45686 matches found
WordPress Health Check & Troubleshooting plugin <= 1.7.1 - Path Traversal vulnerability
Path Traversal vulnerability discovered by PPzzAArr in WordPress Plugin Health Check & Troubleshooting versions <= 1.7.1...
WordPress LA-Studio Element Kit for Elementor plugin < 1.5.6.3 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by NumeX in WordPress Plugin LA-Studio Element Kit for Elementor versions < 1.5.6.3...
WordPress Store Locator WordPress plugin <= 1.6.2 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Jarno Vos jrn5151 in WordPress Plugin Store Locator WordPress versions <= 1.6.2...
WordPress Accessibility by AudioEye plugin <= 1.0.49 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin Accessibility by AudioEye versions <= 1.0.49...
WordPress WP Views Counter plugin <= 2.1.2 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin WP Views Counter versions <= 2.1.2...
WordPress PenNews theme < 6.7.4 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme PenNews versions < 6.7.4...
WordPress Import external attachments plugin <= 1.5.12 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin Import external attachments versions <= 1.5.12...
WordPress Pochipp plugin <= 1.18.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by NumeX in WordPress Plugin Pochipp versions <= 1.18.0...
WordPress CMSMasters Content Composer plugin <= 2.5.8 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Phat RiO in WordPress Plugin CMSMasters Content Composer versions <= 2.5.8...
WordPress Sendinblue for WooCommerce plugin <= 4.0.49 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by ohmymex in WordPress Plugin Sendinblue for WooCommerce versions <= 4.0.49...
WordPress xPromoter plugin <= 1.3.4 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin xPromoter versions <= 1.3.4...
WordPress CountDown With Image or Video Background plugin <= 1.5 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin CountDown With Image or Video Background versions <= 1.5...
WordPress Head Meta Data plugin <= 20250327 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Jitlada in WordPress Plugin Head Meta Data versions <= 20250327...
WordPress Accordion Slider PRO plugin <= 1.2 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Accordion Slider PRO versions <= 1.2...
WordPress Essential Real Estate plugin <= 5.2.6 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by daroo in WordPress Plugin Essential Real Estate versions <= 5.2.6...
WordPress Essential Real Estate plugin <= 5.2.6 - Insecure Direct Object References (IDOR) vulnerability
Insecure Direct Object References (IDOR) vulnerability discovered by daroo in WordPress Plugin Essential Real Estate versions <= 5.2.6...
WordPress EduMall theme <= 4.4.7 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme EduMall versions <= 4.4.7...
WordPress MinimogWP theme <= 3.9.6 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme MinimogWP versions <= 3.9.6...
WordPress MinimogWP theme <= 3.9.6 - Local File Inclusion vulnerability
Software: MinimogWP; Type: Theme; Vulnerable versions: <= 3.9.6; OWASP Top 10: A3: Injection; Classification: Local File Inclusion; CVE ID: CVE-2025-68062; Patchstack priority: Low; CVSS severity: 7.5; Required privilege: Contributor; PSID: 3cb901ab07d8; Credits: João...
WordPress Prime Slider – Addons For Elementor plugin <= 4.0.10 - Server Side Request Forgery (SSRF) vulnerability
Server Side Request Forgery (SSRF) vulnerability discovered by NumeX in WordPress Plugin Prime Slider – Addons For Elementor versions <= 4.0.10...
WordPress Restrict Elementor Widgets, Columns and Sections plugin <= 1.12 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by MD ISMAIL in WordPress Plugin Restrict Elementor Widgets, Columns and Sections versions <= 1.12...
WordPress Ultimate Addons for Contact Form 7 plugin <= 3.5.34 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Ultimate Addons for Contact Form 7 versions <= 3.5.34...
WordPress Turitor theme < 1.5.3 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Turitor versions < 1.5.3...
WordPress Turitor theme < 1.5.3 - Local File Inclusion vulnerability
Software: Turitor; Type: Theme; Vulnerable versions: < 1.5.3; Fixed in: 1.5.3; OWASP Top 10: A3: Injection; Classification: Local File Inclusion; CVE ID: CVE-2025-67531; Patchstack priority: Low; CVSS severity: 7.5; Required privilege: Contributor; PSID: e31d6b389c14...
WordPress Digiqole theme < 2.2.7 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Digiqole versions < 2.2.7...
WordPress Digiqole theme < 2.2.7 - Local File Inclusion vulnerability
Software: Digiqole; Type: Theme; Vulnerable versions: < 2.2.7; Fixed in: 2.2.7; OWASP Top 10: A3: Injection; Classification: Local File Inclusion; CVE ID: CVE-2025-67527; Patchstack priority: Low; CVSS severity: 7.5; Required privilege: Contributor; PSID: 33e33ea74358...
WordPress Brizy – Page Builder plugin <= 2.7.16 - Authenticated (Contributor+) Sensitive Information Exposure via get_users Function vulnerability
Authenticated (Contributor+) Sensitive Information Exposure via get_users Function vulnerability discovered by stealthcopter in WordPress Plugin Brizy versions <= 2.7.16...
WordPress MarqueeAddons plugin <= 2.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonial Marquee Widget vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonial Marquee Widget vulnerability discovered by zer0gh0st in WordPress Plugin Marquee Addons for Elementor versions <= 2.4.3...
WordPress King Addons for Elementor plugin <= 51.1.39 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets vulnerability discovered by zer0gh0st in WordPress Plugin King Addons for Elementor versions <= 51.1.39...
WordPress Enter Addons plugin <= 2.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown and Image Comparison Widgets vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown and Image Comparison Widgets vulnerability discovered by zer0gh0st in WordPress Plugin Enter Addons versions <= 2.2.7...
WordPress Livemesh SiteOrigin Widgets plugin <= 3.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Hero Header and Pricing Table Widgets vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Hero Header and Pricing Table Widgets vulnerability discovered by zer0gh0st in WordPress Plugin Livemesh SiteOrigin Widgets versions <= 3.9.1...
WordPress Popup Builder – Create highly converting, mobile friendly marketing popups. plugin <= 4.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Naoya Takahashi nakko in WordPress Plugin Popup Builder versions <= 4.4.1...
WordPress TI WooCommerce Wishlist plugin <= 2.10.0 - Unauthenticated HTML Injection vulnerability
Unauthenticated HTML Injection vulnerability discovered by pimschaaf - Open Roads in WordPress Plugin TI WooCommerce Wishlist versions <= 2.10.0...
WordPress All-in-One Addons for Elementor – WidgetKit plugin <= 2.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Team and Countdown Widgets vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Team and Countdown Widgets vulnerability discovered by zer0gh0st in WordPress Plugin WidgetKit versions <= 2.5.6...
WordPress myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin <= 2.9.7 - Missing Authorization to Unauthenticated Withdrawal Request Approval vulnerability
Missing Authorization to Unauthenticated Withdrawal Request Approval vulnerability discovered by Rafshanzani Suhada in WordPress Plugin myCred versions <= 2.9.7...
WordPress MediaCommander plugin <= 2.3.1 - Missing Authorization to Authenticated (Author+) Media Folder Deletion vulnerability
Missing Authorization to Authenticated (Author+) Media Folder Deletion vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin MediaCommander versions <= 2.3.1...
WordPress Lucky Draw Contests plugin <= 4.2 - Cross-Site Request Forgery to Plugin Settings Update vulnerability
Cross-Site Request Forgery to Plugin Settings Update vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Lucky Draw Contests versions <= 4.2...
WordPress Popover Windows plugin <= 1.2 - Missing Authorization to Authenticated (Subscriber+) Popover Configuration Update via AJAX Actions vulnerability
Missing Authorization to Authenticated (Subscriber+) Popover Configuration Update via AJAX Actions vulnerability discovered by dayea song - Ahnlab in WordPress Plugin Popover Windows versions <= 1.2...
WordPress Custom Frames plugin <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Parameter vulnerability discovered by theviper17y in WordPress Plugin Custom Frames versions <= 1.0.1...
WordPress Exhibz theme <= 3.0.9 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Exhibz versions <= 3.0.9...
WordPress Exhibz theme <= 3.0.9 - Local File Inclusion vulnerability
Software: Exhibz; Type: Theme; Vulnerable versions: <= 3.0.9; Fixed in: 3.0.10; OWASP Top 10: A3: Injection; Classification: Local File Inclusion; CVE ID: CVE-2025-67523; Patchstack priority: Low; CVSS severity: 7.5; Required privilege: Contributor; PSID: 211f5649fefe...
WordPress Shortcode Loader plugin <= 1.0 - Unauthenticated Arbitrary Shortcode Execution via 'code' Parameter vulnerability
Unauthenticated Arbitrary Shortcode Execution via 'code' Parameter vulnerability discovered by Ivan Cese in WordPress Plugin Shortcode Ajax versions <= 1.0...
WordPress Popover Windows plugin <= 1.2 - Cross-Site Request Forgery to Arbitrary Popover Configuration Update vulnerability
Cross-Site Request Forgery to Arbitrary Popover Configuration Update vulnerability discovered by dayea song - Ahnlab in WordPress Plugin Popover Windows versions <= 1.2...
WordPress Quick Testimonials plugin <= 2.1 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Authenticated (Admin+) Stored Cross-Site Scripting vulnerability discovered by Jochem Boender in WordPress Plugin Quick Testimonials versions <= 2.1...
WordPress Solutions Ad Manager plugin <= 1.0.0 - Unauthenticated Open Redirect via 'sam-redirect-to' Parameter vulnerability
Unauthenticated Open Redirect via 'sam-redirect-to' Parameter vulnerability discovered by Ivan Cese in WordPress Plugin Solutions Ad Manager versions <= 1.0.0...
WordPress AnnunciFunebri Impresa plugin <= 4.7.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary plugin Options Deletion vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary plugin Options Deletion vulnerability discovered by Legion Hunter in WordPress Plugin AnnunciFunebri Impresa versions <= 4.7.0...
WordPress Devs CRM – Manage tasks, attendance and teams all together plugin <= 1.1.8 - Missing Authorization to Unauthenticated Lead Tag Update vulnerability
Missing Authorization to Unauthenticated Lead Tag Update vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Devs CRM versions <= 1.1.8...
WordPress Popup Builder plugin <= 1.1.37 - Missing Authorization to Authenticated (Subscriber+) Arbitrary plugin Settings Reset vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary plugin Settings Reset vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Popup Builder versions <= 1.1.37...
WordPress Devs CRM plugin <= 1.1.8 - Unauthenticated Information Exposure vulnerability
Unauthenticated Information Exposure vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Devs CRM versions <= 1.1.8...
WordPress Userback plugin <= 1.0.15 - Missing Authorization to Authenticated (Subscriber+) plugin's Configuration Exposure vulnerability
Missing Authorization to Authenticated (Subscriber+) plugin's Configuration Exposure vulnerability discovered by jsonc in WordPress Plugin Userback versions <= 1.0.15...