WordPress WP Product Review Lite plugin <= 3.7.5 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Sucuri in WordPress WP Product Review Lite plugin versions <= 3.7.5. Solution: Update the WordPress WP Product Review Lite plugin to the latest available version, at least 3.7.6...
WordPress Elementor Pro premium plugin <= 2.9.3 - Authenticated Arbitrary File Upload vulnerability
Authenticated Arbitrary File Upload vulnerability discovered by Wordfence in WordPress Elementor Pro premium plugin versions <= 2.9.3. Solution: Update the WordPress Elementor Pro premium plugin to the latest available version, at least 2.9.4...
WordPress Calculated Fields Form plugin <= 1.0.353 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability found by Ben Armstrong (Spider Sec Ltd) in WordPress Calculated Fields Form plugin versions <= 1.0.353. Solution: Update the WordPress Calculated Fields Form plugin to the latest available version, at least 1.0.354...
WordPress Social LikeBox & Feed plugin <= 2.8.4 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found in WordPress Social LikeBox & Feed plugin versions <= 2.8.4. Solution: Update the WordPress Social LikeBox & Feed plugin to the latest available version, at least 2.8.5...
WordPress Zoho SalesIQ plugin <= 1.0.8 - Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) vulnerabilities
Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) vulnerabilities found by Cryptography Laboratory in WordPress Zoho SalesIQ plugin versions <= 1.0.8. Solution: Update the WordPress Zoho SalesIQ plugin to the latest available version, at least 1.0.9...
WordPress NextScripts plugin <= 4.2.7 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found by Tim Coen in WordPress NextScripts plugin versions <= 4.2.7. Solution: Update the WordPress NextScripts plugin to the latest available version, at least 4.2.8...
WordPress RSVPMaker plugin <= 5.6.3 - SQL Injection (SQLi) vulnerabilities
SQL Injection (SQLi) vulnerabilities found in WordPress RSVPMaker plugin versions <= 5.6.3. Solution: Update the WordPress RSVPMaker plugin to the latest available version, at least 5.6.4...
WordPress UserPro premium plugin <= 4.9.23 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found by Yonatan Correa in WordPress UserPro premium plugin versions <= 4.9.23. Solution: Update the WordPress UserPro premium plugin to the latest available version, at least 4.9.24...
WordPress Geo Mashup plugin <= 1.10.3 - Unspecified Cross-Site Scripting (XSS) vulnerability
Unspecified Cross-Site Scripting (XSS) vulnerability found in WordPress Geo Mashup plugin versions <= 1.10.3. Solution: Update the WordPress Geo Mashup plugin to the latest available version, at least 1.10.4...
WordPress All In One Favicon plugin <= 4.6 - Multiple Stored Authenticated Cross-Site Scripting (XSS) vulnerabilities
Multiple Stored Authenticated Cross-Site Scripting (XSS) vulnerabilities found by Javier Olmedo in WordPress All In One Favicon plugin versions <= 4.6. Solution: This plugin was closed on July 13, 2018 and is no longer available for download. Deactivate and delete it as soon as possible...
WordPress WooCommerce Category Banner Management plugin <= 1.1.0 - Unauthenticated Settings Change Vulnerability
Unauthenticated Settings Change vulnerability found by ThreatPress Research Team in WordPress WooCommerce Category Banner Management plugin versions <= 1.1.0. Solution: Update the WordPress WooCommerce Category Banner Management plugin to the latest available version, at least 1.1.1...
WordPress Advance Search for WooCommerce plugin <= 1.0.9 - Stored Cross-site scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability found by ThreatPress Research Team in WordPress Advance Search for WooCommerce plugin versions <= 1.0.9. Solution: 3 June 2018 - plugin still closed by the WordPress Security team, no patched version available...
WordPress WP Live Chat Support plugin <= 8.0.07 - Authenticated Cross-Site Scripting (XSS) vulnerability
Authenticated Cross-Site Scripting (XSS) vulnerability found by Riccardo ten Cate in WordPress WP Live Chat Support plugin versions <= 8.0.07. Solution: Update the WordPress WP Live Chat Support plugin to the latest available version, at least 8.0.08...
WordPress Relevanssi plugin <= 4.0.4 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found in WordPress Relevanssi plugin versions <= 4.0.4. Attackers can inject arbitrary JavaScript or HTML via the GET parameter. Solution: 09.04.2018 - Several sources claim that you need to update to version 4.1, but we were unable to find this version on...
WordPress File Manager plugin <= 5.0.0 - Information Disclosure vulnerability
Information Disclosure vulnerability found in WordPress File Manager plugin versions <= 5.0.0. Solution: Update the WordPress File Manager plugin to the latest available version, at least 5.0.2...
WordPress Enfold theme <= 4.2 - Rewrite Portfolio Permalink Structure & Information Disclosure
Rewrite Portfolio Permalink Structure & Information Disclosure in WordPress Enfold theme versions <= 4.2. Solution: Update the WordPress Enfold theme to the latest available version, at least 4.2.1...
WordPress Share This Image plugin <= 1.03 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability found by Neorichi in WordPress Share This Image plugin versions <= 1.03. Solution: Update the WordPress Share This Image plugin to the latest available version, at least 1.04...
WordPress Gravity Forms – Clockwork SMS plugin <= 2.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability found by Elias Dimopoulos in WordPress Gravity Forms – Clockwork SMS plugin versions <= 2.2. Solution: Update the WordPress Gravity Forms – Clockwork SMS plugin to the latest available version, at least 2.4.0...
WordPress Apocalypse Meow plugin <= 21.2.7 - BCrypt Authentication Bypass vulnerability
BCrypt Authentication Bypass vulnerability found by Steve (Sc00bzT) in WordPress Apocalypse Meow plugin versions <= 21.2.7. Solution: Update the WordPress Apocalypse Meow plugin to the latest available version, at least 21.2.8...
WordPress amtyThumb posts plugin 8.1.3 - Unauthenticated Cross-Site Scripting (XSS) vulnerability
Unauthenticated Cross-Site Scripting (XSS) vulnerability found in WordPress amtyThumb posts plugin version 8.1.3. Solution: 02.12.2017 - no information about a patched version. The last version was released one year ago. The plugin looks abandoned; use with caution, or uninstall...
WordPress WP Support Plus Responsive Ticket System plugin <= 8.0.7 - Remote Code Execution (RCE) vulnerability
Remote Code Execution (RCE) vulnerability found in WordPress WP Support Plus Responsive Ticket System plugin versions <= 8.0.7. Solution: Update the WordPress WP Support Plus Responsive Ticket System plugin to the latest available version, at least version 8.0.8...
WordPress Media from FTP Plugin <= 9.79 - Authenticated PHP Object Injection Vulnerability
An Authenticated PHP Object Injection vulnerability was found in WordPress Media from FTP plugin version 9.79. The plugin makes the function mediafromftpmedialibraryimportupdatecallback accessible through WordPress' AJAX functionality to those logged in to WordPress in the file...
WordPress Loginizer plugin <= 1.3.5 - Blind SQL Injection vulnerability
Blind SQL Injection vulnerability found by Jonas Lejon (WPScans) in WordPress Loginizer plugin version 1.3.5 and earlier versions. Vulnerable due to HTTP header forwarding without any sanitization to lzselectquery and then $wpdb->get_results. Solution: Update the WordPress Loginizer plugin to the late...
WordPress Simple Custom CSS and JS plugin <= 3.3 - Authenticated Cross-Site Scripting (XSS) vulnerability
Authenticated Cross-Site Scripting (XSS) vulnerability found by Chris Liu in WordPress Simple Custom CSS and JS plugin version 3.3 and earlier versions. Solution: Update the WordPress Simple Custom CSS and JS plugin to the latest available version, at least 3.4...
WordPress plugin WP Mail <=1.1 - Reflected Cross Site Scripting (XSS) vulnerability
WordPress plugin WP Mail version 1.1 has a Reflected Cross-Site Scripting (XSS) vulnerability that allows an attacker to execute JavaScript in the context of the user receiving the mail. Solution: Update the plugin to the latest version, at least 1.2...
WordPress WP Editor plugin <= 1.2.6.2 - Multiple Cross-Site Scripting (XSS) vulnerabilities
Multiple Cross-Site Scripting (XSS) vulnerabilities found in WordPress WP Editor plugin versions <= 1.2.6.2. Solution: Update the WordPress WP Editor plugin to the latest available version, at least 1.2.6.3...
WordPress Maintenance Mode Plugin <= 2.0.6 - Missing Settings Authorization
This plugin is prone to a missing settings authorization vulnerability. Solution: Upgrade the plugin...
WordPress Collne Welcart e-Commerce Plugin <= 1.8.2 - SQL Injection
This vulnerability allows an attacker to conduct PHP object injection attacks and execute arbitrary PHP code via crafted serialized data. Solution: Update the plugin...
WordPress Nofollow Links Plugin <= 1.0.10 - Cross Site Scripting
This plugin is prone to a cross-site scripting vulnerability. It allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Solution: Update the plugin...
WordPress Pondol Carousel Plugin <= 1.0 - Cross Site Scripting (XSS)
Because of this vulnerability, the variable "itemid" appears to send unsanitized data back to the user's browser. The vulnerable file is /pondol-carousel/pages/admincreate.php. Solution: Update the plugin...
WordPress Tera Charts Plugin - Cross Site Scripting
Because of this vulnerability, attackers can inject arbitrary JavaScript or HTML code. Solution: Update the plugin...
WordPress Tidio Gallery Plugin <= 1.1 - Cross Site Scripting (XSS)
This vulnerability is in the PHP code at /tidio-gallery/popup-insert-help.php. Solution: Update the plugin...
WordPress Easy Photo Album Plugin <= 1.1.5 - Information Disclosure
This plugin is prone to an information disclosure vulnerability. Solution: Update the plugin...
WordPress Bulk Delete Plugin 5.5.3 - Privilege Escalation
Because of this vulnerability, an attacker can perform all administrative tasks, such as deleting all pages by status, deleting all posts by type or deleting all users. Solution: Update the plugin...
WordPress Elegant Themes <= 2.6.3 - Privilege Escalation
WordPress Elegant Themes' products, such as Divi Builder, Divi, Extra and Divi 2.3, are prone to a privilege escalation vulnerability. Solution: Update the theme...
WordPress Erident Custom Login and Dashboard Plugin <= 3.4.1 - Stored XSS
Because of this vulnerability, attackers can inject arbitrary web script or HTML. Solution: Update the plugin...
WordPress WP Smiley Plugin <= 1.4.1 - XSS
This vulnerability allows an authenticated user to inject arbitrary web script or HTML via the "s4w-more" parameter to wp-admin/options-general.php. Solution: Update the plugin...
WordPress Video Conference Integration Plugin <= 4.91.8 - Remote File Upload
./videowhisper-video-conference-integration/vc/vwupload.php allows various remote unauthenticated file uploads. Anyone can upload the following files to an unsuspecting WordPress site. Solution: Upgrade the plugin...
WordPress Mail Subscribe List Plugin <= 2.0 - XSS
Because of this vulnerability, attackers can inject arbitrary JavaScript or HTML code. Solution: Update the plugin...
WordPress Modern Theme <= 1.4.1 - Cross Site Scripting
This WordPress theme is prone to a cross-site scripting (XSS) vulnerability. It allows remote attackers to inject arbitrary script or HTML. Solution: Update the theme...
WordPress SEO by Yoast Plugin <= 1.7.3 - Multiple Vulnerabilities
Multiple cross-site request forgery vulnerabilities exist in admin/class-bulk-editor-list-table.php. Because of these vulnerabilities, attackers can hijack the authentication of certain users for requests that conduct SQL injection attacks. Solution: Update the plugin...
WordPress Audio Player Plugin <= 2.0 - Multiple SQL Injection
Because of these vulnerabilities, administrators can execute arbitrary SQL commands via the "itemid" parameter in the wonderpluginaudioshowitem. Also, an authenticated user can execute arbitrary SQL commands via the "itemid" parameter in a wonderpluginaudiosaveitem action to...
WordPress Redirection Page Plugin <= 1.2 - Multiple CSRF and XSS
This plugin is prone to multiple cross-site request forgery and cross-site scripting vulnerabilities. An attacker can thereby change plugin settings via the "source" or "redir" parameters. Solution: Update the plugin...
WordPress WP EasyCart Plugin - Unrestricted File Upload
WP EasyCart plugin is prone to an unrestricted file upload vulnerability that exists because the /inc/amfphp/administration/banneruploaderscript.php does not properly clean up user-uploaded files. An attacker can execute the script with the privileges of the web server by making a direct request to th...
WordPress JS Multi Hotel Plugin <= 2.2.1 - Multiple Vulnerabilities
Because of these vulnerabilities, attackers can obtain the installation path via a request to widget.php, functions.php, myCalendar.php, showimage.php, refreshDate.php, phpthumb/thumbplugins/gdreflection.inc.php or phpthumb/GdThumb.inc.php in includes/. Solution: Update the plugin...
WordPress Photocrati Theme - Cross Site Scripting
Because of this vulnerability in photocrati-gallery/ecomm-sizes.php, attackers can inject arbitrary web script or HTML via the "prodid" parameter. Solution: Update the theme...
WordPress Another WordPress Classifieds Plugin - XSS
Because of this vulnerability, attackers can inject arbitrary web script or HTML via the query string to the default URI. Solution: Update the plugin...
WordPress JS Multi Hotel Plugin <= 2.2.1 - XSS
Because of this cross-site scripting vulnerability in includes/deleteimg.php, attackers can inject arbitrary web script or HTML via the "path" parameter. Solution: Update the plugin...
WordPress JS Multi Hotel Plugin <= 2.2.1 - XSS
Because of this vulnerability in includes/refreshDate.php, attackers can inject arbitrary web script or HTML via the "roomid" parameter. Solution: Update the plugin...
WordPress Sodahead Polls Plugin <= 2.0.3 - Multiple XSS
Because of these vulnerabilities, attackers can inject arbitrary web script or HTML. Solution: Update the plugin...