WordPress Catch Breadcrumb plugin versions <= 1.5.6. Solution: Update the WordPress Catch Breadcrumb plugin to the latest available version (at least 1.5.7)...