45959 matches found
WordPress WPS Bidouille plugin <= 1.12.2 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found by Julio Potier in WordPress WPS Bidouille plugin versions <= 1.12.2. Solution: Update the WordPress WPS Bidouille plugin to the latest available version, at least 1.12.4...
WordPress SEO by Rank Math plugin <= 1.0.26 - Cross-Site Scripting (XSS) vulnerabilities
Cross-Site Scripting (XSS) vulnerabilities found in WordPress SEO by Rank Math plugin versions <= 1.0.26. Solution: Update the WordPress SEO by Rank Math plugin to the latest available version, at least 1.0.27...
WordPress JobCareer theme 2.5 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability found by QUIXSS in WordPress JobCareer theme version 2.5. Solution: Update the WordPress JobCareer theme to the latest available version, at least 2.5.1...
WordPress WP Database Backup plugin <= 5.1.2 - Unauthenticated OS Command Injection vulnerability
Unauthenticated OS Command Injection vulnerability found by Wordfence in WordPress WP Database Backup plugin versions <= 5.1.2. Solution: Update the WordPress WP Database Backup plugin to the latest available version, at least 5.2...
WordPress WP Booking System <= 1.5.1.1 - CSRF vulnerability to Authenticated SQL Injection vulnerability
CSRF-to-authenticated SQL Injection vulnerability found by Magnus K. Stubman in WordPress WP Booking System versions <= 1.5.1.1. Solution: Update the WordPress WP Booking System to the latest available version, at least 1.5.2...
WordPress WP Job Manager plugin <= 1.31.2 - Phar Deserialization vulnerability
Phar Deserialization vulnerability found by Ripstech in WordPress WP Job Manager plugin versions <= 1.31.2. Solution: Update the WordPress WP Job Manager plugin to the latest available version, at least 1.31.3...
WordPress Export Users to CSV plugin <= 1.1.1 - CSV Injection vulnerability
CSV Injection vulnerability found by Javier Olmedo in WordPress Export Users to CSV plugin versions <= 1.1.1. Solution: As of 2018.09.01, we were unable to find a patched version of this plugin...
WordPress Advanced Order Export For WooCommerce plugin <= 1.5.4 - CSV Injection vulnerability
CSV Injection vulnerability found by Bhushan Patil in WordPress Advanced Order Export For WooCommerce plugin versions <= 1.5.4. Solution: Update the WordPress Advanced Order Export For WooCommerce plugin to the latest available version, at least 1.5.5...
WordPress Add Social Share Messenger Buttons Whatsapp and Viber plugin <= 1.0.8 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found by ThreatPress Research Team in WordPress Add Social Share Messenger Buttons Whatsapp and Viber plugin versions <= 1.0.8. Solution: As of 3 June 2018, the plugin is still closed by the WordPress security team and no patched version is available...
Google Drive for WordPress plugin <= 2.2 - Remote Code Execution (RCE) vulnerability
Remote Code Execution (RCE) vulnerability found by Lenon Leite in Google Drive for WordPress plugin versions <= 2.2. Solution: Attention! This plugin was closed on 2018 January 26 by the WordPress security team and is no longer available for download. Deactivate and uninstall it!...
WordPress Background Takeover plugin <= 4.1.4 - Directory Traversal vulnerability
Directory Traversal vulnerability found in WordPress Background Takeover plugin versions <= 4.1.4. An unescaped URL allows access to other files. Solution: Update the WordPress Background Takeover plugin to the latest available version, at least 4.1.5...
WordPress File Upload plugin <= 4.3.2 - Security Issue in plugin shortcodes
Security issue in plugin shortcodes found in WordPress File Upload plugin versions <= 4.3.2. Solution: Update the WordPress File Upload plugin to the latest available version, at least 4.3.3...
WordPress Instagram Feed plugin <= 1.5.1 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found by Dumpcore in WordPress Instagram Feed plugin versions <= 1.5.1. Solution: Update the WordPress Instagram Feed plugin to the latest available version, at least 1.6...
WordPress PropertyHive plugin <= 1.4.14 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found in WordPress PropertyHive plugin versions <= 1.4.14. Cross-Site Scripting is possible via the body parameter in "includes/admin/views/html-preview-applicant-matches-email.php". Solution: Update the WordPress PropertyHive plugin to the latest available version a...
WordPress Social Media Widget by Acurax plugin <= 3.2.5 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability found by Panagiotis Vagenas in WordPress Social Media Widget by Acurax plugin versions <= 3.2.5. Solution: Update the WordPress Social Media Widget by Acurax plugin to the latest available version, at least 3.2.6...
WordPress GD Rating System plugin 2.3 - Cross-Site Scripting (XSS) vulnerability (3)
A third Cross-Site Scripting (XSS) vulnerability found by d4wner in WordPress GD Rating System plugin version 2.3. XSS via the "panel" parameter of wp-admin/admin.php on the gd-rating-system-information page. Solution: As of 1/9/2018, we were unable to find a patched version of this plugin...
WordPress WP Support Plus Responsive Ticket System plugin <= 8.0.7 - Remote Code Execution (RCE) vulnerability
Remote Code Execution (RCE) vulnerability found in WordPress WP Support Plus Responsive Ticket System plugin versions <= 8.0.7. Solution: Update the WordPress WP Support Plus Responsive Ticket System plugin to the latest available version, at least version 8.0.8...
WordPress WPHRM plugin <= 1.0 - Authenticated SQL Injection
Authenticated SQL Injection vulnerability in the WordPress WPHRM plugin allows an attacker to inject SQL commands via the employeeid $_GET parameter. Solution: Update the plugin...
WordPress Student Result or Employee Database plugin <= 1.6.3 - Authorization Bypass vulnerability
Authorization Bypass vulnerability found by Lim Benjamin in WordPress Student Result or Employee Database plugin version 1.6.3 and earlier versions. A specific Google dork can locate vulnerable websites. Some functions of the plugin do not check authorization. Solution: Update the WordPres...
WordPress Media from FTP Plugin <= 9.79 - Authenticated PHP Object Injection Vulnerability
Authenticated PHP Object Injection vulnerability was found in WordPress Media from FTP plugin version 9.79. The plugin makes the function mediafromftpmedialibraryimportupdatecallback accessible through WordPress' AJAX functionality to those logged in to WordPress in the file...
WordPress AddToAny Share Buttons plugin <= 1.7.14 - Conditional Host Header Injection vulnerability
Conditional Host Header Injection vulnerability found by Paul Dannewitz in WordPress AddToAny Share Buttons plugin. Vulnerable plugin versions used the Host header instead of home_url(), which allows Host header injection via a crafted link, web cache poisoning, and may end up sharing malicious...
WordPress Loginizer plugin <= 1.3.5 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found by Jonas Lejon (WPScans) in WordPress Loginizer plugin version 1.3.5 and earlier versions. The vulnerability exists in the init.php file of the "Blacklist and Whitelist IP Wizard". Solution: Update the WordPress Loginizer plugin to the latest...
WordPress Loginizer plugin <= 1.3.5 - Blind SQL Injection vulnerability
Blind SQL Injection vulnerability found by Jonas Lejon (WPScans) in WordPress Loginizer plugin version 1.3.5 and earlier versions. Vulnerable due to HTTP header forwarding without any sanitization to lzselectquery and then $wpdb->get_results. Solution: Update the WordPress Loginizer plugin to the late...
WordPress YouTube Embed Plus plugin <= 11.8.1 - Cross-Site Request Forgery (CSRF) vulnerability
WordPress YouTube Embed Plus plugin version 11.8.1 is vulnerable to Cross-Site Request Forgery (CSRF). This vulnerability allows an attacker to change plugin settings if they manage to trick an admin user into following the forged link. Solution: Please update the WordPress YouTube Embed plugin to...
WordPress Whois Domain Plugin - Cross Site Scripting
This plugin is prone to a cross-site scripting vulnerability. Solution: Update the plugin...
WordPress Page Layout Builder Plugin <= 1.9.3 - Reflected XSS
This plugin is prone to a cross-site scripting vulnerability. Solution: Update the plugin...
WordPress Maintenance Mode Plugin <= 2.0.6 - Missing Settings Authorization
This plugin is prone to a missing settings authorization vulnerability. Solution: Upgrade the plugin...
WordPress <= 4.5.2 - XSS #1
WordPress 4.5.2 and earlier is prone to a cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php. It allows an attacker to inject arbitrary web script or HTML via a crafted attachment name. Related:...
WordPress Contus Video Comments Plugin - Remote File Upload
This plugin is prone to a remote file upload vulnerability, because any user can upload .jpg files to the WordPress installation. Solution: Update the plugin...
WordPress Tevolution <= 2.2.7 - Unrestricted File Upload
Because of this vulnerability, attackers can upload malicious files or scripts using the front-end uploader. Solution: Update the plugin...
WordPress S3 Video Plugin <= 0.983 - Reflected Cross Site Scripting
Because of this vulnerability, attackers can inject arbitrary JavaScript or HTML code. Solution: Update the plugin...
WordPress Robo Gallery Plugin <= 2.0.14 - Remote Code Execution
This plugin is prone to a remote code execution vulnerability. It allows attackers to execute their own malicious PHP commands to compromise the web application or the connected DBMS. Solution: Update the plugin...
WordPress Easy Photo Album Plugin <= 1.1.5 - Information Disclosure
This plugin is prone to an information disclosure vulnerability. Solution: Update the plugin...
WordPress Advanced Video Plugin 1.0 - Local File Inclusion
The Advanced Video plugin is prone to a local file inclusion vulnerability. Solution: Upgrade the plugin...
WordPress Bulk Delete Plugin 5.5.3 - Privilege Escalation
Because of this vulnerability, an attacker can perform all administrative tasks, such as deleting all pages by status, deleting all posts by type, or deleting all users. Solution: Update the plugin...
WordPress Elegant Themes <= 2.6.3 - Privilege Escalation
WordPress Elegant Themes' products, such as Divi Builder, Divi, Extra and Divi 2.3, are prone to a privilege escalation vulnerability. Solution: Update the theme...
WordPress iQ Block Country Plugin <= 1.1.19 - Cross Site Scripting
Because of this vulnerability, attackers can inject arbitrary web script or HTML. The vulnerable parameter is "ipaddress". Solution: Update this plugin...
WordPress Email Encoder Bundle Plugin <= 1.4.1 - Cross Site Scripting
Because of this vulnerability, unauthenticated users can inject HTML or JavaScript code. Solution: Update the plugin...
WordPress Floating Social Bar Plugin <= 1.1.5 - XSS
This vulnerability allows an attacker to inject arbitrary web script or HTML via the "items" parameter in an fsbsaveorder action to wp-admin/admin-ajax.php. Solution: Update the plugin...
WordPress WP Feed Plugin 2015.0426 - SQL Injection
This WordPress WP Feed plugin is prone to SQL injection. This vulnerability allows an attacker to modify data, compromise access and the application, or exploit hidden vulnerabilities in the underlying database. Solution: Upgrade the plugin to 2015.0514...
WordPress GRAND Flash Album Gallery Plugin <= 2.55 - SQL Injection
Because of this vulnerability, remote authenticated users can execute arbitrary SQL commands. The vulnerable parameter is "gid". Solution: Update the plugin...
WordPress Zingiri Web Shop Plugin <= 2.5.0 - Arbitrary Code Execution
This plugin is prone to arbitrary code execution via file upload through the ajaxfilemanager.php path parameter. Solution: Update the plugin...
WordPress Simple History Plugin <= 1.0.7 - Information Disclosure
This plugin is prone to an RSS feed "rsssecret" disclosure weakness. Solution: Update the plugin...
WordPress Video Conference Integration Plugin <= 4.91.8 - Remote File Upload
./videowhisper-video-conference-integration/vc/vwupload.php allows various remote unauthenticated file uploads. Anyone can upload the following files to an unsuspecting WordPress site. Solution: Upgrade the plugin...
WordPress Mail Subscribe List Plugin <= 2.0 - XSS
Because of this vulnerability, attackers can inject arbitrary JavaScript or HTML code. Solution: Update the plugin...
WordPress Modern Theme <= 1.4.1 - Cross Site Scripting
This WordPress theme is prone to a cross-site scripting (XSS) vulnerability. It allows remote attackers to inject arbitrary script or HTML. Solution: Update the theme...
WordPress Tune Library Plugin 1.5.4 - SQL Injection
This WordPress Tune Library plugin is prone to SQL injection. This vulnerability allows an attacker to modify data, compromise access and the application, or exploit hidden vulnerabilities in the underlying database. Solution: Update the plugin...
WordPress Welcart Plugin <= 1.4.17 - Multiple XSS
These vulnerabilities allow attackers to inject arbitrary web script or HTML via the "uscesreferer" parameter to: includes/edit-form-advanced.php, includes/edit-form-advanced34.php, classes/usceshop.class.php, includes/membereditform.php, includes/orderlist.php, includes/ordereditform.php,...
WordPress QAEngine Theme - Privilege Escalation
Because of this vulnerability, attackers can obtain an administrator account on the target's website. Solution: Update the theme...
WordPress WPML Plugin <= 3.1.8 - SQL Injection #1
Because of the "menu sync" function, remote attackers can delete arbitrary posts, pages, and menus via a crafted request to sitepress-multilingual-cms/menu/menus-sync.php. Related records:...