WordPress Ad Injection plugin <= 1.2.0.19 - Stored Cross-Site Scripting (XSS) & RCE vulnerabilities
Stored Cross-Site Scripting XSS & RCE vulnerabilities discovered by Asif Nawaz Minhas in WordPress Ad Injection plugin versions <= 1.2.0.19. Solution Deactivate and delete. This plugin has been closed as of March 18, 2022 and is not available for download. This closure is temporary, pending a full...
WordPress Greenshift – animation and page builder blocks plugin < 1.1.4 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Greenshift – animation and page builder blocks plugin versions < 1.1.4. Solution Update the WordPress Greenshift – animation and page builder blocks plugin to the latest available version at least 1.1.4...
WordPress Premmerce Pinterest for WooCommerce plugin <= 1.2.3 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Premmerce Pinterest for WooCommerce plugin versions <= 1.2.3. Solution No patched version available...
WordPress WooCommerce plugin <= 6.2.0 - Path Traversal via Importers vulnerability
Path Traversal via Importers vulnerability discovered in WordPress WooCommerce plugin versions <= 6.2.0. Solution Update the WordPress WooCommerce plugin to the latest available version at least 6.2.1...
WordPress Symposium Plugin <= 15.7 - SQL Injection
This vulnerability allows an attacker to execute arbitrary SQL commands via the "size" parameter to getalbumitem.php. Solution Update the plugin...
WordPress Euclid Theme 1.x.x - CSRF
WordPress Euclid theme is prone to a cross-site request forgery vulnerability. It allows an attacker to gain unauthorized access to the affected application by performing certain actions in the context of an authorized user's session. Solution Upgrade the theme...
WordPress WP Contact Slider plugin <= 2.4.7 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting XSS vulnerability discovered by Asif Nawaz Minhas in WordPress WP Contact Slider plugin versions <= 2.4.7. Solution Update the WordPress WP Contact Slider plugin to the latest available version at least 2.4.8...
WordPress Shortcodes Ultimate plugin <= 5.12.0 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery CSRF vulnerability leading to Preset Settings Change discovered by Dave Jong Patchstack in WordPress Shortcodes Ultimate plugin versions <= 5.12.0. Solution Update the WordPress Shortcodes Ultimate plugin to the latest available version at least 5.12.1...
WordPress WPQA premium plugin <= 5.4 - Unauthenticated Private Message Disclosure vulnerability
Unauthenticated Private Message Disclosure vulnerability discovered by Veshraj Ghimire in WordPress WPQA premium plugin versions <= 5.4. Solution Update the WordPress WPQA premium plugin to the latest available version at least 5.5...
WordPress KingComposer plugin <= 2.9.6 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting XSS vulnerability discovered by Krzysztof Zając in WordPress KingComposer plugin versions <= 2.9.6. Solution No patched version is available. This plugin has been closed as of February 2, 2022 and is not available for download. This closure is temporary, pending a full...
WordPress Salon booking system plugin <= 7.6.1 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered by Huli Cymetrics in WordPress Salon booking system plugin versions <= 7.6.1. Solution Update the WordPress Salon booking system plugin to the latest available version at least 7.6.3...
WordPress Divi premium theme <= 4.5.2 - Authenticated Arbitrary File Upload vulnerability
Authenticated Arbitrary File Upload vulnerability discovered by WordFence in WordPress Divi premium theme versions <= 4.5.2. Solution Update the WordPress Divi premium theme to the latest available version at least 4.5.3...
WordPress JSmol2WP plugin <= 1.07 - Unauthenticated Cross-Site Scripting (XSS) vulnerability
Unauthenticated Cross-Site Scripting XSS vulnerability in WordPress JSmol2WP plugin versions <= 1.07. Solution 08.01.2019 - we were unable to find a patched version of this plugin. According to the WordPress.org plugin repository, this plugin was closed on January 7, 2019 and is no longer available for...
WordPress Brozzme Scroll Top Plugin <= 1.8.5 is vulnerable to Cross Site Scripting (XSS)
Software Brozzme Scroll Top Type Plugin Vulnerable versions <= 1.8.5 Fixed in N/A OWASP Top 10 A3: Injection Classification Cross Site Scripting XSS CVE CVE-2024-34426 Patch priority Low CVSS severity Low 5.9 Developer Claim ownership PSID 40ba77316890 Credits Cronus Required privilege Administrat...
WordPress Enable SVG, WebP & ICO Upload plugin <= 1.0.3 - Authenticated Arbitrary File Upload vulnerability
Authenticated Arbitrary File Upload vulnerability discovered by Kim Jong Min aka Universe Patchstack Alliance in WordPress Enable SVG, WebP & ICO Upload plugin versions <= 1.0.3. Solution No patched version available...
WordPress Vision Interactive plugin < 1.5.2 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by WPScanTeam in WordPress Vision Interactive plugin versions < 1.5.2. Solution Update the WordPress Vision Interactive plugin to the latest available version at least 1.5.2...
WordPress <= 4.4.1 - CSRF
WordPress before 4.5 is prone to a cross-site request forgery CSRF vulnerability. In the wp_ajax_wp_compression_test function in the wp-admin/includes/ajax-actions.php file, attackers can hijack the authentication of administrators when they change the script compression option. Solution Update WordPress ...
WordPress Image and Video Lightbox, Image PopUp Plugin <= 2.1.5 is vulnerable to Cross Site Scripting (XSS)
Software Image and Video Lightbox, Image PopUp Type Plugin Vulnerable versions <= 2.1.5 Fixed in 2.1.6 OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2023-24004 Patch priority Low CVSS severity Low 5.9 Developer Claim ownership PSID 4d9c16d4d9c1 Credits...
WordPress Advanced Custom Fields plugin <= 5.12.2 - Unauthenticated File Upload vulnerability
Unauthenticated File Upload vulnerability discovered by James Golovich in WordPress Advanced Custom Fields plugin versions <= 5.12.2. Solution Update the WordPress Advanced Custom Fields plugin to the latest available version at least 5.12.3...
WordPress Transposh WordPress Translation plugin <= 1.0.8.1 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered by Julien Ahrens in WordPress Transposh WordPress Translation plugin versions <= 1.0.8.1. Solution Deactivate and delete. This plugin has been closed as of February 7, 2022 and is not available for download. Reason: Security Issue...
WordPress ToolBar to Share plugin <= 2.0 - Cross-Site Request Forgery (CSRF) vulnerability to Cross-Site Scripting (XSS)
Cross-Site Request Forgery CSRF vulnerability leading to Cross-Site Scripting XSS discovered by Sho Sakata Cryptography Laboratory at Tokyo Denki University in WordPress ToolBar to Share plugin versions <= 2.0. Solution Deactivate and delete. This plugin has been closed as of May 31, 2022 and is n...
WordPress Yoo Slider plugin <= 2.0.0 - Cross-Site Request Forgery (CSRF) vulnerability leading to Slider Creation / Modification
Cross-Site Request Forgery CSRF vulnerability leading to Slider Creation / Modification discovered by Ex.Mi Patchstack in WordPress Yoo Slider plugin versions <= 2.0.0. Solution Update the WordPress Yoo Slider plugin to the latest available version at least 2.1.0...
WordPress Perfect Survey plugin <= 1.5.0 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection SQLi vulnerability discovered by apple502j in WordPress Perfect Survey plugin versions <= 1.5.0. Solution Vulnerability fixed in 1.5.2 version, but plugin closed due to other security issues. This plugin has been closed as of October 5, 2021 and is not available for...
WordPress WOOCS – WooCommerce Currency Switcher plugin <= 1.3.6.2 - Local File Inclusion (LFI) vulnerability leading to Remote Code Execution (RCE)
Local File Inclusion LFI vulnerability leading to Remote Code Execution RCE discovered by Marc Montpas Automattic in WordPress WOOCS – WooCommerce Currency Switcher plugin versions <= 1.3.6.2. Solution Update the WordPress WOOCS – WooCommerce Currency Switcher plugin to the latest available versio...
WordPress <= 5.5.1 - Cross-Site Scripting (XSS) via Global Variables vulnerability
Cross-Site Scripting XSS via Global Variables vulnerability found by Marc Montpas in WordPress versions <= 5.5.1. Solution Update WordPress to the latest available version at least 5.5.2...
WordPress <= 4.2.2 - XSS
WordPress 4.2.2 is prone to a cross-site scripting vulnerability that allows an authenticated user to bypass intended access restrictions and create drafts by leveraging the Subscriber role. It also allows injecting web script or HTML by leveraging the Author role to place a crafted shortcode...
WordPress WPML Plugin <= 3.1.9.1 - Multiple Vulnerabilities
WPML is prone to SQL injection, page or post menu deletion and reflected cross-site scripting vulnerabilities. Solution Update the plugin...
WordPress Really Simple SSL Plugin 9.0.0-9.1.1.1 is vulnerable to Broken Authentication
Software Really Simple SSL Type Plugin Vulnerable versions 9.0.0-9.1.1.1 Fixed in 9.1.2 OWASP Top 10 A1: Broken Access Control Classification Broken Authentication CVE CVE-2024-10924 Patch priority High CVSS severity High 9.8 Developer Claim ownership PSID 8effdc8642db Credits István Márton...
WordPress GutenKit Plugin <= 2.1.0 is vulnerable to Arbitrary File Upload
Software GutenKit Type Plugin Vulnerable versions <= 2.1.0 Fixed in 2.1.1 OWASP Top 10 A1: Injection Classification Arbitrary File Upload CVE CVE-2024-9234 Patch priority High CVSS severity High 10 Developer Claim ownership PSID 084e0f3075d0 Credits Sean Murphy Required privilege Unauthenticated...
WordPress BuddyForms Plugin <= 2.8.8 is vulnerable to Arbitrary File Download
Software BuddyForms Type Plugin Vulnerable versions <= 2.8.8 Fixed in 2.8.9 OWASP Top 10 A4: Insecure Design Classification Arbitrary File Download CVE CVE-2024-32830 Patch priority High CVSS severity High 8.6 Developer Claim ownership PSID df4ae0005bef Credits Yudistira Arya Required privilege...
WordPress WC Marketplace Plugin <= 3.8.11.8 - Unauthorized AJAX Calls Vulnerability
Unauthorized AJAX Calls vulnerability discovered by ptsfence in WordPress WC Marketplace plugin versions <= 3.8.11.8. Solution Update the WordPress WC Marketplace plugin to the latest available version at least 3.8.12...
WordPress Request a Quote plugin <= 2.3.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by Benachi in WordPress Request a Quote plugin versions <= 2.3.7. Solution Deactivate and delete. This plugin has been closed as of June 21, 2022 and is not available for download. This closure is temporary, pending a full revi...
WordPress <= 5.9.1 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting XSS vulnerability discovered by Ben Bidner in WordPress versions <= 5.9.1. Solution Update WordPress to the latest available version at least 5.9.2...
WordPress File Upload plugin <= 4.16.2 - Contributor+ Path Traversal vulnerability leading to Remote Code Execution (RCE)
Contributor+ Path Traversal vulnerability leading to Remote Code Execution RCE discovered by apple502j in WordPress File Upload plugin versions <= 4.16.2. Solution Update the WordPress File Upload plugin to the latest available version at least 4.16.3...
WordPress PowerPack Lite for Beaver Builder plugin <= 1.2.9.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting XSS vulnerability discovered by Krzysztof Zając in WordPress PowerPack Lite for Beaver Builder plugin versions <= 1.2.9.2. Solution Update the WordPress PowerPack Lite for Beaver Builder plugin to the latest available version at least 1.2.9.3...
WordPress Paid Memberships Pro <= 2.6.6 - Unauthenticated Blind SQL Injection (SQLi) vulnerability
Unauthenticated Blind SQL Injection SQLi vulnerability discovered by Krzysztof Zając in WordPress Paid Memberships Pro versions <= 2.6.6. Solution Update the WordPress Paid Memberships Pro to the latest available version at least 2.6.7...
WordPress Ignition premium theme <= 1.59 - Unauthenticated Arbitrary File Upload and Option Deletion
Unauthenticated Arbitrary File Upload and Option Deletion discovered by WordFence in WordPress Ignition premium theme versions <= 1.59. Solution Update the WordPress Ignition premium theme to the latest available version at least 2.0.0...
WordPress Simple Backup Plugin 2.7.11 - Multiple Vulnerabilities
Simple Backup plugin is prone to multiple vulnerabilities, such as arbitrary file deletion and file download vulnerabilities. Because of these issues, an attacker can download files from the webserver and delete arbitrary files without any authentication or permission. Solution Update the...
WordPress All In One WP Security Plugin 3.8.2 - SQL Injection
The WordPress All In One WP Security plugin is prone to an SQL injection. This vulnerability allows an attacker to modify data, compromise access to the application, or exploit hidden vulnerabilities in the underlying database. Solution Update the plugin...
WordPress Portable phpMyAdmin Plugin - Authentication Bypass
The Portable phpMyAdmin plugin is prone to an authentication bypass vulnerability. It allows an attacker to gain sensitive information. Solution Upgrade to version 1.3.1...
WordPress Category Ajax Filter Plugin <= 2.8.2 is vulnerable to Local File Inclusion
Software Category Ajax Filter Type Plugin Vulnerable versions <= 2.8.2 Fixed in 2.8.3 OWASP Top 10 A1: Injection Classification Local File Inclusion CVE CVE-2024-10871 Patch priority High CVSS severity High 8.1 Developer Claim ownership PSID 41b4026eef43 Credits Le Ngoc Anh Required privilege...
WordPress Contact Form to Any API Plugin <= 1.2.2 is vulnerable to Cross Site Scripting (XSS)
Software Contact Form to Any API Type Plugin Vulnerable versions <= 1.2.2 Fixed in N/A OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2024-7617 Patch priority Medium CVSS severity Medium 7.1 Developer Claim ownership PSID 8a05dbbe144d Credits Jorgson...
WordPress WPCargo Track & Trace plugin <= 6.9.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by Raul in WordPress WPCargo Track & Trace plugin versions <= 6.9.4. Solution Update the WordPress WPCargo Track & Trace plugin to the latest available version at least 6.9.5...
WordPress wpDataTables plugin <= 2.1.27 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting XSS vulnerability discovered by Muhammad Daffa Patchstack Alliance in WordPress wpDataTables plugin versions <= 2.1.27. Solution Update the WordPress wpDataTables plugin to the latest available version at least 2.1.28...
WordPress RegistrationMagic plugin <= 5.0.1.5 - SQL Injection (SQLi) vulnerability
SQL Injection SQLi vulnerability discovered by JrXnm in WordPress RegistrationMagic plugin versions <= 5.0.1.5. Solution Update the WordPress RegistrationMagic plugin to the latest available version at least 5.0.1.6...
WordPress NEX-Forms – Ultimate Form Builder plugin <= 8.1 - Multiple Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Stored Cross-Site Scripting XSS vulnerabilities were discovered by Shivam Rai in WordPress NEX-Forms – Ultimate Form Builder plugin versions <= 8.1. Solution Deactivate and delete. This plugin has been closed as of October 4, 2021 and is not available for download. This closure is...
WordPress Age Gate plugin <= 2.16.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by Martin Vierula Trustwave in WordPress Age Gate plugin versions <= 2.16.3. Solution Update the WordPress Age Gate plugin to the latest available version at least 2.16.4...
WordPress Contact Form 7 plugin <= 5.3.1 - Unrestricted File Upload vulnerability
Unrestricted File Upload vulnerability found by Jinson Varghese Behanan in WordPress Contact Form 7 plugin versions <= 5.3.1. Solution Update the WordPress Contact Form 7 plugin to the latest available version at least 5.3.2...
WordPress WP e-Commerce Shop Styling plugin <= 2.9.1 - Unauthenticated Local File Inclusion (LFI) vulnerability
Unauthenticated Local File Inclusion LFI vulnerability discovered by Random Robbie in WordPress WP e-Commerce Shop Styling plugin versions <= 2.9.1. Solution Plugin closed. Deactivate and delete...
WordPress 3.9-5.1 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting XSS vulnerability found by Simon Scannell in WordPress versions 3.9-5.1. Solution Update WordPress to the latest available version at least 5.1.1...