45960 matches found
WordPress Duplicator plugin <= 1.4.7 - Unauthenticated System Information Disclosure vulnerability
Unauthenticated System Information Disclosure vulnerability discovered by Ihsan Sencan in WordPress Duplicator plugin (versions <= 1.4.7). Solution: Update the WordPress Duplicator plugin to the latest available version (at least 1.4.7.1)...
WordPress Rich Reviews by Starfish plugin <= 1.9.14 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to review deletion discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Rich Reviews by Starfish plugin (versions <= 1.9.14). Solution: No patched version available...
WordPress Feed Them Social plugin <= 2.9.9 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Feed Them Social plugin (versions <= 2.9.9). Solution: Update the WordPress Feed Them Social plugin to the latest available version (at least 3.0.1)...
WordPress Team plugin <= 1.2.6 - Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities
Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities were discovered by m0ze (Patchstack) in the WordPress Team plugin (versions <= 1.2.6). Solution: Deactivate and delete. This plugin has been closed as of May 3, 2022 and is not available for download. Reason: Licensing/Trademark...
WordPress mTouch Quiz plugin <= 3.1.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Vinay Varma Mudunuri and Krishna Harsha Kondaveeti in WordPress mTouch Quiz plugin (versions <= 3.1.3). Solution: Deactivate and delete. This plugin has been closed as of July 14, 2022 and is not available for download. This...
WordPress Crowdsignal Polls & Ratings plugin <= 3.0.7 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by ZhongFu Su (JrXnm) of WuHan University in WordPress Crowdsignal Polls & Ratings plugin (versions <= 3.0.7). Solution: Update the WordPress Polldaddy Polls & Ratings plugin to the latest available version (at least 3.0.8)...
WordPress Thinkific Uploader plugin <= 1.0.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Raad Haddad in WordPress Thinkific Uploader plugin (versions <= 1.0.0). Solution: Deactivate and delete. This plugin has been closed as of July 15, 2022 and is not available for download. This closure is temporary, pending a fu...
WordPress Popup Anything plugin <= 2.1.6 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by ZhongFu Su aka JrXnm (WuHan University) in WordPress Popup Anything plugin (versions <= 2.1.6). Solution: Update the WordPress Popup Anything plugin to the latest available version (at least 2.1.7)...
WordPress Popup Builder plugin <= 4.1.11 - Cross-Site Request Forgery (CSRF) leading to plugin settings update
Cross-Site Request Forgery (CSRF) leading to plugin settings update discovered by Rafie Muhammad Yeraisci in WordPress Popup Builder plugin (versions <= 4.1.11). Solution: Update the WordPress Popup Builder plugin to the latest available version (at least 4.1.12)...
WordPress WP Duplicate Page plugin <= 1.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Sachin Bahl (eSec Forte Technologies Pvt Ltd) in WordPress WP Duplicate Page plugin (versions <= 1.2). Solution: Update the WordPress WP Duplicate Page plugin to the latest available version (at least 1.3)...
WordPress Button Widget Smartsoft plugin <= 1.0.1 - Cross-Site Request Forgery (CSRF) vulnerability to Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability to Cross-Site Scripting (XSS) was discovered by Ryo Onodera (Cryptography Laboratory Tokyo Denki University) in the WordPress Button Widget Smartsoft plugin (versions <= 1.0.1). Solution: Deactivate and delete. This plugin has been closed as of June 8, 2022 a...
WordPress Flexible Shipping plugin <= 4.11.8 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScanTeam in WordPress Flexible Shipping plugin (versions <= 4.11.8). Solution: Update the WordPress Flexible Shipping plugin to the latest available version (at least 4.11.9)...
WordPress WordPress Security plugin <= 4.2.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Niraj Mahajan in WordPress WordPress Security plugin (versions <= 4.2.0). Solution: Update the WordPress WordPress Security plugin to the latest available version (at least 4.2.1)...
WordPress miniOrange's Malware Scanner plugin <= 4.5.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Niraj Mahajan in WordPress miniOrange's Malware Scanner plugin (versions <= 4.5.1). Solution: Update the WordPress Malware Scanner plugin to the latest available version (at least 4.5.2)...
WordPress OpenBook Book Data plugin <= 3.5.2 - Arbitrary Settings Update to Stored XSS via CSRF vulnerability
Arbitrary Settings Update to Stored XSS via CSRF vulnerability discovered by Daniel Ruf in WordPress OpenBook Book Data plugin (versions <= 3.5.2). Solution: Deactivate and delete. This plugin has been closed as of May 24, 2022 and is not available for download. This closure is temporary, pending a...
WordPress underConstruction plugin <= 1.19 - Construction Mode Deactivation via Cross-Site Request Forgery (CSRF) vulnerability
Construction Mode Deactivation via Cross-Site Request Forgery (CSRF) vulnerability discovered by Daniel Ruf in WordPress underConstruction plugin (versions <= 1.19). Solution: Update the WordPress underConstruction plugin to the latest available version (at least 1.20)...
WordPress RB Internal Links plugin <= 2.0.16 - Stored Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability
Stored Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability discovered by Daniel Ruf in WordPress RB Internal Links plugin (versions <= 2.0.16). Solution: Deactivate and delete. This plugin has been closed as of May 17, 2022 and is not available for download. This closure is...
WordPress Sideblog plugin <= 6.0 - Arbitrary Settings Update via CSRF to Stored XSS
Arbitrary Settings Update via CSRF to Stored XSS discovered by Daniel Ruf in WordPress Sideblog plugin (versions <= 6.0). Solution: Deactivate and delete. This plugin has been closed as of May 18, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Zephyr Project Manager plugin <= 3.2.40 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Eduardo Estevao de Oliveira Azevedo in WordPress Zephyr Project Manager plugin (versions <= 3.2.40). Solution: Update the WordPress Zephyr Project Manager plugin to the latest available version (at least 3.2.41)...
WordPress Themify – WooCommerce Product Filter plugin <= 1.3.7 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Utkarsh Agrawal in WordPress Themify – WooCommerce Product Filter plugin (versions <= 1.3.7). Solution: Update the WordPress Themify – WooCommerce Product Filter plugin to the latest available version (at least 1.3.8)...
WordPress RSVPMaker plugin <= 9.3.2 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability was discovered by Muhammad Zeeshan (Xib3rR4dAr) in the WordPress RSVPMaker plugin (versions <= 9.3.2). Solution: Update the WordPress RSVPMaker plugin to the latest available version (at least 9.3.3)...
WordPress iQ Block Country plugin <= 1.2.18 - Protection Bypass due to IP Spoofing vulnerability
Protection Bypass due to IP Spoofing vulnerability discovered by Daniel Ruf in WordPress iQ Block Country plugin (versions <= 1.2.18). Solution: Deactivate and delete. This plugin has been closed as of April 20, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress WP Athletics plugin <= 1.1.7 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Wejdan Alomari in WordPress WP Athletics plugin (versions <= 1.1.7). Solution: Deactivate and delete. This plugin has been closed as of April 28, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress amtyThumb plugin <= 4.2.0 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability was discovered by Daniel Krohmer (Fraunhofer IESE, Germany) and Shi Chen (University of Kaiserslautern, Germany) in the WordPress amtyThumb plugin (versions <= 4.2.0). Solution: Deactivate and delete. This plugin has been closed as of May 12, 2022 and is not...
WordPress BannerMan plugin <= 0.2.4 - Multiple Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Stored Cross-Site Scripting (XSS) vulnerabilities were discovered by Fayçal CHENA in the WordPress BannerMan plugin (versions <= 0.2.4). Solution: Deactivate and delete. This plugin has been closed as of April 8, 2022 and is not available for download. This closure is temporary, pending a full...
WordPress WP Slider Plugin <= 1.4.5 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability was discovered by Ngo Van Thien (Patchstack Alliance) in WordPress WP Slider Plugin (versions <= 1.4.5). Solution: No patched version is available. No reply from the vendor...
WordPress Enable SVG plugin <= 1.3.1 - Stored Cross-Site Scripting (XSS) vulnerability via SVG
Stored Cross-Site Scripting (XSS) vulnerability via SVG discovered by Luan Pedersini in WordPress Enable SVG plugin (versions <= 1.3.1). Solution: Update the WordPress Enable SVG plugin to the latest available version (at least 1.4.0)...
WordPress Tripetto plugin <= 5.1.4 - Unauthenticated Cross-Site Scripting (XSS) vulnerability via SVG image upload
Unauthenticated Cross-Site Scripting (XSS) vulnerability via SVG image upload discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Tripetto plugin (versions <= 5.1.4). Solution: Update the WordPress Tripetto plugin to the latest available version (at least 5.2.0)...
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.5.6 - PHP File Upload vulnerability
PHP File Upload vulnerability discovered by Gabriel3476 in WordPress VikBooking Hotel Booking Engine & PMS plugin (versions <= 1.5.6). Solution: Update the WordPress VikBooking Hotel Booking Engine & PMS plugin to the latest available version (at least 1.5.8)...
WordPress MicroPayments plugin <= 1.9.5 - Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability discovered by Kosuke Sakai in WordPress MicroPayments plugin (versions <= 1.9.5). Solution: Update the WordPress MicroPayments plugin to the latest available version (at least 1.9.6)...
WordPress Wbcom BuddyPress Check-ins Pro premium plugin <= 1.3.0 - Arbitrary Plugin Installation, Activation and Deactivation vulnerability
Arbitrary Plugin Installation, Activation and Deactivation vulnerability discovered by Mary JJ Jay in WordPress Wbcom BuddyPress Check-ins Pro premium plugin (versions <= 1.3.0). Solution: Update the WordPress Wbcom BuddyPress Check-ins Pro premium plugin to the latest available version at least 1.4....
WordPress eRoom plugin <= 1.3.8 - Cross-Site Request Forgery (CSRF) vulnerability leading to Cache Deletion
Cross-Site Request Forgery (CSRF) vulnerability leading to Cache Deletion discovered by Ex.Mi (Patchstack) in WordPress eRoom plugin (versions <= 1.3.8). Solution: Update the WordPress eRoom plugin to the latest available version (at least 1.3.9)...
WordPress Plausible Analytics plugin <= 1.2.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by José Aguilera (Patchstack Alliance) in WordPress Plausible Analytics plugin (versions <= 1.2.2). Solution: Update the WordPress Plausible Analytics plugin to the latest available version (at least 1.2.3)...
WordPress SiteGround Security plugin <= 1.2.5 - Authentication Bypass via 2-Factor Authentication Setup vulnerability
Authentication Bypass via 2-Factor Authentication Setup vulnerability discovered by Chloe Chamberland (Wordfence) in WordPress SiteGround Security plugin (versions <= 1.2.5). Solution: Update the WordPress SiteGround Security plugin to the latest available version (at least 1.2.6)...
WordPress Events Shortcodes For The Events Calendar plugin <= 1.9 - Arbitrary Plugin Installation vulnerability
Arbitrary Plugin Installation vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Events Shortcodes For The Events Calendar plugin (versions <= 1.9). Solution: Update the WordPress Events Shortcodes For The Events Calendar plugin to the latest available version (at least 2.0)...
WordPress Text Hover plugin <= 4.1 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Rohan Chaudhari in WordPress Text Hover plugin (versions <= 4.1). Solution: Update the WordPress Text Hover plugin to the latest available version (at least 4.2)...
WordPress Favicon by RealFaviconGenerator plugin <= 1.3.22 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Favicon by RealFaviconGenerator plugin (versions <= 1.3.22). Solution: Update the WordPress Favicon by RealFaviconGenerator plugin to the latest available version (at least 1.3.23)...
WordPress iQ Block Country plugin <= 1.2.12 - Arbitrary File Deletion vulnerability via Zip Slip
Arbitrary File Deletion vulnerability via Zip Slip discovered by Ceylan Bozogullarindan in WordPress iQ Block Country plugin (versions <= 1.2.12). Solution: Update WordPress iQ Block Country plugin to the latest available version (at least 1.2.13)...
WordPress Church Admin plugin <= 3.4.134 - Unauthenticated Plugin's Backup Disclosure vulnerability
Unauthenticated Plugin's Backup Disclosure vulnerability discovered by cydave in WordPress Church Admin plugin (versions <= 3.4.134). Solution: Update the WordPress Church Admin plugin to the latest available version (at least 3.4.135)...
WordPress Menu Image, Icons made easy plugin <= 3.0.7 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Menu Image, Icons made easy plugin (versions <= 3.0.7). Solution: Update the WordPress Menu Image, Icons made easy plugin to the latest available version (at least 3.0.8)...
WordPress Contact Widgets For Elementor plugin <= 1.0.5 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Contact Widgets For Elementor plugin (versions <= 1.0.5). Solution: Update the WordPress Contact Widgets For Elementor plugin to the latest available version (at least 1.0.6)...
WordPress Product Size Charts Plugin for WooCommerce plugin <= 2.2.2 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress Product Size Charts Plugin for WooCommerce plugin (versions <= 2.2.2). Solution: Update the WordPress Product Size Charts Plugin for WooCommerce plugin to the latest available version (at least 2.2.3)...
WordPress WCC SEO Keyword Research plugin <= 1.0.0 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress WCC SEO Keyword Research plugin (versions <= 1.0.0). Solution: No patched version available...
WordPress CartPops – High Converting Add To Cart Popup For WooCommerce plugin <= 1.4.16 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress CartPops – High Converting Add To Cart Popup For WooCommerce plugin (versions <= 1.4.16). Solution: Update the WordPress CartPops – High Converting Add To Cart Popup For WooCommerce plugin to the latest available version at least...
WordPress Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler plugin < 1.4.2 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler plugin (versions < 1.4.2). Solution: Update the WordPress Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler plugin to the latest available version at...
WordPress Media Cloud for Amazon S3, Imgix, Google Cloud Storage, DigitalOcean Spaces and more plugin <= 4.2.37 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Media Cloud for Amazon S3, Imgix, Google Cloud Storage, DigitalOcean Spaces and more plugin (versions <= 4.2.37). Solution: Update the WordPress Media Cloud for Amazon S3, Imgix, Google Cloud Storage, DigitalOcean Spaces and more...
WordPress Panorama Viewer – 360 Degree Image + Video Viewer plugin <= 1.0.7 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress Panorama Viewer – 360 Degree Image + Video Viewer plugin (versions <= 1.0.7). Solution: Update the WordPress Panorama Viewer – 360 Degree Image + Video Viewer plugin to the latest available version at leas...
WordPress "Really Simple Featured Video – Featured video support for Posts, Pages & WooCommerce Products" plugin <= 0.5.1 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress "Really Simple Featured Video – Featured video support for Posts, Pages & WooCommerce Products" plugin (versions <= 0.5.1). Solution: Update the WordPress Really Simple Featured Video – Featured video support for Posts, Pages &...
WordPress "Unlimited Elements For Elementor (Free Widgets, Addons, Templates)" plugin < 1.5.3 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress "Unlimited Elements For Elementor (Free Widgets, Addons, Templates)" plugin (versions < 1.5.3). Solution: Update the WordPress "Unlimited Elements For Elementor (Free Widgets, Addons, Templates)" plugin to the latest available version ...
WordPress Smart Protect plugin <= 1.1 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress Smart Protect plugin (versions <= 1.1). Solution: No patched version available...