45686 matches found

Patchstack, added 2025/12/19 9:58 p.m., 4 views

WordPress WP DB Booster plugin <= 1.0.1 - Cross-Site Request Forgery to Database Cleanup vulnerability

Cross-Site Request Forgery to Database Cleanup vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin WP DB Booster versions <= 1.0.1...

CVSS 4.3 | AI score 6.7 | EPSS 0.00011
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/19 9:57 p.m., 3 views

WordPress Amazon affiliate lite Plugin plugin <= 1.0.0 - Cross-Site Request Forgery to Plugin Settings Update vulnerability

Cross-Site Request Forgery to Plugin Settings Update vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin Amazon affiliate lite versions <= 1.0.0...

CVSS 5.4 | AI score 6.7 | EPSS 0.00014
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/19 9:56 p.m., 3 views

WordPress Amazon affiliate lite Plugin plugin <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability

Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin Amazon affiliate lite versions <= 1.0.0...

CVSS 4.4 | AI score 5.5 | EPSS 0.0002
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/19 9:53 p.m., 5 views

WordPress F70 Lead Document Download plugin <= 1.4.4 - Missing Authorization to Unauthenticated Arbitrary Media File Download vulnerability

Missing Authorization to Unauthenticated Arbitrary Media File Download vulnerability discovered by ChamlaVic in WordPress Plugin F70 Lead Document Download versions <= 1.4.4...

CVSS 5.3 | AI score 6.7 | EPSS 0.00065
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/19 8:23 a.m., 4 views

WordPress Bit Assist plugin <= 1.5.11 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by NumeX in WordPress Plugin Bit Assist versions <= 1.5.11...

CVSS 8.8 | AI score 7 | EPSS 0.00038
Exploits 0 | Affected Software 1

Patchstack, added 2025/12/19 7:32 a.m., 5 views

WordPress SlimStat Analytics plugin <= 5.3.2 - Unauthenticated Stored Cross-Site Scripting vulnerability

Unauthenticated Stored Cross-Site Scripting vulnerability discovered by Supakiad S. m3ez - E-CQURITY Thailand in WordPress Plugin Slimstat Analytics versions <= 5.3.2...

CVSS 6.1 | AI score 5.6 | EPSS 0.00184
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/19 7:21 a.m., 10 views

WordPress HTML5 Audio Player plugin 2.4.0-2.5.1 - Unauthenticated Server-Side Request Forgery vulnerability

Unauthenticated Server-Side Request Forgery vulnerability discovered by kr0d in WordPress Plugin Html5 Audio Player versions 2.4.0-2.5.1...

CVSS 7.2 | AI score 6.8 | EPSS 0.00122
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/19 7:12 a.m., 5 views

WordPress Hummingbird plugin <= 3.18.0 - Unauthenticated Sensitive Information Exposure via Log File vulnerability

Unauthenticated Sensitive Information Exposure via Log File vulnerability discovered by ISMAILSHADOW in WordPress Plugin Hummingbird versions <= 3.18.0...

CVSS 7.5 | AI score 6.7 | EPSS 0.30797
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/19 3:36 a.m., 5 views

WordPress Twitch Player plugin <= 2.1.3 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Twitch Player versions <= 2.1.3...

CVSS 9.8 | AI score 7 | EPSS 0.00057
Exploits 0 | Affected Software 1

Patchstack, added 2025/12/18 10:20 p.m., 4 views

WordPress Image Photo Gallery Final Tiles Grid plugin <= 3.6.7 - Missing Authorization to Authenticated (Contributor+) Gallery Management vulnerability

Missing Authorization to Authenticated (Contributor+) Gallery Management vulnerability discovered by JongHwan Shin zzzsleep in WordPress Plugin Image Photo Gallery Final Tiles Grid versions <= 3.6.7...

CVSS 5.4 | AI score 6.7 | EPSS 0.00063
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/18 10:19 p.m., 5 views

WordPress myCred plugin <= 2.9.7.1 - Missing Authorization to Sensitive Information Exposure vulnerability

Missing Authorization to Sensitive Information Exposure vulnerability discovered by Rafshanzani Suhada in WordPress Plugin myCred versions <= 2.9.7.1...

CVSS 4.3 | AI score 6.6 | EPSS 0.00034
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/18 10:17 p.m., 2 views

WordPress Colibri Page Builder plugin <= 1.0.345 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by Abu Hurayra HurayraIIT in WordPress Plugin Colibri Page Builder versions <= 1.0.345...

CVSS 6.4 | AI score 5.3 | EPSS 0.00031
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/18 10:16 p.m., 5 views

WordPress BA Book Everything plugin <= 1.8.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via babe-search-form Shortcode vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via babe-search-form Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin BA Book Everything versions <= 1.8.14...

CVSS 6.4 | AI score 5.6 | EPSS 0.00032
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/18 10:10 p.m., 3 views

WordPress Simply Schedule Appointments plugin <= 1.6.9.16 - Missing Authorization to Unauthenticated Sensitive Information Exposure vulnerability

Missing Authorization to Unauthenticated Sensitive Information Exposure vulnerability discovered by Marcin Dudek dudekmar - CERT.PL in WordPress Plugin Simply Schedule Appointments versions <= 1.6.9.16...

CVSS 5.3 | AI score 6.7 | EPSS 0.0008
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/18 9:57 p.m., 2 views

WordPress Sweet Energy Efficiency plugin <= 1.0.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Graph Deletion vulnerability

Missing Authorization to Authenticated (Subscriber+) Arbitrary Graph Deletion vulnerability discovered by Paolo Tresso - Wordfence in WordPress Plugin Sweet Energy Efficiency versions <= 1.0.6...

CVSS 4.3 | AI score 6.8 | EPSS 0.00034
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/18 9:44 p.m., 4 views

WordPress Prime Slider – Addons for Elementor plugin <= 4.0.9 - Authenticated (Subscriber+) Server-Side Request Forgery vulnerability

Authenticated (Subscriber+) Server-Side Request Forgery vulnerability discovered by Deadbee - NA in WordPress Plugin Prime Slider – Addons For Elementor versions <= 4.0.9...

CVSS 4.3 | AI score 6.8 | EPSS 0.00034
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/18 9:04 p.m., 4 views

WordPress HUSKY – Products Filter Professional for WooCommerce plugin <= 1.3.7.3 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_subscr' vulnerability

Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_subscr' vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin HUSKY versions <= 1.3.7.3...

CVSS 4.3 | AI score 6.8 | EPSS 0.00034
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/18 12:53 p.m., 4 views

WordPress Evergreen Post Tweeter plugin <= 1.8.9 - Cross Site Request Forgery (CSRF) to Stored XSS vulnerability

Cross Site Request Forgery (CSRF) to Stored XSS vulnerability discovered by Skalucy in WordPress Plugin Evergreen Post Tweeter versions <= 1.8.9...

CVSS 8.8 | AI score 6.1 | EPSS 0.00015
Exploits 0 | Affected Software 1

Patchstack, added 2025/12/18 12:50 p.m., 5 views

WordPress DesignThemes LMS Addon plugin <= 2.6 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin DesignThemes LMS Addon versions <= 2.6...

CVSS 8.1 | AI score 7 | EPSS 0.00038
Exploits 0 | Affected Software 1

Patchstack, added 2025/12/18 12:45 p.m., 3 views

WordPress HomeFix Elementor Portfolio plugin <= 1.0.1 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin HomeFix Elementor Portfolio versions <= 1.0.1...

CVSS 8.8 | AI score 7 | EPSS 0.00038
Exploits 0 | Affected Software 1

Patchstack, added 2025/12/18 12:15 p.m., 4 views

WordPress WeDesignTech Portfolio plugin <= 1.0.2 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin WeDesignTech Portfolio versions <= 1.0.2...

CVSS 8.1 | AI score 7 | EPSS 0.00038
Exploits 0 | Affected Software 1

Patchstack, added 2025/12/18 9:03 a.m., 3 views

WordPress WP Adminify plugin <= 4.0.6.1 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by daroo in WordPress Plugin WP Adminify versions <= 4.0.6.1...

CVSS 8.8 | AI score 7 | EPSS 0.00051
Exploits 0 | Affected Software 1

Patchstack, added 2025/12/18 8:33 a.m., 3 views

WordPress WP Adminify plugin <= 4.0.6.1 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by daroo in WordPress Plugin WP Adminify versions <= 4.0.6.1...

CVSS 8.8 | AI score 7 | EPSS 0.00034
Exploits 0 | Affected Software 1

Patchstack, added 2025/12/18 8:10 a.m., 3 views

WordPress Google Calendar Events plugin <= 3.5.9 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References (IDOR) vulnerability discovered by Doan Dinh Van in WordPress Plugin Google Calendar Events versions <= 3.5.9...

CVSS 8.1 | AI score 7 | EPSS 0.00038
Exploits 0 | Affected Software 1

Patchstack, added 2025/12/18 7:45 a.m., 4 views

WordPress Ultimate Member plugin <= 2.11.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'value' vulnerability

Authenticated (Subscriber+) Stored Cross-Site Scripting via 'value' vulnerability discovered by tiborisaak in WordPress Plugin Ultimate Member versions <= 2.11.0...

CVSS 6.4 | AI score 5.5 | EPSS 0.00031
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/18 7:29 a.m., 3 views

WordPress DirectoryPress plugin <= 3.6.26 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by daroo in WordPress Plugin DirectoryPress versions <= 3.6.26...

CVSS 5.4 | AI score 5.4 | EPSS 0.00053
Exploits 0 | Affected Software 1

Patchstack, added 2025/12/18 7:23 a.m., 5 views

WordPress Demo Importer Plus plugin <= 2.0.8 - Missing Authorization to Authenticated (Subscriber+) Site Reset and Privilege Escalation vulnerability

Missing Authorization to Authenticated (Subscriber+) Site Reset and Privilege Escalation vulnerability discovered by shark3y in WordPress Plugin Demo Importer Plus versions <= 2.0.8...

CVSS 8.8 | AI score 6.6 | EPSS 0.00064
Exploits 1 | References 1 | Affected Software 1

Patchstack, added 2025/12/18 6:55 a.m., 3 views

WordPress DirectoryPress plugin <= 3.6.25 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by daroo in WordPress Plugin DirectoryPress versions <= 3.6.25...

AI score 5.4 | EPSS 0.00042
Exploits 0 | Affected Software 1

Patchstack, added 2025/12/17 10:58 p.m., 5 views

WordPress OpenID Connect Generic Client plugin <= 3.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin OpenID Connect Generic Client versions <= 3.10.0...

CVSS 6.4 | AI score 5.6 | EPSS 0.00037
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/17 10:57 p.m., 3 views

WordPress NextGEN Gallery plugin <= 3.59.12 - Authenticated (Contributor+) Local File Inclusion via 'template' vulnerability

Authenticated (Contributor+) Local File Inclusion via 'template' vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin NextGEN Gallery versions <= 3.59.12...

CVSS 8.8 | AI score 6.8 | EPSS 0.00095
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/17 10:56 p.m., 5 views

WordPress Events Manager plugin <= 7.2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'events_list_grouped' Shortcode vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via 'events_list_grouped' Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Events Manager versions <= 7.2.2.1...

CVSS 6.4 | AI score 5.6 | EPSS 0.00046
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/17 10:54 p.m., 3 views

WordPress Embed Any Document plugin <= 2.7.10 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Embed Any Document versions <= 2.7.10...

CVSS 6.4 | AI score 5.6 | EPSS 0.00032
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/17 10:18 p.m., 8 views

WordPress Live Composer – Free WordPress Website Builder plugin <= 2.0.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting vulnerability

Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin Page Builder: Live Composer versions <= 2.0.2...

CVSS 6.4 | AI score 5.3 | EPSS 0.00037
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/17 10:16 p.m., 5 views

WordPress Ultimate Member plugin <= 2.11.0 - Authenticated (Subscriber+) Profile Privacy Setting Bypass vulnerability

Authenticated (Subscriber+) Profile Privacy Setting Bypass vulnerability discovered by Boris Bogosavac in WordPress Plugin Ultimate Member versions <= 2.11.0...

CVSS 4.3 | AI score 6.8 | EPSS 0.00039
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/17 8:53 p.m., 3 views

WordPress My auctions allegro plugin <= 3.6.33 - Cross Site Request Forgery (CSRF) vulnerability

Cross Site Request Forgery (CSRF) vulnerability discovered by Muhammad Nur Ibnu Hubab in WordPress Plugin My auctions allegro versions <= 3.6.33...

CVSS 8.8 | AI score 7 | EPSS 0.00016
Exploits 0 | Affected Software 1

Patchstack, added 2025/12/17 3:36 p.m., 3 views

WordPress WPBakery Visual Composer WHMCS Elements plugin <= 1.0.4.3 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability discovered by Nabil Irawan in WordPress Plugin WPBakery Visual Composer WHMCS Elements versions <= 1.0.4.3...

CVSS 6.1 | AI score 6.1 | EPSS 0.00027
Exploits 0 | Affected Software 1

Patchstack, added 2025/12/17 3:17 p.m., 3 views

WordPress Simple Keyword to Link plugin <= 1.5 - Cross Site Request Forgery (CSRF) vulnerability

Cross Site Request Forgery (CSRF) vulnerability discovered by Nabil Irawan in WordPress Plugin Simple Keyword to Link versions <= 1.5...

CVSS 8.8 | AI score 6.9 | EPSS 0.00016
Exploits 0 | Affected Software 1

Patchstack, added 2025/12/17 9:59 a.m., 4 views

WordPress My auctions allegro plugin <= 3.6.34 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability discovered by Muhammad Nur Ibnu Hubab in WordPress Plugin My auctions allegro versions <= 3.6.34...

CVSS 5.4 | AI score 5.9 | EPSS 0.00027
Exploits 0 | Affected Software 1

Patchstack, added 2025/12/17 9:38 a.m., 4 views

WordPress DesignThemes Core plugin <= 1.6 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin DesignThemes Core versions <= 1.6...

CVSS 6.1 | AI score 6.1 | EPSS 0.00029
Exploits 0 | Affected Software 1

Patchstack, added 2025/12/17 9:34 a.m., 3 views

WordPress Claspo – Popups, Spin the Wheel & Email Capture plugin <= 1.0.7 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Claspo – Popups, Spin the Wheel & Email Capture versions <= 1.0.7...

CVSS 7.5 | AI score 7 | EPSS 0.00038
Exploits 0 | Affected Software 1

Patchstack, added 2025/12/17 9:16 a.m., 4 views

WordPress DesignThemes Portfolio Addon plugin <= 1.5 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin DesignThemes Portfolio Addon versions <= 1.5...

CVSS 6.1 | AI score 6.1 | EPSS 0.00029
Exploits 0 | Affected Software 1

Patchstack, added 2025/12/17 7:31 a.m., 16 views

WordPress HTML Forms – Simple WordPress Forms Plugin plugin <= 1.6.0 - Unauthenticated Stored Cross-Site Scripting vulnerability

Unauthenticated Stored Cross-Site Scripting vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin HTML Forms versions <= 1.6.0...

CVSS 6.1 | AI score 5.4 | EPSS 0.00109
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/17 7:25 a.m., 3 views

WordPress ModelTheme Addons for WPBakery and Elementor plugin < 1.5.6 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin ModelTheme Addons for WPBakery and Elementor versions < 1.5.6...

CVSS 5.4 | AI score 6.1 | EPSS 0.00029
Exploits 0 | Affected Software 1

Patchstack, added 2025/12/17 7:25 a.m., 6 views

WordPress Zephyr Project Manager plugin <= 3.3.203 - Authenticated (Custom+) Arbitrary File Read And Server-Side Request Forgery vulnerability

Authenticated (Custom+) Arbitrary File Read And Server-Side Request Forgery vulnerability discovered by type5afe in WordPress Plugin Zephyr Project Manager versions <= 3.3.203...

CVSS 4.9 | AI score 6.8 | EPSS 0.00181
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/17 7:24 a.m., 5 views

WordPress Better Messages plugin <= 2.10.2 - Unauthenticated Stored Cross-Site Scripting vulnerability

Unauthenticated Stored Cross-Site Scripting vulnerability discovered by zer0gh0st in WordPress Plugin BP Better Messages versions <= 2.10.2...

CVSS 6.1 | AI score 5.5 | EPSS 0.00106
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/17 7:12 a.m., 4 views

WordPress WP Social Ninja plugin <= 4.0.1 - Missing Authorization to Unauthenticated Plugin's Settings Disclosure And Modification vulnerability

Missing Authorization to Unauthenticated Plugin's Settings Disclosure And Modification vulnerability discovered by shark3y in WordPress Plugin WP Social Ninja versions <= 4.0.1...

CVSS 6.5 | AI score 6.7 | EPSS 0.00139
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/17 5:42 a.m., 2 views

WordPress Ninja Forms plugin <= 3.13.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure via Unscoped Bearer Token vulnerability

Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure via Unscoped Bearer Token vulnerability discovered by WordFence in WordPress Plugin Ninja Forms versions <= 3.13.2...

CVSS 7.5 | AI score 6.7 | EPSS 0.00106
Exploits 0 | References 2 | Affected Software 1

Patchstack, added 2025/12/17 3:42 a.m., 3 views

WordPress Watu Quiz plugin <= 3.4.5 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by daroo in WordPress Plugin Watu Quiz versions <= 3.4.5...

CVSS 8.1 | AI score 7 | EPSS 0.00036
Exploits 0 | Affected Software 1

Patchstack, added 2025/12/17 12:00 a.m., 5 views

WordPress Download Plugins and Themes from Dashboard plugin <= 1.9.6 - Cross-Site Request Forgery to Bulk Plugin/Theme Archival vulnerability

Cross-Site Request Forgery to Bulk Plugin/Theme Archival vulnerability discovered by bosz in WordPress Plugin Download Plugins and Themes from Dashboard versions <= 1.9.6...

CVSS 4.3 | AI score 6.7 | EPSS 0.00013
Exploits 0 | References 1 | Affected Software 1

Patchstack, added 2025/12/16 11:22 p.m., 3 views

WordPress Converter for Media plugin <= 6.3.2 - Missing Authorization to Authenticated (Subscriber+) Optimized Image Deletion via regenerate-attachment REST Endpoint vulnerability

Missing Authorization to Authenticated (Subscriber+) Optimized Image Deletion via regenerate-attachment REST Endpoint vulnerability discovered by Marcin Dudek dudekmar - CERT.PL in WordPress Plugin Converter for Media versions <= 6.3.2...

CVSS 4.3 | AI score 6.8 | EPSS 0.00036
Exploits 0 | References 1 | Affected Software 1

Total number of security vulnerabilities: 45686