WordPress Events Manager plugin <=5.8.1.1 - Unauthenticated Stored XSS vulnerability
Unauthenticated Stored XSS vulnerability found in WordPress Events Manager plugin versions <=5.8.1.1. Solution Update the WordPress Events Manager plugin to the latest version at least 5.8.1.2...
WordPress WP Retina 2x plugin <=5.2.0 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting XSS vulnerability found in WordPress WP Retina 2x plugin versions <=5.2.0. The vulnerability allows an attacker to inject arbitrary web script or HTML via unspecified vectors. Solution Update the WordPress WP Retina 2x plugin to the latest available version at least 5.2.2...
WordPress NextGEN Gallery plugin <=2.2.46 - Gallery Paths Not Secured
Telefonica Cybersecurity Unit found an issue with insecure paths in WordPress NextGEN Gallery plugin versions <=2.2.46. Solution Update the WordPress NextGEN Gallery plugin to the latest available version at least 2.2.50...
WordPress Instagram Feed plugin <=1.5.1 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting XSS vulnerability found by Dumpcore in WordPress Instagram Feed plugin versions <=1.5.1. Solution Update the WordPress Instagram Feed plugin to the latest available version at least 1.6...
WordPress Booking calendar plugin <=2.1.7 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery CSRF vulnerability found by d4wner in WordPress Booking calendar plugin versions <=2.1.7. Solution Update the WordPress Booking calendar plugin to the latest available version at least 2.1.8...
WordPress GD Rating System plugin 2.3 - Cross-Site Scripting (XSS) vulnerability
A Cross-Site Scripting XSS vulnerability was found by d4wner in WordPress GD Rating System plugin version 2.3. The plugin is vulnerable via the "panel" parameter of the gd-rating-system-about page in wp-admin/admin.php. Solution 1/9/2018 - we were unable to find a patched version of this plugin...
WordPress CSV Import-Export plugin <=1.1.0 - Multiple Cross-Site Scripting (XSS) vulnerabilities
Multiple Cross-Site Scripting XSS vulnerabilities found in WordPress CSV Import-Export plugin versions <=1.1.0. Solution Dec 20, 2017 - we were unable to find a patched version of this plugin, which was last updated three years ago. Uninstall it or use it at your own risk...
WordPress Duplicator plugin <=1.2.28 – Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting XSS vulnerability found by Ricardo Sanchez in WordPress Duplicator plugin versions <=1.2.28. The plugin is vulnerable due to incorrectly filtered values "urlnew" and "logging". Solution Update the WordPress Duplicator plugin to the latest available version at least...
WordPress User Login History plugin <=1.5 - Multiple Cross-Site Scripting (XSS) vulnerabilities
Multiple Cross-Site Scripting XSS vulnerabilities found in WordPress User Login History plugin versions <=1.5. Solution Update the WordPress User Login History plugin to the latest available version at least version 1.6...
WordPress WP Simple Booking Calendar Premium plugin 5.0–5.4 - Unauthenticated Data leak
The booking notes are exposed in the page source. Solution Update the plugin to version 5.5...
WordPress YouTube Embed Plus plugin <=11.8.1 - Cross-Site Request Forgery (CSRF) vulnerability
WordPress YouTube Embed Plus plugin version 11.8.1 is vulnerable to Cross-Site Request Forgery CSRF. This vulnerability allows an attacker to change plugin settings if he manages to trick an admin user into following the forged link. Solution Please update WordPress YouTube Embed plugin to...
WordPress WatuPRO plugin 5.5.1 - SQL Injection vulnerability
SQL Injection vulnerability found by Manich Koomsusi in WatuPRO 5.5.1 WordPress plugin. Data sent in the “watuproquestions” parameter is not sanitized before being used in a SQL statement. Solution Update the WatuPRO WordPress plugin to the latest available version at least 5.5.3.7...
WordPress plugin WP Support Plus Responsive Ticket System <= 7.1.3 - Privilege Escalation
WordPress plugin WP Support Plus Responsive Ticket System versions 7.1.3 and earlier, and 7.1.4, are vulnerable to privilege escalation. It is possible to log in as any user without knowing the password due to the incorrect usage of "wpsetauthcookie". Solution Update the plugin to the latest version at least...
WordPress YITH WooCommerce Compare Plugin <= 2.0.9 - PHP Object injection
Because of this vulnerability, attackers can execute arbitrary PHP code. Solution Update the plugin...
WordPress Defa Online Image Protector Plugin <= 3.3 - XSS
This WordPress plugin is prone to a cross-site scripting XSS vulnerability. It allows remote attackers to inject arbitrary script or HTML. Solution Update the plugin...
WordPress Infusionsoft Gravity Forms Add-on Plugin <= 1.5.11 - XSS
This plugin is prone to a cross-site scripting vulnerability. Solution Upgrade the plugin...
WordPress Ajax Random Post Plugin <= 2.00 - Cross Site Scripting (XSS)
Because of this vulnerability, the attackers can inject arbitrary web script or HTML. Solution Update the plugin...
WordPress Advanced Video Plugin 1.0 - Local File Inclusion
Advanced Video plugin is prone to a local file inclusion vulnerability. Solution Upgrade the plugin...
WordPress Church Admin Plugin 0.800 - Stored XSS
The Church Admin plugin is prone to a stored XSS vulnerability that allows an attacker to steal cookies or gain privileged access to the affected site. Solution Fixed in version 0.810...
WordPress Landing Pages Plugin <= 1.8.4 - XSS
Cross-site scripting XSS vulnerability in shared/shortcodes/inbound-shortcodes.php in the Landing Pages plugin before 1.8.5 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the post parameter to wp-admin/post-new.php. Solution Upgrade the plugin...
WordPress WP Feed Plugin 2015.0426 - SQL Injection
This WordPress WP Feed plugin is prone to an SQL injection. This vulnerability allows an attacker to modify data, compromise access and the application, or exploit hidden vulnerabilities in the underlying database. Solution Upgrade the plugin to 2015.0514...
WordPress GRAND Flash Album Gallery Plugin <= 2.55 - SQL Injection
Because of this vulnerability, remote authenticated users can execute arbitrary SQL commands. Vulnerable parameter "gid". Solution Update the plugin...
WordPress WP Cumulus Plugin <= 1.22 - Cross Site Scripting
Because of this vulnerability, the attackers can inject arbitrary JavaScript or HTML code. Solution Update the plugin...
WordPress Contact Form DB Plugin <= 2.8.26 - XSS
This vulnerability allows an attacker to inject arbitrary web script or HTML via the "submittime" parameter in the CF7DBPluginSubmissions page to wp-admin/admin.php. Solution Update the plugin...
WordPress Contact Form DB Plugin <= 2.8.31 - CSRF
Because of this vulnerability, the attackers can hijack the authentication of administrators for requests that delete all plugin records. Solution Upgrade the plugin...
WordPress WPLMS Learning Management System Theme <= 1.8.4.1 - Privilege Escalation
Because of this vulnerability, the attackers can have an administrator account on the target's website. Solution Update the theme...
WordPress Banner Effect Header Plugin <= 1.2.7 - XSS
This vulnerability allows an attacker to inject arbitrary web script or HTML via the "bannereffectdivid" parameter. Solution Update the plugin...
WordPress Pie Register Plugin 2.0.13 - Privilege Escalation
This vulnerability allows anyone to import a CSV file, and the plugin then imports users from it via "pie-register\pie-register.php". Solution Update to version 2.0.14...
WordPress Another WordPress Classifieds Plugin - XSS
Because of this vulnerability, the attackers can inject arbitrary web script or HTML via the query string to the default URI. Solution Update the plugin...
WordPress Facebook Like Box Plugin <= 2.8.2 - Multiple CSRF and XSS
Because of these cross site request forgery vulnerabilities, the attackers can hijack the authentication of administrators for requests. In that way they can change plugin settings via unspecified vectors or conduct cross-site scripting attacks. Solution Update the plugin...
WordPress Cart66 Lite Plugin <= 1.5.3 - SQL Injection
This vulnerability allows authenticated users to execute arbitrary SQL commands via the "q" parameter in a promotionProductSearch action to wp-admin/admin-ajax.php. Solution Update the plugin...
WordPress Simple Visitor Stat Plugin <= 4.5.2 BYPASS
Because of these vulnerabilities, the attackers can inject arbitrary HTML or web script via the HTTP User-Agent or HTTP Referer header. Solution No fix has been released...
WordPress Download Manager Plugin 2.7.2 - Privilege Escalation
Download Manager plugin is prone to a vulnerability that allows an attacker to take control of every group and change its name, description, avatar and settings. In addition, every registered user can update any WordPress option using the basicsettings function. Solution Update to version 2.7.3...
WordPress SP Client Document Manager Plugin 2.4.1 - SQL Injection
This WordPress SP Client Document Manager plugin is prone to an SQL injection. This vulnerability allows an attacker to modify data, compromise access and the application, or exploit hidden vulnerabilities in the underlying database. Solution Upgrade the plugin...
WordPress XCloner Plugin <= 3.1.1 - Remote Database Download & Local File Permissions
The attackers can obtain sensitive information via a direct request to a backup file in administrators/backups/, because the plugin stores database backup files with predictable names under the web root with insufficient access control. Solution Update the plugin...
WordPress XCloner Plugin <= 3.1.1 - Clear Text MySQL Database Password
Because of this vulnerability, the attackers can obtain sensitive information via unspecified vectors. Solution Update the plugin...
WordPress Spreadsheet Plugin <= 0.62 - XSS
Because of this vulnerability in sshandler.php, the attackers can inject arbitrary web script or HTML via the "ssid" parameter. Solution Update the plugin...
WordPress EWWW Image Optimizer Cloud Plugin <= 2.0.1 - XSS
Because of this vulnerability, the attackers can inject arbitrary JavaScript or HTML code. Solution Update the plugin...
WordPress WP Support Plus Responsive Ticket System Plugin 2.0 - Multiple Vulnerabilities
There are four vulnerabilities in this plugin. 1. SQL injection. 2. Full path disclosure: the full path to the file is shown to the user after the file has been uploaded. 3. Directory traversal that allows downloading any file from the server. 4. Broken authentication...
WordPress Huge IT Image Gallery Plugin 1.0.1 - Authenticated SQL Injection
An authenticated SQL injection allows an attacker to bypass a web application’s authentication mechanism and retrieve the contents of the database. Solution Upgrade the plugin...
WordPress Mobile Pack Plugin <= 2.0.1 - Information Disclosure
Because of this vulnerability, the attackers can obtain sensitive information via an exportarticles action to export/content.php. Solution Update the plugin...
WordPress Disqus Plugin 2.7.5 - Admin Stored CSRF and XSS
Disqus plugin is prone to admin stored CSRF and XSS vulnerabilities. Solution Update the plugin...
WordPress <= 3.9.1 - XSS
This vulnerability is in the wp-includes/pluggable.php. It allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL. Solution Update WordPress...
WordPress SI CAPTCHA Plugin <= 2.7.4 - XSS
Because of this vulnerability in captcha-secureimage/test/index.php, the attackers can inject arbitrary web script or HTML via the PATHINFO. Solution Update the plugin...
WordPress Zedity Plugin <= 2.4.0 - Cross Site Scripting
Because of this vulnerability, the attackers can inject arbitrary JavaScript or HTML code. Solution Upgrade the plugin...
WordPress Vitamin Plugin <= 1.0.9 - Multiple Directory Traversal
Because of these vulnerabilities, the attackers can access arbitrary files in the "path" parameter. Solution Update the plugin...
WordPress FB Gorilla Plugin - SQL Injection
This WordPress FB Gorilla plugin's "gameplay.php" is prone to an SQL injection. This vulnerability allows an attacker to modify data, compromise access and the application, or exploit hidden vulnerabilities in the underlying database. Solution Upgrade the plugin...
WordPress Meta Slider Plugin <= 2.5 - XSS
Because of this vulnerability, the attackers can inject arbitrary web script or HTML via the "id" parameter to wp-admin/admin.php. Solution Update the plugin...
WordPress BSK PDF Manager Plugin - Multiple SQL Injection Vulnerabilities
BSK PDF Manager plugin's "wp-admin/admin.php" is prone to multiple SQL injection vulnerabilities that allow an attacker to compromise the application, modify or access data, and exploit hidden vulnerabilities in the underlying database. Solution Update the plugin...
WordPress Silverlight Media Player Plugin <= 0.8 - XSS
Because of this vulnerability in uploader.php, the attackers can inject arbitrary web script or HTML via the "postid" parameter. Solution Update the plugin...