45948 matches found
WordPress Opstore theme <= 1.4.3 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress Opstore theme versions <= 1.4.3. This theme uses a vulnerable piece of code related to previously identified vulnerability - CVE-2021-39317. Solution: Deactivate and delete. The vendor ignores the...
WordPress Ultra Seven theme <= 1.2.8 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress Ultra Seven theme versions <= 1.2.8. This theme uses a vulnerable piece of code related to previously identified vulnerability - CVE-2021-39317. Solution: Deactivate and delete. The vendor ignores...
WordPress Mobile Events Manager plugin <= 1.4.3.1 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Varun thorat in WordPress Mobile Events Manager plugin versions <= 1.4.3.1. Solution: Update the WordPress Mobile Events Manager plugin to the latest available version at least 1.4.4...
WordPress Simple Download Monitor plugin <= 3.9.10 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by apple502j in WordPress Simple Download Monitor plugin versions <= 3.9.10. Solution: Update the WordPress Simple Download Monitor plugin to the latest available version at least 3.9.11...
WordPress All in One SEO plugin <= 4.1.5.2 - Authenticated Privilege Escalation vulnerability
Authenticated Privilege Escalation vulnerability discovered by Marc Montpas in WordPress All in One SEO plugin versions <= 4.1.5.2. Solution: Update the WordPress All in One SEO plugin to the latest available version at least 4.1.5.3...
WordPress link-list-manager plugin <= 1.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress link-list-manager plugin versions <= 1.0. Solution: Deactivate and delete. This plugin has been closed as of December 3, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress WOOCS – Currency Switcher for WooCommerce plugin <= 1.3.7.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress WOOCS – Currency Switcher for WooCommerce plugin versions <= 1.3.7.2. Solution: Update the WordPress WOOCS – Currency Switcher for WooCommerce plugin to the latest available version at least 1.3.7.3...
WordPress True Ranker plugin <= 2.2.2 - Directory Traversal/Arbitrary File Read vulnerability
Directory Traversal/Arbitrary File Read vulnerability discovered by p7e4 in WordPress True Ranker plugin versions <= 2.2.2. Solution: Update the WordPress True Ranker plugin to the latest available version at least 2.2.4...
WordPress Best WordPress FAQ plugin <= 1.4.8 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress Best WordPress FAQ plugin versions <= 1.4.8. Solution: Deactivate and delete. This plugin has been closed as of December 3, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress Fathom Analytics plugin <= 3.0.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by José Aguilera in WordPress Fathom Analytics plugin versions <= 3.0.4. Solution: Update the WordPress Fathom Analytics plugin to the latest available version at least 3.0.5...
WordPress Site Reviews plugin <= 5.17.2 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Site Reviews plugin versions <= 5.17.2. Solution: Update the WordPress Site Reviews plugin to the latest available version at least 5.17.3...
WordPress Booster for Woocommerce plugin <= 5.4.8 - Reflected Cross-Site Scripting (XSS) vulnerability in General Module
Reflected Cross-Site Scripting (XSS) vulnerability in PDF Invoicing Module discovered by Jeremie Amsellem in WordPress Booster for Woocommerce plugin versions <= 5.4.8. Solution: Update the WordPress Booster for Woocommerce plugin to the latest available version at least 5.4.9...
WordPress Stetic plugin <= 1.0.8 - Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by Naoki Ogawa (Cryptography Laboratory in Tokyo Denki University) in WordPress Stetic plugin versions <= 1.0.8. Solution: Update the WordPress Stetic plugin to the latest available version at least...
WordPress Zigcy Baby theme <= 1.0.6 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress Zigcy Baby theme versions <= 1.0.6. This theme uses a vulnerable piece of code related to previously identified vulnerability - CVE-2021-39317. Solution: Deactivate and delete. The vendor ignores...
WordPress WPFront User Role Editor plugin <= 3.1.0.10272 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress WPFront User Role Editor plugin versions <= 3.1.0.10272. Solution: Update the WordPress WPFront User Role Editor plugin to the latest available version at least 3.2.1.11184...
WordPress Child Theme Generator plugin <= 2.2.7 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress Child Theme Generator plugin versions <= 2.2.7. Solution: Deactivate and delete. This plugin has been closed as of November 18, 2021 and is not available for download. Reason: Security Issue...
WordPress Temporary Login Without Password plugin <= 1.7.0 - Unauthorized Plugin's Settings Update vulnerability
Unauthorized Plugin's Settings Update vulnerability discovered by apple502j in WordPress Temporary Login Without Password plugin versions <= 1.7.0. Solution: Update the WordPress Temporary Login Without Password plugin to the latest available version at least 1.7.1...
WordPress Shiny Buttons plugin <= 1.1.0 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Vishal Mohan in WordPress Shiny Buttons plugin versions <= 1.1.0. Solution: Deactivate and delete. This plugin has been closed as of September 27, 2021 and is not available for download. This closure is temporary, pending a...
WordPress Contact Form 7 Database Addon – CFDB7 plugin <= 1.2.6.1 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ex.Mi (Patchstack) in WordPress Contact Form 7 Database Addon – CFDB7 plugin versions <= 1.2.6.1. Solution: Update the WordPress Contact Form 7 Database Addon – CFDB7 plugin to the latest available version at least 1.2.6.2...
WordPress Microsoft Clarity plugin <= 0.3 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Cyber Security Works Pvt. Ltd. in WordPress Microsoft Clarity plugin versions <= 0.3. Solution: Update the WordPress Microsoft Clarity plugin to the latest available version at least 0.4...
WordPress Easy Digital Downloads plugin <= 2.11.2 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability
Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by Thinkland Security Team in WordPress Easy Digital Downloads plugin versions <= 2.11.2. Solution: Update the WordPress Easy Digital Downloads plugin to the latest available version at least 2.11.2.1...
WordPress Logo Showcase with Slick Slider plugin <= 1.2.3 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by apple502j in WordPress Logo Showcase with Slick Slider plugin versions <= 1.2.3. Solution: Update the WordPress Logo Showcase with Slick Slider plugin to the latest available version at least 1.2.4...
WordPress Support Board premium plugin <= 3.3.5 - Arbitrary File Deletion via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary File Deletion via Cross-Site Request Forgery (CSRF) vulnerability discovered by Brandon Roldan in WordPress Support Board premium plugin versions <= 3.3.5. Solution: Update the WordPress Support Board premium plugin to the latest available version at least 3.3.6...
WordPress MyBB Cross-Poster plugin <= 1.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Thinkland Security Team in WordPress MyBB Cross-Poster plugin versions <= 1.0. Solution: Deactivate and delete. This plugin has been closed as of October 13, 2021 and is not available for download. This closure is temporary,...
WordPress Header Footer Code Manager plugin <= 1.1.13 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by bl4derunner in WordPress Header Footer Code Manager plugin versions <= 1.1.13. Solution: Update the WordPress Header Footer Code Manager plugin to the latest available version at least 1.1.14...
WordPress WP Header Images plugin <= 2.0.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by apple502j in WordPress WP Header Images plugin versions <= 2.0.0. Solution: Update the WordPress WP Header Images plugin to the latest available version at least 2.0.1...
WordPress Wow Forms plugin <= 3.1.3 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by Shreya Pohekar (Codevigilant Project) in WordPress Wow Forms plugin versions <= 3.1.3. Solution: Deactivate and delete. This plugin has been closed as of June 18, 2021 and is not available for download. Reason: Security Issue...
WordPress Booking.com Banner Creator plugin <= 1.4.2 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas in WordPress Booking.com Banner Creator plugin versions <= 1.4.2. Solution: Update the WordPress Booking.com Banner Creator plugin to the latest available version at least 1.4.3...
WordPress WP Survey Plus plugin <= 1.0 - AJAX Calls to add/edit/delete surveys vulnerability
AJAX Calls to add/edit/delete surveys vulnerability discovered by Vishal Mohan in WordPress WP Survey Plus plugin versions <= 1.0. Solution: Deactivate and delete. This plugin has been closed as of September 30, 2021 and is not available for download. This closure is temporary, pending a full revie...
WordPress Simple Download Monitor plugin <= 3.9.5 - Unauthorized Log Reset vulnerability
Unauthorized Log Reset vulnerability discovered by WPScanTeam in WordPress Simple Download Monitor plugin versions <= 3.9.5. Solution: Update the WordPress Simple Download Monitor plugin to the latest available version at least 3.9.6...
WordPress Permalink Manager Lite plugin <= 2.2.12 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by bl4derunner in WordPress Permalink Manager Lite plugin versions <= 2.2.12. Solution: Update the WordPress Permalink Manager Lite plugin to the latest available version at least 2.2.13.1...
WordPress Special Text Boxes plugin <= 5.9.109 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Akash Rajendra Patil in WordPress Special Text Boxes plugin versions <= 5.9.109. Solution: Update the WordPress Special Text Boxes plugin to the latest available version at least 5.9.110...
WordPress Telefication vulnerability <= 1.8.0 - Open Relay and Server-Side Request Forgery vulnerability
Open Relay and Server-Side Request Forgery vulnerability discovered by Marco Wotschka & Charles Strader Sweethill in WordPress Telefication vulnerability versions <= 1.8.0. Solution: This plugin has been closed as of September 20, 2021 and is not available for download. This closure is temporary,...
WordPress Essential Content Types plugin <= 1.8.6 - Unauthorized Plugin Setting Change vulnerability
Unauthorized Plugin Setting Change vulnerability discovered by apple502j in WordPress Essential Content Types plugin versions <= 1.8.6. Solution: Update the WordPress Essential Content Types plugin to the latest available version at least 1.9...
WordPress XforWooCommerce plugin <= 1.6.4 - Multiple vulnerabilities
Multiple vulnerabilities (Authenticated Arbitrary WordPress Options Change, Read and Deletion / Authenticated User Enumeration / Authenticated Plugin Settings Change, Import and Export) were discovered by Jerome Bruandet (NinTechNet) in the WordPress XforWooCommerce plugin versions <= 1.6.4. Solution...
WordPress Sociable plugin <= 4.3.4.1 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Genubhau Wayal in WordPress Sociable plugin versions <= 4.3.4.1. Solution: Deactivate and delete. This plugin has been closed as of August 9, 2021 and is not available for download. Reason: Security Issue...
WordPress Html5 Audio Player plugin <= 2.1.2 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Michał Lipiński in WordPress Html5 Audio Player plugin versions <= 2.1.2. Solution: Update the WordPress Html5 Audio Player plugin to the latest available version at least 2.1.3...
WordPress PDF Light Viewer plugin <= 1.4.11 - Authenticated Command Injection vulnerability
Authenticated Command Injection vulnerability discovered by apple502j in WordPress PDF Light Viewer plugin versions <= 1.4.11. Solution: Update the WordPress PDF Light Viewer plugin to the latest available version at least 1.4.12...
WordPress Post Title Counter plugin <= 1.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress Post Title Counter plugin versions <= 1.1. Solution: This plugin has been closed as of September 7, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress WP-T-Wap plugin <= 1.13.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress WP-T-Wap plugin versions <= 1.13.2. Solution: This plugin has been closed as of September 7, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress Chained Quiz plugin <= 1.2.7.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Shivam Rai in WordPress Chained Quiz plugin versions <= 1.2.7.1. Solution: Update the WordPress Chained Quiz plugin to the latest available version at least 1.2.7.1...
WordPress Appointment Hour Booking plugin <= 1.3.15 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas in WordPress Appointment Hour Booking plugin versions <= 1.3.15. Solution: Update the WordPress Appointment Hour Booking plugin to the latest available version at least 1.3.16...
WordPress WooCommerce Dynamic Pricing & Discounts premium plugin <= 2.4.1 - Unauthenticated Settings Export vulnerability
Unauthenticated Settings Export vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress WooCommerce Dynamic Pricing & Discounts premium plugin versions <= 2.4.1. Solution: Update the WordPress WooCommerce Dynamic Pricing & Discounts premium plugin to the latest available version at leas...
WordPress Advanced Custom Fields plugin <= 5.9.9 - Arbitrary ACF Data/Field Groups View and Fields Move vulnerability
Arbitrary ACF Data/Field Groups View and Fields Move vulnerability discovered by Keitaro Yamazaki in WordPress Advanced Custom Fields plugin versions <= 5.9.9. Solution: Update the WordPress Advanced Custom Fields plugin to the latest available version at least 5.10...
WordPress Nested Pages plugin <= 3.1.15 - Open Redirect vulnerability
Open Redirect vulnerability discovered by Ram Gall (WordFence) in WordPress Nested Pages plugin versions <= 3.1.15. Solution: Update the WordPress Nested Pages plugin to the latest available version at least 3.1.16...
WordPress Recipe Card Blocks for Gutenberg & Elementor plugin <= 2.8.2 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by apple502j in WordPress Recipe Card Blocks for Gutenberg & Elementor plugin versions <= 2.8.2. Solution: Update the WordPress Recipe Card Blocks for Gutenberg & Elementor plugin to the latest available version at least 2.8.3...
WordPress Timetable and Event Schedule by MotoPress plugin <= 2.4.1 - Unauthorized Event TimeSlot Update vulnerability
Unauthorized Event TimeSlot Update vulnerability discovered by dc11 in WordPress Timetable and Event Schedule by MotoPress plugin versions <= 2.4.1. Solution: Update the WordPress Timetable and Event Schedule by MotoPress plugin to the latest available version at least 2.4.2...
WordPress Per page add to head plugin <= 1.4.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Prashant Karman Patel in WordPress Per page add to head plugin versions <= 1.4.4. Solution: This plugin has been closed as of June 7, 2021 and is not available for download. Reason: Security Issue...
WordPress Product Limited Time Availability Date for WooCommerce plugin <= 1.0.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by iohex and WPScanTeam in WordPress Product Limited Time Availability Date for WooCommerce plugin versions <= 1.0.1. Solution: 2021-08-27 - no patched version available...
WordPress SpeakOut! Email Petitions plugin <= 2.13.1.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScanTeam in WordPress SpeakOut! Email Petitions plugin versions <= 2.13.1.1. Solution: Update the WordPress SpeakOut! Email Petitions plugin to the latest available version at least 2.13.3...