WordPress MM Forms Community Plugin 2.2.6 - Arbitrary File Upload
The MM Forms Community plugin is prone to an arbitrary file upload vulnerability: access to the upload script is not properly restricted, so an attacker can upload files containing malicious PHP code and run them in the context of the web server process. Other attacks are also possible...
WordPress SABRE Plugin <= 2.0 - XSS
This vulnerability allows attackers to inject arbitrary web script or HTML via the "activeoption" parameter to wp-admin/tools.php. Solution: Update the plugin...
WordPress League Manager Plugin <= 3.7 - Multiple XSS
These vulnerabilities allow attackers to inject arbitrary web script or HTML via the "group" parameter in the show-league page. Solution: Update the plugin...
WordPress Login With Ajax Plugin <= 3.0.4.0 - XSS #2
This vulnerability in login-with-ajax.php allows attackers to inject arbitrary web script or HTML via the "callback" parameter. Solution: Update the plugin...
WordPress Integrator 1.32 - Cross Site Scripting
The WordPress Integrator "redirectto" parameter is prone to a cross-site scripting vulnerability because the plugin fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal...
WordPress Pay with Tweet Plugin <= 1.1 - Multiple Vulnerabilities
The WordPress Pay with Tweet plugin is prone to blind SQL injection and XSS vulnerabilities. Solution: Update the plugin...
WordPress WP Live.php Plugin 1.2.1 - Cross Site Scripting
The WordPress WP Live.php plugin's "s" parameter is prone to a cross-site scripting vulnerability because the plugin fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal...
WordPress TheCartPress Plugin 1.6 - Cross Site Scripting
The WordPress TheCartPress plugin's "OptionsPostsList.php" is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can ste...
WordPress The Welcomizer Plugin 1.3.9.4 - Cross Site Scripting
The WordPress The Welcomizer plugin's "twiz-index.php" is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal...
WordPress Grand FlAGallery Plugin 1.57 - Cross Site Scripting
The WordPress Grand FlAGallery plugin's "flagshow.php" is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker c...
WordPress Pretty Link Plugin 1.5.2 - Cross Site Scripting
The WordPress Pretty Link plugin's "pretty-bar.php" is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can...
WordPress Users Plugin <= 1.3 - SQL Injection
This vulnerability in wp-users.php allows attackers to execute arbitrary SQL commands via the "uid" parameter to index.php. Solution: Update the plugin...
WordPress WP-PostRatings plugin <= 1.61 - SQL Injection (SQLi) vulnerability
This vulnerability in wp-postratings.php allows authenticated users to execute arbitrary SQL commands via the id attribute of the rating shortcode when creating a post. Solution: Update the plugin to the latest available version, at least 1.62...
WordPress Advanced Text Widget Plugin 2.0 - Cross Site Scripting
The WordPress Advanced Text Widget plugin's "page" parameter is prone to a cross-site scripting vulnerability because the plugin fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can...
WordPress AdRotate Plugin <= 3.6.5 - SQL Injection
The AdRotate plugin is prone to SQL injection. This vulnerability allows an attacker to modify data, alter queries to the application's SQL database, compromise access to the application, or exploit hidden vulnerabilities in the underlying database. Solution: Upgrade the plugin...
WordPress F8 Lite Theme 4.2.1 - Cross Site Scripting
The WordPress F8 Lite theme's "s" parameter is prone to a cross-site scripting vulnerability because the theme fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal cookie-based...
WordPress Symposium Plugin <= 0.64 - SQL Injection
The WordPress Symposium plugin is prone to SQL injection. This vulnerability allows an attacker to modify data, compromise access to the application, or exploit hidden vulnerabilities in the underlying database. Solution: Update the plugin...
WordPress IGIT Posts Slider Widget Plugin 1.0 - Cross-Site Scripting
The IGIT Posts Slider Widget plugin's "src" parameter is prone to a cross-site scripting vulnerability because the plugin fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal...
WordPress WP Survey And Quiz Tool Plugin 1.2.1 - Cross-Site Scripting Vulnerability
The WP Survey And Quiz Tool plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal cookie-based...
WordPress Copperleaf Photolog Plugin 0.16 - SQL injection Vulnerability
The Copperleaf Photolog plugin is prone to an SQL injection vulnerability that allows attackers to execute arbitrary SQL commands via the "postid" parameter. Solution: Update the plugin...
WordPress fMoblog Plugin 2.1 - SQL Injection Vulnerability
An SQL injection vulnerability was found in fmoblog.php. An attacker can execute arbitrary SQL commands via the id parameter to index.php. Solution: Upgrade the plugin...
WordPress <= 1.3.1 - Remote Code Execution
This vulnerability allows authenticated users with the manage_options and upload_files capabilities to execute arbitrary code by uploading a PHP script. Solution: Update WordPress...
WordPress WP Comment Remix Plugin <= 1.4.3 - XSS
This vulnerability in wpcommentremix.php allows attackers to inject arbitrary web script or HTML. Solution: Update the plugin...
WordPress <= 2.5 - XSS
This vulnerability allows attackers to inject arbitrary web script or HTML via unspecified vectors. Solution: Update WordPress...
WordPress Sniplets Plugin <= 1.2.2 - Remote File Inclusion
This vulnerability in modules/syntaxhighlight.php allows attackers to execute arbitrary PHP code via a URL in the "libpath" parameter. Solution: Update the plugin...
WordPress DMSGuestbook Plugin <= 1.7.0 - Multiple XSS
These vulnerabilities allow attackers to inject arbitrary web script or HTML. Solution: Update the plugin...
WordPress DMSGuestbook Plugin <= 1.7.0 - SQL Injection
This vulnerability in the administration panel allows authenticated administrators to execute arbitrary SQL commands via unspecified vectors. Solution: Update the plugin...
WordPress Cryptographp Plugin <= 1.2 - Multiple XSS
These vulnerabilities in cryptographp/admin.php allow attackers to inject arbitrary web script or HTML. Solution: Update the plugin...
WordPress <= 2.0.11 - Multiple Vulnerabilities
These vulnerabilities allow attackers to obtain sensitive information via an empty value of the "page" parameter to certain PHP scripts under wp-admin/. Solution: Update WordPress...
WordPress Pool Theme <= 1.0.7 - XSS
This vulnerability in index.php allows attackers to inject arbitrary web script or HTML via the PATHINFO. Solution: Update the theme...
WordPress WP Table Plugin <= 1.43 - Remote File Inclusion
This vulnerability allows attackers to execute arbitrary PHP code via a URL in the "wpPATH" parameter. Solution: Update the WordPress WP Table plugin to the latest available version, at least 1.44...
WordPress WP Table Plugin <= 1.43 - Directory Traversal
This vulnerability allows attackers to include and execute arbitrary local files via the "wpPATH" parameter. Solution: Update the WordPress WP Table plugin to the latest available version, at least 1.44...
WordPress - Redirection Vulnerability
This vulnerability allows attackers to redirect authenticated users to other websites and potentially obtain sensitive information. Solution: Update WordPress to the latest available version, at least 1.1...
WordPress Enigma2 Plugin - Remote File Inclusion
This vulnerability allows attackers to execute arbitrary PHP code via a URL in the "boarddir" parameter. Solution: Update the plugin...
WordPress <= 2.0.4 - Denial of Service Attacks
Authenticated users can cause a denial of service because this WordPress version does not properly store a profile containing a string representation of a serialized object. Solution: Update WordPress...
WordPress <= 2.0.0 - Cross Site Scripting
This vulnerability allows attackers to inject arbitrary web script or HTML via scriptable attributes such as onfocus and onblur in the "author's website" field. Solution: Update WordPress to the latest available version, at least 2.0.1...
WordPress WordPress Simple PayPal Shopping Cart plugin <= 5.1.3 - Insecure Direct Object Reference via 'quantity' vulnerability
Insecure Direct Object Reference via 'quantity' vulnerability discovered by Jack Taylor in WordPress Plugin Simple Shopping Cart versions <= 5.1.3...
WordPress Elated Membership plugin <= 1.2 - Authentication Bypass via Social Login vulnerability
Authentication Bypass via Social Login vulnerability discovered by Foxyyy in WordPress Plugin Elated Membership versions <= 1.2...
WordPress File Manager Pro – Filester plugin <= 1.8.8 - Authenticated (Administrator+) Arbitrary File Upload vulnerability
Authenticated (Administrator+) Arbitrary File Upload vulnerability discovered by TANG Cheuk Hei siunam in WordPress Plugin File Manager Pro versions <= 1.8.8...
WordPress Forminator plugin <= 1.44.1 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via id and data-size Parameters vulnerability
Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via id and data-size Parameters vulnerability discovered by Asaf Mozes in WordPress Plugin Forminator versions <= 1.44.1...
WordPress WP Security Master plugin <= 1.0.2 - Cross Site Request Forgery (CSRF) Vulnerability
Cross Site Request Forgery (CSRF) Vulnerability discovered by Chu The Anh Blue Rock in WordPress Plugin WP Security Master versions <= 1.0.2...
WordPress Stock Locations for WooCommerce plugin <= 2.8.6 - Broken Access Control Vulnerability
Broken Access Control Vulnerability discovered by LVT-tholv2k in WordPress Plugin Stock Locations for WooCommerce versions <= 2.8.6...
WordPress CSV Mass Importer plugin <= 1.2 - Admin+ Arbitrary File Upload vulnerability
Admin+ Arbitrary File Upload vulnerability discovered by Khaled Alenazi Nxploited in WordPress Plugin CSV Mass Importer versions <= 1.2...
WordPress Likes and Dislikes Plugin plugin <= 1.0.0 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by Nxploited in WordPress Plugin Likes and Dislikes versions <= 1.0.0...
WordPress All in One SEO Pack plugin <= 4.8.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta Description and Canonical URL vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta Description and Canonical URL vulnerability discovered by Ivan Kuzymchak in WordPress Plugin All In One SEO Pack versions <= 4.8.1.1...
WordPress Motors Theme <= 5.6.67 is vulnerable to Privilege Escalation
Software: Motors; Type: Theme; Vulnerable versions: <= 5.6.67; Fixed in: 5.6.68; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Privilege Escalation; CVE: CVE-2025-4322; Patch priority: High; CVSS severity: High (9.8); PSID: f2c68f043bd9; Credits: Foxyyy; Required...
WordPress Royal Elementor Addons Plugin <= 1.7.1003 is vulnerable to Broken Access Control
Software: Royal Elementor Addons; Type: Plugin; Vulnerable versions: <= 1.7.1003; Fixed in: 1.7.1004; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Broken Access Control; CVE: CVE-2024-10798; Patch priority: Low; CVSS severity: Low (4.3); Developer: WProyal; PSID: d20124b7cf36; Credits...
WordPress Tumult Hype Animations Plugin <= 1.9.15 is vulnerable to Arbitrary File Upload
Software: Tumult Hype Animations; Type: Plugin; Vulnerable versions: <= 1.9.15; Fixed in: 1.9.16; OWASP Top 10: A1: Injection; Classification: Arbitrary File Upload; CVE: CVE-2024-11082; Patch priority: Medium; CVSS severity: Medium (9.1); PSID: 259828d3532b; Credits: vgo0; Required privilege...
WordPress Total Upkeep Plugin <= 1.16.6 is vulnerable to Remote Code Execution (RCE)
Software: Total Upkeep; Type: Plugin; Vulnerable versions: <= 1.16.6; Fixed in: 1.16.7; OWASP Top 10: A1: Injection; Classification: Remote Code Execution (RCE); CVE: CVE-2024-9461; Patch priority: Low; CVSS severity: Low (9.1); PSID: 5d87f5849942; Credits: Jonas Benjamin Friedli; Required privile...
WordPress AppPresser Plugin <= 4.4.6 is vulnerable to Privilege Escalation
Software: AppPresser; Type: Plugin; Vulnerable versions: <= 4.4.6; Fixed in: 4.4.7; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Privilege Escalation; CVE: CVE-2024-11024; Patch priority: High; CVSS severity: High (9.8); PSID: 25ae1391ba68; Credits: shaman0x01...