WordPress GTranslate plugin <= 2.8.51 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Gaurav in WordPress GTranslate plugin versions <= 2.8.51. Solution: Update the WordPress GTranslate plugin to the latest available version (at least 2.8.52)...
WordPress Page Builder by SiteOrigin plugin <= 2.10.15 - Cross-Site Request Forgery (CSRF) vulnerability leading to Reflected Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Reflected Cross-Site Scripting (XSS) discovered by WordFence in WordPress Page Builder by SiteOrigin plugin versions <= 2.10.15. Solution: Update the WordPress Page Builder by SiteOrigin plugin to the latest available version (at least 2.10.16)...
WordPress iframe plugin <= 4.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Guilherme Rubert in WordPress iframe plugin versions <= 4.4. Solution: Update the WordPress iframe plugin to the latest available version (at least 4.5)...
WordPress LearnPress plugin <= 3.2.6.7 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered in WordPress LearnPress plugin versions <= 3.2.6.7. Solution: Update the WordPress LearnPress plugin to the latest available version (at least 3.2.6.8)...
WordPress Catch Breadcrumb plugin <= 1.5.6 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by m0ze in WordPress Catch Breadcrumb plugin versions <= 1.5.6. Solution: Update the WordPress Catch Breadcrumb plugin to the latest available version (at least 1.5.7)...
WordPress Buddypress Component Stats plugin <= 1.0 - Unauthenticated Local File Inclusion (LFI) vulnerability
Unauthenticated Local File Inclusion (LFI) vulnerability discovered by Random Robbie in WordPress Buddypress Component Stats plugin versions <= 1.0. Solution: Plugin closed. Deactivate and delete...
WordPress 10Web Map Builder for Google Maps <= 1.0.63 - Unauthenticated Stored Cross-Site Scripting (XSS) via Plugin Settings Change vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) via Plugin Settings Change vulnerability found by Sean Murphy, QA Lead Matt Rusnak, and QA Engineer Ramuel Gall (Wordfence) in WordPress 10Web Map Builder for Google Maps <= 1.0.63. Solution: Update the WordPress 10Web Map Builder for Google Maps plugin...
WordPress Modern Events Calendar Lite plugin <= 5.1.6 - Multiple Stored Cross-Site Scripting (XSS) Vulnerabilities
Multiple Stored Cross-Site Scripting (XSS) Vulnerabilities discovered by WordFence in WordPress Modern Events Calendar Lite plugin versions <= 5.1.6. Solution: Update the WordPress Modern Events Calendar Lite plugin to the latest available version (at least 5.1.7)...
WordPress Code Snippets plugin <= 2.13.3 - Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE) vulnerability
Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE) vulnerability found by Chloe Chamberland in WordPress Code Snippets plugin versions <= 2.13.3. Solution: Update the WordPress Code Snippets plugin to the latest available version (at least 2.14.0)...
WordPress Chatbot with IBM Watson plugin <= 0.8.20 - DOM Cross-Site Scripting (XSS) vulnerability
DOM Cross-Site Scripting (XSS) vulnerability found by Hooper Labs in WordPress Chatbot with IBM Watson plugin versions <= 0.8.20. Solution: Update the WordPress Chatbot with IBM Watson plugin to the latest available version (at least 0.8.21)...
WordPress YITH WooCommerce Cart Messages plugin <=1.4.4 - Authenticated Settings Change (YITH Plugin Framework <=3.3.8) vulnerability
Authenticated Settings Change (YITH Plugin Framework <=3.3.8) vulnerability found by Jerome Bruandet in WordPress YITH WooCommerce Cart Messages plugin versions <=1.4.4. Solution: Update the WordPress YITH WooCommerce Cart Messages plugin to the latest available version (at least 1.4.5)...
WordPress YITH WooCommerce Waiting List plugin <=1.3.10 - Authenticated Settings Change (YITH Plugin Framework <=3.3.8) vulnerability
Authenticated Settings Change (YITH Plugin Framework <=3.3.8) vulnerability found by Jerome Bruandet in WordPress YITH WooCommerce Waiting List plugin versions <=1.3.10. Solution: Update the WordPress YITH WooCommerce Waiting List plugin to the latest available version (at least 1.3.11)...
WordPress Visualizer plugin <= 3.3.0 - Server-Side Request Forgery (SSRF)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks. Solution: Update the plugin to the latest version...
WordPress WooCommerce Product Feed plugin <= 3.1.14 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability
Authenticated Reflected Cross-Site Scripting (XSS) vulnerability found by Damian Ebelties in WordPress WooCommerce Product Feed plugin versions <= 3.1.14. Solution: Update the WordPress WooCommerce Product Feed plugin to the latest available version (at least 3.1.15)...
WordPress HandL UTM Grabber plugin <= 2.6.4 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found in WordPress HandL UTM Grabber plugin versions <= 2.6.4. Solution: Update the WordPress HandL UTM Grabber plugin to the latest available version (at least 2.6.5)...
WordPress Easy Forms for Mailchimp plugin <= 6.5.2 - Code Injection vulnerability
Code Injection vulnerability found by Henri Salo in WordPress Easy Forms for Mailchimp plugin versions <= 6.5.2. Solution: Update the WordPress Easy Forms for Mailchimp plugin to the latest available version (at least 6.5.3)...
WordPress WP SVG Icons plugin <= 3.2.2 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found by zeroauth in WordPress WP SVG Icons plugin versions <= 3.2.2. Solution: Update the WordPress WP SVG Icons plugin to the latest available version (at least 3.2.3)...
WordPress WPGraphQL plugin <= 0.2.3 - Multiple Vulnerabilities
Multiple Vulnerabilities found in WordPress WPGraphQL plugin versions <= 0.2.3. Solution: Update the WordPress WPGraphQL plugin to the latest available version (at least 0.3.0)...
WordPress Ninja Forms File Uploads Extension premium plugin <= 3.0.22 - Unauthenticated Arbitrary File Upload vulnerability
Unauthenticated Arbitrary File Upload vulnerability discovered by Jasper Weijts (Onvio) in WordPress Ninja Forms File Uploads Extension premium plugin versions <= 3.0.22. Solution: Update the WordPress Ninja Forms File Uploads Extension premium plugin to the latest available version (at least 3.0.23)...
WordPress WP Google Maps plugin <= 7.10.41 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found by Tim Coen in WordPress WP Google Maps plugin versions <= 7.10.41. Solution: Update the WordPress WP Google Maps plugin to the latest available version (at least 7.10.43)...
WordPress Contact Form Email plugin <= 1.2.65 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found by Tim Coen in WordPress Contact Form Email plugin versions <= 1.2.65. Solution: Update the WordPress Contact Form Email plugin to the latest available version (at least 1.2.66)...
WordPress Google XML Sitemaps plugin <= 4.0.9 - Authenticated Cross-Site Scripting (XSS) vulnerability
Authenticated Cross-Site Scripting (XSS) vulnerability found by takagisan in WordPress Google XML Sitemaps plugin version <= 4.0.9. Solution: Update the WordPress Google XML Sitemaps plugin to the latest available version (at least 4.1.0)...
WordPress <= 5.0 - File Upload to XSS on Apache Web Servers vulnerability
File Upload to XSS on Apache Web Servers vulnerability found by Tim Coen and Slavco in WordPress versions <= 5.0. Solution: Update WordPress to the latest available version (at least 5.0.1)...
WordPress Gift Voucher plugin <=1.0.5 - Authenticated Blind SQL Injection (SQLi) vulnerability
Authenticated Blind SQL Injection (SQLi) vulnerability found by Renos Nikolaou in WordPress Gift Voucher plugin versions <=2.0.1. Solution: 2018.09.01 - we were unable to find information about fixed vulnerability...
WordPress Plainview Activity Monitor plugin <= 20161228 - Remote Command Execution (RCE) vulnerability
Remote Command Execution (RCE) vulnerability found by "aas" in WordPress Plainview Activity Monitor plugin versions <= 20161228. Solution: Update the WordPress Plainview Activity Monitor plugin to the latest available version (at least 20180826)...
WordPress wpForo Forum plugin <=1.4.9 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection via a search with the /forum/ wpfo parameter found by cate4cafe in WordPress wpForo Forum plugin versions <=1.4.9. Solution: Update the WordPress wpForo Forum plugin to the latest available version (at least 1.4.11)...
WordPress Activity Log plugin <=2.4.0 - Multiple Cross-Site Scripting (XSS) vulnerabilities
Multiple Cross-Site Scripting (XSS) vulnerabilities found in WordPress Activity Log plugin versions <=2.4.0. Solution: Update the WordPress Activity Log plugin to the latest available version (at least 2.4.1)...
WordPress Social Media Widget by Acurax plugin <=3.2.5 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found by Panagiotis Vagenas in WordPress Social Media Widget by Acurax plugin versions <=3.2.5. Solution: Update the WordPress Social Media Widget by Acurax plugin to the latest available version (at least 3.2.6)...
WordPress Coming Soon plugin <=1.1.18 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found by d4wner in WordPress Coming Soon plugin versions <=1.1.18. Solution: Update the WordPress Coming Soon plugin to the latest available version (at least 1.1.19)...
WordPress Email Subscribers & Newsletters plugin <=3.4.7 - Missing Function Level Access Control vulnerability
Missing Function Level Access Control vulnerability that causes leakage of subscribers list found by ThreatPress in WordPress Email Subscribers & Newsletters plugin versions <=3.4.7. Solution: Update the WordPress Email Subscribers & Newsletters plugin to the latest available version (at least 3.4.8)...
WordPress SagePay Server Gateway for WooCommerce plugin <=1.0.8 - Unauthenticated Cross-Site Scripting (XSS) vulnerability
Unauthenticated Cross-Site Scripting (XSS) vulnerability found in WordPress SagePay Server Gateway for WooCommerce plugin versions <=1.0.8. Solution: Update the WordPress SagePay Server Gateway for WooCommerce plugin to the latest available version (at least 1.0.9)...
WordPress ImageInject plugin 1.15 - Stored Cross-Site Scripting vulnerability
Stored Cross-Site Scripting vulnerability found by wpl0v3r in WordPress ImageInject plugin version 1.15. Vulnerable via the flickrappid parameter to wp-admin/options-general.php. Solution: 1/9/2018 - we were unable to find a patched version of the plugin. Dangerous to use...
WordPress Affiliate Ads for Clickbank Products plugin <= 1.6 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability found by Neorichi in WordPress Affiliate Ads for Clickbank Products plugin versions <= 1.6. The plugin is vulnerable via the textadsajax.php bordercolor parameter. Solution: Update the WordPress Affiliate Ads for...
WordPress Smart Google Code Inserter plugin <=3.4 - Authorization bypass vulnerability
Authorization bypass vulnerability found by Benjamin Lim in WordPress Smart Google Code Inserter plugin versions <=3.4. Solution: Update the WordPress Smart Google Code Inserter plugin to the latest available version (at least version 3.5)...
WordPress WP Simple Booking Calendar Premium plugin 5.0–5.4 - Unauthenticated Data leak
The booking notes are shown in the source code of the page. Solution: Update the plugin to version 5.5...
WordPress WatuPRO plugin 5.5.1 - SQL Injection vulnerability
SQL Injection vulnerability found by Manich Koomsusi in WatuPRO 5.5.1 WordPress plugin. Data sent with the “watuproquestions” parameter is not sanitized before it is used in an SQL statement. Solution: Update the WatuPRO WordPress plugin to the latest available version (at least 5.5.3.7)...
WordPress plugin WP Support Plus Responsive Ticket System <= 7.1.3 - Privilege Escalation
WordPress plugin WP Support Plus Responsive Ticket System 7.1.3 earlier versions and 7.1.4 vulnerable to privilege escalation. It is possible to log in as any user without knowing the password due to the incorrect usage of "wpsetauthcookie". Solution: Update the plugin to the latest version at least...
WordPress BBS e-Franchise Plugin <= 1.1.1 - SQL Injection
This plugin is prone to an SQL injection vulnerability. It allows an attacker to modify data, compromise the access and application or exploit hidden vulnerabilities in the underlying database. Solution: Update the plugin...
WordPress YITH WooCommerce Compare Plugin <= 2.0.9 - PHP Object injection
Because of this vulnerability, attackers can execute arbitrary PHP code. Solution: Update the plugin...
WordPress W3 Total Cache Plugin <= 0.9.4.1 - Arbitrary File Upload
This plugin is prone to an authenticated arbitrary file upload vulnerability. Solution: Update the plugin...
WordPress Contact Bank Plugin <= 2.1.21 - Cross Site Scripting
Because of this vulnerability, attackers can inject arbitrary JavaScript or HTML code. Solution: Update the plugin...
WordPress Simplified Content Plugin <= 1.0.0 - Reflected XSS
This plugin is prone to a cross-site scripting vulnerability. Solution: Update the plugin...
WordPress Indexisto Plugin <= 1.0.5 - Reflected XSS
This plugin is prone to a cross-site scripting vulnerability. Solution: Upgrade the plugin...
WordPress <= 4.5.2 - Denial of Service Attacks
Because of the oEmbed protocol implementation in WordPress, an attacker can cause a denial of service via unspecified vectors. Solution: Update WordPress...
WordPress EWWW Image Optimizer Plugin <= 2.8.3 - Remote Code Execution
Because of this vulnerability, attackers can create a backdoor or take a site down altogether. Solution: Upgrade this plugin...
WordPress Anti Plagiarism Plugin <= 3.60 - Cross-Site Scripting (XSS)
This plugin is prone to a cross-site scripting vulnerability, because the variable "m" appears to send unsanitized data back to the user's browser. Solution: Update the plugin...
WordPress <= 4.4.1 - SSRF
The vulnerability allows an attacker to conduct server-side request forgery attacks via a zero value in the first octet of an IPv4 address in the "u" parameter to wp-admin/press-this.php. Solution: Update WordPress...
WordPress Booking Calendar Contact Form Plugin 1.1.23 - Unauthenticated SQL Injection
This WordPress Booking Calendar Contact Form plugin's "action=cpabcappointmentscheckIPNverification" parameter is prone to an unauthenticated SQL injection. This vulnerability allows an attacker to modify data, compromise the access and application or exploit hidden vulnerabilities in the...
WordPress Wordfence Plugin <= 5.1.4 - Cross Site Scripting
Because of this vulnerability, attackers can inject arbitrary JavaScript or HTML code. Solution: Update the plugin...