45948 matches found
WordPress Browser Screenshots plugin <= 1.7.5 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by apple502j in WordPress Browser Screenshots plugin versions <= 1.7.5. Solution: Update the WordPress Browser Screenshots plugin to the latest available version (at least 1.7.6)...
WordPress Sign-up Sheets plugin <= 1.0.13 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ajay Sandipan Thorbole in WordPress Sign-up Sheets plugin versions <= 1.0.13. Solution: Update the WordPress Sign-up Sheets plugin to the latest available version (at least 1.0.14)...
WordPress Leaflet Map plugin <= 2.23.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by apple502j in WordPress Leaflet Map plugin versions <= 2.23.3. Solution: Update the WordPress Leaflet Map plugin to the latest available version (at least 3.0.0)...
WordPress Motor premium theme <= 3.0 - Unauthenticated Local File Inclusion (LFI) vulnerability
Unauthenticated Local File Inclusion (LFI) vulnerability discovered by Harald Eilertsen (JetPack) in WordPress Motor premium theme versions <= 3.0. Solution: Update the WordPress Motor theme to the latest available version (at least 3.1)...
WordPress JoomSport plugin <= 5.1.5 - Unauthenticated PHP Object Injection vulnerability
Unauthenticated PHP Object Injection vulnerability discovered by Bugbang in WordPress JoomSport plugin versions <= 5.1.5. Solution: Update the WordPress JoomSport plugin to the latest available version (at least 5.1.8)...
WordPress Comments Like Dislike plugin <= 1.1.3 - Repeated Voting Restriction Bypass vulnerability
Repeated Voting Restriction Bypass vulnerability discovered by Phu Tran in WordPress Comments Like Dislike plugin versions <= 1.1.3. Solution: Update the WordPress Comments Like Dislike plugin to the latest available version (at least 1.1.4)...
WordPress FooGallery plugin <= 2.0.30 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by avolume in WordPress FooGallery plugin versions <= 2.0.30. Solution: Update the WordPress FooGallery plugin to the latest available version (at least 2.0.35)...
WordPress Easy Preloader plugin <= 1.0.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Kishore Hariram in WordPress Easy Preloader plugin versions <= 1.0.0. Solution: This plugin has been closed as of May 4, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress Xllentech English Islamic Calendar plugin <= 2.6.7 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Syed Sheeraz Ali in WordPress Xllentech English Islamic Calendar plugin versions <= 2.6.7. Solution: Update the WordPress Xllentech English Islamic Calendar plugin to the latest available version (at least 2.6.8)...
WordPress Side Menu plugin <= 3.1.3 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Shreya Pohekar in WordPress Side Menu plugin versions <= 3.1.3. Solution: Update the WordPress Side Menu plugin to the latest available version (at least 3.1.5)...
WordPress External Media plugin <= 1.0.33 - Authenticated Arbitrary File Upload vulnerability leading to Remote Code Execution (RCE)
Authenticated Arbitrary File Upload vulnerability leading to Remote Code Execution (RCE) discovered by Chloe Chamberland (WordFence) in WordPress External Media plugin versions <= 1.0.33. Solution: Update the WordPress External Media plugin to the latest available version (at least 1.0.34)...
WordPress <= 5.7.1 - Object injection in PHPMailer vulnerability
Object injection in PHPMailer vulnerability discovered in WordPress (one security issue affecting WordPress versions between 3.7 and 5.7). Solution: Update WordPress to the latest available version (at least 5.7.2). All WordPress versions since 3.7 have also been updated to fix the following...
WordPress Autoptimize plugin <= 2.8.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by m0ze in WordPress Autoptimize plugin versions <= 2.8.3. Solution: Update the WordPress Autoptimize plugin to the latest available version (at least 2.8.4)...
WordPress Pods plugin <= 2.7.26 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by WhiteSource in WordPress Pods plugin versions <= 2.7.26. Solution: Update the WordPress Pods plugin to the latest available version (at least 2.7.27)...
WordPress Store Locator Plus plugin <= 5.5.14 - Authenticated Privilege Escalation vulnerability
Authenticated Privilege Escalation vulnerability discovered by WordFence in WordPress Store Locator Plus plugin versions <= 5.5.14. Solution: Update the WordPress Store Locator Plus plugin to the latest available version (at least 5.5.15)...
WordPress Classyfrieds plugin <= 3.8 - Authenticated Arbitrary File Upload vulnerability leading to Remote Code Execution (RCE)
Authenticated Arbitrary File Upload vulnerability leading to Remote Code Execution (RCE) discovered by Jin Huang in WordPress Classyfrieds plugin versions <= 3.8. Solution: This plugin has been closed as of December 24, 2018 and is not available for download. Reason: Guideline Violation...
WordPress WP Page Builder plugin <= 1.2.3 - Insecure Default Configuration vulnerability
Insecure Default Configuration vulnerability discovered by WordFence in WordPress WP Page Builder plugin versions <= 1.2.3. Solution: Update the WordPress WP Page Builder plugin to the latest available version (at least 1.2.4)...
WordPress WP Super Cache plugin <= 1.7.1 - Authenticated Remote Code Execution (RCE) vulnerability
Authenticated Remote Code Execution (RCE) vulnerability (settings page) discovered by m0ze (Patchstack Red Team) in WordPress WP Super Cache plugin versions <= 1.7.1. Solution: Update the WordPress WP Super Cache plugin to the latest available version (at least 1.7.2)...
WordPress JH 404 Logger plugin <= 1.1 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ganesh Bagaria in WordPress JH 404 Logger plugin versions <= 1.1. Solution: Deactivate and delete. This plugin has been closed as of February 11, 2021 and is not available for download. Reason: Security Issue...
WordPress Defender Security plugin <= 2.4.6 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found by NintechNet in WordPress Defender Security plugin versions <= 2.4.6. Solution: Update the WordPress Defender Security plugin to the latest available version (at least 2.4.6.1)...
WordPress YITH WooCommerce Gift Cards plugin <= 3.3.0 - Arbitrary File Upload to Remote Code Execution (RCE) vulnerability
Arbitrary File Upload to Remote Code Execution (RCE) vulnerability found by Guy Liu in WordPress YITH WooCommerce Gift Cards plugin versions <= 3.3.0. Solution: Update the WordPress YITH WooCommerce Gift Cards plugin to the latest available version (at least 3.3.1)...
WordPress FV Flowplayer Video Player plugin <= 7.4.37.727 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability found by Arcangelo Saracino in WordPress FV Flowplayer Video Player plugin versions <= 7.4.37.727. Solution: Update the WordPress FV Flowplayer Video Player plugin to the latest available version (at least 7.4.38.727)...
WordPress Media Library Assistant plugin <= 2.84 - Authenticated Blind SQL Injection (SQLi) vulnerability
Authenticated Blind SQL Injection (SQLi) vulnerability found by Lenon Leite in WordPress Media Library Assistant plugin versions <= 2.84. Solution: Update the WordPress Media Library Assistant plugin to the latest available version (at least 2.9.0)...
WordPress Augmented Reality plugin <= 1.2.0 - Unauthenticated PHP File Upload leading to Remote Code Execution (RCE) vulnerability
Unauthenticated PHP File Upload leading to Remote Code Execution (RCE) vulnerability found by Robert Wiggins in WordPress Augmented Reality plugin versions <= 1.2.0. Solution: Note from wordpress.org plugin repository: This plugin has been closed as of September 3, 2020 and is not available for...
WordPress NewsMag theme <= 2.4.1 - Unauthenticated Function Injection vulnerability
Unauthenticated Function Injection vulnerability found by Jerome Bruandet (NinTechNet) in WordPress NewsMag theme versions <= 2.4.1. Solution: Update the WordPress NewsMag theme to the latest available version (at least 2.4.2)...
WordPress WooCommerce - NAB Transact plugin <= 2.1.1 - Payment Bypass vulnerability
Payment Bypass vulnerability found by Jack Misiura in WordPress WooCommerce - NAB Transact plugin versions <= 2.1.1. Solution: Update the WordPress WooCommerce - NAB Transact plugin to the latest available version (at least 2.1.2)...
WordPress Email Subscribers & Newsletters plugin <= 4.5.0.1 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found by Tenable in WordPress Email Subscribers & Newsletters plugin versions <= 4.5.0.1. Solution: Update the WordPress Email Subscribers & Newsletters plugin to the latest available version (at least 4.5.1)...
WordPress Email Subscribers & Newsletters <= 4.5.0.1 - Authenticated SQL injection (SQLi) vulnerability
Authenticated SQL injection (SQLi) vulnerability found by Tenable in WordPress Email Subscribers & Newsletters versions <= 4.5.0.1. Solution: Update the WordPress Email Subscribers & Newsletters to the latest available version (at least 4.5.1)...
WordPress All In One SEO Pack plugin <= 3.6.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by WordFence in WordPress All In One SEO Pack plugin versions <= 3.6.1. Solution: Update the WordPress All In One SEO Pack plugin to the latest available version (at least 3.6.2)...
WordPress Testimonial Rotator plugin <= 3.0.2 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found by Vu Dong in WordPress Testimonial Rotator plugin versions <= 3.0.2. Solution: Update the WordPress Testimonial Rotator plugin to the latest available version (at least 3.0.3)...
WordPress ThirstyAffiliates plugin <= 3.9.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by minhtuanact in WordPress ThirstyAffiliates plugin versions <= 3.9.2. Solution: Update the WordPress ThirstyAffiliates plugin to the latest available version (at least 3.9.3)...
WordPress WP Product Review Lite plugin <= 3.7.5 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Sucuri in WordPress WP Product Review Lite plugin versions <= 3.7.5. Solution: Update the WordPress WP Product Review Lite plugin to the latest available version (at least 3.7.6)...
WordPress Elementor Pro premium plugin <= 2.9.3 - Authenticated Arbitrary File Upload vulnerability
Authenticated Arbitrary File Upload vulnerability discovered by WordFence in WordPress Elementor Pro premium plugin versions <= 2.9.3. Solution: Update the WordPress Elementor Pro premium plugin to the latest available version (at least 2.9.4)...
WordPress Import Export WordPress Users plugin <= 1.3.8 - Arbitrary User Creation vulnerability
Arbitrary User Creation vulnerability discovered by WordFence in WordPress Import Export WordPress Users plugin versions <= 1.3.8. Solution: Update the WordPress Import Export WordPress Users plugin to the latest available version (at least 1.3.9)...
WordPress Calculated Fields Form plugin <= 1.0.353 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability found by Ben Armstrong (Spider Sec Ltd) in WordPress Calculated Fields Form plugin versions <= 1.0.353. Solution: Update the WordPress Calculated Fields Form plugin to the latest available version (at least 1.0.354)...
WordPress Social LikeBox & Feed plugin <= 2.8.4 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found in WordPress Social LikeBox & Feed plugin versions <= 2.8.4. Solution: Update the WordPress Social LikeBox & Feed plugin to the latest available version (at least 2.8.5)...
WordPress Zoho SalesIQ plugin <= 1.0.8 - Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) vulnerabilities
Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) vulnerabilities found by Cryptography Laboratory in WordPress Zoho SalesIQ plugin versions <= 1.0.8. Solution: Update the WordPress Zoho SalesIQ plugin to the latest available version (at least 1.0.9)...
WordPress JobCareer theme - 2.5 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability found by QUIXSS in WordPress JobCareer theme version 2.5. Solution: Update the WordPress JobCareer theme to the latest available version (at least 2.5.1)...
WordPress WP Database Backup plugin <= 5.1.2 - Unauthenticated OS Command Injection vulnerability
Unauthenticated OS Command Injection vulnerability found by WordFence in WordPress WP Database Backup plugin versions <= 5.1.2. Solution: Update the WordPress WP Database Backup plugin to the latest available version (at least 5.2)...
WordPress NextScripts plugin <= 4.2.7 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found by Tim Coen in WordPress NextScripts plugin versions <= 4.2.7. Solution: Update the WordPress NextScripts plugin to the latest available version (at least 4.2.8)...
WordPress RSVPMaker plugin <= 5.6.3 - SQL Injection (SQLi) vulnerabilities
SQL Injection (SQLi) vulnerabilities found in WordPress RSVPMaker plugin versions <= 5.6.3. Solution: Update the WordPress RSVPMaker plugin to the latest available version (at least 5.6.4)...
WordPress UserPro premium plugin <= 4.9.23 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found by Yonatan Correa in WordPress UserPro premium plugin versions <= 4.9.23. Solution: Update the WordPress UserPro premium plugin to the latest available version (at least 4.9.24)...
WordPress Geo Mashup plugin <= 1.10.3 - Unspecified Cross-Site Scripting (XSS) vulnerability
Unspecified Cross-Site Scripting (XSS) vulnerability found in WordPress Geo Mashup plugin versions <= 1.10.3. Solution: Update the WordPress Geo Mashup plugin to the latest available version (at least 1.10.4)...
WordPress All In One Favicon plugin <= 4.6 - Multiple Stored Authenticated Cross-Site Scripting (XSS) vulnerabilities
Multiple Stored Authenticated Cross-Site Scripting (XSS) vulnerabilities found by Javier Olmedo in WordPress All In One Favicon plugin versions <= 4.6. Solution: This plugin was closed on July 13, 2018 and is no longer available for download. Deactivate and delete asap...
WordPress Advanced Order Export For WooCommerce plugin <= 1.5.4 - CSV Injection vulnerability
CSV Injection vulnerability found by Bhushan Patil in WordPress Advanced Order Export For WooCommerce plugin versions <= 1.5.4. Solution: Update the WordPress Advanced Order Export For WooCommerce plugin to the latest available version (at least 1.5.5)...
WordPress WooCommerce Category Banner Management plugin <= 1.1.0 - Unauthenticated Settings Change Vulnerability
Unauthenticated Settings Change Vulnerability found by ThreatPress Research Team in WordPress WooCommerce Category Banner Management plugin versions <= 1.1.0. Solution: Update the WordPress WooCommerce Category Banner Management plugin to the latest available version (at least 1.1.1)...
WordPress Advance Search for WooCommerce plugin <= 1.0.9 - Stored Cross-site scripting (XSS) vulnerability
Stored Cross-site scripting (XSS) vulnerability found by ThreatPress Research Team in WordPress Advance Search for WooCommerce plugin versions <= 1.0.9. Solution: 3 June 2018 - plugin still closed by WordPress Security team, no patched version available...
WordPress WP Live Chat Support plugin <=8.0.07 - Authenticated Cross-Site Scripting (XSS) vulnerability
Authenticated Cross-Site Scripting (XSS) vulnerability found by Riccardo ten Cate in WordPress WP Live Chat Support plugin versions <= 8.0.07. Solution: Update the WordPress WP Live Chat Support plugin to the latest available version (at least 8.0.08)...
Google Drive for WordPress plugin <=2.2 - Remote Code Execution (RCE) vulnerability
Remote Code Execution (RCE) vulnerability found by Lenon Leite in Google Drive for WordPress plugin versions <= 2.2. Solution: Attention! This plugin was closed on 2018 January 26 by WordPress security team and is no longer available for download. Deactivate and uninstall!...
WordPress Relevanssi plugin <=4.0.4 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found in WordPress Relevanssi plugin versions <= 4.0.4. Attackers can inject arbitrary JavaScript or HTML via the GET parameter. Solution: 09.04.2018 - Several sources claim that you need to update to the version 4.1, but we were unable to find this version on...