WordPress Ultimate Reviews plugin <= 3.0.15 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Red Team project) in WordPress Ultimate Reviews plugin versions <= 3.0.15. Solution: Update the WordPress Ultimate Reviews plugin to the latest available version (at least 3.0.16)...
WordPress Post Snippets plugin <= 3.1.3 - Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by Muhammad Adel in WordPress Post Snippets plugin versions <= 3.1.3. Solution: Update the WordPress Post Snippets plugin to the latest available version (at least 3.1.4)...
WordPress SupportCandy plugin <= 2.2.6 - Arbitrary Ticket Deletion via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Ticket Deletion via Cross-Site Request Forgery (CSRF) vulnerability discovered by Brandon Roldan in WordPress SupportCandy plugin versions <= 2.2.6. Solution: Update the WordPress SupportCandy plugin to the latest available version (at least 2.2.7)...
WordPress Advanced Cron Manager Pro premium plugin <= 2.5.2 - Arbitrary Events/Schedules Creation/Deletion vulnerability
Arbitrary Events/Schedules Creation/Deletion vulnerability discovered by Krzysztof Zając in WordPress Advanced Cron Manager Pro premium plugin versions <= 2.5.2. Solution: Update the WordPress Advanced Cron Manager Pro premium plugin to the latest available version (at least 2.5.3)...
WordPress Contact Form 7 Skins plugin <= 2.5.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Contact Form 7 Skins plugin versions <= 2.5.0. Solution: Update the WordPress Contact Form 7 Skins plugin to the latest available version (at least 2.5.1)...
WordPress Domain Check plugin <= 1.0.17 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ceylan Bozogullarindan in WordPress Domain Check plugin versions <= 1.0.17. Solution: Update the WordPress Domain Check plugin to the latest available version (at least 1.0.18)...
WordPress WP User Frontend plugin <= 3.5.25 - SQL Injection (SQLi) to Reflected Cross-Site Scripting (XSS)
SQL Injection (SQLi) to Reflected Cross-Site Scripting (XSS) discovered by Krzysztof Zając in WordPress WP User Frontend plugin versions <= 3.5.25. Solution: Update the WordPress WP User Frontend plugin to the latest available version (at least 3.5.26)...
WordPress WebP Converter for Media plugin <= 4.0.2 - Unauthenticated Open redirect vulnerability
Unauthenticated Open redirect vulnerability discovered by Krzysztof Zając in WordPress WebP Converter for Media plugin versions <= 4.0.2. Solution: Update the WordPress WebP Converter for Media plugin to the latest available version (at least 4.0.3)...
WordPress Eightmedi Lite theme <= 2.1.8 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress Eightmedi Lite theme versions <= 2.1.8. This theme uses a vulnerable piece of code related to a previously identified vulnerability, CVE-2021-39317. Solution: Deactivate and delete. The vendor...
WordPress Ultra Seven theme <= 1.2.8 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress Ultra Seven theme versions <= 1.2.8. This theme uses a vulnerable piece of code related to a previously identified vulnerability, CVE-2021-39317. Solution: Deactivate and delete. The vendor ignores...
WordPress Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue plugin <= 3.1.24 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered in WordPress Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue plugin versions <= 3.1.24. Solution: Update the WordPress Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue plugin to the latest available...
WordPress Lets-Box premium plugin <= 1.13.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Trainer Red in WordPress Lets-Box premium plugin versions <= 1.13.2. Solution: Update the WordPress Lets-Box premium plugin to the latest available version (at least 1.13.3)...
WordPress 10Web Social Photo Feed plugin <= 1.4.28 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress 10Web Social Photo Feed plugin versions <= 1.4.28. Solution: Update the WordPress 10Web Social Photo Feed plugin to the latest available version (at least 1.4.29)...
WordPress Events Made Easy plugin <= 2.2.35 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by Krzysztof Zając in WordPress Events Made Easy plugin versions <= 2.2.35. Solution: Update the WordPress Events Made Easy plugin to the latest available version (at least 2.2.36)...
WordPress Button Generator – easily Button Builder plugin <= 2.3.2 - Remote File Inclusion (RFI) leading to Remote Code Execution (RCE) via CSRF vulnerability
Remote File Inclusion (RFI) leading to Remote Code Execution (RCE) via CSRF vulnerability discovered by Krzysztof Zając in WordPress Button Generator – easily Button Builder plugin versions <= 2.3.2. Solution: Update the WordPress Button Generator – easily Button Builder plugin to the latest available...
WordPress Asgaros Forum plugin <= 1.15.13 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Mohammed Aadhil Ashfaq in WordPress Asgaros Forum plugin versions <= 1.15.13. Solution: Update the WordPress Asgaros Forum plugin to the latest available version (at least 1.15.14)...
WordPress Zigcy Baby theme <= 1.0.6 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress Zigcy Baby theme versions <= 1.0.6. This theme uses a vulnerable piece of code related to a previously identified vulnerability, CVE-2021-39317. Solution: Deactivate and delete. The vendor ignores...
WordPress The Monday theme <= 1.4.1 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress The Monday theme versions <= 1.4.1. This theme uses a vulnerable piece of code related to a previously identified vulnerability, CVE-2021-39317. Solution: Deactivate and delete. The vendor ignores...
WordPress Punte theme <= 1.1.2 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress Punte theme versions <= 1.1.2. This theme uses a vulnerable piece of code related to a previously identified vulnerability, CVE-2021-39317. Solution: Deactivate and delete. The vendor ignores the...
WordPress Directorist plugin <= 7.0.6.1 - Cross-Site Request Forgery (CSRF) vulnerability leading to Remote File Upload
Cross-Site Request Forgery (CSRF) vulnerability leading to Remote File Upload discovered by lostbytes1 in WordPress Directorist plugin versions <= 7.0.6.1. Solution: Update the WordPress Directorist plugin to the latest available version (at least 7.0.6.2)...
WordPress Backup Migration plugin <= 1.1.5 - Authenticated Persistent Cross-Site Scripting (XSS) vulnerability
Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered by Vlad Visse (Patchstack) in WordPress Backup Migration plugin versions <= 1.1.5. Solution: Update the WordPress Backup Migration plugin to the latest available version (at least 1.1.6)...
WordPress Ultimate Nofollow plugin <= 1.4.8 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Quentin VILLAIN (3wsec) in WordPress Ultimate Nofollow plugin versions <= 1.4.8. Solution: Deactivate and delete. This plugin has been closed as of November 3, 2021 and is not available for download. This closure is temporary, pending a full...
WordPress Pixel Cat plugin <= 2.6.1 - Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by JrXnm in WordPress Pixel Cat plugin versions <= 2.6.1. Solution: Update the WordPress Pixel Cat plugin to the latest available version (at least 2.6.2)...
WordPress WP Reset PRO Premium Plugin <= 5.98 - Authenticated Database Reset vulnerability
Database Reset vulnerability discovered by Dave Jong (Patchstack) in WordPress WP Reset PRO premium plugin versions <= 5.98. Solution: Update the WordPress WP Reset PRO premium plugin to the latest available version (at least v5.99)...
WordPress Get Custom Field Values plugin <= 3.9.4 - Arbitrary Post Metadata Access vulnerability
Arbitrary Post Metadata Access vulnerability discovered by Francesco Carlucci in WordPress Get Custom Field Values plugin versions <= 3.9.4. Solution: Update the WordPress Get Custom Field Values plugin to the latest available version (at least 4.0)...
WordPress Cost Calculator plugin <= 1.4 - Local File Inclusion (LFI) vulnerability
Local File Inclusion (LFI) vulnerability discovered by apple502j in WordPress Cost Calculator plugin versions <= 1.4. Solution: Deactivate and delete. This plugin has been closed as of November 3, 2021 and is not available for download. Reason: Security Issue...
WordPress Shop Page WP plugin <= 1.2.7 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Mika in WordPress Shop Page WP plugin versions <= 1.2.7. Solution: Update the WordPress Shop Page WP plugin to the latest available version (at least 1.2.8)...
WordPress Ninja Forms Contact Form plugin <= 3.6.3 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by JrXnm in WordPress Ninja Forms Contact Form plugin versions <= 3.6.3. Solution: Update the WordPress Ninja Forms Contact Form plugin to the latest available version (at least 3.6.4)...
WordPress Helpful plugin <= 4.4.58 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Mika in WordPress Helpful plugin versions <= 4.4.58. Solution: Update the WordPress Helpful plugin to the latest available version (at least 4.4.59)...
WordPress Content Staging <= 2.0.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Thinkland Security Team in WordPress Content Staging versions <= 2.0.1. Solution: Deactivate and delete. This plugin has been closed as of October 15, 2021 and is not available for download. This closure is temporary, pending...
WordPress WPSchoolPress plugin <= 2.1.16 - Multiple Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Stored Cross-Site Scripting (XSS) vulnerabilities were discovered by Davide Taraschi in the WordPress WPSchoolPress plugin versions <= 2.1.16. Solution: Update the WordPress WPSchoolPress plugin to the latest available version (at least 2.1.17)...
WordPress WPSchoolPress plugin <= 2.1.9 - Multiple Authenticated SQL Injections (SQLi) vulnerabilities
Multiple Authenticated SQL Injections (SQLi) vulnerabilities discovered by JrXnm in WordPress WPSchoolPress plugin versions <= 2.1.9. Solution: Update the WordPress WPSchoolPress plugin to the latest available version (at least 2.1.10)...
WordPress SpiderCatalog plugin <= 1.7.3 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by Shreya Pohekar (Codevigilant Project) in WordPress SpiderCatalog plugin versions <= 1.7.3. Solution: Deactivate and delete. This plugin has been closed as of June 18, 2021 and is not available for download. Reason: Security Issue...
WordPress WP Bannerize plugin 2.0.0 – 4.0.2 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Margaux Dabert (Intrinsec) in WordPress WP Bannerize plugin versions 2.0.0 – 4.0.2. Solution: Deactivate and delete. This plugin has been closed as of July 19, 2021 and is not available for download. Reason: Security Issue...
WordPress Perfect Survey plugin <= 1.5.2 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by apple502j in WordPress Perfect Survey plugin versions <= 1.5.2. Solution: Deactivate and delete. This plugin has been closed as of October 5, 2021 and is not available for download. Reason: Security Issue...
WordPress Simple Download Monitor plugin <= 3.9.5.1 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by apple502j in WordPress Simple Download Monitor plugin versions <= 3.9.5.1. Solution: Update the WordPress Simple Download Monitor plugin to the latest available version (at least 3.9.6)...
WordPress JobSearch premium plugin <= 1.8.1 - Authenticated Arbitrary WordPress Options Change vulnerability
Authenticated Arbitrary WordPress Options Change vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress JobSearch premium plugin versions <= 1.8.1. Solution: Update the WordPress JobSearch premium plugin to the latest available version (at least 1.8.2)...
WordPress Connections Business Directory plugin <= 10.4.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Huy Nguyen in WordPress Connections Business Directory plugin versions <= 10.4.2. Solution: Update the WordPress Connections Business Directory plugin to the latest available version or at least to the version 10.4.3...
WordPress Special Text Boxes plugin <= 5.9.109 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Akash Rajendra Patil in WordPress Special Text Boxes plugin versions <= 5.9.109. Solution: Update the WordPress Special Text Boxes plugin to the latest available version (at least 5.9.110)...
WordPress Tutor LMS plugin <= 1.9.8 - Multiple Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Stored Cross-Site Scripting (XSS) vulnerabilities were discovered by Shivam Rai in the WordPress Tutor LMS plugin versions <= 1.9.8. Solution: Update the WordPress Tutor LMS plugin to the latest available version (at least 1.9.9)...
WordPress Support Board plugin <= 3.3.3 - Multiple Unauthenticated SQL Injection (SQLi) vulnerabilities
Multiple Unauthenticated SQL Injection (SQLi) vulnerabilities were discovered by John Jefferson Li in the WordPress Support Board plugin versions <= 3.3.3. Solution: Update the WordPress Support Board plugin to the latest available version (at least 3.3.4)...
WordPress Yet Another bol.com plugin <= 1.4 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress Yet Another bol.com plugin versions <= 1.4. Solution: This plugin has been closed as of September 7, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress Easy Social Icons plugin <= 3.0.8 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ram Gall (WordFence) in WordPress Easy Social Icons plugin versions <= 3.0.8. Solution: Update the WordPress Easy Social Icons plugin to the latest available version (at least 3.0.9)...
WordPress WooCommerce Dynamic Pricing & Discounts premium plugin <= 2.4.1 - Unauthenticated Settings Export vulnerability
Unauthenticated Settings Export vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress WooCommerce Dynamic Pricing & Discounts premium plugin versions <= 2.4.1. Solution: Update the WordPress WooCommerce Dynamic Pricing & Discounts premium plugin to the latest available version at leas...
WordPress Nested Pages plugin <= 3.1.15 - Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary Post Deletion and Modification
Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary Post Deletion and Modification discovered by Ramuel Gall (WordFence) in WordPress Nested Pages plugin versions <= 3.1.15. Solution: Update the WordPress Nested Pages plugin to the latest available version (at least 3.1.16)...
WordPress Advanced Custom Fields plugin <= 5.9.9 - Arbitrary ACF Data/Field Groups View and Fields Move vulnerability
Arbitrary ACF Data/Field Groups View and Fields Move vulnerability discovered by Keitaro Yamazaki in WordPress Advanced Custom Fields plugin versions <= 5.9.9. Solution: Update the WordPress Advanced Custom Fields plugin to the latest available version (at least 5.10)...
WordPress Comment Link Remove and Other Comment Tools plugin <= 2.1.4 - Cross-Site Request Forgery (CSRF) vulnerability leading to bulk comment deletion
Cross-Site Request Forgery (CSRF) vulnerability leading to bulk comment deletion discovered by Martin Vierula (Trustwave) in WordPress Comment Link Remove and Other Comment Tools plugin versions <= 2.1.4. Solution: Update the WordPress Comment Link Remove and Other Comment Tools plugin to the latest...
WordPress The Sorter plugin <= 1.0 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Syed Sheeraz Ali in WordPress The Sorter plugin versions <= 1.0. Solution: This plugin has been closed as of May 13, 2021 and is not available for download. Reason: Security Issue...
WordPress Page Contact plugin <= 1.0 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Syed Sheeraz Ali in WordPress Page Contact plugin versions <= 1.0. Solution: This plugin has been closed as of May 13, 2021 and is not available for download. Reason: Security Issue...
WordPress Icegram plugin <= 2.0.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas in WordPress Icegram plugin versions <= 2.0.2. Vulnerable at "Headline" &messagedata16headline input. Solution: Update the WordPress Icegram plugin to the latest available version (at least 2.0.3)...