WordPress myCred plugin <= 2.9.7.1 - Missing Authorization to Sensitive Information Exposure vulnerability

Missing Authorization to Sensitive Information Exposure vulnerability discovered by Rafshanzani Suhada in WordPress Plugin myCred versions = 2.9.7.1...

WordPress Colibri Page Builder plugin <= 1.0.345 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by Abu Hurayra HurayraIIT in WordPress Plugin Colibri Page Builder versions = 1.0.345...

WordPress BA Book Everything plugin <= 1.8.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via babe-search-form Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via babe-search-form Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin BA Book Everything versions = 1.8.14...

WordPress Simply Schedule Appointments plugin <= 1.6.9.16 - Missing Authorization to Unauthenticated Sensitive Information Exposure vulnerability

Missing Authorization to Unauthenticated Sensitive Information Exposure vulnerability discovered by Marcin Dudek dudekmar - CERT.PL in WordPress Plugin Simply Schedule Appointments versions = 1.6.9.16...

WordPress Sweet Energy Efficiency plugin <= 1.0.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Graph Deletion vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Graph Deletion vulnerability discovered by Paolo Tresso - Wordfence in WordPress Plugin Sweet Energy Efficiency versions = 1.0.6...

WordPress Prime Slider – Addons for Elementor plugin <= 4.0.9 - Authenticated (Subscriber+) Server-Side Request Forgery vulnerability

Authenticated Subscriber+ Server-Side Request Forgery vulnerability discovered by Deadbee - NA in WordPress Plugin Prime Slider – Addons For Elementor versions = 4.0.9...

WordPress HUSKY – Products Filter Professional for WooCommerce plugin <= 1.3.7.3 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_subscr' vulnerability

Authenticated Subscriber+ Insecure Direct Object Reference via 'woofaddsubscr' vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin HUSKY versions = 1.3.7.3...

WordPress Evergreen Post Tweeter plugin <= 1.8.9 - Cross Site Request Forgery (CSRF) to Stored XSS vulnerability

Cross Site Request Forgery CSRF to Stored XSS vulnerability discovered by Skalucy in WordPress Plugin Evergreen Post Tweeter versions = 1.8.9...

WordPress DesignThemes LMS Addon plugin <= 2.6 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin DesignThemes LMS Addon versions = 2.6...

WordPress HomeFix Elementor Portfolio plugin <= 1.0.1 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin HomeFix Elementor Portfolio versions = 1.0.1...

WordPress WeDesignTech Portfolio plugin <= 1.0.2 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin WeDesignTech Portfolio versions = 1.0.2...

WordPress WP Adminify plugin <= 4.0.6.1 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by daroo in WordPress Plugin WP Adminify versions = 4.0.6.1...

WordPress WP Adminify plugin <= 4.0.6.1 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by daroo in WordPress Plugin WP Adminify versions = 4.0.6.1...

WordPress Google Calendar Events plugin <= 3.5.9 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References IDOR vulnerability discovered by Doan Dinh Van in WordPress Plugin Google Calendar Events versions = 3.5.9...

WordPress Ultimate Member plugin <= 2.11.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'value' vulnerability

Authenticated Subscriber+ Stored Cross-Site Scripting via 'value' vulnerability discovered by tiborisaak in WordPress Plugin Ultimate Member versions = 2.11.0...

WordPress DirectoryPress plugin <= 3.6.26 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by daroo in WordPress Plugin DirectoryPress versions = 3.6.26...

WordPress Demo Importer Plus plugin <= 2.0.8 - Missing Authorization to Authenticated (Subscriber+) Site Reset and Privilege Escalation vulnerability

Missing Authorization to Authenticated Subscriber+ Site Reset and Privilege Escalation vulnerability discovered by shark3y in WordPress Plugin Demo Importer Plus versions = 2.0.8...

WordPress DirectoryPress plugin <= 3.6.25 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by daroo in WordPress Plugin DirectoryPress versions = 3.6.25...

WordPress OpenID Connect Generic Client plugin <= 3.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin OpenID Connect Generic Client versions = 3.10.0...

WordPress NextGEN Gallery plugin <= 3.59.12 - Authenticated (Contributor+) Local File Inclusion via 'template' vulnerability

Authenticated Contributor+ Local File Inclusion via 'template' vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin NextGEN Gallery versions = 3.59.12...

WordPress Events Manager plugin <= 7.2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'events_list_grouped' Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'eventslistgrouped' Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Events Manager versions = 7.2.2.1...

WordPress Embed Any Document plugin <= 2.7.10 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Embed Any Document versions = 2.7.10...

WordPress Live Composer – Free WordPress Website Builder plugin <= 2.0.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ DOM-Based Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin Page Builder: Live Composer versions = 2.0.2...

WordPress Ultimate Member plugin <= 2.11.0 - Authenticated (Subscriber+) Profile Privacy Setting Bypass vulnerability

Authenticated Subscriber+ Profile Privacy Setting Bypass vulnerability discovered by Boris Bogosavac in WordPress Plugin Ultimate Member versions = 2.11.0...

WordPress My auctions allegro plugin <= 3.6.33 - Cross Site Request Forgery (CSRF) vulnerability

Cross Site Request Forgery CSRF vulnerability discovered by Muhammad Nur Ibnu Hubab in WordPress Plugin My auctions allegro versions = 3.6.33...

WordPress WPBakery Visual Composer WHMCS Elements plugin <= 1.0.4.3 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Nabil Irawan in WordPress Plugin WPBakery Visual Composer WHMCS Elements versions = 1.0.4.3...

WordPress Simple Keyword to Link plugin <= 1.5 - Cross Site Request Forgery (CSRF) vulnerability

Cross Site Request Forgery CSRF vulnerability discovered by Nabil Irawan in WordPress Plugin Simple Keyword to Link versions = 1.5...

WordPress My auctions allegro plugin <= 3.6.34 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Muhammad Nur Ibnu Hubab in WordPress Plugin My auctions allegro versions = 3.6.34...

WordPress DesignThemes Core plugin <= 1.6 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin DesignThemes Core versions = 1.6...

WordPress Claspo – Popups, Spin the Wheel & Email Capture plugin <= 1.0.7 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Claspo – Popups, Spin the Wheel & Email Capture versions = 1.0.7...

WordPress DesignThemes Portfolio Addon plugin <= 1.5 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin DesignThemes Portfolio Addon versions = 1.5...

WordPress HTML Forms – Simple WordPress Forms Plugin plugin <= 1.6.0 - Unauthenticated Stored Cross-Site Scripting vulnerability

Unauthenticated Stored Cross-Site Scripting vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin HTML Forms versions = 1.6.0...

WordPress ModelTheme Addons for WPBakery and Elementor plugin < 1.5.6 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin ModelTheme Addons for WPBakery and Elementor versions 1.5.6...

WordPress Zephyr Project Manager plugin <= 3.3.203 - Authenticated (Custom+) Arbitrary File Read And Server-Side Request Forgery vulnerability

Authenticated Custom+ Arbitrary File Read And Server-Side Request Forgery vulnerability discovered by type5afe in WordPress Plugin Zephyr Project Manager versions = 3.3.203...

WordPress Better Messages plugin <= 2.10.2 - Unauthenticated Stored Cross-Site Scripting vulnerability

Unauthenticated Stored Cross-Site Scripting vulnerability discovered by zer0gh0st in WordPress Plugin BP Better Messages versions = 2.10.2...

WordPress WP Social Ninja plugin <= 4.0.1 - Missing Authorization to Unauthenticated Plugin's Settings Disclosure And Modification vulnerability

Missing Authorization to Unauthenticated Plugin's Settings Disclosure And Modification vulnerability discovered by shark3y in WordPress Plugin WP Social Ninja versions = 4.0.1...

WordPress Ninja Forms plugin <= 3.13.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure via Unscoped Bearer Token vulnerability

Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure via Unscoped Bearer Token vulnerability discovered by WordFence in WordPress Plugin Ninja Forms versions = 3.13.2...

WordPress Watu Quiz plugin <= 3.4.5 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by daroo in WordPress Plugin Watu Quiz versions = 3.4.5...

WordPress Download Plugins and Themes from Dashboard plugin <= 1.9.6 - Cross-Site Request Forgery to Bulk Plugin/Theme Archival vulnerability

Cross-Site Request Forgery to Bulk Plugin/Theme Archival vulnerability discovered by bosz in WordPress Plugin Download Plugins and Themes from Dashboard versions = 1.9.6...

WordPress Converter for Media plugin <= 6.3.2 - Missing Authorization to Authenticated (Subscriber+) Optimized Image Deletion via regenerate-attachment REST Endpoint vulnerability

Missing Authorization to Authenticated Subscriber+ Optimized Image Deletion via regenerate-attachment REST Endpoint vulnerability discovered by Marcin Dudek dudekmar - CERT.PL in WordPress Plugin Converter for Media versions = 6.3.2...

WordPress WP Cookie Consent plugin <= 4.0.7 - Missing Authorization to Unauthenticated Arbitrary Post Deletion vulnerability

Missing Authorization to Unauthenticated Arbitrary Post Deletion vulnerability discovered by shark3y in WordPress Plugin WP Cookie Notice for GDPR, CCPA & ePrivacy Consent versions = 4.0.7...

WordPress WP Recipe Maker plugin <= 10.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by Abhinav Jaswal wrathexe - Self employed in WordPress Plugin WP Recipe Maker versions = 10.2.3...

WordPress Essential Addons for Elementor plugin <= 6.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin Essential Addons for Elementor versions = 6.5.3...

WordPress Essential Blocks plugin <= 5.7.2 - Missing Authorization To Authenticated (Author+) Information Disclosure vulnerability

Missing Authorization To Authenticated Author+ Information Disclosure vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Essential Blocks for Gutenberg versions = 5.7.2...

WordPress WP to LinkedIn Auto Publish plugin <= 1.9.8 - Reflected Cross-Site Scripting via PostMessage vulnerability

Reflected Cross-Site Scripting via PostMessage vulnerability discovered by Nicolai Hellesnes nico in WordPress Plugin WP to LinkedIn Auto Publish versions = 1.9.8...

WordPress Social Media Auto Publish plugin <= 3.6.5 - Reflected Cross-Site Scripting via PostMessage vulnerability

Reflected Cross-Site Scripting via PostMessage vulnerability discovered by Nicolai Hellesnes nico in WordPress Plugin Social Media Auto Publish versions = 3.6.5...

WordPress WP3D Model Import Viewer plugin <= 1.0.7 - Authenticated (Contributor+) Arbitrary File Upload vulnerability

Authenticated Contributor+ Arbitrary File Upload vulnerability discovered by kr0d in WordPress Plugin WP3D Model Import Viewer versions = 1.0.7...

WordPress Filter & Grids plugin <= 3.2.0 - Unauthenticated SQL Injection vulnerability

Unauthenticated SQL Injection vulnerability discovered by mikemyers in WordPress Plugin Filter & Grids versions = 3.2.0...

WordPress Export WP Page to Static HTML & PDF plugin <= 4.3.4 - Unauthenticated Cookie Exposure via Log File vulnerability

Unauthenticated Cookie Exposure via Log File vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Export WP Page to Static HTML/CSS versions = 4.3.4...

WordPress Postem Ipsum plugin <= 3.0.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation in postem_ipsum_generate_users vulnerability

Missing Authorization to Authenticated Subscriber+ Privilege Escalation in postemipsumgenerateusers vulnerability discovered by kr0d in WordPress Plugin Postem Ipsum versions = 3.0.1...