WordPress Side Cart Woocommerce (Ajax) plugin <= 2.0 - Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary Options Update
Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary Options Update discovered by Chloe Chamberland in WordPress Side Cart Woocommerce (Ajax) plugin versions <= 2.0. Solution: Update the WordPress Side Cart Woocommerce (Ajax) plugin to the latest available version (at least 2.1)...
WordPress Permalink Manager Lite plugin <= 2.2.14 - Unauthorized Reflected Cross-Site Scripting (XSS) vulnerability
Unauthorized Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Permalink Manager Lite plugin versions <= 2.2.14. Solution: Update the WordPress Permalink Manager Lite plugin to the latest available version (at least 2.2.15)...
WordPress WP Ultimate CSV Importer plugin <= 6.4 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered in WordPress WP Ultimate CSV Importer plugin versions <= 6.4. Solution: Update the WordPress WP Ultimate CSV Importer plugin to the latest available version (at least 6.4.1)...
WordPress NextScripts plugin <= 4.3.24 - Post Deletion via Cross-Site Request Forgery (CSRF) vulnerability
Post Deletion via Cross-Site Request Forgery (CSRF) vulnerability discovered by Krzysztof Zając in WordPress NextScripts plugin versions <= 4.3.24. Solution: Update the WordPress NextScripts plugin to the latest available version (at least 4.3.25)...
WordPress AF Companion plugin <= 1.1.2 - Arbitrary Plugin Installation and Activation via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Plugin Installation and Activation via Cross-Site Request Forgery (CSRF) vulnerability discovered by WPScanTeam in WordPress AF Companion plugin versions <= 1.1.2. Solution: Update the WordPress AF Companion plugin to the latest available version (at least 1.2.0)...
WordPress Brovy theme <= 1.3 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress Brovy theme versions <= 1.3. This theme uses a vulnerable piece of code related to previously identified vulnerability - CVE-2021-39317. Solution: Deactivate and delete. The vendor ignores the...
WordPress PHP Everywhere plugin <= 2.0.2 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by Rasi Afeef in WordPress PHP Everywhere plugin versions <= 2.0.2. Solution: Update the WordPress PHP Everywhere plugin to the latest available version (at least 2.0.3)...
WordPress Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue plugin <= 3.1.24 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered in WordPress Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue plugin versions <= 3.1.24. Solution: Update the WordPress Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue plugin to the latest available...
WordPress Simple Image Gallery plugin <= 1.0.6 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress Simple Image Gallery plugin versions <= 1.0.6. Solution: Deactivate and delete. This plugin has been closed as of December 3, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress WP Google Map plugin <= 1.8.0 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by Nguyen Van Khanh (Patchstack Red Team project) in WordPress WP Google Map plugin versions <= 1.8.0. Solution: Update the WordPress WP Google Map plugin to the latest available version (at least 1.8.1)...
WordPress Post Duplicator plugin <= 2.26 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Cyber Security Works Pvt. Ltd in WordPress Post Duplicator plugin versions <= 2.26. Solution: Update the WordPress Post Duplicator plugin to the latest available version (at least 2.27)...
WordPress Download Manager plugin <= 3.2.21 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Download Manager plugin versions <= 3.2.21. Solution: Update the WordPress Download Manager plugin to the latest available version (at least 3.2.22)...
WordPress Contact Form With Captcha plugin <= 1.6.7 - Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by Yuga Futatsuki (Cryptography Laboratory in Tokyo Denki University) in WordPress Contact Form With Captcha plugin versions <= 1.6.7. Solution: Update the WordPress Contact Form With Captcha plugin to...
WordPress AccessPress Root theme <= 2.5 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress AccessPress Root theme versions <= 2.5. This theme uses a vulnerable piece of code related to previously identified vulnerability - CVE-2021-39317. Solution: Deactivate and delete. The vendor...
WordPress Punte theme <= 1.1.2 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress Punte theme versions <= 1.1.2. This theme uses a vulnerable piece of code related to previously identified vulnerability - CVE-2021-39317. Solution: Deactivate and delete. The vendor ignores the...
WordPress IDPay for Contact Form 7 plugin <= 2.1.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Jeremie Amsellem in WordPress IDPay for Contact Form 7 plugin versions <= 2.1.2. Solution: Deactivate and delete. This plugin has been closed as of November 23, 2021 and is not available for download. Reason: Security Issue...
WordPress Logo Carousel plugin <= 3.4.1 - Unauthorized Private Post Access vulnerability
Unauthorized Private Post Access vulnerability discovered by apple502j in WordPress Logo Carousel plugin versions <= 3.4.1. Solution: Update the WordPress Logo Carousel plugin to the latest available version (at least 3.4.2)...
WordPress Quotes Collection plugin <= 2.5.2 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by JrXnm in WordPress Quotes Collection plugin versions <= 2.5.2. Solution: Deactivate and delete. This plugin has been closed as of October 13, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress Like Button Rating plugin <= 2.6.37 - Unauthorized Vote Export to Email & IP Addresses Disclosure vulnerability
Unauthorized Vote Export to Email & IP Addresses Disclosure vulnerability discovered by Krzysztof Zając in WordPress Like Button Rating plugin versions <= 2.6.37. Solution: Update the WordPress Like Button Rating plugin to the latest available version (at least 2.6.38)...
WordPress Registrations for the Events Calendar plugin <= 2.7.5 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by Krzysztof Zając in WordPress Registrations for the Events Calendar plugin versions <= 2.7.5. Solution: Update the WordPress Registrations for the Events Calendar plugin to the latest available version (at least 2.7.6)...
WordPress WP Data Access plugin <= 4.3.1 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by JrXnm in WordPress WP Data Access plugin versions <= 4.3.1. Solution: Update the WordPress WP Data Access plugin to the latest available version (at least 5.0.0)...
WordPress Registrations for the Events Calendar plugin <= 2.7.4 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress Registrations for the Events Calendar plugin versions <= 2.7.4. Solution: Update the WordPress Registrations for the Events Calendar plugin to the latest available version (at least 2.7.5)...
WordPress eCommerce Product Catalog plugin <= 3.0.38 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress eCommerce Product Catalog plugin versions <= 3.0.38. Solution: Update the WordPress eCommerce Product Catalog plugin to the latest available version (at least 3.0.39)...
WordPress Elementor Website Builder plugin <= 3.1.3 - DOM Cross-Site Scripting (XSS) vulnerability
DOM Cross-Site Scripting (XSS) vulnerability discovered by Joel in WordPress Elementor Website Builder plugin versions <= 3.1.3. Solution: Update the WordPress Elementor Website Builder plugin to the latest available version (at least 3.1.4)...
WordPress BetterLinks plugin <= 1.2.5 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Huy Nguyen in WordPress BetterLinks plugin versions <= 1.2.5. Solution: Update the WordPress BetterLinks plugin to the latest available version (at least 1.2.6)...
WordPress HAL plugin <= 2.1.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Thinkland Security Team in WordPress HAL plugin versions <= 2.1.1. Solution: Update the WordPress HAL plugin to the latest available version (at least 2.2)...
WordPress Brizy – Page Builder plugin <= 2.3.11 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ramuel Gall (WordFence) in WordPress Brizy – Page Builder plugin versions <= 2.3.11. Solution: Update the WordPress Brizy – Page Builder plugin to the latest available version (at least 2.3.12)...
WordPress Qwizcards plugin <= 3.61 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Shivam Rai in WordPress Qwizcards plugin versions <= 3.61. Solution: Update the WordPress Qwizcards plugin to the latest available version (at least 3.62)...
WordPress 3DPrint Lite plugin <= 1.9.1.5 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScanTeam in WordPress 3DPrint Lite plugin versions <= 1.9.1.5. Solution: Update the WordPress 3DPrint Lite plugin to the latest available version (at least 1.9.1.6)...
WordPress WPSchoolPress plugin <= 2.1.16 - Multiple Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Stored Cross-Site Scripting (XSS) vulnerabilities were discovered by Davide Taraschi in the WordPress WPSchoolPress plugin versions <= 2.1.16. Solution: Update the WordPress WPSchoolPress plugin to the latest available version (at least 2.1.17)...
WordPress MAZ Loader plugin <= 1.3.2 - SQL Injection (SQLi) vulnerabilities
SQL Injection (SQLi) vulnerabilities discovered by apple502j in WordPress MAZ Loader plugin versions <= 1.3.2. Solution: Update the WordPress MAZ Loader plugin to the latest available version (at least 1.3.3)...
WordPress Booking.com Product Helper plugin <= 1.0.1 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas in WordPress Booking.com Product Helper plugin versions <= 1.0.1. Solution: Update the WordPress Booking.com Product Helper plugin to the latest available version (at least 1.0.2)...
WordPress Far Future Expiry Header plugin <= 1.4 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by apple502j in WordPress Far Future Expiry Header plugin versions <= 1.4. Solution: Update the WordPress Far Future Expiry Header plugin to the latest available version...
WordPress BP Better Messages plugin <= 1.9.9.37 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Brandon Roldan in WordPress BP Better Messages plugin versions <= 1.9.9.37. Solution: Update the WordPress BP Better Messages plugin to the latest available version or at least to the version 1.9.9.41...
WordPress YITH Maintenance Mode plugin <= 1.3.8 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by Vlad Visse (Patchstack) in WordPress YITH Maintenance Mode plugin versions <= 1.3.8. Additionally, there are 46 additional parameters fixed that were missed by updating from vulnerable version 1.3.7 to 1.3.8 reporte...
WordPress To Top plugin <= 2.2.2 - Unauthorized Plugin Setting Change vulnerability
Unauthorized Plugin Setting Change vulnerability discovered by apple502j in WordPress To Top plugin versions <= 2.2.2. Solution: Update the WordPress To Top plugin to the latest available version (at least 2.3)...
WordPress Generate Child Theme plugin <= 1.5.3 - Unauthorized Plugin Setting Change vulnerability
Unauthorized Plugin Setting Change vulnerability discovered by apple502j in WordPress Generate Child Theme plugin versions <= 1.5.3. Solution: Update the WordPress Generate Child Theme plugin to the latest available version (at least 1.6)...
WordPress YITH Maintenance Mode plugin <= 1.3.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas (Patchstack Red Team) in WordPress YITH Maintenance Mode plugin versions <= 1.3.7. Vulnerable parameter: &yithmaintenancenewslettersubmitlabel. Solution: Update the WordPress YITH Maintenance Mode plugin to th...
WordPress Shared Files plugin <= 1.6.56 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Shivam Rai in WordPress Shared Files plugin versions <= 1.6.56. Solution: Update the WordPress Shared Files plugin to the latest available version (at least 1.6.57)...
WordPress DearFlip plugin <= 1.7.9 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by apple502j in WordPress DearFlip plugin versions <= 1.7.9. Solution: Update the WordPress DearFlip plugin to the latest available version (at least 1.7.10)...
WordPress Appointment Hour Booking plugin <= 1.3.16 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Shivam Rai in WordPress Appointment Hour Booking plugin versions <= 1.3.16. Solution: Update the WordPress Appointment Hour Booking plugin to the latest available version (at least 1.3.17)...
WordPress StopBadBots plugin <= 6.59 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Martin Vierula (Trustwave) in WordPress StopBadBots plugin versions <= 6.59. Solution: Update the WordPress StopBadBots plugin to the latest available version (at least 6.60)...
WordPress MoolaMojo plugin <= 0.7.4.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress MoolaMojo plugin versions <= 0.7.4.1. Solution: This plugin has been closed as of September 7, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress InviteBox Plugin for viral Refer-a-Friend Promotions <= 1.4.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress InviteBox Plugin for viral Refer-a-Friend Promotions versions <= 1.4.1. Solution: This plugin has been closed as of September 7, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress Enfold premium theme <= 4.8.3 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by David Álvarez Robles, Francisco Díaz-Pache Alonso & Sergio Corral Cristo in WordPress Enfold premium theme versions <= 4.8.3. Solution: Update the WordPress Enfold premium theme to the latest available version (at least 4.8.4)...
WordPress Booster for WooCommerce plugin <= 5.4.3 - Authentication Bypass vulnerability
Authentication Bypass vulnerability discovered by Chloe Chamberland (WordFence) in WordPress Booster for WooCommerce plugin versions <= 5.4.3. Solution: Update the WordPress Booster for WooCommerce plugin to the latest available version (at least 5.4.4)...
WordPress WP SEO Tags plugin <= 2.2.7 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress WP SEO Tags plugin versions <= 2.2.7. Solution: This plugin has been closed as of August 12, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress WP Fountain plugin <= 1.5.9 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress WP Fountain plugin versions <= 1.5.9. Solution: This plugin has been closed as of August 12, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress Scribble Maps plugin <= 1.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress Scribble Maps plugin versions <= 1.2. Solution: This plugin has been closed as of August 12, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress WP Fusion Lite plugin <= 3.37.18 - Cross-Site Request Forgery (CSRF) vulnerability leading to Data Deletion
Cross-Site Request Forgery (CSRF) vulnerability leading to Data Deletion discovered by Xu-Liang Liao in WordPress WP Fusion Lite plugin versions <= 3.37.18. Solution: This plugin has been closed as of August 6, 2021 and is not available for download. This closure is temporary, pending a full review...