WordPress The Events Calendar Plugin <= 6.6.4 is vulnerable to SQL Injection
Software The Events Calendar Type Plugin Vulnerable versions <= 6.6.4 Fixed in 6.6.4.1 OWASP Top 10 A1: Injection Classification SQL Injection CVE CVE-2024-8275 Patch priority High CVSS severity High 9.3 Developer Liquid Web / StellarWP PSID fcc27b88891b Credits Foxyyy Required privilege...
WordPress Backup Scheduler plugin <= 1.5.13 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery CSRF vulnerability discovered by Lana Codes in WordPress Backup Scheduler plugin versions <= 1.5.13. Solution Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress <= 6.0.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by John Blackbourn in WordPress versions <= 6.0.1. Solution Update WordPress to the latest available version, at least 6.0.2 or another patched version...
WordPress All In One Video Gallery Plugin 2.5.8 to 2.6.0 - Unauthenticated Arbitrary File Download & SSRF vulnerability
Unauthenticated Arbitrary File Download & SSRF vulnerability discovered by Gabriele Zuddas in All-in-One Video Gallery Plugin versions 2.5.8 to 2.6.0 Solution Update the WordPress All-in-One Video Gallery plugin to the latest available version at least 2.6.1...
WordPress WP Visitor Statistics plugin <= 5.7 - Multiple Unauthenticated SQL Injection (SQLi) vulnerabilities
Multiple Unauthenticated SQL Injection SQLi vulnerabilities were discovered by Rafie Muhammad aka Yeraisci Patchstack Alliance in the WordPress WP Visitor Statistics plugin versions <= 5.7. Solution Update the WordPress WP Visitor Statistics plugin to the latest available version at least 5.8...
WordPress Admin Management Xtended plugin <= 2.4.4 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery CSRF vulnerabilities were discovered by Nguy Minh Tuan Patchstack Alliance in the WordPress Admin Management Xtended plugin versions <= 2.4.4. Solution Update the WordPress Admin Management Xtended plugin to the latest available version at least 2.4.5...
WordPress Genki Pre-Publish Reminder plugin <= 1.4.1 - Stored XSS and RCE via CSRF vulnerability
Stored XSS and RCE via CSRF vulnerability discovered by Daniel Ruf in WordPress Genki Pre-Publish Reminder plugin versions <= 1.4.1. Solution Deactivate and delete. This plugin has been closed as of May 17, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Opal Hotel Room Booking plugin <= 1.2.7 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting XSS vulnerability discovered by Ngo Van Thien Patchstack Alliance in WordPress Opal Hotel Room Booking plugin versions <= 1.2.7. Solution Deactivate and delete. No reply from the vendor...
WordPress Metform Elementor Contact Form Builder plugin <= 2.1.3 - Unauthenticated API keys and Secrets Disclosure vulnerability
Unauthenticated API keys and Secrets Disclosure vulnerability discovered by Muhammad Zeeshan Xib3rR4dAr in WordPress Metform Elementor Contact Form Builder plugin versions <= 2.1.3. Solution Update the WordPress Metform Elementor Contact Form Builder plugin to the latest available version at least...
WordPress Page Restriction WordPress (WP) plugin <= 1.2.6 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting XSS vulnerability discovered by Niraj Mahajan in WordPress Page Restriction WordPress WP plugin versions <= 1.2.6. Solution Update the WordPress Page Restriction WordPress WP plugin to the latest available version at least 1.2.7...
WordPress WP YouTube Live plugin <= 1.7.21 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability
Authenticated Reflected Cross-Site Scripting XSS vulnerability discovered by p7e4 in WordPress WP YouTube Live plugin versions <= 1.7.21. Solution Update the WordPress WP YouTube Live plugin to the latest available version at least 1.7.22...
WordPress Optimole plugin <= 3.3.1 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting XSS vulnerability discovered by Mika in WordPress Optimole plugin versions <= 3.3.1. Solution Update the WordPress Optimole plugin to the latest available version at least 3.3.2...
WordPress Super Socializer plugin <= 7.13.29 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting XSS vulnerability discovered by Krzysztof Zając in WordPress Super Socializer plugin versions <= 7.13.29. Solution Update the WordPress Super Socializer plugin to the latest available version at least 7.13.30...
WordPress Slide Anything plugin <= 2.3.40 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection SQLi vulnerability discovered in WordPress Slide Anything plugin versions <= 2.3.40. Solution Update the WordPress Slide Anything plugin to the latest available version at least 2.3.41...
WordPress Tarot Card Oracle plugin <= 1.0.5 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Tarot Card Oracle plugin versions <= 1.0.5. Solution Update the WordPress Tarot Card Oracle plugin to the latest available version at least 1.0.6...
WordPress Tranzly: Automatic Translation plugin <= 1.0.2 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery CSRF vulnerability discovered in WordPress Tranzly: Automatic Translation plugin versions <= 1.0.2. Solution Update the WordPress Tranzly: Automatic Translation plugin to the latest available version at least 1.1.0...
WordPress Simple Ajax Chat plugin <= 20220115 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting XSS vulnerability discovered by Philippe Dourassov Patchstack Alliance in WordPress Simple Ajax Chat plugin versions <= 20220115. Solution Update the WordPress Simple Ajax Chat plugin to the latest available version at least 20220216...
WordPress Spider Event Calendar plugin <= 1.5.65 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting XSS vulnerability discovered in WordPress Spider Event Calendar plugin versions <= 1.5.65 by Krzysztof Zając. Solution This plugin has been closed as of January 13, 2022 and is not available for download. This closure is permanent. Deactivate the plugin and delete it...
WordPress Float menu plugin <= 4.3 - Arbitrary Menu Deletion via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Menu Deletion via Cross-Site Request Forgery CSRF vulnerability discovered by Krzysztof Zając in WordPress Float menu plugin versions <= 4.3. Solution Update the WordPress Float menu plugin to the latest available version at least 4.3.1...
WordPress Catch Themes Demo Import plugin <= 1.7 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Thinkland Security Team in WordPress Catch Themes Demo Import plugin versions <= 1.7. Solution Update the WordPress Catch Themes Demo Import plugin to the latest available version at least 1.8...
WordPress Advanced Access Manager plugin <= 6.7.9 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting XSS vulnerability discovered by Huy Nguyen in WordPress Advanced Access Manager plugin versions <= 6.7.9. Solution Update the WordPress Advanced Access Manager plugin to the latest available version at least 6.8.0...
WordPress JobBoardWP – Job Board Listings and Submissions plugin <= 1.0.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by Thinkland Security Team in WordPress JobBoardWP – Job Board Listings and Submissions plugin versions <= 1.0.7. Solution Update the WordPress JobBoardWP – Job Board Listings and Submissions plugin to the latest available...
WordPress Meta Data and Taxonomies Filter (MDTF) plugin <= 1.2.7.2 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery CSRF vulnerability discovered by Ryoma Nishioka in WordPress Meta Data and Taxonomies Filter MDTF plugin versions <= 1.2.7.2. Solution Update the WordPress Meta Data and Taxonomies Filter MDTF plugin to the latest available version at least 1.2.8...
WordPress Jannah premium theme <= 5.4.4 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting XSS vulnerability discovered by Truoc Phan in WordPress Jannah premium theme versions <= 5.4.4. Solution Update the WordPress Jannah premium theme to the latest available version at least 5.4.5...
WordPress OneTone theme <= 3.0.6 - Unauthenticated options change vulnerability
Unauthenticated options change vulnerability discovered by NinTechNet in WordPress OneTone theme versions <= 3.0.6. Solution No patched version is available...
WordPress Popup Builder plugin <= 2.6.7.6 - SQL injection (SQLi) vulnerability
SQL injection SQLi vulnerability discovered by ZeroAuth in WordPress Popup Builder plugin versions <= 2.6.7.6. Solution Update the WordPress Popup Builder plugin to the latest available version at least 3.0.2...
WordPress <= 4.2.3 - XSS #1
This vulnerability exists in the "refreshAdvancedAccessibilityOfItem" function. It allows an attacker to inject arbitrary web script or HTML via an accessibility-helper title. Related records: http://db.threatpress.com/vulnerability/wordpress/wordpress-4-2-3-xss-2 Solution Update WordPress...
WordPress <= 4.1.1 - Multiple XSS
Because MySQL is used without strict mode, attackers can inject arbitrary web script or HTML via a four-byte UTF-8 character or an invalid character that reaches the database layer. Solution Update WordPress...
WordPress <= 3.9.1 - Denial Of Service Attacks #2
The Incutio XML-RPC IXR Library permits entity declarations without considering recursion during entity expansion. This allows attackers to cause a denial of service via a crafted XML document containing a large number of nested entity references. Related records:...
WordPress Polylang Plugin <= 1.5.1 - XSS
Through this vulnerability, attackers can inject arbitrary web script or HTML via vectors related to a user description. Solution Update the plugin...
WordPress - Privileges Unchecked in admin.php and Multiple Information
This WordPress vulnerability was found in the way that WordPress handles some URL requests. As a result, unprivileged users can view the content of plugin configuration pages, modify plugin options in some plugins, and inject JavaScript code. The code is arbitrary and it may be run by a malicio...
WordPress Booking calendar, Appointment Booking System Plugin <= 3.2.15 is vulnerable to Cross Site Scripting (XSS)
Software Booking calendar, Appointment Booking System Type Plugin Vulnerable versions <= 3.2.15 Fixed in 3.2.16 OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2024-9504 Patch priority Medium CVSS severity Medium 7.1 Developer Claim ownership PSID...
WordPress Really Simple Security Pro Plugin 9.0.0-9.1.1.1 is vulnerable to Broken Authentication
Software Really Simple Security Pro Type Plugin Vulnerable versions 9.0.0-9.1.1.1 Fixed in 9.1.2 OWASP Top 10 A1: Broken Access Control Classification Broken Authentication CVE CVE-2024-10924 Patch priority High CVSS severity High 9.8 Developer Claim ownership PSID dc394c4ae392 Credits István...
WordPress Contact Form 7 Plugin < 5.9.5 is vulnerable to Open Redirection
Software Contact Form 7 Type Plugin Vulnerable versions < 5.9.5 Fixed in 5.9.5 OWASP Top 10 A1: Injection Classification Open Redirection CVE CVE-2024-4704 Patch priority Low CVSS severity Low 4.7 Developer Claim ownership PSID 0480ce1a1ef4 Credits William Bastos - cHoR4o Required privilege...
WordPress Networker Theme <= 1.1.9 is vulnerable to Broken Access Control
Software Networker Type Theme Vulnerable versions <= 1.1.9 Fixed in 1.1.10 OWASP Top 10 A5: Broken Access Control Classification Broken Access Control CVE CVE-2024-2962 Patch priority Low CVSS severity Low 5.3 Developer Claim ownership PSID c70a9d136cac Credits Muhammad Zeeshan Xib3rR4dAr Required...
WordPress Blog2Social plugin <= 6.9.11 - Missing Authorization to Auth. Settings Update vulnerability
Missing Authorization to Auth. Settings Update vulnerability discovered by Marco Wotschka in the WordPress Blog2Social plugin versions <= 6.9.11. Solution Update the WordPress Blog2Social plugin to the latest available version at least 6.9.12...
WordPress ImageMagick Engine plugin <= 1.7.4 - Remote Code Execution (RCE) via Cross-Site Request Forgery (CSRF) vulnerability
Remote Code Execution RCE via Cross-Site Request Forgery CSRF vulnerability in WordPress ImageMagick Engine plugin versions <= 1.7.4. Solution Update the WordPress ImageMagick Engine plugin to the latest available version at least 1.7.6...
WordPress core <= 6.0.2 - Open redirect vulnerability
Open redirect vulnerability in wp_nonce_ays discovered by devrayn in WordPress core versions <= 6.0.2. Solution Update WordPress to the latest available version at least 6.0.3...
WordPress Page View Count plugin <= 2.5.5 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery CSRF vulnerability leading to plugin settings reset was discovered by Mika Patchstack Alliance in the WordPress Page View Count plugin versions <= 2.5.5. Solution Update the WordPress Page View Count plugin to the latest available version at least 2.5.6...
WordPress miniOrange Discord Integration plugin <= 2.1.5 - Authenticated App Disabling vulnerability
Authenticated App Disabling vulnerability discovered by Lana Codes in WordPress miniOrange Discord Integration plugin versions <= 2.1.5. Solution Update the WordPress miniOrange Discord Integration plugin to the latest available version at least 2.1.6...
WordPress All in One SEO plugin <= 4.2.3.1 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery CSRF vulnerabilities were discovered by Rafie Muhammad aka Yeraisci Patchstack Alliance in the WordPress All in One SEO plugin versions <= 4.2.3.1. Solution Update the WordPress All In One SEO Pack plugin to the latest available version at least 4.2.4...
WordPress About Me plugin <= 1.0.12 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by ptsfence Patchstack Alliance in WordPress About Me plugin versions <= 1.0.12. Solution Deactivate and delete. This plugin has been closed as of August 24, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Request a Quote plugin <= 2.3.7 - CSV Injection vulnerability
CSV Injection vulnerability discovered by Benachi in WordPress Request a Quote plugin versions <= 2.3.7. Solution Deactivate and delete. This plugin has been closed as of June 21, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Form – Contact Form plugin <= 1.2.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by Fayçal CHENA in WordPress Form – Contact Form plugin versions <= 1.2.4. Solution Deactivate and delete. This plugin has been closed as of June 2, 2022 and is not available for download. This closure is temporary, pending a...
WordPress Counter Box plugin <= 1.1.1 - Authenticated Local File Inclusion (LFI) vulnerability
Authenticated Local File Inclusion LFI vulnerability discovered by 0xB9 Patchstack Alliance in WordPress Counter Box plugin versions <= 1.1.1. Solution Update the WordPress Counter Box plugin to the latest available version at least 1.2...
WordPress WPQA premium plugin <= 5.4 - Unauthenticated Private Message Disclosure vulnerability
Unauthenticated Private Message Disclosure vulnerability discovered by Veshraj Ghimire in WordPress WPQA premium plugin versions <= 5.4. Solution Update the WordPress WPQA premium plugin to the latest available version at least 5.5...
WordPress Countdown & Clock plugin <= 2.4.7 - Pro Features Lock Bypass vulnerability
Pro Features Lock Bypass vulnerability discovered by Ex.Mi Patchstack in WordPress Countdown & Clock plugin versions <= 2.4.7. Solution No patched version is available...
WordPress WP Video Gallery plugin <= 1.7.1 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection SQLi vulnerability discovered by cydave in WordPress WP Video Gallery plugin versions <= 1.7.1. Solution Deactivate and delete. This plugin has been closed as of March 29, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Adrotate plugin <= 5.8.22 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting XSS vulnerability discovered by Muhamad Hidayat in WordPress Adrotate plugin versions <= 5.8.22. Solution Update the WordPress Adrotate plugin to the latest available version at least 5.8.23...
WordPress myCred plugin <= 2.4.3 - Import/Export to Email Address Disclosure vulnerability
Import/Export to Email Address Disclosure vulnerability discovered by David Hamann in WordPress myCred plugin versions <= 2.4.3. Solution Update the WordPress myCred plugin to the latest available version at least 2.4.4...