WordPress WP Total Hacks plugin <= 4.7.2 - Auth. Arbitrary Options Update vulnerability leading to Stored Cross-Site Scripting (XSS)
Auth. Arbitrary Options Update vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by Daniel Ruf in the WordPress WP Total Hacks plugin versions <= 4.7.2. Solution: Deactivate and delete. This plugin has been closed as of October 6, 2022 and is not available for download. This closu...
WordPress LBStopAttack plugin <= 1.1.2 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary Settings Update discovered by Daniel Ruf in WordPress LBStopAttack plugin versions <= 1.1.2. Solution: Update the WordPress LBstopattack plugin to the latest available version (at least 1.1.3)...
WordPress AdminPad plugin <= 2.1 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by Raad Haddad (Cloudyrion GmbH) in WordPress AdminPad plugin versions <= 2.1. Solution: Update the WordPress AdminPad plugin to the latest available version (at least 2.2)...
WordPress Store Locator plugin <= 1.4.5 - Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability was discovered by Nguy Minh Tuan (Patchstack Alliance) in the WordPress Store Locator plugin versions <= 1.4.5. Solution: Update the WordPress Store Locator plugin to the latest available version (at least 1.4.6)...
WordPress Booking Ultra Pro plugin <= 1.1.4 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Ngo Van Thien (Patchstack Alliance) in the WordPress Booking Ultra Pro plugin versions <= 1.1.4. Solution: No patched version is available...
WordPress Tutor LMS plugin <= 2.0.9 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by lucy in WordPress Tutor LMS plugin versions <= 2.0.9. Solution: Update the WordPress Tutor LMS plugin to the latest available version (at least 2.0.10)...
WordPress WP Custom Cursors plugin <= 3.0.1 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Lana Codes in WordPress WP Custom Cursors plugin versions <= 3.0.1. Solution: Deactivate and delete. This plugin has been closed as of September 19, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Social Rocket plugin <= 1.3.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas in WordPress Social Rocket plugin versions <= 1.3.2. Solution: Update the WordPress Social Rocket plugin to the latest available version (at least 1.3.3)...
WordPress WP 2FA plugin <= 2.2.1 - Time-Based Side-Channel Attack vulnerability
Time-Based Side-Channel Attack vulnerability discovered by Calvin Alkan in WordPress WP 2FA plugin versions <= 2.2.1. Solution: Update the WordPress WP 2FA plugin to the latest available version (at least 2.3.0)...
WordPress Integration for Szamlazz.hu & Gravity Forms plugin <= 1.2.6 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Lana Code in WordPress Integration for Szamlazz.hu & Gravity Forms plugin versions <= 1.2.6. Solution: Update the WordPress Integration for Szamlazz.hu & Gravity Forms plugin to the latest available version (at least 1.2.7)...
WordPress Wordfence Security – Firewall & Malware Scan plugin <= 7.6.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ori Gabriel in WordPress Wordfence Security – Firewall & Malware Scan plugin versions <= 7.6.0. Solution: Update the WordPress Wordfence plugin to the latest available version (at least 7.6.1)...
WordPress Donation Thermometer plugin <= 2.1.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas in WordPress Donation Thermometer plugin versions <= 2.1.2. Solution: Update the WordPress Donation Thermometer plugin to the latest available version (at least 2.1.3)...
WordPress Post SMTP Mailer/Email Log plugin <= 2.1.6 - Authenticated Blind Server-Side Request Forgery (SSRF) vulnerability
Authenticated Blind Server-Side Request Forgery (SSRF) vulnerability discovered by Raad Haddad (Cloudyrion GmbH) in WordPress Post SMTP Mailer/Email Log plugin versions <= 2.1.6. Solution: Update the WordPress Post SMTP Mailer/Email Log plugin to the latest available version (at least 2.1.7)...
WordPress Pop-up plugin <= 1.1.5 - Privilege Escalation vulnerability
Privilege Escalation vulnerability was discovered by Tien Nguyen Anh (Patchstack Alliance) in the WordPress Pop-up plugin versions <= 1.0.9. Solution: Update the WordPress Pop-up plugin to the latest available version (at least 1.1.6)...
WordPress WP-PostRatings plugin <= 1.89 - Rating Increase/Decrease via Race Condition vulnerability
Rating Increase/Decrease via Race Condition vulnerability discovered by Nguy Minh Tuan (Patchstack Alliance) in the WordPress WP-PostRatings plugin versions <= 1.89. Solution: Update the WordPress WP-PostRatings plugin to the latest available version (at least 1.90)...
WordPress Slickr Flickr plugin <= 2.8.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Kishore Hariram in WordPress Slickr Flickr plugin versions <= 2.8.1. Solution: Deactivate and delete. This plugin has been closed as of August 25, 2022 and is not available for download. This closure is temporary, pending a...
WordPress Beaver Builder plugin <= 2.5.5.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability via Image URL
Authenticated Stored Cross-Site Scripting (XSS) vulnerability via Image URL discovered by Zhouyuan Yang in WordPress Beaver Builder plugin versions <= 2.5.5.2. Solution: Update the WordPress Beaver Builder plugin to the latest available version (at least 2.5.5.3)...
WordPress Access Code Feeder plugin <= 1.0.3 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by ptsfence (Patchstack Alliance) in WordPress Access Code Feeder plugin versions <= 1.0.3. Solution: Deactivate and delete. This plugin has been closed as of August 24, 2022 and is not available for download. This closure is temporary, pending...
WordPress Leaflet Maps Marker plugin <= 3.12.4 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Ihor Bliumental in WordPress Leaflet Maps Marker plugin versions <= 3.12.4. Solution: Update the WordPress Leaflet Maps Marker plugin to the latest available version (at least 3.12.5)...
WordPress Link Optimizer Lite plugin <= 1.4.5 - Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS) discovered by Hayato Takizawa in WordPress Link Optimizer Lite plugin versions <= 1.4.5. Solution: Deactivate and delete. This plugin has been closed as of July 26, 2022 and is not available for download. This closure...
WordPress Lana Downloads Manager plugin <= 1.7.1 - Authenticated Arbitrary File Download vulnerability
Authenticated Arbitrary File Download vulnerability discovered by Raad Haddad in WordPress Lana Downloads Manager plugin versions <= 1.7.1. Solution: Update the WordPress Lana Downloads Manager plugin to the latest available version (at least 1.8.0)...
WordPress Ninja Job Board plugin <= 1.3.1 - Resume Disclosure via Directory Listing
Resume Disclosure via Directory Listing discovered by Daniel Ruf in WordPress Ninja Job Board plugin versions <= 1.3.1. Solution: Update the WordPress Ninja Job Board plugin to the latest available version (at least 1.3.3)...
WordPress WP Social Chat plugin <= 6.0.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Raad Haddad in WordPress WP Social Chat plugin versions <= 6.0.4. Solution: Update the WordPress WP Social Chat plugin to the latest available version (at least 6.0.5)...
WordPress Directorist plugin <= 7.2.2 - Authenticated Arbitrary File Upload vulnerability
Authenticated Arbitrary File Upload vulnerability discovered by Rafie Muhammad Yeraisci in WordPress Directorist plugin versions <= 7.2.2. Solution: Update the WordPress Directorist plugin to the latest available version (at least 7.2.3)...
WordPress WPDating plugin <= 7.1.9 - Multiple SQL Injection (SQLi) vulnerabilities
Multiple SQL Injection (SQLi) vulnerabilities discovered by WPScanTeam in WordPress WPDating plugin versions <= 7.1.9. Solution: No patched version available...
WordPress Event Timeline plugin <= 1.1.6 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Fayçal CHENA in WordPress Event Timeline plugin versions <= 1.1.6. Solution: No patched version available...
WordPress Featured Image from URL plugin <= 3.9.9 - Arbitrary Settings Update to Stored XSS via CSRF vulnerability
Arbitrary Settings Update to Stored XSS via CSRF vulnerability discovered by Raad Haddad in WordPress Featured Image from URL plugin versions <= 3.9.9. Solution: Update the WordPress Featured Image from URL plugin to the latest available version (at least 4.0.0)...
WordPress Flexi Quote Rotator plugin <= 0.9.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Daniel Ruf in WordPress Flexi Quote Rotator plugin versions <= 0.9.4. Solution: Deactivate and delete. This plugin has been closed as of July 6, 2022 and is not available for download. This closure is temporary, pending a ful...
WordPress Copyright Proof plugin <= 4.16 - Reflected Cross-Site-Scripting (XSS) vulnerability
Reflected Cross-Site-Scripting (XSS) vulnerability discovered by cydave in WordPress Copyright Proof plugin versions <= 4.16. Solution: Deactivate and delete. This plugin has been closed as of June 14, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress DX Share Selection plugin <= 1.4 - Stored Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability
Stored Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability discovered by Sho Sakata (Cryptography Laboratory at Tokyo Denki University) in WordPress DX Share Selection plugin versions <= 1.4. Solution: Update the WordPress DX Share Selection plugin to the latest available versi...
WordPress 404s plugin <= 3.4.9 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Vivek Kumar Jaiswal in WordPress 404s plugin versions <= 3.4.9. Solution: Update the WordPress 404s plugin to the latest available version (at least 3.5.1)...
WordPress Very Simple Breadcrumb plugin <= 1.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Rahul Selvakumar in WordPress Very Simple Breadcrumb plugin versions <= 1.0. Solution: Deactivate and delete. This plugin has been closed as of June 21, 2022 and is not available for download. This closure is temporary, pendi...
WordPress GiveWP plugin <= 2.20.2 - Donor Information Disclosure vulnerability
Donor Information Disclosure vulnerability discovered by Kane Gamble (Blackfoot UK) in WordPress GiveWP plugin versions <= 2.20.2. Solution: Update the WordPress GiveWP plugin to the latest available version (at least 2.21.0)...
WordPress Woody Code Snippets plugin <= 2.4.5 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScanTeam in WordPress Woody Code Snippets plugin versions <= 2.4.5. Solution: Update the WordPress Woody Code Snippets plugin to the latest available version (at least 2.4.6)...
WordPress Grow Social plugin <= 1.18.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScanTeam in WordPress Grow Social plugin versions <= 1.18.2. Solution: Update the WordPress Grow Social plugin to the latest available version (at least 1.19.0)...
WordPress Export any WordPress data to XML/CSV plugin <= 1.3.5 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScanTeam in WordPress Export any WordPress data to XML/CSV plugin versions <= 1.3.5. Solution: Update the WordPress Export any WordPress data to XML/CSV plugin to the latest available version (at least 1.3.6)...
WordPress HTML2WP plugin <= 1.0.0 - Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability discovered by Daniel Ruf in WordPress HTML2WP plugin versions <= 1.0.0. Solution: Deactivate and delete. This plugin has been closed as of May 4, 2022 and is not available for download. This closure is temporary, pending a...
WordPress Social Share Buttons by Supsystic plugin <= 2.2.3 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Daniel Ruf in the WordPress Social Share Buttons by Supsystic plugin versions <= 2.2.3. Solution: Update the WordPress Social Share Buttons by Supsystic plugin to the latest available version (at least 2.2.4)...
WordPress Icegram plugin <= 2.1.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Pritam Dash in WordPress Icegram plugin versions <= 2.1.7. Solution: Update the WordPress Icegram plugin to the latest available version (at least 2.1.8)...
WordPress Clean-Contact plugin <= 1.6 - Arbitrary Settings Update to Stored XSS via CSRF vulnerability
Arbitrary Settings Update to Stored XSS via CSRF vulnerability discovered by Daniel Ruf in WordPress Clean-Contact plugin versions <= 1.6. Solution: Deactivate and delete. This plugin has been closed as of May 27, 2022 and is not available for download. This closure is temporary, pending a full...
WordPress Mobile Browser Color Select plugin <= 1.0.1 - Stored Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability
Stored Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability was discovered by Tsubasa Imaizumi (Cryptography Laboratory at Tokyo Denki University) in the WordPress Mobile Browser Color Select plugin versions <= 1.0.1. Solution: Deactivate and delete. This plugin has been closed ...
WordPress Amazon Einzeltitellinks plugin <= 1.3.3 - Arbitrary Settings Update to Stored XSS via CSRF vulnerability
Arbitrary Settings Update to Stored XSS via CSRF vulnerability discovered by Daniel Ruf in WordPress Amazon Einzeltitellinks plugin versions <= 1.3.3. Solution: Deactivate and delete...
WordPress Appointment Hour Booking plugin <= 1.3.55 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Bruno Halltari in WordPress Appointment Hour Booking plugin versions <= 1.3.55. Solution: Update the WordPress Appointment Hour Booking plugin to the latest available version (at least 1.3.56)...
WordPress Email Users plugin <= 4.8.8 - Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability was discovered by Daniel Ruf in the WordPress Email Users plugin versions <= 4.8.8. Solution: Deactivate and delete. This plugin has been closed as of May 6, 2022 and is not available for download. This closure is temporary...
WordPress WP-CRM plugin <= 1.2.1 - CSV Injection vulnerability
CSV Injection vulnerability discovered by Ankur Bakre in WordPress WP-CRM plugin versions <= 1.2.1. Solution: Deactivate and delete. This plugin has been closed as of April 20, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress Bestbooks plugin <= 2.6.3 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by cydave in WordPress Bestbooks plugin versions <= 2.6.3. Solution: Deactivate and delete. This plugin has been closed as of May 11, 2022 and is not available for download. This closure is temporary, pending a full review...
WordPress WordPress File Upload plugin <= 4.16.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in WordPress WordPress File Upload plugin versions <= 4.16.3. Solution: Update the WordPress WordPress File Upload plugin to the latest available version (at least 4.16.4)...
WordPress Donations plugin <= 1.8 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Donations plugin versions <= 1.8. Solution: Deactivate and delete. This plugin has been closed as of February 28, 2022 and is not available for download. Reason: Security Issue...
WordPress Quick Restaurant Reservations plugin <= 1.4.1 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability
Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered by BEE-K (Patchstack) in WordPress Quick Restaurant Reservations plugin versions <= 1.4.1. Solution: Update the WordPress Quick Restaurant Reservations plugin to the latest available version (at least 1.4.2)...
WordPress User Meta plugin <= 2.4.2 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Niraj Mahajan in WordPress User Meta plugin versions <= 2.4.2. Solution: Update the WordPress User Meta plugin to the latest available version (at least 2.4.3)...