WordPress WP Customer Area Plugin < 8.1.4 is vulnerable to Remote Code Execution (RCE)
Software: WP Customer Area; Type: Plugin; Vulnerable versions: < 8.1.4; Fixed in: 8.1.4; OWASP Top 10: A1: Injection; Classification: Remote Code Execution (RCE); CVE: CVE-2022-4745; Patch priority: Low; CVSS severity: Low (9.1); PSID: fc8e26b37a92; Credits: rezaduty; Required privilege: ...
WordPress Enable Media Replace Plugin < 4.0.2 is vulnerable to Arbitrary File Upload
Software: Enable Media Replace; Type: Plugin; Vulnerable versions: < 4.0.2; Fixed in: 4.0.2; OWASP Top 10: A1: Injection; Classification: Arbitrary File Upload; CVE: CVE-2023-0255; Patch priority: High; CVSS severity: High (9.1); Developer: ShortPixel; PSID: 1a8eac52cb81; Credits: dc11; Required privilege: Author; Published: 1...
WordPress Paid Memberships Pro Plugin <= 2.9.7 is vulnerable to SQL Injection
Software: Paid Memberships Pro; Type: Plugin; Vulnerable versions: <= 2.9.7; Fixed in: 2.9.8; OWASP Top 10: A1: Injection; Classification: SQL Injection; CVE: CVE-2023-23488; Patch priority: High; CVSS severity: High (8.2); PSID: ac5e3d7c8149; Credits: Joshua Martinelle; Required privilege: ...
WordPress soundblast Theme < 10 is vulnerable to Arbitrary File Upload
Software: soundblast; Type: Theme; Vulnerable versions: < 10; Fixed in: N/A; OWASP Top 10: A6: Security Misconfiguration; Classification: Arbitrary File Upload; CVE: CVE-2022-0316; Patch priority: High; CVSS severity: High (10); PSID: 8aee103c2d72; Credits: Joshua Small; Required privilege: ...
WordPress Betheme premium theme <= 26.6.1 - Broken Access Control vulnerability
Broken Access Control vulnerability leading to post title change discovered by Dave Jong (Patchstack) in the WordPress Betheme premium theme versions <= 26.6.1. Solution: Update the WordPress Betheme theme to the latest available version (at least 26.6.3)...
WordPress Crowdsignal Dashboard plugin <= 3.0.9 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by Nosa "apapedulimu" Shandy (Patchstack Alliance) in the WordPress Crowdsignal Dashboard plugin versions <= 3.0.9. Solution: Update the WordPress Polldaddy Polls & Ratings (now Crowdsignal Dashboard) plugin to the latest available version (at least 3.0.10)...
WordPress Add Multiple Marker plugin <= 1.2 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by ptsfence (Patchstack Alliance) in WordPress Add Multiple Marker plugin versions <= 1.2. Solution: No patched version is available...
WordPress WP CSV Exporter plugin <= 1.3.6 - Auth. SQL Injection (SQLi) vulnerability
Auth. SQL Injection (SQLi) vulnerability discovered by Asif Nawaz Minhas in the WordPress WP CSV Exporter plugin versions <= 1.3.6. Solution: Update the WordPress WP CSV Exporter plugin to the latest available version (at least 1.3.7)...
WordPress WPML Multilingual CMS premium plugin <= 4.5.10 - Broken Access Control vulnerability
Broken Access Control vulnerability leading to plugin settings change (the selected language for legacy widgets can be changed, and the default behavior for media content can be changed) discovered by Dave Jong in WordPress WPML Multilingual CMS premium plugin versions <= 4.5.10. Solution: Update the WordPre...
WordPress HTML Forms plugin <= 1.3.24 - Auth. SQL Injection (SQLi) vulnerability
Auth. SQL Injection (SQLi) vulnerability discovered by Nguyen Duy Quoc Khanh in the WordPress HTML Forms plugin versions <= 1.3.24. Solution: Update the WordPress HTML Forms plugin to the latest available version (at least 1.3.25)...
WordPress Find and Replace All plugin <= 1.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Vinay Varma Mudunuri and Krishna Harsha Kondaveeti in WordPress Find and Replace All plugin versions <= 1.2. Solution: Update the WordPress Find and Replace All plugin to the latest available version (at least 1.3)...
WordPress Google Forms plugin <= 0.95 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by zhangyunpei in WordPress Google Forms plugin versions <= 0.95. Solution: Deactivate and delete. This plugin has been closed as of November 2, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress miniOrange's Google Authenticator plugin <= 5.6.1 - Broken Access Control vulnerability
Broken Access Control vulnerability leading to Plugin Settings Change discovered by Lana Codes (Patchstack Alliance) in WordPress miniOrange's Google Authenticator plugin versions <= 5.6.1. Solution: Update the WordPress miniOrange's Google Authenticator plugin to the latest available version (at leas...
WordPress WP Glossary plugin <= 3.1.2 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Tien Nguyen Anh (Patchstack Alliance) in the WordPress WP Glossary plugin versions <= 3.1.2. Solution: No patched version is available. No reply from the vendor...
WordPress Modula plugin <= 2.6.9 - Unauth. Plugin Settings Change vulnerability
Unauth. Plugin Settings Change vulnerability discovered by Nguyen Anh Tien (Patchstack Alliance) in the WordPress Modula plugin versions <= 2.6.9. Solution: Update the WordPress Modula Image Gallery plugin to the latest available version (at least 2.6.91)...
WordPress Booster for WooCommerce plugin <= 5.6.6 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to plugin settings reset discovered by Muhammad Daffa (Patchstack Alliance) in WordPress Booster for WooCommerce plugin versions <= 5.6.6. Solution: Update the WordPress Booster for WooCommerce plugin to the latest available version (at least 5.6.7)...
WordPress Spacer plugin <= 3.0.6 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by gem in WordPress Spacer plugin versions <= 3.0.6. Solution: Update the WordPress Spacer plugin to the latest available version (at least 3.0.7)...
WordPress SEO Plugin by Squirrly SEO plugin <= 12.1.10 - Auth. Arbitrary File Upload vulnerability
Auth. Arbitrary File Upload vulnerability discovered by Rafie Muhammad aka Yeraisci (Patchstack Alliance) in WordPress SEO Plugin by Squirrly SEO plugin versions <= 12.1.10. Solution: Update the WordPress SEO Plugin by Squirrly SEO plugin to the latest available version (at least 12.1.11)...
WordPress IP Blacklist Cloud plugin <= 5.00 - Auth. SQL Injection (SQLi) vulnerability
Auth. SQL Injection (SQLi) vulnerability discovered by Mika (Patchstack Alliance) in the WordPress IP Blacklist Cloud plugin versions <= 5.00. Solution: Deactivate and delete. This plugin has been closed as of September 28, 2022 and is not available for download. This closure is temporary, pending a fu...
WordPress Quiz And Survey Master plugin <= 7.3.10 - Bypass vulnerability
Bypass vulnerability discovered by Thura Moe Myint (Patchstack Alliance) in WordPress Quiz And Survey Master plugin versions <= 7.3.10. Solution: Update the WordPress Quiz And Survey Master plugin to the latest available version (at least 7.3.11)...
WordPress Quiz And Survey Master plugin <= 7.3.4 - Multiple Auth. Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Auth. Stored Cross-Site Scripting (XSS) vulnerabilities were discovered by Vlad Vector (Patchstack) in WordPress Quiz And Survey Master plugin versions <= 7.3.4. Solution: Update the WordPress Quiz And Survey Master plugin to the latest available version (at least 7.3.5)...
WordPress Quiz And Survey Master plugin <= 7.3.4 - Auth. SQL Injection (SQLi) vulnerability
Auth. SQL Injection (SQLi) vulnerability discovered by Vlad Vector (Patchstack) in WordPress Quiz And Survey Master plugin versions <= 7.3.4. Solution: Update the WordPress Quiz And Survey Master plugin to the latest available version (at least 7.3.5)...
WordPress core <= 6.0.2 - Sender’s Email Address Exposure vulnerability
Sender’s Email Address Exposure vulnerability via wp-mail.php was discovered by Toshitsugu Yoneyama (Mitsui Bussan Secure Directions, Inc.) via JPCERT in WordPress core versions <= 6.0.2. Solution: Update WordPress to the latest available version (at least 6.0.3)...
WordPress core <= 6.0.2 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability in the Widget block discovered in WordPress core versions <= 6.0.2. Solution: Update WordPress to the latest available version (at least 6.0.3)...
WordPress Complianz plugin 6.3.3 - Auth. SQL Injection (SQLi) vulnerability
Auth. SQL Injection (SQLi) vulnerability discovered by Sakri Rafael Koskimies (saggre) in the WordPress Complianz plugin versions 6.3.3. Solution: Update the WordPress Complianz – GDPR/CCPA Cookie Consent plugin to the latest available version (at least 6.3.4)...
WordPress Envira Gallery Lite plugin <= 1.8.4.6 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by ZhongFu Su aka JrXnm (WuHan University) in WordPress Envira Gallery Lite plugin versions <= 1.8.4.6. Solution: Update the WordPress Envira Photo Gallery plugin to the latest available version (at least 1.8.4.7)...
WordPress SeoSamba for WordPress Webmasters plugin <= 1.0.5 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by ptsfence (Patchstack Alliance) in WordPress SeoSamba for WordPress Webmasters plugin versions <= 1.0.5. Solution: No patched version is available. No reply from the vendor...
WordPress Customizer Export/Import plugin <= 0.9.4 - Authenticated PHP Object Injection vulnerability
Authenticated PHP Object Injection vulnerability discovered by Nguyen Duy Quoc Khanh in the WordPress Customizer Export/Import plugin versions <= 0.9.4. Solution: Update the WordPress Customizer Export/Import plugin to the latest available version (at least 0.9.5)...
WordPress WP-Polls plugin <= 2.76.0 - Race Condition vulnerability
Race Condition vulnerability leading to voting manipulation discovered by Nguy Minh Tuan (Patchstack Alliance) in the WordPress WP-Polls plugin versions <= 2.76.0. Solution: Update the WordPress WP-Polls plugin to the latest available version (at least 2.77.0)...
WordPress Media Library Assistant plugin <= 3.00 - Unauthenticated Error Log Disclosure vulnerability
Unauthenticated Error Log Disclosure vulnerability discovered by Brandon Roldan (Patchstack Alliance) in WordPress Media Library Assistant plugin versions <= 3.00. Solution: Update the WordPress Media Library Assistant plugin to the latest available version (at least 3.01)...
WordPress Search Logger plugin <= 0.9 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Mika in WordPress Search Logger plugin versions <= 0.9. Solution: Deactivate and delete. This plugin has been closed as of September 5, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Enable Media Replace plugin <= 3.6.3 - Auth. Path Traversal vulnerability
Auth. Path Traversal vulnerability discovered by Raad Haddad (Cloudyrion GmbH) in the WordPress Enable Media Replace plugin versions <= 3.6.3. Solution: Update the WordPress Enable Media Replace plugin to the latest available version (at least 4.0.0)...
WordPress Cryptocurrency Pricing list and Ticker plugin <= 1.5 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Jeremie Amsellem in WordPress Cryptocurrency Pricing list and Ticker plugin versions <= 1.5. Solution: Deactivate and delete. This plugin has been closed as of September 8, 2022 and is not available for download. This closure is...
WordPress Contact Form By Mega Forms plugin <= 1.2.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by ptsfence (Patchstack Alliance) in WordPress Contact Form By Mega Forms plugin versions <= 1.2.4. Solution: Update the WordPress Contact Form By Mega Forms – Drag and Drop Form Builder plugin to the latest available version at...
WordPress SVG Support plugin <= 2.4.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Chafik Amraoui in WordPress SVG Support plugin versions <= 2.4.2. Solution: Update the WordPress SVG Support plugin to the latest available version (at least 2.5)...
WordPress NinjaForms plugin <= 3.6.12 - Authenticated PHP Object Injection vulnerability
Authenticated PHP Object Injection vulnerability discovered by Alessio Santoru in WordPress NinjaForms plugin versions <= 3.6.12. Solution: Update the WordPress Ninja Forms plugin to the latest available version (at least 3.6.13)...
WordPress Post SMTP Mailer/Email Log plugin <= 2.1.6 - Authenticated Blind Server-Side Request Forgery (SSRF) vulnerability
Authenticated Blind Server-Side Request Forgery (SSRF) vulnerability discovered by Raad Haddad (Cloudyrion GmbH) in WordPress Post SMTP Mailer/Email Log plugin versions <= 2.1.6. Solution: Update the WordPress Post SMTP Mailer/Email Log plugin to the latest available version (at least 2.1.7)...
WordPress WHA Crossword plugin <= 1.1.10 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in WordPress WHA Crossword plugin versions <= 1.1.10. Solution: Deactivate and delete. No reply from the vendor...
WordPress WPvivid Backup plugin 0.9.76 - Authenticated Arbitrary File Deletion vulnerability
Authenticated Arbitrary File Deletion vulnerability discovered by WPScan in WordPress WPvivid Backup plugin versions 0.9.76. Solution: Update the WordPress WPvivid Backup and Migration plugin to the latest available version (at least 0.9.77)...
WordPress Better Delete Revision plugin <= 1.6.1 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability
Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Lana Codes (Patchstack Alliance) in WordPress Better Delete Revision plugin versions <= 1.6.1. Solution: Deactivate and delete. This plugin has been closed as of August 26, 2022 and is not available for download. This closur...
WordPress Autoptimize Plugin <= 3.1.0 - Authenticated Stored Cross-Site Scripting vulnerability
Authenticated Stored Cross-Site Scripting vulnerability discovered by Raad Haddad in Autoptimize versions <= 3.1.0. Solution: Update the WordPress Autoptimize plugin to the latest available version (at least 3.1.1)...
WordPress Affiliates Manager Plugin <= 2.9.13 - CSV Injection vulnerability
CSV Injection vulnerability discovered by WPScan in Affiliates Manager versions <= 2.9.13. Solution: Update the WordPress Affiliates Manager plugin to the latest available version (at least 2.9.14)...
WordPress Alpine PhotoTile for Pinterest plugin <= 1.3.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by ptsfence in WordPress Alpine PhotoTile for Pinterest plugin versions <= 1.3.1. Solution: Deactivate and delete. This plugin has been closed as of August 10, 2022 and is not available for download. This closure is temporary,...
WordPress Yotpo Reviews for WooCommerce (Unofficial) plugin <= 2.0.4 - Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability discovered by Johannes Gangsö in WordPress Yotpo Reviews for WooCommerce (Unofficial) plugin versions <= 2.0.4. Solution: Deactivate and delete. This plugin has been closed as of July 27, 2022 and is not available for downloa...
WordPress Simple SEO plugin <= 1.7.91 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Jorgson in WordPress Simple SEO plugin versions <= 1.7.91. Solution: Update the WordPress Simple SEO plugin to the latest available version (at least 1.7.92)...
WordPress WP phpMyAdmin plugin <= 5.2.0.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Raad Haddad in WordPress WP phpMyAdmin plugin versions <= 5.2.0.3. Solution: Update the WordPress WP phpMyAdmin plugin to the latest available version (at least 5.2.0.4)...
WordPress Automations By Autonami plugin <= 2.1.1 - Automation Creation vulnerability
Automation Creation vulnerability discovered by Krzysztof Zając in WordPress Automations By Autonami plugin versions <= 2.1.1. Solution: Update the WordPress Automation By Autonami plugin to the latest available version (at least 2.1.2)...
WordPress Stockists Manager for Woocommerce plugin <= 1.0.2.1 - Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by Yuta Kikuchi in WordPress Stockists Manager for Woocommerce plugin versions <= 1.0.2.1. Solution: Deactivate and delete. This plugin has been closed as of July 12, 2022 and is not available for download. Thi...
WordPress YaySMTP plugin <= 2.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Rafshanzani Suhada in WordPress YaySMTP plugin versions <= 2.2. Solution: Update the WordPress YaySMTP plugin to the latest available version (at least 2.2.1)...
WordPress User Private Files plugin <= 1.1.2 - Authenticated Arbitrary File Upload vulnerability
Authenticated Arbitrary File Upload vulnerability discovered by Raad Haddad in WordPress User Private Files plugin versions <= 1.1.2. Solution: Update the WordPress User Private Files plugin to the latest available version (at least 1.1.3)...
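Every entry in this listing states a vulnerable range as either "<= X" or "< X" plus a fixed-in version (or none, where the advice is to deactivate and delete). Matching an installed plugin version against those bounds is where audit scripts usually go wrong: comparing version strings lexically puts "2.6.10" before "2.6.9", and "5.00" does not equal "5.0". The following is an added example, not Patchstack's or any plugin author's code; the four advisories in it are transcribed from entries above, the installed inventory is constructed, and the Modula version "2.6.10" is hypothetical, chosen only to show the string-comparison bug.

```python
"""Audit installed WordPress plugin/theme versions against advisory ranges.

Added example, not Patchstack code. Advisory data is transcribed from the
listing; the inventory at the bottom is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    software: str
    vuln_class: str
    bound: str                       # highest vulnerable version in the advisory
    inclusive: bool                  # True for "<= bound", False for "< bound"
    fixed_in: Optional[str] = None   # None when no patched version is available


def parse_version(v: str) -> tuple:
    """Turn '2.6.91' into (2, 6, 91) so each component compares numerically.

    Trailing zero components are dropped so '5.00', '5.0' and '5' are equal.
    Python compares tuples element-wise, and a shorter prefix sorts first,
    so (2, 6) < (2, 6, 1) as a version scheme expects.
    """
    parts = [int(p) for p in re.findall(r"\d+", v)]
    if not parts:
        raise ValueError(f"no numeric components in version {v!r}")
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(installed: str, adv: Advisory) -> bool:
    """Numeric range check honouring the advisory's <= / < bound."""
    cur, bound = parse_version(installed), parse_version(adv.bound)
    return cur <= bound if adv.inclusive else cur < bound


def naive_is_vulnerable(installed: str, adv: Advisory) -> bool:
    """Plain string comparison: the bug this example exists to show.

    '2.6.10' <= '2.6.9' is True as strings because '1' < '9'.
    """
    return installed <= adv.bound if adv.inclusive else installed < adv.bound


def remediation(adv: Advisory) -> str:
    """Mirror the listing's Solution field."""
    if adv.fixed_in is None:
        return "deactivate and delete (no patched version available)"
    return f"update to {adv.fixed_in} or later"


# Transcribed from the entries above (software, class, bound, inclusive, fixed_in).
ADVISORIES = [
    Advisory("Modula", "Unauth. Plugin Settings Change", "2.6.9", True, "2.6.91"),
    Advisory("Enable Media Replace", "Arbitrary File Upload", "4.0.2", False, "4.0.2"),
    Advisory("IP Blacklist Cloud", "Auth. SQL Injection", "5.00", True, None),
    Advisory("Betheme", "Broken Access Control", "26.6.1", True, "26.6.3"),
]


def audit(installed: dict) -> list:
    """Return (software, installed_version, vuln_class, remediation) per hit."""
    findings = []
    for adv in ADVISORIES:
        ver = installed.get(adv.software)
        if ver is not None and is_vulnerable(ver, adv):
            findings.append((adv.software, ver, adv.vuln_class, remediation(adv)))
    return findings


if __name__ == "__main__":
    # Constructed inventory; in practice build it from `wp plugin list --format=json`.
    inventory = {
        "Modula": "2.6.10",             # hypothetical version above the 2.6.9 bound
        "Enable Media Replace": "4.0.2",  # exactly the fixed version: not vulnerable
        "IP Blacklist Cloud": "5.0",    # equals the "5.00" bound: vulnerable, no fix
        "Betheme": "26.6.2",
    }
    for finding in audit(inventory):
        print(" | ".join(finding))
```

Note that `Enable Media Replace` appears twice in the listing with different bounds (<= 3.6.3 path traversal fixed in 4.0.0, and < 4.0.2 file upload); a real audit should carry every advisory for a product rather than collapsing to the newest one, which the list structure above allows.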