WordPress Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin <= 2.0.8 - SQL Injection vulnerability
SQL Injection vulnerability discovered by daroo in WordPress Plugin Unlimited Elements For Elementor Free Widgets, Addons, Templates versions <= 2.0.8...
NPM: Facebook React has a Denial of Service Vulnerability in React Server Components
NPM: Facebook React has a Denial of Service Vulnerability in React Server Components discovered by ? in WordPress Npm react-server-dom-webpack versions = 19.0.0, 19.0.6...
WordPress Slider Revolution Plugin <= 6.7.18 is vulnerable to Cross Site Scripting (XSS)
Software: Slider Revolution; Type: Plugin; Vulnerable versions: <= 6.7.18; Fixed in: 6.7.19; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-8107; Patch priority: Low; CVSS severity: Low 5.9; Developer: ThemePunch; PSID: 36b1d1650d8f; Credits: wesley wcraft; Required...
WordPress W3 Total Cache Plugin <= 2.7.5 is vulnerable to Sensitive Data Exposure
Software: W3 Total Cache; Type: Plugin; Vulnerable versions: <= 2.7.5; Fixed in: 2.7.6; OWASP Top 10: A3: Sensitive Data Exposure; Classification: Sensitive Data Exposure; CVE: CVE-2023-5359; Patch priority: Low; CVSS severity: Low 3.7; Developer: Claim ownership; PSID: 553a33ae4238; Credits: Ivan Kuzymchak; Required...
WordPress Serial Numbers for WooCommerce – License Manager Plugin <= 1.6.3 is vulnerable to Cross Site Request Forgery (CSRF)
Software: Serial Numbers for WooCommerce – License Manager; Type: Plugin; Vulnerable versions: <= 1.6.3; Fixed in: 1.6.4; OWASP Top 10: A5: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2023-46078; Patch priority: Low; CVSS severity: Low 5.4; Developer: Claim ownership; PSID...
WordPress Activello theme <= 1.4.4 - Auth. Reflected Cross-Site Scripting (XSS) vulnerability
Auth. Reflected Cross-Site Scripting XSS vulnerability in the ajax action 'activellodismissrecommendedplugins' discovered by Brandon Roldan Patchstack Alliance in the WordPress Activello theme versions <= 1.4.4. Solution No patched version available...
WordPress Discy premium theme < 5.2 - Restore Default Settings via Cross-Site Request Forgery (CSRF) vulnerability
Restore Default Settings via Cross-Site Request Forgery CSRF vulnerability discovered by Bikram Kharal in WordPress Discy premium theme versions < 5.2. Solution Update the WordPress Discy premium theme to the latest available version at least 5.2...
WordPress All in One WP Migration plugin <= 7.58 - Directory Traversal to File Deletion on Windows Hosts vulnerability
Directory Traversal to File Deletion on Windows Hosts vulnerability discovered by haidv35 Viettel Cyber Security in WordPress All-in-One WP Migration plugin versions <= 7.58. Solution Update the WordPress All-in-One WP Migration plugin to the latest available version at least 7.59...
WordPress 3xSocializer plugin <= 0.98.22 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection SQLi vulnerability discovered by Lenon Leite Patchstack Alliance in WordPress 3xSocializer plugin versions <= 0.98.22. Solution No patched version is available. Deactivate and delete. This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may n...
WordPress WPQA - Builder forms Addon plugin < 5.2 - Arbitrary Profile Picture Deletion via IDOR vulnerability
Arbitrary Profile Picture Deletion via IDOR vulnerability discovered by Binit Ghimire in WordPress WPQA - Builder forms Addon plugin versions < 5.2. Solution Update the WordPress WPQA - Builder forms Addon plugin to the latest available version at least 5.2...
WordPress Visual Slide Box Builder plugin <= 3.2.9 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection SQLi vulnerability discovered by p7e4 in WordPress Visual Slide Box Builder plugin versions <= 3.2.9. Solution Deactivate and delete. This plugin has been closed as of March 30, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress WP Video Gallery plugin <= 1.7.1 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection SQLi vulnerability discovered by cydave in WordPress WP Video Gallery plugin versions <= 1.7.1. Solution Deactivate and delete. This plugin has been closed as of March 29, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Page Restriction WordPress (WP) plugin <= 1.2.6 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting XSS vulnerability discovered by Niraj Mahajan in WordPress Page Restriction WordPress WP plugin versions <= 1.2.6. Solution Update the WordPress Page Restriction WordPress WP plugin to the latest available version at least 1.2.7...
WordPress DW Question & Answer Pro premium plugin <= 1.3.4 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery CSRF vulnerabilities were discovered by Brandon Roldan in WordPress DW Question & Answer Pro premium plugin versions <= 1.3.4. Solution No patched version is available...
WordPress Grid Kit Portfolio plugin <= 2.0.0 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting XSS vulnerability discovered by Krzysztof Zając in WordPress Grid Kit Portfolio plugin versions <= 2.0.0. Solution Update the WordPress Grid Kit Portfolio plugin to the latest available version at least 2.1.0...
WordPress Widget Detector for Elementor plugin < 1.2.0 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Widget Detector for Elementor plugin versions < 1.2.0. Solution Update the WordPress Widget Detector for Elementor plugin to the latest available version at least 1.2.0...
WordPress Essential Addons for Elementor plugin <= 5.0.8 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting XSS vulnerability discovered by Pham Van Khanh rskvp93 from VCSLab of Viettel Cyber Security & Nguyen Dinh Bien biennd4 from VCSLab of Viettel Cyber Security in WordPress Essential Addons for Elementor plugin versions <= 5.0.8. Solution Update the WordPress Essential...
WordPress Page View Count plugin <= 2.4.14 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection SQLi vulnerability discovered by Krzysztof Zając in WordPress Page View Count plugin versions <= 2.4.14. Solution Update the WordPress Page View Count plugin to the latest available version at least 2.4.15...
WordPress Logo Showcase with Slick Slider plugin <= 1.2.4 - Arbitrary Media Title/Description/Alt Text/URL Update vulnerability
Arbitrary Media Title/Description/Alt Text/URL Update vulnerability discovered by apple502j in WordPress Logo Showcase with Slick Slider plugin versions <= 1.2.4. Solution Update the WordPress Logo Showcase with Slick Slider plugin to the latest available version at least 1.2.5...
WordPress SP Project & Document Manager plugin <= 4.21 - Authenticated Shell Upload vulnerability
Authenticated Shell Upload vulnerability discovered by Viktor Markopoulos vict0ni in WordPress SP Project & Document Manager plugin versions <= 4.21. Solution Update the WordPress SP Project & Document Manager plugin to the latest available version at least 4.22...
WordPress Master Slider plugin <= 3.7.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by Vulnerability-Lab in WordPress Master Slider plugin versions <= 3.7.0. Solution Update the WordPress Master Slider plugin to the latest available version at least 3.7.1...
WordPress Backup Guard plugin <= 1.5.9 - Authenticated Arbitrary File Upload vulnerability
Authenticated Arbitrary File Upload vulnerability found by Nguyen Van Khanh in WordPress Backup Guard plugin versions <= 1.5.9. Solution Update the WordPress Backup Guard plugin to the latest available version at least 1.6.0...
WordPress Super Cache Plugin <= 1.3 - XSS
This plugin is prone to: trunk/plugins/wptouch.php URI XSS, trunk/plugins/searchengine.php URI XSS, trunk/plugins/domain-mapping.php URI XSS, trunk/plugins/badbehaviour.php URI XSS, trunk/plugins/awaitingmoderation.php URI XSS, trunk/wp-cache.php wpnonceurl Function URI XSS vulnerability. Solutio...
WordPress Repagent Plugin <= 2.2.2 - Cross Site Scripting
This plugin is prone to a cross site scripting vulnerability in dewplayer-vinyl.swf xml and dewplayer-vinyl-en.swf xml parameters. Solution Update the plugin...
WordPress Cart66 Plugin 1.5.1.14 - Multiple Vulnerabilities
There are multiple vulnerabilities in WordPress Cart66 plugin. These vulnerabilities are CSRF and stored XSS. Solution Update the plugin...
WordPress White Label CMS Plugin <= 1.5.0 - CSRF
Because of this vulnerability in wlcms-plugin.php, attackers can hijack the authentication of administrators for requests that modify the developer name via the wlcmsodevelopername parameter in a save action to wp-admin/admin.php. Solution Update the plugin...
WordPress SWFUpload Plugin <= 2.2.0.1 - XSS #1
Because of this vulnerability in swfupload.swf, attackers can inject arbitrary web script or HTML via the "movieName" parameter. Solution Update the plugin...
WordPress Elementor Website Builder Plugin 3.3.0-3.18.1 is vulnerable to Arbitrary File Upload
Software: Elementor Website Builder; Type: Plugin; Vulnerable versions: 3.3.0-3.18.1; Fixed in: 3.18.2; OWASP Top 10: A3: Injection; Classification: Arbitrary File Upload; CVE: CVE-2023-48777; Patch priority: High; CVSS severity: High 9.9; Developer: Elementor; PSID: 64baf5c2aab5; Credits: Hồng Quân luk6785 at VNPT-VCI...
WordPress Gallery Images Ape plugin <= 2.2.8 - Auth. Broken Access Control vulnerability
Auth. Broken Access Control vulnerability leading to Gallery Duplication discovered by thiennv Patchstack Alliance in WordPress Gallery Images Ape plugin versions <= 2.2.8. Solution No patched version is available. No reply from the vendor...
WordPress Blog2Social plugin <= 6.9.9 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection SQLi vulnerability discovered by Sakri Rafael Koskimies in WordPress Blog2Social plugin versions <= 6.9.9. Solution Update the WordPress Blog2Social plugin to the latest available version at least 6.9.10...
WordPress MailOptin plugin <= 1.2.49.0 - Unauthenticated Optin Campaign Cache Deletion vulnerability
An unauthenticated Optin Campaign Cache Deletion vulnerability was discovered by Muhammad Daffa Patchstack Alliance in the WordPress MailOptin plugin versions <= 1.2.49.0. Solution Update the WordPress MailOptin plugin to the latest available version at least 1.2.50.0...
WordPress TaskBuilder plugin <= 1.0.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting XSS vulnerability via SVG file upload discovered by Rizacan Tufan in WordPress TaskBuilder plugin versions <= 1.0.7. Solution Update the WordPress TaskBuilder plugin to the latest available version at least 1.0.8...
WordPress All In One Video Gallery Plugin 2.5.8 to 2.6.0 - Unauthenticated Arbitrary File Download & SSRF vulnerability
Unauthenticated Arbitrary File Download & SSRF vulnerability discovered by Gabriele Zuddas in All-in-One Video Gallery Plugin versions 2.5.8 to 2.6.0. Solution Update the WordPress All-in-One Video Gallery plugin to the latest available version at least 2.6.1...
WordPress WSM Downloader plugin <= 1.4.0 - Unauthenticated Arbitrary File Download vulnerability
Unauthenticated Arbitrary File Download vulnerability discovered by Raad Haddad in WordPress WSM Downloader plugin versions <= 1.4.0. Solution Deactivate and delete. This plugin has been closed as of July 8, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress WP Visitor Statistics plugin <= 5.7 - Multiple Unauthenticated SQL Injection (SQLi) vulnerabilities
Multiple Unauthenticated SQL Injection SQLi vulnerabilities were discovered by Rafie Muhammad aka Yeraisci Patchstack Alliance in the WordPress WP Visitor Statistics plugin versions <= 5.7. Solution Update the WordPress WP Visitor Statistics plugin to the latest available version at least 5.8...
WordPress Allow SVG Files plugin <= 1.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by Luan Pedersini in WordPress Allow SVG Files plugin versions <= 1.1. Solution Deactivate and delete. This plugin has been closed as of July 1, 2022 and is not available for download. This closure is temporary, pending a full...
WordPress WP Video Lightbox plugin <= 1.9.4 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting XSS vulnerability discovered by ZhongFu Su aka JrXnm WuHan University in WordPress WP Video Lightbox plugin versions <= 1.9.4. Solution Update the WordPress WP Video Lightbox plugin to the latest available version at least 1.9.5...
WordPress Code Snippets Extended plugin <= 1.4.7 - Cross-Site Request Forgery (CSRF) vulnerability leading to Persistent Cross-Site Scripting (XSS)
Cross-Site Request Forgery CSRF vulnerability leading to Persistent Cross-Site Scripting XSS was discovered by BEE-K Patchstack in WordPress Code Snippets Extended plugin versions <= 1.4.7. Solution Deactivate and delete. No patched version is available. No reply from the vendor...
WordPress Counter Box plugin <= 1.1.1 - Authenticated Local File Inclusion (LFI) vulnerability
Authenticated Local File Inclusion LFI vulnerability discovered by 0xB9 Patchstack Alliance in WordPress Counter Box plugin versions <= 1.1.1. Solution Update the WordPress Counter Box plugin to the latest available version at least 1.2...
WordPress Change wp-admin login plugin <= 1.0.9 - Unauthenticated Arbitrary Settings Update vulnerability
Unauthenticated Arbitrary Settings Update vulnerability discovered by Daniel Ruf in WordPress Change wp-admin login plugin versions <= 1.0.9. Solution Update the WordPress Change wp-admin login plugin to the latest available version at least 1.1.0...
WordPress Countdown & Clock plugin <= 2.4.7 - Pro Features Lock Bypass vulnerability
Pro Features Lock Bypass vulnerability discovered by Ex.Mi Patchstack in WordPress Countdown & Clock plugin versions <= 2.4.7. Solution No patched version is available...
WordPress Menubar plugin <= 5.7.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting XSS vulnerability discovered by p7e4 in WordPress Menubar plugin versions <= 5.7.2. Solution Update the WordPress Menubar plugin to the latest available version at least 5.8...
WordPress myCred plugin <= 2.4.3 - Arbitrary Post Creation vulnerability
Arbitrary Post Creation vulnerability discovered by Krzysztof Zając in WordPress myCred plugin versions <= 2.4.3. Solution Update the WordPress myCred plugin to the latest available version at least 2.4.4...
WordPress Popup Builder plugin <= 4.1.0 - SQL Injection (SQLi) vulnerability to Reflected Cross-Site Scripting (XSS)
SQL Injection SQLi vulnerability to Reflected Cross-Site Scripting XSS discovered by Krzysztof Zając in WordPress Popup Builder plugin versions <= 4.1.0. Solution Update the WordPress Popup Builder plugin to the latest available version at least 4.1.1...
WordPress 5 Stars Rating Funnel plugin <= 1.2.49 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection SQLi vulnerability discovered by cydave in WordPress 5 Stars Rating Funnel plugin versions <= 1.2.49. Solution Update the WordPress 5 Stars Rating Funnel plugin to the latest available version at least 1.2.50...
WordPress NotificationX plugin <= 2.3.8 - Unauthenticated Blind SQL Injection (SQLi) vulnerability
Unauthenticated Blind SQL Injection SQLi vulnerability discovered by Krzysztof Zając in WordPress NotificationX plugin versions <= 2.3.8. Solution Update the WordPress NotificationX plugin to the latest available version at least 2.3.9...
WordPress WP Import Export Lite plugin <= 3.9.15 - Unauthenticated Sensitive Data Disclosure vulnerability
Unauthenticated Sensitive Data Disclosure vulnerability discovered by Karan Saini in WordPress WP Import Export Lite plugin versions <= 3.9.15. Solution Update the WordPress WP Import Export Lite plugin to the latest available version at least 3.9.16...
WordPress MOLIE plugin <= 0.5 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting XSS vulnerability discovered by Jeremie Amsellem in WordPress MOLIE plugin versions <= 0.5. Solution Deactivate and delete. This plugin has been closed as of November 29, 2021 and is not available for download. Reason: Security Issue...
WordPress AddToAny Share Buttons plugin <= 1.7.45 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by Asif Nawaz Minhas in WordPress AddToAny Share Buttons plugin versions <= 1.7.45. Solution Update the WordPress AddToAny Share Buttons plugin to the latest available version at least 1.7.46...
WordPress Autoptimize plugin <= 2.7.6 - Authenticated Arbitrary File Upload vulnerability
Authenticated Arbitrary File Upload vulnerability found by Nguyen Van Khanh SunCSR in WordPress Autoptimize plugin versions <= 2.7.6. Solution Update the WordPress Autoptimize plugin to the latest available version at least 2.7.7...