45929 matches found
WordPress Homepage Popup plugin <= 1.2.5 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Mika in the WordPress Homepage Pop-up plugin versions <= 1.2.5. Solution: No patched version is available. No reply from the vendor...
WordPress Mantenimiento web plugin <= 0.13 - Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by Rasi Afeef (Patchstack Alliance) in the WordPress Mantenimiento web plugin versions <= 0.13. Solution: Update the WordPress Mantenimiento web plugin to the latest available version (at least 0.14)...
WordPress Ultimate Member plugin <= 2.5.0 - Auth. Limited Remote Code Execution vulnerability
Auth. Limited Remote Code Execution vulnerability discovered by Ruijie Li in WordPress Ultimate Member plugin versions <= 2.5.0. Solution: Update the WordPress Ultimate Member plugin to the latest available version (at least 2.5.1)...
WordPress Creative Mail plugin <= 1.5.4 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities leading to enable/disable contact sync, plugin reset, account unlink, and email marketing settings change were discovered by Vlad Vector (Patchstack) in the WordPress Creative Mail plugin versions <= 1.5.4. Solution: Update the WordPress Creati...
WordPress SEO Redirection Plugin plugin <= 8.9 - Multiple Cross-Site Scripting (CSRF) vulnerabilities
Multiple Cross-Site Scripting (CSRF) vulnerabilities were discovered by Vlad Vector (Patchstack) in the WordPress SEO Redirection Plugin plugin versions <= 8.9. Solution: Update the WordPress SEO Redirection plugin to the latest available version (at least 9.1)...
WordPress core <= 6.0.2 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability in the Search block discovered by Alex Concha (WP Security team) in WordPress core versions <= 6.0.2. Solution: Update WordPress to the latest available version (at least 6.0.3)...
WordPress Easy Digital Downloads plugin <= 2.11.7 - Arbitrary Post Deletion via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Post Deletion via Cross-Site Request Forgery (CSRF) vulnerability discovered by Krzysztof Zając in WordPress Easy Digital Downloads plugin versions <= 2.11.7. Solution: Update the WordPress Easy Digital Downloads plugin to the latest available version (at least 3.0)...
WordPress Account Manager for WooCommerce plugin <= 2.0.19 - Broken Access Control vulnerability
Broken Access Control vulnerability leading to the export of sensitive information (user id, first name, last name) by the subscriber or higher role user discovered by WordPress Account Manager for WooCommerce plugin versions <= 2.0.19. Solution: No patched version is available. No reply from the...
WordPress PublishPress Capabilities plugin <= 2.5.1 - Auth. PHP Object Injection vulnerability
Auth. PHP Object Injection vulnerability discovered by Nguyen Pham Viet Nam in WordPress PublishPress Capabilities plugin versions <= 2.5.1. Solution: Update the WordPress PublishPress Capabilities plugin to the latest available version (at least 2.5.2)...
WordPress Post Slider plugin <= 1.6.7 - Broken Access Control vulnerability
Broken Access Control vulnerability leading to plugin settings change by the subscriber or higher role users discovered by ptsfence (Patchstack Alliance) in WordPress Post Slider plugin versions <= 1.6.7. Solution: No patched version is available. No reply from the vendor...
WordPress Retain Live Chat plugin <= 0.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Rahul Selvakumar in WordPress Retain Live Chat plugin versions <= 0.1. Solution: Deactivate and delete. This plugin has been closed as of October 3, 2022 and is not available for download. This closure is temporary, pending a...
WordPress Media Library Folders plugin <= 7.1.1 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to Deletion Of Plugin Tables From Database discovered by Rasi Afeef (Patchstack Alliance) in WordPress Media Library Folders plugin versions <= 7.1.1. Solution: Update the WordPress Media Library Folders plugin to the latest available version at...
WordPress Booking Ultra Pro plugin <= 1.1.4 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Ngo Van Thien (Patchstack Alliance) in the WordPress Booking Ultra Pro plugin versions <= 1.1.4. Solution: No patched version is available...
WordPress TH Advance Product Search plugin <= 1.1.4 - Unauthenticated Plugin Settings Change vulnerability
Unauthenticated Plugin Settings Change vulnerability discovered by Rasi Affef in WordPress TH Advance Product Search plugin versions <= 1.1.4. Solution: Update the WordPress TH Advance Product Search plugin to the latest available version (at least 1.1.5)...
WordPress Passster plugin <= 3.5.5.5.1 - Insecure Storage of Password vulnerability
Insecure Storage of Password vulnerability discovered by Raad Haddad (Cloudyrion GmbH) in WordPress Passster plugin versions <= 3.5.5.5.1. Solution: Update the WordPress Passster – Password Protection plugin to the latest available version (at least 3.5.5.5.2)...
WordPress NOTICE BOARD plugin <= 1.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in WordPress NOTICE BOARD plugin versions <= 1.1. Solution: No patched version is available...
WordPress Wordfence Security – Firewall & Malware Scan plugin <= 7.6.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ori Gabriel in WordPress Wordfence Security – Firewall & Malware Scan plugin versions <= 7.6.0. Solution: Update the WordPress Wordfence plugin to the latest available version (at least 7.6.1)...
WordPress Ketchup Restaurant Reservations plugin <= 1.0.0 - Unauthenticated Blind SQL Injection (SQLi) vulnerability
Unauthenticated Blind SQL Injection (SQLi) vulnerability discovered by Bastijn Ouwendijk in WordPress Ketchup Restaurant Reservations plugin versions <= 1.0.0. Solution: Deactivate and delete. This plugin has been closed as of August 29, 2022 and is not available for download. This closure is...
WordPress Scripts Organizer premium plugin < 3.0 - Unauthenticated Arbitrary File Upload vulnerability
Unauthenticated Arbitrary File Upload vulnerability discovered by Ovidiu Maghetiu in WordPress Scripts Organizer premium plugin versions < 3.0. Solution: Update the WordPress Scripts Organizer plugin to the latest available version (at least 3.0)...
WordPress Captcha Code plugin <= 2.7 - Cross-Site Request Forgery (CSRF) vulnerability leading to Plugin Settings Update
Cross-Site Request Forgery (CSRF) vulnerability leading to Plugin Settings Update discovered by Rasi Afeef (Patchstack Alliance) in WordPress Captcha Code plugin versions <= 2.7. Solution: Update the WordPress Captcha Code plugin to the latest available version (at least 2.8)...
WordPress add2fav plugin <= 1.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by ptsfence (Patchstack Alliance) in WordPress add2fav plugin versions <= 1.0. Solution: No patched version available...
WordPress WP-PostRatings plugin <= 1.89 - Rating Increase/Decrease via Race Condition vulnerability
Rating Increase/Decrease via Race Condition vulnerability discovered by Nguy Minh Tuan (Patchstack Alliance) in the WordPress WP-PostRatings plugin versions <= 1.89. Solution: Update the WordPress WP-PostRatings plugin to the latest available version (at least 1.90)...
WordPress Beaver Builder plugin <= 2.5.5.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability via Image URL
Authenticated Stored Cross-Site Scripting (XSS) vulnerability via Image URL discovered by Zhouyuan Yang in WordPress Beaver Builder plugin versions <= 2.5.5.2. Solution: Update the WordPress Beaver Builder plugin to the latest available version (at least 2.5.5.3)...
WordPress Event Calendar – Calendar plugin <= 1.4.6 - Unauthenticated Event Deletion vulnerability
Unauthenticated Event Deletion vulnerability discovered by Nguy Minh Tuan (Patchstack Alliance) in WordPress Event Calendar – Calendar plugin versions <= 1.4.6. Solution: Update the WordPress Event Calendar – Calendar plugin to the latest available version (at least 1.4.7)...
WordPress Fast Flow Plugin <= 1.2.11 - Reflected Stored Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by p7e4 in Fast Flow plugin versions <= 1.2.11. Solution: Update the WordPress Fast Flow plugin to the latest available version (at least 1.2.12)...
WordPress WP-DBManager plugin <= 2.80.7 - Authenticated Remote Command Execution vulnerability
Authenticated Remote Command Execution vulnerability discovered by Raad Haddad in WordPress WP-DBManager plugin versions <= 2.80.7. Solution: Update the WordPress WP-DBManager plugin to the latest available version (at least 2.80.8)...
WordPress Featured Image from URL plugin <= 3.9.9 - Arbitrary Settings Update to Stored XSS via CSRF vulnerability
Arbitrary Settings Update to Stored XSS via CSRF vulnerability discovered by Raad Haddad in WordPress Featured Image from URL plugin versions <= 3.9.9. Solution: Update the WordPress Featured Image from URL plugin to the latest available version (at least 4.0.0)...
WordPress Event Timeline plugin <= 1.1.6 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Fayçal CHENA in WordPress Event Timeline plugin versions <= 1.1.6. Solution: No patched version available...
WordPress Very Simple Breadcrumb plugin <= 1.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Rahul Selvakumar in WordPress Very Simple Breadcrumb plugin versions <= 1.0. Solution: Deactivate and delete. This plugin has been closed as of June 21, 2022 and is not available for download. This closure is temporary, pendi...
WordPress WP Paginate plugin <= 2.1.8 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by iohex in WordPress WP Paginate plugin versions <= 2.1.8. Solution: Update the WordPress WP Paginate plugin to the latest available version (at least 2.1.9)...
WordPress miniOrange's Google Authenticator plugin <= 5.5.5 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Niraj Mahajan in WordPress miniOrange's Google Authenticator plugin versions <= 5.5.5. Solution: Update the WordPress miniOrange's Google Authenticator plugin to the latest available version (at least 5.5.6)...
WordPress Germanized for WooCommerce plugin <= 3.9.4 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScanTeam in WordPress Germanized for WooCommerce plugin versions <= 3.9.4. Solution: Update the WordPress Germanized for WooCommerce plugin to the latest available version (at least 3.9.5)...
WordPress CaPa Protect plugin <= 0.5.8.2 - Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability discovered by Daniel Ruf in WordPress CaPa Protect plugin versions <= 0.5.8.2. Solution: Deactivate and delete. This plugin has been closed as of May 23, 2022 and is not available for download. This closure is temporary,...
WordPress Plausible Analytics plugin <= 1.2.3 - Authenticated Arbitrary Settings Update vulnerability
Authenticated Arbitrary Settings Update vulnerability discovered by Ankur Modi in WordPress Plausible Analytics plugin versions <= 1.2.3. Solution: Update the WordPress Plausible Analytics plugin to the latest available version (at least 1.2.4)...
WordPress Private Messages For WordPress plugin <= 2.1.10 - Sending Messages via Cross-Site Request Forgery (CSRF) vulnerability
Sending Messages via Cross-Site Request Forgery (CSRF) vulnerability discovered by BEE-K (Patchstack) in WordPress Private Messages For WordPress plugin versions <= 2.1.10. Solution: Deactivate and delete. This plugin has been closed as of May 20, 2022 and is not available for download. This closure is...
WordPress postTabs plugin <= 2.10.6 - Arbitrary Settings Update via CSRF vulnerability leading to XSS
Arbitrary Settings Update via CSRF vulnerability leading to XSS discovered by Daniel Ruf in WordPress postTabs plugin versions <= 2.10.6. Solution: Deactivate and delete. This plugin has been closed as of May 18, 2022 and is not available for download. This closure is temporary, pending a full revi...
WordPress KiviCare plugin <= 2.3.8 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress KiviCare plugin versions <= 2.3.8. Solution: Update the WordPress KiviCare plugin to the latest available version (at least 2.3.9)...
WordPress JupiterX Core premium plugin <= 2.0.6 - Insufficient Access Control leading to Authenticated Arbitrary Plugin Deactivation and Settings Modification
Insufficient Access Control leading to Authenticated Arbitrary Plugin Deactivation and Settings Modification discovered by Ramuel Gall (Wordfence) in WordPress JupiterX Core premium plugin versions <= 2.0.6. Solution: Update the WordPress JupiterX Core premium plugin to the latest available version a...
WordPress Useful Banner Manager plugin <= 1.6.1 - Modify banners via Cross-Site Request Forgery (CSRF) vulnerability
Modify banners via Cross-Site Request Forgery (CSRF) vulnerability discovered by Daniel Ruf in WordPress Useful Banner Manager plugin versions <= 1.6.1. Solution: Deactivate and delete. This plugin has been closed as of May 12, 2022 and is not available for download. This closure is temporary, pendin...
WordPress Video Slider – Slider Carousel plugin <= 1.4.6 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Fayçal CHENA in WordPress Video Slider – Slider Carousel plugin versions <= 1.4.6. Solution: Update the WordPress Video Slider – Slider Carousel plugin to the latest available version (at least 1.4.8)...
WordPress Quick Restaurant Reservations plugin <= 1.4.1 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability
Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by BEE-K (Patchstack) in WordPress Quick Restaurant Reservations plugin versions <= 1.4.1. Solution: Update the WordPress Quick Restaurant Reservations plugin to the latest available version (at least 1.4.2)...
WordPress Birthdays Widget plugin <= 1.7.18 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Rutuja Chaudhari in WordPress Birthdays Widget plugin versions <= 1.7.18. Solution: Deactivate and delete. This plugin has been closed as of April 8, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Logo Slider plugin <= 1.4.8 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Daniel Krohmer and Shi Chen in WordPress Logo Slider plugin versions <= 1.4.8. Solution: Deactivate and delete. This plugin has been closed as of May 12, 2022 and is not available for download. This closure is temporary, pending a full...
WordPress Turn off all comments plugin <= 1.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress Turn off all comments plugin versions <= 1.0. Solution: Deactivate and delete. This plugin has been closed as of April 19, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress WP Maintenance plugin <= 6.0.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas (Patchstack Alliance) in WordPress WP Maintenance plugin versions <= 6.0.7. Solution: Update the WordPress WP Maintenance plugin to the latest available version (at least 6.0.8)...
WordPress Cryptocurrency Widgets For Elementor plugin <= 1.2.1 - Arbitrary Plugin Installation vulnerability
Arbitrary Plugin Installation vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Cryptocurrency Widgets For Elementor plugin versions <= 1.2.1. Solution: Update the WordPress Cryptocurrency Widgets For Elementor plugin to the latest available version (at least 1.3.1)...
WordPress SiteSuperCharger plugin <= 5.1.10 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress SiteSuperCharger plugin versions <= 5.1.10. Solution: Update the WordPress SiteSuperCharger plugin to the latest available version (at least 5.2.0)...
WordPress Adrotate plugin <= 5.8.22 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability discovered by Muhamad Hidayat in WordPress Adrotate plugin versions <= 5.8.22. Solution: Update the WordPress Adrotate plugin to the latest available version (at least 5.8.23)...
WordPress Web To Print Shop : uDraw plugin <= 3.3.32 - Unauthenticated Arbitrary File Access vulnerability
Unauthenticated Arbitrary File Access vulnerability discovered by cydave in WordPress Web To Print Shop : uDraw plugin versions <= 3.3.32. Solution: Update the WordPress Web To Print Shop : uDraw plugin to the latest available version (at least 3.3.33)...
WordPress Quick Adsense plugin <= 2.8.1 - Post Stats Reset vulnerability
Post Stats Reset vulnerability discovered by Jan w Oleju in WordPress Quick Adsense plugin versions <= 2.8.1. Solution: Update the WordPress Quick Adsense plugin to the latest available version (at least 2.8.2)...