WordPress uListing plugin <= 2.0.5 - Authenticated Insecure Direct Object References (IDOR) vulnerability

Authenticated Insecure Direct Object References IDOR vulnerability discovered by m0ze Patchstack Red Team in WordPress uListing plugin versions = 2.0.5. Solution Update the WordPress uListing plugin to the latest available version at least 2.0.6...

WordPress Simple Banner plugin <= 2.10.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by Asif Nawaz Minhas in WordPress Simple Banner plugin versions = 2.10.3. Solution Update the WordPress Simple Banner plugin to the latest available version at least 2.10.4...

WordPress Post Index plugin <= 0.7.5 - Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS)

Cross-Site Request Forgery CSRF vulnerability leading to Stored Cross-Site Scripting XSS discovered by Kentaro Kuroki Cryptography Laboratory - Tokyo Denki University in WordPress Post Index plugin versions = 0.7.5. Solution This plugin has been closed as of July 20, 2021 and is not available for...

WordPress Simple Events Calendar plugin <= 1.4.0 - Authenticated SQL Injection (SQLi) vulnerability

Authenticated SQL Injection SQLi vulnerability discovered by Shreya Pohekar in WordPress Simple Events Calendar plugin versions = 1.4.0. Solution This plugin has been closed as of June 2, 2021 and is not available for download. Reason: Security Issue...

WordPress Alipay plugin <= 3.7.2 - Authenticated SQL Injection (SQLi) vulnerability

Authenticated SQL Injection SQLi vulnerability discovered by Syed Sheeraz Ali Codevigilant in WordPress Alipay plugin versions = 3.7.2. Solution Deactivate and delete. This plugin has been closed as of May 13, 2021 and is not available for download. Reason: Security Issue...

WordPress Wonder PDF Embed plugin <= 1.6 - Stored Cross-Site Scripting (XSS) vulnerability

Stored Cross-Site Scripting XSS vulnerability discovered by apple502j in WordPress Wonder PDF Embed plugin versions = 1.6. Solution Update the WordPress Wonder PDF Embed plugin to the latest available version at least 1.7...

WordPress Handsome Testimonials & Reviews <= 2.1.0 - Authenticated SQL Injection (SQLi) vulnerability

Authenticated SQL Injection SQLi vulnerability discovered by Shreya Pohekar Codevigilant Project in WordPress Handsome Testimonials & Reviews versions = 2.1.0. Solution Update the WordPress Handsome Testimonials & Reviews to the latest available version at least 2.1.1...

WordPress Survey Maker plugin <= 1.5.5 - Authenticated Blind SQL Injection (SQLi) vulnerability

Authenticated Blind SQL Injection SQLi vulnerability discovered by To Quang Duong in WordPress Survey Maker plugin versions = 1.5.5. Solution Update the WordPress Survey Maker plugin to the latest available version at least 1.5.6...

WordPress Poll Maker plugin <= 3.2.0 - Authenticated Blind SQL Injection (SQLi) vulnerability

Authenticated Blind SQL Injection SQLi vulnerability discovered by To Quang Duong in WordPress Poll Maker plugin versions = 3.2.0. Solution Update the WordPress Poll Maker plugin to the latest available version at least 3.2.1...

WordPress Fudousan Pro (single) premium plugin <= 5.7.0 - Authenticated Cross-Site Scripting (XSS) vulnerability

Authenticated Cross-Site Scripting XSS vulnerability discovered by Yu Iwama in WordPress Fudousan Pro single premium plugin versions = 5.7.0. Solution Update the WordPress Fudousan Pro single premium plugin to the latest available version at least 5.7.2...

WordPress Staff Directory Plugin: Company Directory <= 3.6 - Cross-Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery CSRF vulnerability discovered by Jerome Bruandet NinTechNet in WordPress Staff Directory Plugin: Company Directory versions = 3.6. Solution Update the WordPress Staff Directory Plugin: Company Directory to the latest available version at least 4.0...

WordPress Advanced Popups plugin <= 1.1.1 - Cross-Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery CSRF vulnerability discovered by Jerome Bruandet NinTechNet in WordPress Advanced Popups plugin versions = 1.1.1. Solution Update the WordPress Advanced Popups plugin to the latest available version at least 1.1.2...

WordPress Welcart e-Commerce plugin <= 2.2.3 - Cross-Site Scripting (XSS) vulnerability

Cross-Site Scripting XSS vulnerability discovered by Yu Iwama in WordPress Welcart e-Commerce plugin versions = 2.2.3. Solution Update the WordPress Welcart e-Commerce plugin to the latest available version at least 2.2.4...

WordPress WP Hardening plugin <= 1.2.1 - Reflected Cross-Site Scripting (XSS) vulnerability

Reflected Cross-Site Scripting XSS vulnerability discovered by dc11 in WordPress WP Hardening plugin versions = 1.2.1. Solution Update the WordPress WP Hardening plugin to the latest available version at least 1.2.2...

WordPress Instant Images – One Click Unsplash Uploads plugin <= 4.4.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by m0ze in WordPress Instant Images – One Click Unsplash Uploads plugin versions = 4.4.0. Solution Update the WordPress Instant Images – One Click Unsplash Uploads plugin to the latest available version at least 4.4.0.1...

WordPress Redirection for Contact Form 7 plugin <= 2.3.3 - Unprotected AJAX Actions vulnerability

Unprotected AJAX Actions vulnerability discovered by WordFence in WordPress Redirection for Contact Form 7 plugin versions = 2.3.3. Solution Update the WordPress Redirection for Contact Form 7 plugin to the latest available version at least 2.3.4...

WordPress Contact Form by Supsystic plugin <= 1.7.14 - Reflected Cross-Site Scripting (XSS) vulnerability

Reflected Cross-Site Scripting XSS vulnerability discovered by 0xB9 in WordPress Contact Form by Supsystic plugin versions = 1.7.14. Solution Update the WordPress Contact Form by Supsystic plugin to the latest available version at least 1.7.15...

WordPress QIWI for WooCommerce plugin <= 0.0.9 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability

Unauthenticated Reflected Cross-Site Scripting XSS vulnerability discovered by Frank Liauw in WordPress QIWI for WooCommerce plugin versions = 0.0.9. Solution This plugin has been closed as of April 12, 2021 and is not available for download. This closure is temporary, pending a full review...

WordPress HT Mega plugin <= 1.5.5 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities

Multiple Authenticated Stored Cross-Site Scripting XSS vulnerabilities discovered by WordFence in WordPress HT Mega plugin versions = 1.5.5. Solution Update the WordPress HT Mega plugin to the latest available version at least 1.5.7...

WordPress Business Directory Plugin <= 5.11.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by 0xB9 in WordPress Business Directory Plugin versions = 5.11.1. Solution Update the WordPress Business Directory Plugin to the latest available version at least 5.11.2...

WordPress WP Page Builder plugin <= 1.2.3 - Multiple Stored Cross-Site Scripting (XSS) vulnerabilities

Multiple Stored Cross-Site Scripting XSS vulnerabilities discovered by WordFence in WordPress WP Page Builder plugin versions = 1.2.3. Solution Update the WordPress WP Page Builder plugin to the latest available version at least 1.2.4...

WordPress Business Hours Pro plugin <= 5.5.0 - Unauthenticated Arbitrary File Upload vulnerability leading to Remote Code Execution (RCE)

Unauthenticated Arbitrary File Upload vulnerability leading to Remote Code Execution RCE discovered by Harald Eilertsen in WordPress Business Hours Pro plugin versions = 5.5.0. Solution No patched version is available. Deactivate and delete...

WordPress Advanced Booking Calendar plugin <= 1.6.7 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability

Authenticated Reflected Cross-Site Scripting XSS vulnerability discovered by iohex in WordPress Advanced Booking Calendar plugin versions = 1.6.7. Solution Update the WordPress Advanced Booking Calendar plugin to the latest available version at least 1.6.8...

WordPress WP-Curriculo Vitae Free plugin <= 6.3 - Unauthenticated Arbitrary File Upload vulnerability leading to Remote Code Execution (RCE)

Unauthenticated Arbitrary File Upload vulnerability leading to Remote Code Execution RCE discovered by Jin Huang in WordPress WP-Curriculo Vitae Free plugin versions = 6.3. Solution Plugin closed. Deactivate and delete...

WordPress Patreon WordPress plugin <= 1.6.9 - Cross-Site Request Forgery (CSRF) vulnerability allowing disconnection of the website from Patreon

Cross-Site Request Forgery CSRF vulnerability allowing disconnection of the website from Patreon discovered by Jetpack Scan team in WordPress Patreon WordPress plugin versions = 1.6.9. Solution Update the WordPress Patreon WordPress plugin to the latest available version at least 1.7.0...

WordPress Bello - Directory & Listing premium theme <= 1.5.9 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability

Unauthenticated Reflected Cross-Site Scripting XSS vulnerability discovered by m0ze Patchstack Red Team in WordPress Bello - Directory & Listing premium theme versions = 1.5.9. Solution Update the WordPress Bello - Directory & Listing premium theme to the latest available version at least 1.6.0...

WordPress Mediumish premium theme <= 1.0.47 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability

Unauthenticated Reflected Cross-Site Scripting XSS vulnerability discovered by m0ze in WordPress Mediumish premium theme versions = 1.0.47. Solution No information about the patched version available...

WordPress Database Backups plugin <= 1.2.2.6 - Cross-Site Request Forgery (CSRF) vulnerability leading to backup download

Cross-Site Request Forgery CSRF vulnerability leading to backup download discovered by 0xB9 in WordPress Database Backups plugin versions = 1.2.2.6. Solution 2021-03-18 - we were unable to find a patched version of this plugin. WordPress.org plugin repository notice: "This plugin has been closed ...

WordPress Map Block for Google Maps plugin <= 1.31 - Google API Key Manipulation vulnerability

Google API Key Manipulation vulnerability found in WordPress Map Block for Google Maps plugin versions = 1.31. Solution Update the WordPress Map Block for Google Maps plugin to the latest available version at least 1.32...

WordPress WP Database Reset plugin <= 3.1 - Unauthenticated Database Reset vulnerability

Unauthenticated Database Reset vulnerability discovered by WordFence in WordPress WP Database Reset plugin versions = 3.1. Solution Update the WordPress WP Database Reset plugin to the latest available version at least 3.15...

WordPress Name Directory plugin <= 1.17.4 - Cross-Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery CSRF vulnerability found by Yuta in WordPress Name Directory plugin versions = 1.17.4. Solution Update the WordPress Name Directory plugin to the latest available version at least 1.18...

WordPress EasyBook premium theme <= 1.2.1 - Persistent Cross-Site Scripting (XSS) vulnerability

Persistent Cross-Site Scripting XSS vulnerability discovered by m0ze in WordPress EasyBook premium theme versions = 1.2.1. Solution Update the WordPress EasyBook premium theme to the latest available version at least 1.2.2...

WordPress Easy WP SMTP plugin <= 1.4.2 - Unauthenticated Admin Password Reset

Unauthenticated Admin Password Reset vulnerability found by mathieg2 in WordPress Easy WP SMTP plugin versions = 1.4.2. Solution Update the WordPress Easy WP SMTP plugin to the latest available version at least 1.4.3. Attention! Please make sure you have a directory listing disabled since it coul...

WordPress Themify Portfolio Post plugin <= 1.1.5 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

Authenticated Stored Cross-Site Scripting XSS vulnerability found by Nguyen Anh Tien SunCSR in WordPress Themify Portfolio Post plugin versions = 1.1.5. Solution Update the WordPress Themify Portfolio Post plugin to the latest available version at least 1.1.6...

WordPress Dynamic Content for Elementor premium plugin <= 1.9.5.6 - Authenticated Remote Code Execution (RCE) vulnerability

Authenticated Remote Code Execution RCE vulnerability found by CompuNet in WordPress Dynamic Content for Elementor premium plugin versions = 1.9.5.6. Solution Update the WordPress Dynamic Content for Elementor premium plugin to the latest available version at least 1.9.6...

WordPress Microsoft Office 365 / Azure AD | LOGIN plugin <= 11.6 - JWT Signature Verification Bypass vulnerability

JWT Signature Verification Bypass vulnerability found by Philip Akesson in WordPress Microsoft Office 365 / Azure AD | LOGIN plugin versions = 11.6. Solution Update the WordPress Microsoft Office 365 / Azure AD | LOGIN plugin to the latest available version at least 11.7...

WordPress Chamber Dashboard Business Directory plugin <= 3.3.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

Authenticated Stored Cross-Site Scripting XSS vulnerability found by Mihkel Raba in WordPress Chamber Dashboard Business Directory plugin versions = 3.3.0. Solution Update the WordPress Chamber Dashboard Business Directory plugin to the latest available version at least 3.3.1...

WordPress Divi Builder plugin <= 4.5.2 - Authenticated Arbitrary File Upload vulnerability

Authenticated Arbitrary File Upload vulnerability discovered by WordFence in WordPress Divi Builder plugin versions = 4.5.2. Solution Update the WordPress Divi Builder plugin to the latest available version at least 4.5.3...

WordPress Extra premium theme <= 4.5.2 - Authenticated Arbitrary File Upload vulnerability

Authenticated Arbitrary File Upload vulnerability discovered by WordFence in WordPress Extra premium theme versions = 4.5.2. Solution Update the WordPress Extra premium theme to the latest available version at least 4.5.3...

WordPress KingComposer plugin <= 2.9.4 - Reflected Cross-Site Scripting (XSS) vulnerability

Reflected Cross-Site Scripting XSS vulnerability discovered by WordFence in WordPress KingComposer plugin versions = 2.9.4. Solution Update the WordPress KingComposer plugin to the latest available version at least 2.9.5...

WordPress LearnPress plugin <= 3.2.6.8 - Authenticated Page Creation and Status Modification vulnerability

Authenticated Page Creation and Status Modification vulnerability discovered by WordFence in WordPress LearnPress plugin versions = 3.2.6.8. Solution Update the WordPress LearnPress plugin to the latest available version at least 3.2.6.9...

WordPress Media Library Assistant plugin <= 2.81 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by Daniel Monzón stark0de in WordPress Media Library Assistant plugin versions = 2.81. Solution Update the WordPress Media Library Assistant plugin to the latest available version at least 2.82...

WordPress IMPress for IDX Broker plugin <= 2.6.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by WordFence in WordPress IMPress for IDX Broker plugin versions = 2.6.1. Solution Update the WordPress IMPress for IDX Broker plugin to the latest available version at least 2.6.2...

WordPress Abstract Submission plugin <= 0.6 - Unauthenticated Local File Inclusion (LFI) vulnerability

Unauthenticated Local File Inclusion LFI vulnerability discovered by Random Robbie in WordPress Abstract Submission plugin versions = 0.6. Solution Plugin closed. Deactivate and delete...

WordPress Yottis premium theme <= 1.0 - Remote Code Execution (RCE) vulnerability

Remote Code Execution RCE vulnerability discovered by WordFence in WordPress Yottis premium theme versions = 1.0. Solution Update the WordPress Yottis premium theme to the latest available version at least 1.0.1...

WordPress Chained Quiz plugin <= 1.1.8.1 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability

Unauthenticated Reflected Cross-Site Scripting XSS vulnerability discovered by Ben Armstrong in WordPress Chained Quiz plugin versions = 1.1.8.1. Solution Update the WordPress Chained Quiz plugin to the latest available version at least 1.1.8.2...

WordPress EasyBook premium theme <= 1.2.1 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability

Unauthenticated Reflected Cross-Site Scripting XSS vulnerability discovered by m0ze in WordPress EasyBook premium theme versions = 1.2.1. Solution Update the WordPress EasyBook premium theme to the latest available version at least 1.2.2...

WordPress Spam protection, AntiSpam, FireWall by CleanTalk plugin <=5.127.3 - Cross-Site Scripting (XSS) vulnerability

Cross-Site Scripting XSS vulnerability found in WordPress Spam protection, AntiSpam, FireWall by CleanTalk plugin versions =5.127.3. Solution Update the WordPress Spam protection, AntiSpam, FireWall by CleanTalk plugin to the latest available version at least 5.127.4...

WordPress YITH Color and Label Variations for WooCommerce plugin <=1.8.12 - Authenticated Settings Change (YITH Plugin Framework <=3.3.8) vulnerability

Authenticated Settings Change YITH Plugin Framework =3.3.8 vulnerability found by Jerome Bruandet in WordPress YITH Color and Label Variations for WooCommerce plugin versions =1.8.12. Solution Update the WordPress YITH Color and Label Variations for WooCommerce plugin to the latest available...

WordPress Variation Swatches for WooCommerce plugin <= 1.0.61 - Reflected Cross-Site Scripting (XSS) vulnerability

Reflected Cross-Site Scripting XSS vulnerability found in WordPress Variation Swatches for WooCommerce plugin versions = 1.0.61. Solution Update the WordPress Variation Swatches for WooCommerce plugin to the latest available version at least 1.0.62...