WordPress iQ Block Country plugin <= 1.2.12 - Arbitrary File Deletion vulnerability via Zip Slip
Arbitrary File Deletion vulnerability via Zip Slip discovered by Ceylan Bozogullarindan in WordPress iQ Block Country plugin versions <= 1.2.12. Solution: Update the WordPress iQ Block Country plugin to the latest available version, at least 1.2.13...
WordPress Amelia plugin <= 1.0.48 - Arbitrary Appointments Status Update vulnerability
Arbitrary Appointment Status Update vulnerability discovered by Huli from Cymetrics in WordPress Amelia plugin versions <= 1.0.48. Solution: Update the WordPress Amelia plugin to the latest available version, at least 1.0.49...
WordPress AP Pricing Tables Lite plugin <= 1.1.4 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ran Crane in WordPress AP Pricing Tables Lite plugin versions <= 1.1.4. Solution: Update the WordPress AP Pricing Tables Lite plugin to the latest available version, at least 1.1.5...
WordPress Essential Addons for Elementor plugin <= 5.0.8 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Pham Van Khanh (rskvp93) and Nguyen Dinh Bien (biennd4) from VCSLab of Viettel Cyber Security in WordPress Essential Addons for Elementor plugin versions <= 5.0.8. Solution: Update the WordPress Essential...
WordPress WP Statistics plugin <= 13.1.5 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability via 'IP' discovered by Muhammad Zeeshan (Xib3rR4dAr) in WordPress WP Statistics plugin versions <= 13.1.5. Solution: Update the WordPress WP Statistics plugin to the latest available version, at least 13.1.6...
WordPress File Upload Pro premium plugin <= 4.16.2 - Stored Cross-Site Scripting (XSS) via Malicious SVG vulnerability
Stored Cross-Site Scripting (XSS) via Malicious SVG vulnerability discovered by apple502j in WordPress File Upload Pro premium plugin versions <= 4.16.2. Solution: Update the WordPress File Upload Pro premium plugin to the latest available version, at least 4.16.3...
WordPress NotificationX plugin <= 2.3.8 - Unauthenticated Blind SQL Injection (SQLi) vulnerability
Unauthenticated Blind SQL Injection (SQLi) vulnerability discovered by Krzysztof Zając in WordPress NotificationX plugin versions <= 2.3.8. Solution: Update the WordPress NotificationX plugin to the latest available version, at least 2.3.9...
WordPress Classic Editor Addon plugin <= 2.6.3 - Arbitrary Plugin Installation from Dependency via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Plugin Installation from Dependency via Cross-Site Request Forgery (CSRF) vulnerability discovered by Jan w Oleju in WordPress Classic Editor Addon plugin versions <= 2.6.3. Solution: Update the WordPress Classic Editor Addon plugin to the latest available version, at least 2.6.4...
WordPress SupportCandy plugin <= 2.2.6 - Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS) discovered by apple502j in WordPress SupportCandy plugin versions <= 2.2.6. Solution: Update the WordPress SupportCandy plugin to the latest available version, at least 2.2.7...
WordPress Custom Dashboard & Login Page – AGCA plugin <= 6.9.5 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by 0ppr2s in WordPress Custom Dashboard & Login Page – AGCA plugin versions <= 6.9.5. Solution: Update the WordPress Custom Dashboard & Login Page – AGCA plugin to the latest available version, at least 7.0...
WordPress Modern Events Calendar Lite plugin <= 6.1.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Modern Events Calendar Lite plugin versions <= 6.1.0. Solution: Update the WordPress Modern Events Calendar Lite plugin to the latest available version, at least 6.1.5...
WordPress Hueman theme <= 3.6.3 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found by Jerome Bruandet (NinTechNet) in WordPress Hueman theme versions <= 3.6.3. Solution: Update the WordPress Hueman theme to the latest available version, at least 3.6.4...
WordPress wpDiscuz plugin <= 7.0.4 - Unauthenticated Arbitrary File Upload vulnerability
Unauthenticated Arbitrary File Upload vulnerability found by Chloe Chamberland in WordPress wpDiscuz plugin versions <= 7.0.4. Solution: Update the WordPress wpDiscuz plugin to the latest available version, at least 7.0.5...
WordPress gboutique plugin <= 1.3 - Unauthenticated Local File Inclusion (LFI) vulnerability
Unauthenticated Local File Inclusion (LFI) vulnerability discovered by Random Robbie in WordPress gboutique plugin versions <= 1.3. Solution: Plugin closed. Deactivate and delete...
WordPress Legacy Theme <= 4.2.3 - XSS
This vulnerability exists in the legacy theme preview implementation in wp-includes/theme.php. It allows an attacker to inject arbitrary HTML or web script via a crafted string. Solution: Update the theme...
WordPress <= 4.2.3 - XSS #2
This vulnerability exists in the "form" function of the WP_Nav_Menu_Widget class in wp-includes/default-widgets.php. It allows remote attackers to inject arbitrary web script or HTML via a widget title. Related records: http://db.threatpress.com/vulnerability/wordpress/wordpress-4-2-3-xss Solution...
WordPress Blubrry PowerPress Podcasting Plugin <= 6.0.0 - XSS
This vulnerability allows an attacker to inject arbitrary web script or HTML via the "cat" parameter in the powerpressadmincategoryfeeds.php page to wp-admin/admin.php. Solution: Upgrade the plugin...
WordPress Simple Security Plugin <= 1.1.5 - Multiple XSS
This vulnerability lets attackers inject arbitrary web script or HTML via the "datefilter" parameter in the accesslog page to wp-admin/users.php. Solution: Update the plugin...
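The four XSS entries above (a crafted theme-preview string, a widget title, the "cat" and "datefilter" parameters) share one root cause: a request value is written into a page without being encoded for the context it lands in. The PHP below is an added example, not code from WordPress core or from any listed plugin; the payloads, the output contexts and the esc_*_ctx helper names are constructed for illustration (WordPress ships its own esc_html(), esc_attr(), esc_url() and wp_json_encode() for the same jobs). It needs PHP 8.

```php
<?php
// Added example (not WordPress or plugin code): one untrusted value, three output
// contexts, and why a single "escape" function is not enough. Helper names are
// this example's own; WordPress provides esc_html(), esc_attr(), esc_url(), etc.

function esc_html_ctx(string $s): string {
    // Text between tags or inside an attribute value. ENT_QUOTES encodes both
    // quote characters, so it is safe in double- and single-quoted attributes.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function esc_url_param(string $s): string {
    // A value inside a query string: percent-encode it, then HTML-escape the
    // assembled URL when it is printed into an attribute.
    return rawurlencode($s);
}

function esc_js_ctx(string $s): string {
    // A value inside a <script> block: emit a JSON string literal with < > & and
    // quotes hex-escaped, so "</script>" inside the value cannot end the element.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Constructed payloads in the shape of a widget title and a "cat" query parameter.
$title = "x' onmouseover='alert(1)";
$cat   = "</script><script>alert(1)</script>";

// Wrong: ENT_COMPAT leaves single quotes alone, so the attribute boundary breaks.
$attrBroken = "<input value='" . htmlspecialchars($title, ENT_COMPAT) . "'>";
// Right: quote-aware escaping keeps the payload inside the attribute value.
$attrSafe   = "<input value='" . esc_html_ctx($title) . "'>";

// Wrong: raw interpolation lets "</script>" close the script element early.
$jsBroken = '<script>var cat = "' . $cat . '";</script>';
// Right: a JSON literal is valid JavaScript and cannot terminate the element.
$jsSafe   = '<script>var cat = ' . esc_js_ctx($cat) . ';</script>';

// Right: encode the parameter, then escape the whole URL as an attribute value.
$link = '<a href="' . esc_html_ctx('/wp-admin/admin.php?page=feeds&cat=' . esc_url_param($cat)) . '">feed</a>';

foreach (['attrBroken' => $attrBroken, 'attrSafe' => $attrSafe,
          'jsBroken'   => $jsBroken,   'jsSafe'   => $jsSafe, 'link' => $link] as $label => $html) {
    echo str_pad($label, 11), $html, PHP_EOL;
}
```

Run it and compare the "Broken" and "Safe" lines pairwise: in the broken attribute the payload's single quote ends the value and `onmouseover=` becomes a real attribute, and in the broken script the `</script>` is a real closing tag. The decision that matters is made at output time, per context, not at input time.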
WordPress Booking Calendar Plugin - SQL Injection
The "bookingformid" parameter of the WordPress Booking Calendar plugin is prone to SQL injection. This vulnerability allows an attacker to read or modify data, compromise the application and its access controls, or reach latent vulnerabilities in the underlying database. Solution: Update the plugin...
WordPress NOSpamPTI Plugin - Blind SQL Injection
The NOSpamPTI plugin is prone to a blind SQL injection vulnerability because the wp-comments-post.php script does not properly sanitize the comment_post_ID value in POST data. The issue allows an attacker to manipulate SQL queries in the back-end database, resulting in manipulation or disclosure of arbitrary data. Solutio...
WordPress <= 3.6.0 - Multiple vulnerabilities
Attackers can bypass intended redirection restrictions via a crafted string, because this and earlier WordPress versions do not properly validate URLs before using them in an HTTP redirect. Solution: Update WordPress...
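The redirect entry above is the open-redirect class: a URL taken from the request is handed to a Location header after a check that the crafted string slips past. The function below is an added example, not WordPress code (core's equivalents are wp_validate_redirect() and wp_safe_redirect()); the allowed host list and the test inputs are constructed for illustration. It needs PHP 8.

```php
<?php
// Added example (not WordPress code): validate a redirect target before it goes
// into a Location header. Returns the target if acceptable, else $fallback.
function safe_redirect_target(string $location, array $allowedHosts, string $fallback = '/'): string {
    // Strip control characters and whitespace first: CR/LF would let the value
    // inject extra headers, and browsers ignore such characters when parsing.
    $location = preg_replace('/[\x00-\x20\x7f]/', '', $location) ?? '';
    if ($location === '') {
        return $fallback;
    }
    // Site-relative path: must start with a single "/". "//host" and "/\host"
    // are scheme-relative URLs to the browser, so they are rejected.
    if ($location[0] === '/') {
        return (isset($location[1]) && ($location[1] === '/' || $location[1] === '\\')) ? $fallback : $location;
    }
    $parts = parse_url($location);
    // No scheme or no host covers "javascript:alert(1)" and bare "host/path" forms;
    // both are refused rather than guessed at.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    // "http://trusted.example@evil.example/" parses with host evil.example; refuse any userinfo.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;
    }
    // Exact host match against the allowlist; no suffix or substring matching.
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return $fallback;
    }
    return $location;
}

$allowed = ['example.com', 'www.example.com'];       // hypothetical site hosts
$cases = [
    '/wp-admin/',                                    // site-relative: allowed
    '//evil.example/phish',                          // scheme-relative: rejected
    '/\\evil.example',                               // backslash variant: rejected
    'https://www.example.com/?p=1',                  // allowlisted host: allowed
    'https://example.com.evil.example/',             // lookalike host: rejected
    'http://example.com@evil.example/',              // userinfo trick: rejected
    'javascript:alert(1)',                           // non-http scheme: rejected
    "https://example.com/\r\nSet-Cookie:x=1",        // header injection: CR/LF stripped
];
foreach ($cases as $c) {
    printf("%-42s -> %s\n", addcslashes($c, "\r\n"), safe_redirect_target($c, $allowed));
}
```

The host check is deliberately an exact match: suffix checks ("ends with example.com") are what lookalike hosts such as `example.com.evil.example` defeat.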
WordPress WPStoreCart Plugin 2.5.27 - 2.5.29 - Arbitrary File Upload
The WPStoreCart plugin is prone to an arbitrary file upload vulnerability: access to the upload script is not properly restricted, so an attacker can upload files containing malicious PHP code and run them in the context of the web server process. Other attacks are also possible. Solutio...
WordPress <= 3.3.1 - Unspecified vulnerability
There is an unspecified vulnerability in wp-includes/js/swfobject.js that has unknown impact and attack vectors. Solution: Update WordPress...
WordPress Block Spam By Math Reloaded Plugin - Bypass
A bypass vulnerability was discovered in the WordPress Block Spam By Math Reloaded plugin. Solution: Update the plugin...
WordPress Traffic Manager plugin <= 1.4.5 - Broken Access Control vulnerability leading to Stored Cross-Site Scripting (XSS)
Broken Access Control vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by Lana Codes (Patchstack Alliance) in WordPress Traffic Manager plugin versions <= 1.4.5. Solution: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for...
WordPress ALD - AliExpress Dropshipping and Fulfillment for WooCommerce premium plugin <= 1.1.0 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by Dave Jong (Patchstack) in WordPress ALD - AliExpress Dropshipping and Fulfillment for WooCommerce premium plugin versions <= 1.1.0. Solution: Update the WordPress ALD - AliExpress Dropshipping and Fulfillment for WooCommerce plugin to the latest...
WordPress MailOptin plugin <= 1.2.49.0 - Unauthenticated Optin Campaign Cache Deletion vulnerability
An Unauthenticated Optin Campaign Cache Deletion vulnerability was discovered by Muhammad Daffa (Patchstack Alliance) in WordPress MailOptin plugin versions <= 1.2.49.0. Solution: Update the WordPress MailOptin plugin to the latest available version, at least 1.2.50.0...
WordPress Visual Portfolio Plugin <= 2.17.1 - Unauthenticated CSS Injection vulnerability
Unauthenticated CSS Injection vulnerability discovered by Krzysztof Zając in WordPress Visual Portfolio plugin versions <= 2.17.1. Solution: Update the WordPress Visual Portfolio, Photo Gallery & Post Grid plugin to the latest available version, at least 1.18.0...
WordPress Uploading SVG, WEBP and ICO files plugin <= 1.0.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability via malicious SVG file upload discovered by Universe (Patchstack Alliance) in WordPress Uploading SVG, WEBP and ICO files plugin versions <= 1.0.1. Solution: No patched version available...
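The upload entries above fall into two groups: arbitrary file upload (wpDiscuz, WPStoreCart), where a server-side script reaches the web root, and stored XSS via SVG (File Upload Pro, the SVG/WEBP/ICO uploader), where a file that is a valid image to the media library is also a script-bearing XML document to the browser. The PHP below is an added example, not code from any of those plugins: a validator that checks the filename, sniffs binary images with finfo, and parses SVG to reject scripts, event handlers, external references and DOCTYPEs. The allowlist, the forbidden-element list and the sample files are constructed for illustration. It needs PHP 8 with the dom and fileinfo extensions.

```php
<?php
// Added example, not code from wpDiscuz, WPStoreCart, File Upload Pro or the SVG
// uploader plugin: checks an upload handler should run before a file lands in the
// uploads directory. Allowlist and sample files are constructed for this example.

const ALLOWED_TYPES = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'svg' => 'image/svg+xml'];

// SVG is XML, and XML can carry scripts, event-handler attributes, external
// references and entity tricks. Parse it and refuse all of those outright.
function svg_is_clean(string $svg): bool {
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML($svg, LIBXML_NONET);          // never fetch anything over the network
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok || $doc->doctype !== null) {              // malformed, or a DOCTYPE (entity expansion, XXE)
        return false;
    }
    $root = $doc->documentElement;
    if ($root === null || strtolower($root->localName) !== 'svg') {
        return false;
    }
    // Conservative list: anything that can run code or pull in another document.
    $forbidden = ['script', 'foreignobject', 'iframe', 'embed', 'object', 'set', 'animate', 'use'];
    foreach ($doc->getElementsByTagName('*') as $el) {
        if (in_array(strtolower($el->localName), $forbidden, true)) {
            return false;
        }
        foreach ($el->attributes as $attr) {
            $name  = strtolower($attr->localName);      // localName covers href and xlink:href alike
            $value = trim($attr->value);
            if (str_starts_with($name, 'on')) {
                return false;                           // onload=, onclick=, ...
            }
            if (in_array($name, ['href', 'src'], true) && !str_starts_with($value, '#')) {
                return false;                           // only same-document fragment references
            }
        }
    }
    return true;
}

// Returns [accepted, reason].
function validate_upload(string $filename, string $bytes): array {
    // Reject a ".php"-like segment anywhere in the name: with AddHandler-style
    // server configs "shell.php.jpg" is still executed as PHP.
    if (preg_match('/\.(php\d?|phtml|phar)(\.|$)/i', $filename)) {
        return [false, 'executable extension in filename'];
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return [false, "extension .$ext not allowed"];
    }
    if ($ext === 'svg') {
        // libmagic is unreliable on small SVGs; the XML parse is the real check here.
        return svg_is_clean($bytes) ? [true, 'ok'] : [false, 'svg carries script or external references'];
    }
    // For binary images the sniffed content type must agree with the extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return [false, "content sniffed as $mime, not " . ALLOWED_TYPES[$ext]];
    }
    return [true, 'ok'];
}

// Constructed sample uploads.
$samples = [
    'logo.png'      => "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16),      // minimal PNG signature
    'shell.php.jpg' => "<?php system(\$_GET['c']); ?>",                // double extension
    'shell.jpg'     => "<?php system(\$_GET['c']); ?>",                // wrong content for .jpg
    'icon.svg'      => '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>',
    'evil.svg'      => '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><script>alert(1)</script></svg>',
];
foreach ($samples as $name => $bytes) {
    [$ok, $why] = validate_upload($name, $bytes);
    printf("%-14s %s (%s)\n", $name, $ok ? 'ACCEPT' : 'REJECT', $why);
}
```

Two caveats a practitioner would add: the extension check uses the last extension but still refuses any `.php`-like segment earlier in the name, because the web server, not the plugin, decides what gets executed; and the SVG rules are an allowlist stance (fragment-only references, no animation elements), which is the right default for user uploads even though it rejects some legitimate artwork.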
WordPress User Meta plugin <= 2.4.3 - Local File Enumeration via Path Traversal vulnerability
Local File Enumeration via Path Traversal vulnerability discovered by Julien Ahrens in WordPress User Meta plugin versions <= 2.4.3. Solution: Update the WordPress User Meta plugin to the latest available version, at least 2.4.4...
WordPress Andrea Pernici News Sitemap for Google plugin <= 1.0.16 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by John Castro aka mirphak (Pagely) in WordPress Andrea Pernici News Sitemap for Google plugin versions <= 1.0.16. Solution: No patched version is available...
WordPress Booking Calendar plugin <= 9.1 - Insecure Deserialization/PHP Object Injection vulnerability
Insecure Deserialization/PHP Object Injection vulnerability discovered by Ramuel Gall (Wordfence) in WordPress Booking Calendar plugin versions <= 9.1. Solution: Update the WordPress Booking Calendar plugin to the latest available version, at least 9.1.1...
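PHP object injection, the class of the Booking Calendar entry above, is specific to PHP's unserialize(): the serialized payload names a class, the engine instantiates it with attacker-chosen properties, and any magic method on that class (__destruct, __wakeup, __toString) runs without the application ever calling it. The PHP below is an added example, not code from Booking Calendar or from any listed plugin; CacheFile is a stand-in gadget constructed for this example (real chains use classes the site already loads), and the payload is hand-built. It needs PHP 8.

```php
<?php
// Added example, not code from Booking Calendar or any plugin above: what PHP
// object injection is and the two ways to close it. CacheFile is a stand-in
// gadget constructed for this example.

class CacheFile {
    /** @var string[] records what the gadget did, instead of touching disk */
    public static array $sideEffects = [];

    public function __construct(public string $path = '', public string $data = '') {}

    // Destructors run when an object is freed, so merely deserialising a payload
    // that names this class executes this code; nothing has to call it.
    public function __destruct() {
        if ($this->path !== '') {
            self::$sideEffects[] = "write '{$this->data}' to {$this->path}";
        }
    }
}

// What an attacker sends in the cookie or POST field the code unserialises.
// Built by hand: O:<len>:"Class":<n>:{s:<len>:"prop";s:<len>:"value";...}
$payload = 'O:9:"CacheFile":2:{s:4:"path";s:23:"/var/www/html/shell.php";s:4:"data";s:14:"<?php evil; ?>";}';

// Vulnerable: any loaded class can be instantiated with attacker-chosen properties.
function restore_vulnerable(string $serialized): mixed {
    return unserialize($serialized);
}

// Hardened: no class is instantiated; objects come back as __PHP_Incomplete_Class,
// which has no methods and no destructor. allowed_classes can also be an explicit list.
function restore_hardened(string $serialized): mixed {
    return unserialize($serialized, ['allowed_classes' => false]);
}

// Preferred for new code: a format that cannot express objects at all.
function restore_json(string $json): mixed {
    return json_decode($json, true, 512, JSON_THROW_ON_ERROR);
}

$obj = restore_vulnerable($payload);
$isGadget = $obj instanceof CacheFile;
$obj = null;                                          // freed: __destruct fires
$afterVulnerable = count(CacheFile::$sideEffects);

$stub = restore_hardened($payload);
$isStub = $stub instanceof __PHP_Incomplete_Class;
$stub = null;                                         // freed: nothing runs
$afterHardened = count(CacheFile::$sideEffects) - $afterVulnerable;

printf("vulnerable: gadget=%s, side effects=%d\n", var_export($isGadget, true), $afterVulnerable);
printf("hardened:   stub=%s, new side effects=%d\n", var_export($isStub, true), $afterHardened);
print_r(restore_json('{"path":"/tmp/x","data":"plain data, no class"}'));
```

When auditing, grep for unserialize() on anything that originates in a request (cookies, POST bodies, options that users can set) and check whether the second argument is present; the fix is usually the allowed_classes option or a switch to JSON, plus an audit of the magic methods in every class the site loads.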
WordPress Responsive Tabs plugin <= 4.0.5 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability was discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Responsive Tabs plugin versions <= 4.0.5. Solution: No patched version is available...
WordPress Mycred plugin <= 2.4.4 - User E-mail Addresses Disclosure vulnerability
User E-mail Addresses Disclosure vulnerability discovered by Krzysztof Zając in WordPress Mycred plugin versions <= 2.4.4. Solution: Update the WordPress Mycred plugin to the latest available version, at least 2.4.4.1...
WordPress Advanced Custom Fields plugin <= 5.12 - Database Information Access vulnerability
Database Information Access vulnerability was discovered by Keitaro Yamazaki (Ierae Security Inc) in WordPress Advanced Custom Fields plugin versions <= 5.12. Solution: Update the WordPress Advanced Custom Fields plugin to the latest available version, at least 5.12.1...
WordPress Responsive Menu plugin <= 4.1.7 - Nonce token leak leading to arbitrary file upload, theme deletion, plugin settings change vulnerability
Nonce token leak leading to arbitrary file upload, theme deletion and plugin settings change vulnerability discovered by Dave Jong (Patchstack) in WordPress Responsive Menu plugin versions <= 4.1.7. Solution: Update the WordPress Responsive Menu plugin to the latest available version, at least 4.1.8...
WordPress Grid Kit Portfolio plugin <= 2.0.0 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Grid Kit Portfolio plugin versions <= 2.0.0. Solution: Update the WordPress Grid Kit Portfolio plugin to the latest available version, at least 2.1.0...
WordPress Profile Builder plugin <= 3.6.7 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Abhinav Porwal in WordPress Profile Builder plugin versions <= 3.6.7. Solution: Update the WordPress Profile Builder plugin to the latest available version, at least 3.6.8...
WordPress SpeakOut! Email Petitions plugin <= 2.14.14 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress SpeakOut! Email Petitions plugin versions <= 2.14.14. Solution: Update the WordPress SpeakOut! Email Petitions plugin to the latest available version, at least 2.14.15.1...
WordPress Popup Builder plugin <= 4.1.0 - SQL Injection (SQLi) vulnerability to Reflected Cross-Site Scripting (XSS)
SQL Injection (SQLi) vulnerability leading to Reflected Cross-Site Scripting (XSS) discovered by Krzysztof Zając in WordPress Popup Builder plugin versions <= 4.1.0. Solution: Update the WordPress Popup Builder plugin to the latest available version, at least 4.1.1...
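Five entries on this page are SQL injection (NotificationX, Booking Calendar, NOSpamPTI, SpeakOut!, Popup Builder), and the NOSpamPTI one names the usual shape: a numeric identifier such as comment_post_ID spliced into the query text. The PHP below is an added example, not code from any of those plugins: the vulnerable pattern and its parameterised replacement side by side, exercised with a blind-injection probe against an in-memory SQLite database. The table, its rows and the function names are constructed for illustration; inside WordPress the same fix is $wpdb->prepare() with a %d placeholder. It needs PHP 8 with pdo_sqlite.

```php
<?php
// Added example, not code from NotificationX, Booking Calendar, NOSpamPTI,
// SpeakOut! or Popup Builder: blind SQL injection through an integer parameter,
// beside the parameterised query that closes it. Table and rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_status TEXT)');
$db->exec("INSERT INTO posts VALUES (1, 'Hello world', 'publish'),
                                    (2, 'Unreleased announcement', 'draft'),
                                    (3, 'Board notes', 'private')");

// Vulnerable: the request value is spliced into the SQL text, so it can rewrite
// the WHERE clause. (In a plugin this is $_POST['comment_post_ID'] or similar.)
function published_post_vulnerable(PDO $db, string $commentPostId): array {
    $sql = "SELECT ID, post_title FROM posts WHERE ID = $commentPostId AND post_status = 'publish'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: coerce to the expected type and bind it, so the value is only ever
// compared, never parsed. $wpdb->prepare('... ID = %d', $id) does this in WordPress.
function published_post_safe(PDO $db, string $commentPostId): array {
    $stmt = $db->prepare('SELECT ID, post_title FROM posts WHERE ID = ? AND post_status = ?');
    $stmt->execute([(int) $commentPostId, 'publish']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A blind probe: the attacker appends a condition whose truth they control and
// watches whether the page behaves as if a row was found. With a true condition
// the injected OR matches every row and the comment marker (--) drops the status
// filter; with a false one nothing matches. Repeated per character, this reads
// the database one bit at a time.
$probeTrue  = '1 OR 1=1 --';
$probeFalse = '1 AND 1=2 --';

foreach (['vulnerable' => 'published_post_vulnerable', 'safe' => 'published_post_safe'] as $label => $fn) {
    // The safe version sees (int) '1 OR 1=1 --' === 1 for both probes: the payload is inert.
    printf("%-10s true-probe rows: %d   false-probe rows: %d\n",
        $label, count($fn($db, $probeTrue)), count($fn($db, $probeFalse)));
}
```

The row counts are the oracle: the vulnerable function returns a different number of rows for the true and false probes (and leaks draft and private rows on the true one), while the safe function returns the same single published row for both, because the bound integer can only be the number 1.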
WordPress Mapping multiple URLs redirect same page plugin <= 5.8 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ran Crane in WordPress Mapping multiple URLs redirect same page plugin versions <= 5.8. Solution: Deactivate and delete. This plugin has been closed as of February 14, 2022 and is not available for download. This closure is temporary,...
WordPress UpdraftPlus plugin <= 1.22.1 - Arbitrary Backup Downloads vulnerability
Arbitrary Backup Downloads vulnerability discovered by Marc-Alexandre Montpas (Automattic) in WordPress UpdraftPlus plugin versions <= 1.22.1. Solution: Update the WordPress UpdraftPlus plugin to the latest available version, at least 1.22.3...
WordPress MOLIE plugin <= 0.5 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Jeremie Amsellem in WordPress MOLIE plugin versions <= 0.5. Solution: Deactivate and delete. This plugin has been closed as of November 29, 2021 and is not available for download. Reason: Security Issue...
WordPress core <= 5.8.1 - Expired DST Root CA X3 Certificate issue
Expired DST Root CA X3 Certificate issue discovered by Bradley Taylor in WordPress core versions <= 5.8.1. Solution: 5.8.1 fixed in 5.8.2, 5.8 fixed in 5.8.2, 5.7.3 fixed in 5.7.4, 5.7.2 fixed in 5.7.4, 5.7.1 fixed in 5.7.4, 5.7 fixed in 5.7.4, 5.6.5 fixed in 5.6.6, 5.6.4 fixed in 5.6.6, 5.6.3 fixe...
WordPress WP Project Manager plugin <= 2.4.13 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Jörgson (Patchstack Alliance) in WordPress WP Project Manager plugin versions <= 2.4.13. Solution: Update the WordPress WP Project Manager plugin to the latest available version, at least 2.4.14...
WordPress Newspaper premium theme <= 10.4 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Truoc Phan in WordPress Newspaper premium theme versions <= 10.4. Solution: Update the WordPress Newspaper premium theme to the latest available version, at least 11,...
WordPress Custom css-js-php plugin <= 2.0.7 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by NinTechNet in WordPress Custom css-js-php plugin versions <= 2.0.7. Solution: This plugin has been closed as of February 11, 2021 and is not available for download. Reason: Security Issue...
WordPress JNews premium theme <= 8.0.5 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Truoc Phan in WordPress JNews premium theme versions <= 8.0.5. Solution: Update the WordPress JNews premium theme to the latest available version, at least 8.0.6...
WordPress Advanced Custom Fields PRO plugin <= 5.9.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Juan David Ordoñez Noriega in WordPress Advanced Custom Fields PRO plugin versions <= 5.9.0. Solution: Update the WordPress Advanced Custom Fields PRO plugin to the latest available version, at least 5.9.1...
WordPress Mapplic premium plugin <= 6.1 - Stored Cross-Site Scripting (XSS) Injection via Server-Side Request Forgery (SSRF) vulnerability
Stored Cross-Site Scripting (XSS) Injection via Server-Side Request Forgery (SSRF) vulnerability discovered by Eagle Eye in WordPress Mapplic premium plugin versions <= 6.1. Solution: Update the WordPress Mapplic premium plugin to the latest available version, at least 7.0...