WordPress Projectopia – WordPress Project Management Plugin plugin < 5.0.7 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress Projectopia – WordPress Project Management Plugin plugin versions < 5.0.7. Solution: Update the WordPress Projectopia – WordPress Project Management Plugin plugin to the latest available version at least...
WordPress Speculor theme <= 1.2.0 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Speculor theme versions <= 1.2.0. Solution: No patched version available...
WordPress Everse theme < 1.8.6 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Everse theme versions < 1.8.6. Solution: Update the WordPress Everse theme to the latest available version (at least 1.8.6)...
WordPress Campation PostOffice – Send Email Spam-free on HighSpeed without WP SMTP plugin – WordPress 6 ready! plugin < 1.1.7 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Campation PostOffice – Send Email Spam-free on HighSpeed without WP SMTP plugin – WordPress 6 ready! plugin versions < 1.1.7. Solution: Update the WordPress Campation PostOffice – Send Email Spam-free on HighSpeed without WP SMTP...
WordPress Child Support Calculator plugin < 1.0.2 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Child Support Calculator plugin versions < 1.0.2. Solution: Update the WordPress Child Support Calculator plugin to the latest available version (at least 1.0.2)...
WordPress WP Scrive by Webbstart plugin < 1.2.3 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress WP Scrive by Webbstart plugin versions < 1.2.3. Solution: Update the WordPress WP Scrive by Webbstart plugin to the latest available version (at least 1.2.3)...
WordPress WP Private Media plugin <= 1.0.1 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress WP Private Media plugin versions <= 1.0.1. Solution: No patched version available...
WordPress WooCommerce PayPlug plugin <= 3.5.3 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress WooCommerce PayPlug plugin versions <= 3.5.3. Solution: No patched version available...
WordPress Petfinder Listings plugin <= 1.0.19 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by fuzzyap1 in WordPress Petfinder Listings plugin versions <= 1.0.19. Solution: Update the WordPress Petfinder Listings plugin to the latest available version (at least 1.1)...
WordPress Login with phone number plugin <= 1.3.6 - Unauthenticated Remote Plugin Deletion vulnerability
Unauthenticated Remote Plugin Deletion vulnerability discovered by Michal Lipinski in WordPress Login with phone number plugin versions <= 1.3.6. Solution: Update the WordPress Login with phone number plugin to the latest available version (at least 1.3.7)...
WordPress Better WordPress Google XML Sitemaps plugin <= 1.4.1 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Better WordPress Google XML Sitemaps plugin versions <= 1.4.1. Solution: Deactivate and delete. This plugin has been closed as of February 14, 2022 and is not available for download. This closur...
WordPress Superforms premium plugin <= 6.0.3 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Koutrouss Naddara in WordPress Superforms premium plugin versions <= 6.0.3. Solution: Update the WordPress Superforms premium plugin to the latest available version (at least 6.0.4)...
WordPress WHMCS Bridge plugin <= 6.3 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress WHMCS Bridge plugin versions <= 6.3. Solution: Update the WordPress WHMCS Bridge plugin to the latest available version (at least 6.4b)...
WordPress Editable Table plugin <= 0.1.4 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Vaibhav Koli in WordPress Editable Table plugin versions <= 0.1.4. Solution: Deactivate and delete. This plugin has been closed as of October 25, 2021 and is not available for download. Reason: Security Issue...
WordPress AdSanity premium plugin <= 1.8.1 - Broken Access Control vulnerability
Broken Access Control vulnerability leading to Arbitrary File Upload (Contributor user role) discovered by Jerome Bruandet in WordPress AdSanity premium plugin versions <= 1.8.1. Solution: Update the WordPress AdSanity premium plugin to the latest available version (at least 1.8.2). Vulnerability autho...
WordPress AnyComment plugin <= 0.2.17 - Arbitrary HyperComments Import/Revert via CSRF vulnerability
Arbitrary HyperComments Import/Revert via CSRF vulnerability discovered by Brandon Roldan in WordPress AnyComment plugin versions <= 0.2.17. Solution: Update the WordPress AnyComment plugin to the latest available version (at least 0.2.18)...
WordPress Form Store to DB plugin <= 1.1.0 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Yoru Oni in WordPress Form Store to DB plugin versions <= 1.1.0. Solution: Update the WordPress Form Store to DB plugin to the latest available version (at least 1.1.1)...
WordPress WP Optin Wheel plugin <= 1.3.4 - Information Disclosure vulnerability (Mailchimp lists, logs)
Information Disclosure vulnerability (Mailchimp lists, logs) discovered in WordPress WP Optin Wheel plugin versions <= 1.3.4. Solution: Update the WordPress WP Optin Wheel plugin to the latest available version (at least 1.3.5)...
WordPress SEUR Oficial plugin <= 1.7.1 - Arbitrary File Download vulnerability
Arbitrary File Download vulnerability discovered by José Aguilera in WordPress SEUR Oficial plugin versions <= 1.7.1. Solution: Update the WordPress SEUR Oficial plugin to the latest available version (at least 1.7.2)...
WordPress All-in-one Floating Contact Form plugin <= 2.0.3 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress All-in-one Floating Contact Form plugin versions <= 2.0.3. Solution: Update the WordPress All-in-one Floating Contact Form plugin to the latest available version (at least 2.0.4)...
WordPress Ivory Search plugin <= 5.4 - Multiple Stored Cross-Site Scripting (XSS) vulnerability
Multiple Stored Cross-Site Scripting (XSS) vulnerabilities discovered by Yoru Oni in WordPress Ivory Search plugin versions <= 5.4. Solution: Update the WordPress Ivory Search plugin to the latest available version (at least 5.4.1)...
WordPress Ultimate Reviews plugin <= 3.0.15 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Red Team project) in WordPress Ultimate Reviews plugin versions <= 3.0.15. Solution: Update the WordPress Ultimate Reviews plugin to the latest available version (at least 3.0.16)...
WordPress WPLegalPages plugin <= 2.7.0 - Arbitrary Settings Update to Stored Cross-Site Scripting (XSS) vulnerability
Arbitrary Settings Update to Stored Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress WPLegalPages plugin versions <= 2.7.0. Solution: Update the WordPress WPLegalPages plugin to the latest available version (at least 2.7.1)...
WordPress SupportCandy plugin <= 2.2.4 - Unauthenticated Arbitrary Ticket Deletion vulnerability
Unauthenticated Arbitrary Ticket Deletion vulnerability discovered by Brandon Roldan in WordPress SupportCandy plugin versions <= 2.2.4. Solution: Update the WordPress SupportCandy plugin to the latest available version (at least 2.2.5)...
WordPress LabTools plugin <= 1.0 - Arbitrary Publication Deletion vulnerability
Arbitrary Publication Deletion vulnerability discovered by Muhammad Adel in WordPress LabTools plugin versions <= 1.0. Solution: Deactivate and delete. This plugin has been closed as of December 28, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress NextScripts: Social Networks Auto-Poster plugin <= 4.3.23 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress NextScripts: Social Networks Auto-Poster plugin versions <= 4.3.23. Solution: Update the WordPress NextScripts: Social Networks Auto-Poster plugin to the latest available version (at least 4.3.24)...
WordPress Tutor LMS plugin <= 1.9.11 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Tutor LMS plugin versions <= 1.9.11. Solution: Update the WordPress Tutor LMS plugin to the latest available version (at least 1.9.12)...
WordPress WP Cookie User Info plugin <= 1.0.8 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by Shreya Pohekar (Codevigilant Project) in WordPress WP Cookie User Info plugin versions <= 1.0.8. Solution: Update the WordPress WP Cookie User Info plugin to the latest available version (at least 1.0.9)...
WordPress Eight Sec theme <= 1.1.4 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress Eight Sec theme versions <= 1.1.4. This theme uses a vulnerable piece of code related to previously identified vulnerability - CVE-2021-39317. Solution: Deactivate and delete. The vendor ignores t...
WordPress EightLaw Lite theme <= 2.1.5 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress EightLaw Lite theme versions <= 2.1.5. This theme uses a vulnerable piece of code related to previously identified vulnerability - CVE-2021-39317. Solution: Deactivate and delete. The vendor ignor...
WordPress Five Star Restaurant Reservations plugin <= 2.4.7 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Five Star Restaurant Reservations plugin versions <= 2.4.7. Solution: Update the WordPress Five Star Restaurant Reservations plugin to the latest available version (at least 2.4.8)...
WordPress SEUR Oficial plugin <= 1.6.0 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by José Aguilera in WordPress SEUR Oficial plugin versions <= 1.6.0. Solution: Update the WordPress SEUR Oficial plugin to the latest available version (at least 1.7.0)...
WordPress tarteaucitron.js – Cookies legislation & GDPR plugin <= 1.6 - Multiple Stored Authenticated Cross-Site Scripting (XSS) vulnerabilities
Multiple Stored Authenticated Cross-Site Scripting (XSS) vulnerabilities were discovered by Ex.Mi (Patchstack Red Team) in WordPress tarteaucitron.js – Cookies legislation & GDPR plugin versions <= 1.6. Solution: Update the WordPress tarteaucitron.js – Cookies legislation & GDPR plugin to the latest...
WordPress Image Hover Effects Ultimate plugin <= 9.6.1 - Unauthenticated Arbitrary Options Update leading to full website compromise
Unauthenticated Arbitrary Options Update leading to full website compromise discovered by mirphak aka John Castro Pagely in WordPress Image Hover Effects Ultimate plugin versions <= 9.6.1. Solution: Update the WordPress Image Hover Effects Ultimate plugin to the latest available version at least 9....
WordPress Use-your-Drive premium plugin <= 1.18.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Trainer Red in WordPress Use-your-Drive premium plugin versions <= 1.18.2. Solution: Update the WordPress Use-your-Drive premium plugin to the latest available version (at least 1.18.3)...
WordPress link-list-manager plugin <= 1.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress link-list-manager plugin versions <= 1.0. Solution: Deactivate and delete. This plugin has been closed as of December 3, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress WP RSS Aggregator plugin <= 4.19.2 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress WP RSS Aggregator plugin versions <= 4.19.2. Solution: Update the WordPress WP RSS Aggregator plugin to the latest available version (at least 4.19.3)...
WordPress Contact Form With Captcha plugin <= 1.6.7 - Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by Yuga Futatsuki (Cryptography Laboratory in Tokyo Denki University) in WordPress Contact Form With Captcha plugin versions <= 1.6.7. Solution: Update the WordPress Contact Form With Captcha plugin to...
WordPress Accesspress Lite theme <= 2.92 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite in WordPress Accesspress Lite theme versions <= 2.92. This theme uses a vulnerable piece of code related to previously identified vulnerability - CVE-2021-39317. Solution: Deactivate and delete. The vendor ignores the vulnerability...
WordPress Bloger theme <= 1.2.6 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress Bloger theme versions <= 1.2.6. This theme uses a vulnerable piece of code related to previously identified vulnerability - CVE-2021-39317. Solution: Deactivate and delete. The vendor ignores the...
WordPress ParallaxSome theme <= 1.3.6 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress ParallaxSome theme versions <= 1.3.6. This theme uses a vulnerable piece of code related to previously identified vulnerability - CVE-2021-39317. Solution: Deactivate and delete. The vendor ignore...
WordPress Paid Memberships Pro plugin <= 2.6.5 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress Paid Memberships Pro plugin versions <= 2.6.5. Solution: Update the WordPress Paid Memberships Pro plugin to the latest available version (at least 2.6.6)...
WordPress Pixel Cat plugin <= 2.6.2 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress Pixel Cat plugin versions <= 2.6.2. Solution: Update the WordPress Pixel Cat plugin to the latest available version (at least 2.6.3)...
WordPress User meta shortcodes plugin <= 0.5 - Unauthorized Arbitrary User Metadata Access vulnerability
Unauthorized Arbitrary User Metadata Access vulnerability discovered by Francesco Carlucci in WordPress User meta shortcodes plugin versions <= 0.5. Solution: Deactivate and delete. This plugin has been closed as of October 12, 2021 and is not available for download. This closure is temporary,...
WordPress Display Post Metadata plugin <= 1.4.0 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Francesco Carlucci in WordPress Display Post Metadata plugin versions <= 1.4.0. Solution: Update the WordPress Display Post Metadata plugin to the latest available version (at least 1.5.0)...
WordPress Contact Form Entries plugin <= 1.2.3 - Unauthenticated Persistent Cross-Site Scripting (XSS) vulnerability
Unauthenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered by Ex.Mi in WordPress Contact Form Entries plugin versions <= 1.2.3. Solution: Update the WordPress Contact Form Entries plugin to the latest available version (at least 1.2.4)...
WordPress Starter Templates plugin <= 2.7.0 - Authenticated Block Import leading to Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Block Import leading to Stored Cross-Site Scripting (XSS) vulnerability discovered by Ramuel Gall in WordPress Starter Templates plugin versions <= 2.7.0. Solution: Update the WordPress Starter Templates plugin to the latest available version (at least 2.7.1)...
WordPress Like Button Rating plugin <= 2.6.37 - Unauthorized Vote Export to Email & IP Addresses Disclosure vulnerability
Unauthorized Vote Export to Email & IP Addresses Disclosure vulnerability discovered by Krzysztof Zając in WordPress Like Button Rating plugin versions <= 2.6.37. Solution: Update the WordPress Like Button Rating plugin to the latest available version (at least 2.6.38)...
WordPress HashThemes Demo Importer plugin <= 1.1.1 - Improper Access Control allowing content deletion vulnerability
Improper Access Control allowing content deletion vulnerability discovered by Ramuel Gall (WordFence) in WordPress HashThemes Demo Importer plugin versions <= 1.1.1. Solution: Update the WordPress HashThemes Demo Importer plugin to the latest available version (at least 1.1.2)...
WordPress Notification plugin <= 7.2.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Thinkland Security Team in WordPress Notification plugin versions <= 7.2.4. Solution: Update the WordPress Notification plugin to the latest available version (at least 8.0.0)...