WordPress WCFM – Frontend Manager for WooCommerce Plugin <= 6.5.13 is vulnerable to Cross Site Request Forgery (CSRF)

Software WCFM – Frontend Manager for WooCommerce Type Plugin Vulnerable versions = 6.5.13 Fixed in 6.6.0 OWASP Top 10 A5: Broken Access Control Classification Cross Site Request Forgery CSRF CVE CVE-2022-4938 Patch priority Low CVSS severity Low 5.4 Developer Claim ownership PSID 825435f567d9...

WordPress eRoom – Zoom Meetings & Webinar Plugin <= 1.4.6 is vulnerable to Broken Access Control

Software eRoom – Zoom Meetings & Webinar Type Plugin Vulnerable versions = 1.4.6 Fixed in 1.4.7 OWASP Top 10 A5: Broken Access Control Classification Broken Access Control CVE CVE-2022-43472 Patch priority Medium CVSS severity Medium 4.3 Developer Claim ownership PSID 5064cfd61ac8 Credits István...

WordPress ConvertBox Auto Embed WordPress plugin Plugin <= 1.0.19 is vulnerable to Cross Site Scripting (XSS)

Software ConvertBox Auto Embed WordPress plugin Type Plugin Vulnerable versions = 1.0.19 Fixed in 1.0.20 OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2023-23664 Patch priority Low CVSS severity Low 6.5 Developer Claim ownership PSID 859421b50cad Credit...

WordPress Shortcodes Ultimate Plugin < 5.12.8 is vulnerable to Sensitive Data Exposure

Software Shortcodes Ultimate Type Plugin Vulnerable versions 5.12.8 Fixed in 5.12.8 OWASP Top 10 A3: Sensitive Data Exposure Classification Sensitive Data Exposure CVE CVE-2023-0911 Patch priority Low CVSS severity Low 4.3 Developer Claim ownership PSID 466e8901614e Credits Erwan LR WPScan Requir...

WordPress Custom Content Shortcode Plugin <= 4.0.2 is vulnerable to Local File Inclusion

Software Custom Content Shortcode Type Plugin Vulnerable versions = 4.0.2 Fixed in N/A OWASP Top 10 A1: Injection Classification Local File Inclusion CVE CVE-2023-0340 Patch priority Medium CVSS severity Medium 7.1 Developer Claim ownership PSID 54e338b50ba0 Credits Erwan LR WPScan Required...

WordPress Classic Editor and Classic Widgets Plugin <= 1.2.5 is vulnerable to Cross Site Request Forgery (CSRF)

Software Classic Editor and Classic Widgets Type Plugin Vulnerable versions = 1.2.5 Fixed in 1.2.6 OWASP Top 10 A5: Broken Access Control Classification Cross Site Request Forgery CSRF CVE CVE-2023-27434 Patch priority Low CVSS severity Low 4.3 Developer Claim ownership PSID c89f9ac26cdb Credits...

WordPress WP Dynamic Keywords Injector Plugin <= 2.3.15 is vulnerable to Cross Site Request Forgery (CSRF)

Software WP Dynamic Keywords Injector Type Plugin Vulnerable versions = 2.3.15 Fixed in 2.3.16 OWASP Top 10 A5: Broken Access Control Classification Cross Site Request Forgery CSRF CVE CVE-2022-47141 Patch priority Low CVSS severity Low 5.4 Developer Claim ownership PSID c2248ca9d15a Credits...

WordPress CSS JS Manager Plugin <= 2.4.49 is vulnerable to Cross Site Request Forgery (CSRF)

Software CSS JS Manager Type Plugin Vulnerable versions = 2.4.49 Fixed in 2.4.49.1 OWASP Top 10 A5: Broken Access Control Classification Cross Site Request Forgery CSRF CVE CVE-2022-47154 Patch priority Low CVSS severity Low 4.3 Developer Claim ownership PSID d901e9767d13 Credits rezaduty Require...

WordPress Wicked Folders Plugin <= 2.18.16 is vulnerable to Cross Site Request Forgery (CSRF)

Software Wicked Folders Type Plugin Vulnerable versions = 2.18.16 Fixed in 2.18.17 OWASP Top 10 A5: Broken Access Control Classification Cross Site Request Forgery CSRF CVE CVE-2023-0726 Patch priority Low CVSS severity Low 5.4 Developer Claim ownership PSID b813357081c1 Credits Marco Wotschka...

WordPress ContentStudio Plugin < 1.2.6 is vulnerable to Sensitive Data Exposure

Software ContentStudio Type Plugin Vulnerable versions 1.2.6 Fixed in 1.2.6 OWASP Top 10 A3: Sensitive Data Exposure Classification Sensitive Data Exposure CVE CVE-2023-0557 Patch priority Medium CVSS severity Medium 5.3 Developer Claim ownership PSID fbef17e08b06 Credits Chloe Chamberland Requir...

WordPress Bootstrap Shortcodes Plugin <= 3.4.0 is vulnerable to Cross Site Scripting (XSS)

Software Bootstrap Shortcodes Type Plugin Vulnerable versions = 3.4.0 Fixed in N/A OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2022-4777 Patch priority Medium CVSS severity Medium 6.5 Developer Claim ownership PSID b9c1c40bdcb0 Credits István Márton...

WordPress Spotlight Social Media Feeds Plugin < 1.4.3 is vulnerable to Cross Site Scripting (XSS)

Software Spotlight Social Media Feeds Type Plugin Vulnerable versions 1.4.3 Fixed in 1.4.3 OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2023-0379 Patch priority Medium CVSS severity Medium 6.5 Developer Claim ownership PSID 727812743302 Credits Lana...

WordPress Paid Memberships Pro Plugin <= 2.9.7 is vulnerable to SQL Injection

Software Paid Memberships Pro Type Plugin Vulnerable versions = 2.9.7 Fixed in 2.9.8 OWASP Top 10 A1: Injection Classification SQL Injection CVE CVE-2023-23488 Patch priority High CVSS severity High 8.2 Developer Claim ownership PSID ac5e3d7c8149 Credits Joshua Martinelle Required privilege...

WordPress Royal Elementor Addons Plugin <= 1.3.59 is vulnerable to Broken Access Control

Software Royal Elementor Addons Type Plugin Vulnerable versions = 1.3.59 Fixed in 1.3.60 OWASP Top 10 A5: Broken Access Control Classification Broken Access Control CVE CVE-2022-4704 Patch priority Medium CVSS severity Medium 5.4 Developer WProyal PSID 11224a1dc02d Credits Ramuel Gall Required...

WordPress club-theme Theme < 10 is vulnerable to Arbitrary File Upload

Software club-theme Type Theme Vulnerable versions 10 Fixed in N/A OWASP Top 10 A6: Security Misconfiguration Classification Arbitrary File Upload CVE CVE-2022-0316 Patch priority High CVSS severity High 10 Developer Claim ownership PSID c1148e89d858 Credits Joshua Small Required privilege...

WordPress Smart Slider 3 <= 3.5.1.9 - Auth. Stored Cross-Site Scripting (XSS) vulnerability

Auth. Stored Cross-Site Scripting XSS vulnerability discovered by Vlad Vector Patchstack in the WordPress Smart Slider 3 versions = 3.5.1.9. Solution Update the WordPress Smart Slider 3 plugin to the latest available version at least 3.5.1.11...

WordPress SMSA Shipping for WooCommerce premium plugin <= 1.0.4 - Auth. Arbitrary File Download vulnerability

Auth. Arbitrary File Download vulnerability discovered by WPScan in WordPress SMSA Shipping for WooCommerce premium plugin versions = 1.0.4. Solution Update the WordPress SMSA Shipping for WooCommerce plugin to the latest available version at least 1.0.5...

WordPress Welcart e-Commerce plugin <= 2.8.3 - Multiple Auth. Stored Cross-Site Scripting (XSS) vulnerabilities

Multiple Auth. Stored Cross-Site Scripting XSS vulnerabilities discovered by Lana Codes in the WordPress Welcart e-Commerce plugin versions = 2.8.3. Solution Update the WordPress Welcart e-Commerce plugin to the latest available version at least 2.8.4...

WordPress Betheme premium theme <= 26.6.1 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Dave Jong in the WordPress Betheme premium theme versions = 26.6.1. Solution Update the WordPress Betheme theme to the latest available version at least 26.6.3...

WordPress StopBadBots plugin <= 7.23 - Auth. Arbitrary Plugin Installation vulnerability

Auth. Arbitrary Plugin Installation vulnerability discovered by Lana Codes in WordPress StopBadBots plugin versions = 7.23. Solution Update the WordPress StopBadBots plugin to the latest available version at least 7.24...

WordPress Plugin for Google Reviews plugin <= 2.2.2 - Auth. Broken Access Control vulnerability

Auth. Broken Access Control vulnerability leading to arbitrary feed creation discovered by Tien Nguyen Anh Patchstack Alliance in the WordPress Plugin for Google Reviews plugin versions = 2.2.2. Solution Update the WordPress Plugin for Google Reviews plugin to the latest available version at leas...

WordPress Chameleon plugin <= 1.4.3 - Auth. Stored Cross-Site Scripting (XSS) vulnerability

Auth. Stored Cross-Site Scripting XSS vulnerability discovered by Hoang Van Hiep aka sk4rl1ghT Patchstack Alliance in the WordPress Chameleon plugin versions = 1.4.3. Solution Update the WordPress Chameleon plugin to the latest available version at least 1.4.4...

WordPress Export customers list csv for WooCommerce plugin <= 2.0.64 - CSV Injection vulnerability

CSV Injection vulnerability discovered by Francesco Carlucci in WordPress Export customers list csv for WooCommerce plugin versions = 2.0.64. Solution Update the WordPress Export customers list csv for WooCommerce plugin to the latest available version at least 2.0.69...

WordPress Subscribe to Category plugin <= 2.7.3 - Auth. Broken Access Control vulnerability

Auth. Broken Access Control vulnerability discovered by Nguyen Anh Tien Patchstack Alliance in the WordPress Subscribe to Category plugin versions = 2.7.1. Solution No patched version is available. No reply from the vendor...

WordPress Restaurant Menu <= 2.3.0 - Missing Authorization on AJAX Actions vulnerability

Missing Authorization on AJAX Actions vulnerability discovered by ptsfence in WordPress Restaurant Menu versions = 2.3.0. Solution Update the WordPress Restaurant Menu – Food Ordering System – Table Reservation plugin to the latest available version at least 2.3.1...

WordPress Five Star Restaurant Reservations plugin <= 2.4.11 - Unauth. Arbitrary Payment Status Update leading to Stored Cross-Site Scripting (XSS) vulnerability

Unauth. Arbitrary Payment Status Update leading to Stored Cross-Site Scripting XSS vulnerability discovered by Krzysztof Zając in WordPress Five Star Restaurant Reservations plugin versions = 2.4.11. Solution Update the WordPress Five Star Restaurant Reservations plugin to the latest available...

WordPress WP Best Quiz plugin <= 1.0 - Auth. Stored Cross-Site Scripting (XSS) vulnerability

Auth. Stored Cross-Site Scripting XSS vulnerability discovered by Alpaca in WordPress WP Best Quiz plugin versions = 1.0. Solution No patched version available...

WordPress Easy Digital Downloads plugin <= 3.1.0.1.1 - Unauth. CSV Injection vulnerability

Unauth. CSV Injection vulnerability discovered by Francesco Carlucci in WordPress Easy Digital Downloads plugin versions = 3.1.0.1.1. Solution Update the WordPress Easy Digital Downloads plugin to the latest available version at least 3.1.0.2...

WordPress Log HTTP Requests plugin <= 1.3.1 - Stored Cross-Site Scripting (XSS) vulnerability

Stored Cross-Site Scripting XSS vulnerability discovered by Etan Imanol Castro Aldrete in WordPress Log HTTP Requests plugin versions = 1.3.1. Solution Update the WordPress Log HTTP Requests plugin to the latest available version at least 1.3.2...

WordPress core <= 6.0.2 - Data Exposure vulnerability via REST API

Data Exposure vulnerability via REST API discovered by Than Taintor in WordPress core versions = 6.0.2. Solution Update the WordPress to the latest available version at least 6.0.3...

WordPress FluentForm plugin <= 4.3.12 - CSV Injection vulnerability

CSV Injection vulnerability discovered by Francesco Carlucci in WordPress FluentForm plugin versions = 4.3.12. Solution Update the WordPress Contact Form Plugin plugin to the latest available version at least 4.3.13...

WordPress Complianz plugin 6.3.3 - Auth. SQL Injection (SQLi) vulnerability

Auth. SQL Injection SQLi vulnerability discovered by Sakri Rafael Koskimies saggre in the WordPress Complianz plugin versions 6.3.3. Solution Update the WordPress Complianz – GDPR/CCPA Cookie Consent plugin to the latest available version at least 6.3.4...

WordPress Easy WP SMTP plugin <= 1.4.9 - Auth. PHP Objection Injection vulnerability

Auth. PHP Objection Injection vulnerability discovered by Nguyen Duy Quoc Khanh in WordPress Easy WP SMTP plugin versions = 1.4.9. Solution Update the WordPress Easy WP SMTP plugin to the latest available version at least 1.5.0...

WordPress WP Humans.txt plugin <= 1.0.6 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by Rahul Selvakumar in WordPress WP Humans.txt plugin versions = 1.0.6. Solution Deactivate and delete. This plugin has been closed as of October 3, 2022 and is not available for download. This closure is temporary, pending a...

WordPress Tutor LMS plugin <= 2.0.9 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by lucy in WordPress Tutor LMS plugin versions = 2.0.9. Solution Update the WordPress Tutor LMS plugin to the latest available version at least 2.0.10...

WordPress Customer Reviews for WooCommerce plugin <= 5.3.5 - Sensitive Information Disclosure vulnerability

Sensitive Information Disclosure vulnerability was discovered by Muhammad Daffa Patchstack Alliance in the WordPress Customer Reviews for WooCommerce plugin versions = 5.3.5. Solution Update the WordPress Customer Reviews for WooCommerce plugin to the latest available version at least 5.3.6...

WordPress We’re Open! plugin <= 1.41 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by Asif Nawaz Minhas in WordPress We’re Open! plugin versions = 1.41. Solution Update the WordPress We’re Open! plugin to the latest available version at least 1.42...

WordPress reSmush.it Image Optimizer plugin <= 0.4.5 - Authenticated Cross-Site Scripting (XSS) vulnerability

Authenticated Cross-Site Scripting XSS vulnerability discovered by Raad Haddad Cloudyrion GmbH in WordPress reSmush.it Image Optimizer plugin versions = 0.4.5. Solution Update the WordPress reSmush.it plugin to the latest available version at least 0.4.6...

WordPress CPO Shortcodes plugin <= 1.5.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by ptsfence Patchstack Alliance in WordPress CPO Shortcodes plugin versions = 1.5.0 . Solution Deactivate and delete. This plugin has been closed as of September 14, 2022 and is not available for download. This closure is...

WordPress Wordfence Security – Firewall & Malware Scan plugin <= 7.6.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by Ori Gabriel in WordPress Wordfence Security – Firewall & Malware Scan plugin versions = 7.6.0. Solution Update the WordPress Wordfence plugin to the latest available version at least 7.6.1...

WordPress Torro Forms plugin <= 1.0.16 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by Ngo Van Thien Patchstack Alliance in WordPress Torro Forms plugin versions = 1.0.16. Solution Deactivate and delete. No reply from the vendor...

WordPress WHA Crossword plugin <= 1.1.10 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities

Multiple Authenticated Stored Cross-Site Scripting XSS vulnerabilities were discovered by Vlad Vector Patchstack in the WordPress WHA Crossword plugin versions = 1.1.10. Solution Deactivate and delete. No reply from the vendor...

WordPress Bitcoin Satoshi Tools plugin <= 1.7.0 - Unauthorized AJAX Call to Stored Cross-Site Scripting (XSS) vulnerability

Unauthorized AJAX Call to Stored Cross-Site Scripting XSS vulnerability discovered by Lana Codes in WordPress Bitcoin Satoshi Tools plugin versions = 1.7.0 Solution Deactivate and delete. This plugin has been closed as of August 29, 2022 and is not available for download. This closure is temporar...

WordPress WP Shop plugin <= 3.9.6 - Unauthenticated Plugin Settings Change & Data Deletion vulnerabilities

Unauthenticated Plugin Settings Change & Data Deletion vulnerabilities were discovered by ptsfence Patchstack Alliance in the WordPress WP Shop plugin versions = 3.9.6. Solution Deactivate and delete. No reply from the vendor...

WordPress WP Users Exporter plugin <= 1.4.2 - CSV Injection vulnerability

CSV Injection vulnerability discovered by Zhouyuan Yang in WordPress WP Users Exporter plugin versions = 1.4.2. Solution Deactivate and delete. This plugin has been closed as of January 8, 2020 and is not available for download. Reason: Security Issue...

WordPress WPvivid Backup plugin 0.9.76 - Authenticated Arbitrary File Deletion vulnerability

Authenticated Arbitrary File Deletion vulnerability discovered by WPScan in WordPress WPvivid Backup plugin versions 0.9.76. Solution Update the WordPress WPvivid Backup and Migration plugin to the latest available version at least 0.9.77...

WordPress Launcher: Coming Soon & Maintenance Mode plugin <= 1.0.11 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by Asif Nawaz Minhas Patchstack Alliance in WordPress Launcher: Coming Soon & Maintenance Mode plugin versions = 1.0.11. Solution No patched version is available. Ignored by the vendor...

WordPress Poll, Survey, Questionnaire and Voting system plugin <= 1.7.4 - Authenticated Cross-Site Scripting (XSS) vulnerability

Authenticated Cross-Site Scripting XSS vulnerability discovered by Kim Jong Min aka Universe Patchstack Alliance in WordPress Poll, Survey, Questionnaire and Voting system plugin versions = 1.7.4. Solution No patched version available...

WordPress Gallery PhotoBlocks plugin <= 1.2.6 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities

Multiple Authenticated Stored Cross-Site Scripting XSS vulnerabilities were discovered by Ngo Van Thien Patchstack Alliance in the WordPress Gallery PhotoBlocks plugin versions = 1.2.6. Solution Deactivate and delete. This plugin has been closed as of August 10, 2022 and is not available for...

WordPress Export All URLs plugin <= 4.3 - Authenticated Arbitrary System File Removal vulnerability

Authenticated Arbitrary System File Removal vulnerability discovered by Raad Haddad in WordPress Export All URLs plugin versions = 4.3. Solution Update the WordPress Export All URLs plugin to the latest available version at least 4.4...