WordPress Falang multilanguage plugin <= 1.3.17 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScanTeam in WordPress Falang multilanguage plugin versions <= 1.3.17. Solution: Update the WordPress Falang multilanguage plugin to the latest available version (at least 1.3.18)...
WordPress Images to WebP plugin <= 1.8 - Authenticated Local File Inclusion (LFI) vulnerability
Authenticated Local File Inclusion (LFI) vulnerability discovered by apple502j in WordPress Images to WebP plugin versions <= 1.8. Solution: Update the WordPress Images to WebP plugin to the latest available version (at least 1.9)...
WordPress Tutor LMS plugin <= 1.9.10 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress Tutor LMS plugin versions <= 1.9.10. Solution: Update the WordPress Tutor LMS plugin to the latest available version (at least 1.9.11)...
WordPress Relevanssi plugin <= 4.14.2 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in WordPress Relevanssi plugin versions <= 4.14.2. Solution: Update the WordPress Relevanssi plugin to the latest available version (at least 4.14.3)...
WordPress Email Log plugin <= 2.4.6 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by bl4derunner in WordPress Email Log plugin versions <= 2.4.6. Solution: Update the WordPress Email Log plugin to the latest available version (at least 2.4.7)...
WordPress My Tickets plugin <= 1.8.30 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Abhiyan Chhetri in WordPress My Tickets plugin versions <= 1.8.30. Solution: Update the WordPress My Tickets plugin to the latest available version (at least 1.8.31)...
WordPress QR Redirector plugin <= 1.6 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by apple502j in WordPress QR Redirector plugin versions <= 1.6. Solution: Update the WordPress QR Redirector plugin to the latest available version (at least 1.6.1)...
WordPress Indeed Job Importer plugin <= 1.0.5 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Thinkland Security Team in WordPress Indeed Job Importer plugin versions <= 1.0.5. Solution: Deactivate and delete. This plugin has been closed as of October 14, 2021 and is not available for download. This closure is...
WordPress WP Fastest Cache plugin <= 0.9.4 - Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by Marc Montpas (Jetpack Scan team) in WordPress WP Fastest Cache plugin versions <= 0.9.4. Solution: Update the WordPress WP Fastest Cache plugin to the latest available version (at least 0.9.5)...
WordPress WpGenius Job Listing plugin <= 1.0.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Thinkland Security Team in WordPress WpGenius Job Listing plugin versions <= 1.0.3. Solution: Update the WordPress WpGenius Job Listing plugin to the latest available version (at least 1.0.4)...
WordPress Loco Translate plugin <= 2.5.3 - Authenticated PHP Code Injection vulnerability
Authenticated PHP Code Injection vulnerability discovered by Tomi Ashari in WordPress Loco Translate plugin versions <= 2.5.3. Solution: Update the WordPress Loco Translate plugin to the latest available version (at least 2.5.4)...
WordPress Storefront Footer Text plugin <= 1.0.1 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas in WordPress Storefront Footer Text plugin versions <= 1.0.1. Solution: Deactivate and delete. This plugin has been closed as of October 6, 2021 and is not available for download. This closure is temporary, pending a full...
WordPress Wow Forms plugin <= 3.1.3 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by Shreya Pohekar (Codevigilant Project) in WordPress Wow Forms plugin versions <= 3.1.3. Solution: Deactivate and delete. This plugin has been closed as of June 18, 2021 and is not available for download. Reason: Security Issue...
WordPress Schreikasten plugin <= 0.14.18 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by Shreya Pohekar (Codevigilant Project) in WordPress Schreikasten plugin versions <= 0.14.18. Solution: Deactivate and delete. This plugin has been closed as of June 21, 2021 and is not available for download. Reason: Security Issue...
WordPress Simple Download Monitor plugin <= 3.9.5.1 - Unauthenticated Log Access vulnerability
Unauthenticated Log Access vulnerability discovered by apple502j in WordPress Simple Download Monitor plugin versions <= 3.9.5.1. Solution: Update the WordPress Simple Download Monitor plugin to the latest available version (at least 3.9.6)...
WordPress FV Flowplayer Video Player plugin 7.5.0.727 – 7.5.2.727 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Margaux Dabert (Intrinsec) in WordPress FV Flowplayer Video Player plugin versions 7.5.0.727 – 7.5.2.727. Solution: Update the WordPress FV Flowplayer Video Player plugin to the latest available version (at least 7.5.3.727)...
WordPress Perfect Survey plugin <= 1.5.0 - Unauthorized AJAX Call to Stored XSS / Survey Settings Update vulnerability
Unauthorized AJAX Call to Stored XSS / Survey Settings Update vulnerability discovered by apple502j in WordPress Perfect Survey plugin versions <= 1.5.0. Solution: Vulnerability fixed in 1.5.2 version, but plugin closed due to other security issues. This plugin has been closed as of October 5, 2021...
WordPress BP Better Messages plugin <= 1.9.9.37 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by Brandon Roldan in WordPress BP Better Messages plugin versions <= 1.9.9.37. Solution: Update the WordPress BP Better Messages plugin to the latest available version or at least to the version 1.9.9.41...
WordPress WooCommerce Admin plugin <= 2.6.3 - Analytics Report Leaks vulnerability
Analytics Report Leaks vulnerability discovered in WordPress WooCommerce Admin plugin versions <= 2.6.3. Solution: Update the WordPress WooCommerce Admin plugin to the latest available version (at least 2.6.4). Other patched versions of WooCommerce Admin: 1.0.4, 1.1.4, 1.2.5, 1.3.3, 1.4.1, 1.5.1,...
WordPress Getwid – Gutenberg Blocks plugin <= 1.7.4 - Cross-Site Request Forgery (CSRF) / Settings Change vulnerability
Cross-Site Request Forgery (CSRF) / Settings Change vulnerability discovered in WordPress Getwid – Gutenberg Blocks plugin versions <= 1.7.4. Solution: Update the WordPress Getwid – Gutenberg Blocks plugin to the latest available version (at least 1.7.7)...
WordPress Live Product Editor for WooCommerce plugin <= 4.6.1 - Multiple vulnerabilities
Multiple vulnerabilities (Authenticated Arbitrary WordPress Options Change, Read and Deletion / Authenticated User Enumeration / Authenticated Plugin Settings Change, Import and Export) were discovered by Jerome Bruandet (NinTechNet) in WordPress Live Product Editor for WooCommerce plugin versions <=...
WordPress Wp Cookie Choice plugin <= 1.1.0 - Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by dc11 in WordPress Wp Cookie Choice plugin versions <= 1.1.0. Solution: Deactivate and delete. This plugin has been closed as of August 2, 2021 and is not available for download. Reason: Security...
WordPress One User Avatar plugin <= 2.3.6 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by apple502j in WordPress One User Avatar plugin versions <= 2.3.6. Solution: Update the WordPress One User Avatar plugin to the latest available version (at least 2.3.7)...
WordPress BetterDocs plugin <= 1.9.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScanTeam in WordPress BetterDocs plugin versions <= 1.9.1. Solution: Update the WordPress BetterDocs plugin to the latest available version (at least 1.9.2)...
WordPress Catch Import Export plugin <= 1.8 - Unauthorized Plugin Setting Change vulnerability
Unauthorized Plugin Setting Change vulnerability discovered by apple502j in WordPress Catch Import Export plugin versions <= 1.8. Solution: Update the WordPress Catch Import Export plugin to the latest available version (at least 1.9)...
WordPress Catch Infinite Scroll plugin <= 1.8.1 - Unauthorized Plugin Setting Change vulnerability
Unauthorized Plugin Setting Change vulnerability discovered by apple502j in WordPress Catch Infinite Scroll plugin versions <= 1.8.1. Solution: Update the WordPress Catch Infinite Scroll plugin to the latest available version (at least 1.9)...
WordPress PlanSo Forms plugin <= 2.6.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Felipe Restrepo Rodriguez in WordPress PlanSo Forms plugin versions <= 2.6.3. Solution: Deactivate and delete. This plugin has been closed as of August 2, 2021 and is not available for download. Reason: Security Issue...
WordPress Software License Manager plugin <= 4.5.0 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by Jetpack Scan Team in WordPress Software License Manager plugin versions <= 4.5.0. Solution: Update the WordPress Software License Manager plugin to the latest available version (at least 4.5.1)...
WordPress WP Publications plugin <= 0.0 - Local File Inclusion (LFI) vulnerability
Local File Inclusion (LFI) vulnerability discovered by p7e4 in WordPress WP Publications plugin versions <= 0.0. Solution: This plugin has been closed as of September 7, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress YouTube Video Inserter plugin <= 1.2.1.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress YouTube Video Inserter plugin versions <= 1.2.1.0. Solution: This plugin has been closed as of September 7, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress SP Rental Manager plugin <= 1.5.3 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered by p7e4 in WordPress SP Rental Manager plugin versions <= 1.5.3. Solution: This plugin has been closed as of September 7, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress 3D Cover Carousel plugin <= 1.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress 3D Cover Carousel plugin versions <= 1.0. Solution: This plugin has been closed as of September 7, 2021 and is not available for download. This closure is temporary, pending a full review...
WordPress CM Tooltip Glossary plugin <= 3.9.20 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by apple502j in WordPress CM Tooltip Glossary plugin versions <= 3.9.20. Solution: Update the WordPress CM Tooltip Glossary plugin to the latest available version (at least 3.9.21)...
WordPress Better Find and Replace plugin <= 1.2.8 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by apple502j in WordPress Better Find and Replace plugin versions <= 1.2.8. Solution: Update the WordPress Better Find and Replace plugin to the latest available version (at least 1.2.9)...
WordPress Meow Gallery plugin <= 4.1.8 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by apple502j in WordPress Meow Gallery plugin versions <= 4.1.8. Solution: Update the WordPress Meow Gallery plugin to the latest available version (at least 4.1.9)...
WordPress Countdown Block plugin <= 1.1.1 - Missing Authorisation in AJAX action vulnerability
Missing Authorisation in AJAX action vulnerability discovered by apple502j in WordPress Countdown Block plugin versions <= 1.1.1. Solution: Update the WordPress Countdown Block plugin to the latest available version (at least 1.1.2)...
WordPress PostX – Gutenberg Blocks for Post Grid plugin <= 2.4.9 - Private Content Disclosure vulnerability
Private Content Disclosure vulnerability discovered by apple502j in WordPress PostX – Gutenberg Blocks for Post Grid plugin versions <= 2.4.9. Solution: Update the WordPress PostX – Gutenberg Blocks for Post Grid plugin to the latest available version (at least 2.4.10)...
WordPress Simple Ecommerce Shopping Cart plugin <= 2.2.5 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by h3v0x in WordPress Simple Ecommerce Shopping Cart plugin versions <= 2.2.5. Solution: This plugin has been closed as of June 21, 2021 and is not available for download. Reason: Security Issue...
WordPress Afterpay Gateway for WooCommerce plugin <= 3.2.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScanTeam in WordPress Afterpay Gateway for WooCommerce plugin versions <= 3.2.0. Solution: Update the WordPress Afterpay Gateway for WooCommerce plugin to the latest available version (at least 3.2.1)...
WordPress MWB Point of Sale (POS) for WooCommerce plugin <= 1.0.0 - Cross-Site Request Forgery (CSRF) Bypass / Unauthorised AJAX Call vulnerability
Cross-Site Request Forgery (CSRF) Bypass / Unauthorised AJAX Call vulnerability discovered by WPScanTeam in WordPress MWB Point of Sale (POS) for WooCommerce plugin versions <= 1.0.0. Solution: Update the WordPress MWB Point of Sale (POS) for WooCommerce plugin to the latest available version at least...
WordPress Daily Prayer Time plugin <= 2021.08.07 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas in WordPress Daily Prayer Time plugin versions <= 2021.08.07. Solution: Update the WordPress Daily Prayer Time plugin to the latest available version (at least 2021.08.10)...
WordPress Download Manager plugin <= 3.2.12 - Email Template Setting Update via Cross-Site Request Forgery (CSRF) vulnerability
Email Template Setting Update via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress Download Manager plugin versions <= 3.2.12. Solution: Update the WordPress Download Manager plugin to the latest available version (at least 3.2.13)...
WordPress SliceWP plugin <= 1.0.45 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScanTeam in WordPress SliceWP plugin versions <= 1.0.45. Solution: Update the WordPress SliceWP plugin to the latest available version (at least 1.0.46)...
WordPress Venture Event Manager plugin <= 3.2.4 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by iohex and WPScanTeam in WordPress Venture Event Manager plugin versions <= 3.2.4. Solution: Update the WordPress Venture Event Manager plugin to the latest available version (at least 3.2.5)...
WordPress Splash Header plugin <= 1.20.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by xiahao in WordPress Splash Header plugin versions <= 1.20.7. Solution: Update the WordPress Splash Header plugin to the latest available version (at least 1.20.8)...
WordPress Favicon plugin <= 1.3.20 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by renniepak in WordPress Favicon plugin versions <= 1.3.20. Solution: According to WPScanTeam, there were attempts to contact the vendor, but the vulnerability was disclosed due to the vendor's lack of response. Timeline WPScanTeam: June...
WordPress Broken Link Manager plugin <= 0.6.5 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection (SQLi) vulnerability discovered by Shreya Pohekar in WordPress Broken Link Manager plugin versions <= 0.6.5. Solution: This plugin has been closed as of June 1, 2021 and is not available for download. Reason: Security Issue...
WordPress Grid Gallery plugin <= 1.2.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Amal E Thamban in WordPress Grid Gallery plugin versions <= 1.2.4. Solution: Update the WordPress Grid Gallery plugin to the latest available version (at least 1.2.5)...
WordPress Charitable plugin <= 1.6.50 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Muhammad Daffa in WordPress Charitable plugin versions <= 1.6.50. Solution: Update the WordPress Charitable plugin to the latest available version (at least 1.6.51)...