WordPress Software License Manager plugin <= 4.4.7 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by iohex in WordPress Software License Manager plugin versions <= 4.4.7. Solution: Update the WordPress Software License Manager plugin to the latest available version (at least 4.4.8)...
WordPress Product Limited Time Availability Date for WooCommerce plugin <= 1.0.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by iohex and WPScanTeam in WordPress Product Limited Time Availability Date for WooCommerce plugin versions <= 1.0.1. Solution: 2021-08-27 - no patched version available...
WordPress Business Hours Indicator plugin <= 2.3.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas in WordPress Business Hours Indicator plugin versions <= 2.3.4. Solution: Update the WordPress Business Hours Indicator plugin to the latest available version (at least 2.3.5)...
WordPress youForms plugin <= 1.0.5 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by xiahao in WordPress youForms plugin versions <= 1.0.5. Solution: This plugin has been closed as of July 30, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress uListing plugin <= 2.0.5 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by m0ze (Patchstack Red Team) in WordPress uListing plugin versions <= 2.0.5. Solution: Update the WordPress uListing plugin to the latest available version (at least 2.0.6)...
WordPress WP Upload Restriction plugin <= 2.2.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Angelo Righi in WordPress WP Upload Restriction plugin versions <= 2.2.3. Solution: Update the WordPress WP Upload Restriction plugin to the latest available version (at least 2.2.4)...
WordPress Profile Builder plugin <= 3.4.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Akash Rajendra Patil in WordPress Profile Builder plugin versions <= 3.4.7. Solution: Update the WordPress Profile Builder plugin to the latest available version (at least 3.4.8)...
WordPress Portfolio Responsive Gallery plugin <= 1.1.7 - Authenticated Blind SQL Injection (SQLi) vulnerability
Authenticated Blind SQL Injection (SQLi) vulnerability discovered by To Quang Duong in WordPress Portfolio Responsive Gallery plugin versions <= 1.1.7. Solution: Update the WordPress Portfolio Responsive Gallery plugin to the latest available version (at least 1.1.8)...
WordPress Advanced Popups plugin <= 1.1.1 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Advanced Popups plugin versions <= 1.1.1. Solution: Update the WordPress Advanced Popups plugin to the latest available version (at least 1.1.2)...
WordPress Contact Form 7 Style plugin <= 3.2 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Contact Form 7 Style plugin versions <= 3.2. Solution: This plugin has been closed as of February 1, 2021 and is not available for download. Reason: Security Issue...
WordPress simple sort&search plugin <= 0.0.3 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by apple502j in WordPress simple sort&search plugin versions <= 0.0.3. Solution: This plugin has been closed as of May 19, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress Request a Quote plugin <= 2.3.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ajay Sandipan Thorbole in WordPress Request a Quote plugin versions <= 2.3.0. Solution: Update the WordPress Request a Quote plugin to the latest available version (at least 2.3.4)...
WordPress WP SVG images plugin <= 3.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability via uploaded SVG file
Authenticated Stored Cross-Site Scripting (XSS) vulnerability via uploaded SVG file discovered by Rasi in WordPress WP SVG images plugin versions <= 3.3. Solution: Update the WordPress WP SVG images plugin to the latest available version (at least 3.4)...
WordPress Admin Columns PRO premium plugin <= 5.4.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Daniel Elkabes (WhiteSource) in WordPress Admin Columns PRO premium plugin versions <= 5.4.4. Solution: Update the WordPress Admin Columns PRO premium plugin to the latest available version (at least 5.5.1)...
WordPress Sendit WP Newsletter plugin <= 2.5.1 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Shreya Pohekar in WordPress Sendit WP Newsletter plugin versions <= 2.5.1. Solution: This plugin has been closed as of April 29, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress <= 5.7.1 - Object injection in PHPMailer vulnerability
Object injection in PHPMailer vulnerability discovered in WordPress: one security issue affecting WordPress versions between 3.7 and 5.7. Solution: Update WordPress to the latest available version (at least 5.7.2). All WordPress versions since 3.7 have also been updated to fix the following...
WordPress Speed Booster Pack plugin <= 4.1.3 - Authenticated Remote Code Execution (RCE) vulnerability
Authenticated Remote Code Execution (RCE) vulnerability discovered by m0ze in WordPress Speed Booster Pack plugin versions <= 4.1.3 (to be more precise, <= 4.2.0-beta). Solution: Update the WordPress Speed Booster Pack plugin to the latest available version (at least 4.2.0)...
WordPress Ultimate Member plugin <= 2.1.19 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability
Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Riki Aji in WordPress Ultimate Member plugin versions <= 2.1.19. Solution: Update the WordPress Ultimate Member plugin to the latest available version (at least 2.1.20)...
WordPress Accordion plugin <= 2.2.29 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability
Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by iohex in WordPress Accordion plugin versions <= 2.2.29. Solution: Update the WordPress Accordion plugin to the latest available version (at least 2.2.30)...
WordPress Redirection for Contact Form 7 plugin <= 2.3.3 - Unprotected AJAX Actions vulnerability
Unprotected AJAX Actions vulnerability discovered by WordFence in WordPress Redirection for Contact Form 7 plugin versions <= 2.3.3. Solution: Update the WordPress Redirection for Contact Form 7 plugin to the latest available version (at least 2.3.4)...
WordPress Contact Form by Supsystic plugin <= 1.7.14 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by 0xB9 in WordPress Contact Form by Supsystic plugin versions <= 1.7.14. Solution: Update the WordPress Contact Form by Supsystic plugin to the latest available version (at least 1.7.15)...
WordPress WPGraphQL plugin <= 1.3.5 - Denial of Service vulnerability
Denial of Service vulnerability discovered by Dolev Farhi in WordPress WPGraphQL plugin versions <= 1.3.5. Solution: Update the WordPress WPGraphQL plugin to the latest available version (at least 1.3.6)...
WordPress Business Hours Pro plugin <= 5.5.0 - Unauthenticated Arbitrary File Upload vulnerability leading to Remote Code Execution (RCE)
Unauthenticated Arbitrary File Upload vulnerability leading to Remote Code Execution (RCE) discovered by Harald Eilertsen in WordPress Business Hours Pro plugin versions <= 5.5.0. Solution: No patched version is available. Deactivate and delete...
WordPress WorkScout premium theme <= 2.0.31 - Cross-Frame Scripting (XFS) vulnerability
Cross-Frame Scripting (XFS) vulnerability discovered by m0ze (Patchstack Red Team) in WordPress WorkScout premium theme versions <= 2.0.31. Solution: Update the WordPress WorkScout premium theme to the latest available version (at least 2.0.32)...
WordPress WooCommerce Help Scout plugin <= 2.9 - Unauthenticated Arbitrary File Upload vulnerability leading to Remote Code Execution (RCE)
Unauthenticated Arbitrary File Upload vulnerability leading to Remote Code Execution (RCE) discovered by Ville Korhonen in WordPress WooCommerce Help Scout plugin versions <= 2.9. Solution: Update the WordPress WooCommerce Help Scout plugin to the latest available version (at least 2.9.1)...
WordPress Map Block for Google Maps plugin <= 1.31 - Google API Key Manipulation vulnerability
Google API Key Manipulation vulnerability found in WordPress Map Block for Google Maps plugin versions <= 1.31. Solution: Update the WordPress Map Block for Google Maps plugin to the latest available version (at least 1.32)...
WordPress WPS Hide Login plugin <= 1.6.1 - Login Page Protection Bypass vulnerability
Login Page Protection Bypass vulnerability discovered by Sebastian Schmitt in WordPress WPS Hide Login plugin versions <= 1.6.1. Solution: Update the WordPress WPS Hide Login plugin to the latest available version (at least 1.7)...
WordPress Directories Pro premium plugin <= 1.3.45 - Authenticated Self-Reflected Cross-Site Scripting (XSS) vulnerability
Authenticated Self-Reflected Cross-Site Scripting (XSS) vulnerability found by ack Misiura (The Missing Link) in WordPress Directories Pro premium plugin versions <= 1.3.45. Solution: Update the WordPress Directories Pro premium plugin to the latest available version (at least 1.3.46)...
WordPress Easy WP SMTP plugin <= 1.4.2 - Unauthenticated Admin Password Reset
Unauthenticated Admin Password Reset vulnerability found by mathieg2 in WordPress Easy WP SMTP plugin versions <= 1.4.2. Solution: Update the WordPress Easy WP SMTP plugin to the latest available version (at least 1.4.3). Attention! Please make sure you have a directory listing disabled since it coul...
WordPress Media Library Assistant plugin <= 2.84 - Authenticated Blind SQL Injection (SQLi) vulnerability
Authenticated Blind SQL Injection (SQLi) vulnerability found by Lenon Leite in WordPress Media Library Assistant plugin versions <= 2.84. Solution: Update the WordPress Media Library Assistant plugin to the latest available version (at least 2.9.0)...
WordPress Augmented Reality plugin <= 1.2.0 - Unauthenticated PHP File Upload leading to Remote Code Execution (RCE) vulnerability
Unauthenticated PHP File Upload leading to Remote Code Execution (RCE) vulnerability found by Robert Wiggins in WordPress Augmented Reality plugin versions <= 1.2.0. Solution: Note from wordpress.org plugin repository: This plugin has been closed as of September 3, 2020 and is not available for...
WordPress NewsMag theme <= 2.4.1 - Unauthenticated Function Injection vulnerability
Unauthenticated Function Injection vulnerability found by Jerome Bruandet (NinTechNet) in WordPress NewsMag theme versions <= 2.4.1. Solution: Update the WordPress NewsMag theme to the latest available version (at least 2.4.2)...
WordPress WP Courses LMS plugin <= 2.0.28 - Broken Access Controls leading to Courses Content Disclosure vulnerability
Broken Access Controls leading to Courses Content Disclosure vulnerability found by Marco Ortisi (redtimmysec) in WordPress WP Courses LMS plugin versions <= 2.0.28. Solution: Update the WordPress WP Courses LMS plugin to the latest available version (at least 2.0.29)...
WordPress Divi Builder plugin <= 4.5.2 - Authenticated Arbitrary File Upload vulnerability
Authenticated Arbitrary File Upload vulnerability discovered by WordFence in WordPress Divi Builder plugin versions <= 4.5.2. Solution: Update the WordPress Divi Builder plugin to the latest available version (at least 4.5.3)...
WordPress Extra premium theme <= 4.5.2 - Authenticated Arbitrary File Upload vulnerability
Authenticated Arbitrary File Upload vulnerability discovered by WordFence in WordPress Extra premium theme versions <= 4.5.2. Solution: Update the WordPress Extra premium theme to the latest available version (at least 4.5.3)...
WordPress ACF to REST API plugin <= 3.2.0 - Unauthenticated Sensitive Information Disclosure vulnerability
Unauthenticated Sensitive Information Disclosure vulnerability discovered by Mariusz Poplawski in WordPress ACF to REST API plugin versions <= 3.2.0. Solution: Update the WordPress ACF to REST API plugin to the latest available version (at least 3.3.0)...
WordPress Advanced Custom Fields plugin <= 5.8.11 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found in WordPress Advanced Custom Fields plugin versions <= 5.8.11. Solution: Update the WordPress Advanced Custom Fields plugin to the latest available version (at least 5.8.12)...
WordPress LearnPress plugin <= 3.2.6.8 - Authenticated Page Creation and Status Modification vulnerability
Authenticated Page Creation and Status Modification vulnerability discovered by WordFence in WordPress LearnPress plugin versions <= 3.2.6.8. Solution: Update the WordPress LearnPress plugin to the latest available version (at least 3.2.6.9)...
WordPress Media Library Assistant plugin <= 2.81 - Authenticated Remote Code Execution (RCE) vulnerability
Authenticated Remote Code Execution (RCE) vulnerability discovered in WordPress Media Library Assistant plugin versions <= 2.81. Solution: Update the WordPress Media Library Assistant plugin to the latest available version (at least 2.82)...
WordPress Import Export WordPress Users plugin <= 1.3.8 - Arbitrary User Creation vulnerability
Arbitrary User Creation vulnerability discovered by WordFence in WordPress Import Export WordPress Users plugin versions <= 1.3.8. Solution: Update the WordPress Import Export WordPress Users plugin to the latest available version (at least 1.3.9)...
WordPress Login by Auth0 plugin <= 3.11.2 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability found by Muhamad Visat in WordPress Login by Auth0 plugin versions <= 3.11.2. Solution: Update the WordPress Login by Auth0 plugin to the latest available version (at least 3.11.3)...
WordPress Ultimate Member plugin <= 2.1.2 - Insecure Direct Object Reference (IDOR) vulnerability
Insecure Direct Object Reference (IDOR) vulnerability found in WordPress Ultimate Member plugin versions <= 2.1.2. Solution: Update the WordPress Ultimate Member plugin to the latest available version (at least 2.1.3)...
WordPress Awesome Support plugin <= 5.8.2 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by 0xPablito in WordPress Awesome Support plugin versions <= 5.8.2. Solution: Update the WordPress Awesome Support plugin to the latest available version (at least 6.0.0)...
WordPress WP Spell Check plugin <= 7.1.9 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found by Takuya Yamaguchi in WordPress WP Spell Check plugin versions <= 7.1.9. Solution: Update the WordPress WP Spell Check plugin to the latest available version (at least 7.1.10)...
WordPress WP SlackSync premium plugin <= 1.8.5 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability found by fs0c131y in WordPress WP SlackSync premium plugin versions <= 1.8.5. Solution: Update the WordPress WP SlackSync premium plugin to the latest available version (at least 1.8.6)...
WordPress EU Cookie Law plugin <= 3.0.6 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability found by Tobias Fink (SBA Research) in WordPress EU Cookie Law plugin versions <= 3.0.6. Solution: 17 October 2019 - we were unable to find a patched version of this plugin...
WordPress WP Social Feed Gallery plugin <= 2.4.7 - Authorization Check vulnerability
Authorization Check vulnerability found in WordPress WP Social Feed Gallery plugin versions <= 2.4.7. Solution: Update the WordPress WP Social Feed Gallery plugin to the latest available version (at least 2.4.8)...
WordPress UserPro plugin <= 4.9.33 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability found in WordPress UserPro plugin versions <= 4.9.33. Solution: 27 August 2019 - no patched version available...
WordPress WP Fastest Cache plugin <= 0.8.9.5 - Directory Traversal vulnerability
Directory Traversal vulnerability found by Imre Rad in WordPress WP Fastest Cache plugin versions <= 0.8.9.5. Solution: Update the WordPress WP Fastest Cache plugin to the latest available version (at least 0.8.9.6)...
WordPress AdRotate Banner Manager plugin <= 5.2 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability found by Tin Duong in WordPress AdRotate Banner Manager plugin versions <= 5.2. Solution: Update the WordPress AdRotate Banner Manager plugin to the latest available version (at least 5.3)...