WordPress Admin and Site Enhancements (ASE) plugin <= 8.0.8 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by daroo in WordPress Plugin Admin and Site Enhancements ASE versions = 8.0.8...

WordPress Sailing theme < 4.4.6 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Sailing versions 4.4.6...

WordPress WCFM – Frontend Manager for WooCommerce plugin <= 6.7.24 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by benzdeus in WordPress Plugin WCFM – Frontend Manager for WooCommerce versions = 6.7.24...

WordPress UseStrict's Calendly Embedder plugin <= 1.1.7.2 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Nabil Irawan in WordPress Plugin UseStricts Calendly Embedder versions = 1.1.7.2...

WordPress Fashion theme < 5.3.0 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Fashion versions 5.3.0...

WordPress My Calendar plugin <= 3.6.16 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Doan Dinh Van in WordPress Plugin My Calendar versions = 3.6.16...

WordPress ThirstyAffiliates plugin <= 3.11.8 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin ThirstyAffiliates versions = 3.11.8...

WordPress Simple Link Directory plugin <= 8.8.3 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by daroo in WordPress Plugin Simple Link Directory versions = 8.8.3...

WordPress Ninja Tables plugin <= 5.2.3 - SQL Injection vulnerability

SQL Injection vulnerability discovered by w41bu1 in WordPress Plugin Ninja Tables versions = 5.2.3...

WordPress Simple Folio plugin <= 1.1.0 - Cross Site Request Forgery (CSRF) vulnerability

Cross Site Request Forgery CSRF vulnerability discovered by Skalucy in WordPress Plugin Simple Folio versions = 1.1.0...

WordPress Directorist plugin <= 8.5.10 - Open Redirection vulnerability

Open Redirection vulnerability discovered by daroo in WordPress Plugin Directorist versions = 8.5.10...

WordPress Business Directory plugin <= 6.4.19 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by daroo in WordPress Plugin Business Directory versions = 6.4.19...

WordPress Health Check & Troubleshooting plugin <= 1.7.1 - Path Traversal vulnerability

Path Traversal vulnerability discovered by PPzzAArr in WordPress Plugin Health Check & Troubleshooting versions = 1.7.1...

WordPress LA-Studio Element Kit for Elementor plugin < 1.5.6.3 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by NumeX in WordPress Plugin LA-Studio Element Kit for Elementor versions 1.5.6.3...

WordPress Store Locator WordPress plugin <= 1.6.2 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Jarno Vos jrn5151 in WordPress Plugin Store Locator WordPress versions = 1.6.2...

WordPress Accessibility by AudioEye plugin <= 1.0.49 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin Accessibility by AudioEye versions = 1.0.49...

WordPress WP Views Counter plugin <= 2.1.2 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin WP Views Counter versions = 2.1.2...

WordPress PenNews theme < 6.7.4 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme PenNews versions 6.7.4...

WordPress Import external attachments plugin <= 1.5.12 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin Import external attachments versions = 1.5.12...

WordPress Pochipp plugin <= 1.18.0 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by NumeX in WordPress Plugin Pochipp versions = 1.18.0...

WordPress CMSMasters Content Composer plugin <= 2.5.8 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Phat RiO in WordPress Plugin CMSMasters Content Composer versions = 2.5.8...

WordPress Sendinblue for WooCommerce plugin <= 4.0.49 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by ohmymex in WordPress Plugin Sendinblue for WooCommerce versions = 4.0.49...

WordPress xPromoter plugin <= 1.3.4 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin xPromoter versions = 1.3.4...

WordPress CountDown With Image or Video Background plugin <= 1.5 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin CountDown With Image or Video Background versions = 1.5...

WordPress Head Meta Data plugin <= 20250327 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Jitlada in WordPress Plugin Head Meta Data versions = 20250327...

WordPress Accordion Slider PRO plugin <= 1.2 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Accordion Slider PRO versions = 1.2...

WordPress Essential Real Estate plugin <= 5.2.6 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by daroo in WordPress Plugin Essential Real Estate versions = 5.2.6...

WordPress Essential Real Estate plugin <= 5.2.6 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References IDOR vulnerability discovered by daroo in WordPress Plugin Essential Real Estate versions = 5.2.6...

WordPress EduMall theme <= 4.4.7 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme EduMall versions = 4.4.7...

WordPress MinimogWP theme <= 3.9.6 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme MinimogWP versions = 3.9.6...

WordPress MinimogWP theme <= 3.9.6 - Local File Inclusion vulnerability

Software : MinimogWP Type : Theme Vulnerable versions : = 3.9.6 OWASP Top 10 : A3: Injection Classification : Local File Inclusion CVE ID : CVE-2025-68062 Patchstack priority : Low CVSS severity : 7.5 Required privilege : Contributor Developer : Claim ownership PSID : 3cb901ab07d8 Credits : João...

WordPress Prime Slider – Addons For Elementor plugin <= 4.0.10 - Server Side Request Forgery (SSRF) vulnerability

Server Side Request Forgery SSRF vulnerability discovered by NumeX in WordPress Plugin Prime Slider – Addons For Elementor versions = 4.0.10...

WordPress Restrict Elementor Widgets, Columns and Sections plugin <= 1.12 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by MD ISMAIL in WordPress Plugin Restrict Elementor Widgets, Columns and Sections versions = 1.12...

WordPress Ultimate Addons for Contact Form 7 plugin <= 3.5.34 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Ultimate Addons for Contact Form 7 versions = 3.5.34...

WordPress Turitor theme < 1.5.3 - Local File Inclusion vulnerability

Software : Turitor Type : Theme Vulnerable versions : 1.5.3 Fixed in : 1.5.3 OWASP Top 10 : A3: Injection Classification : Local File Inclusion CVE ID : CVE-2025-67531 Patchstack priority : Low CVSS severity : 7.5 Required privilege : Contributor Developer : Claim ownership PSID : e31d6b389c14...

WordPress Turitor theme < 1.5.3 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Turitor versions 1.5.3...

WordPress Digiqole theme < 2.2.7 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Digiqole versions 2.2.7...

WordPress Digiqole theme < 2.2.7 - Local File Inclusion vulnerability

Software : Digiqole Type : Theme Vulnerable versions : 2.2.7 Fixed in : 2.2.7 OWASP Top 10 : A3: Injection Classification : Local File Inclusion CVE ID : CVE-2025-67527 Patchstack priority : Low CVSS severity : 7.5 Required privilege : Contributor Developer : Claim ownership PSID : 33e33ea74358...

WordPress Brizy – Page Builder plugin <= 2.7.16 - Authenticated (Contributor+) Sensitive Information Exposure via get_users Function vulnerability

Authenticated Contributor+ Sensitive Information Exposure via getusers Function vulnerability discovered by stealthcopter in WordPress Plugin Brizy versions = 2.7.16...

WordPress MarqueeAddons plugin <= 2.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonial Marquee Widget vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Testimonial Marquee Widget vulnerability discovered by zer0gh0st in WordPress Plugin Marquee Addons for Elementor versions = 2.4.3...

WordPress King Addons for Elementor plugin <= 51.1.39 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Multiple Widgets vulnerability discovered by zer0gh0st in WordPress Plugin King Addons for Elementor versions = 51.1.39...

WordPress Enter Addons plugin <= 2.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown and Image Comparison Widgets vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Countdown and Image Comparison Widgets vulnerability discovered by zer0gh0st in WordPress Plugin Enter Addons versions = 2.2.7...

WordPress Livemesh SiteOrigin Widgets plugin <= 3.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Hero Header and Pricing Table Widgets vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Hero Header and Pricing Table Widgets vulnerability discovered by zer0gh0st in WordPress Plugin Livemesh SiteOrigin Widgets versions = 3.9.1...

WordPress Popup Builder – Create highly converting, mobile friendly marketing popups. plugin <= 4.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Naoya Takahashi nakko in WordPress Plugin Popup Builder versions = 4.4.1...

WordPress TI WooCommerce Wishlist plugin <= 2.10.0 - Unauthenticated HTML Injection vulnerability

Unauthenticated HTML Injection vulnerability discovered by pimschaaf - Open Roads in WordPress Plugin TI WooCommerce Wishlist versions = 2.10.0...

WordPress All-in-One Addons for Elementor – WidgetKit plugin <= 2.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Team and Countdown Widgets vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Team and Countdown Widgets vulnerability discovered by zer0gh0st in WordPress Plugin WidgetKit versions = 2.5.6...

WordPress myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin <= 2.9.7 - Missing Authorization to Unauthenticated Withdrawal Request Approval vulnerability

Missing Authorization to Unauthenticated Withdrawal Request Approval vulnerability discovered by Rafshanzani Suhada in WordPress Plugin myCred versions = 2.9.7...

WordPress MediaCommander plugin <= 2.3.1 - Missing Authorization to Authenticated (Author+) Media Folder Deletion vulnerability

Missing Authorization to Authenticated Author+ Media Folder Deletion vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin MediaCommander versions = 2.3.1...

WordPress Lucky Draw Contests plugin <= 4.2 - Cross-Site Request Forgery to Plugin Settings Update vulnerability

Cross-Site Request Forgery to Plugin Settings Update vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Lucky Draw Contests versions = 4.2...

WordPress Popover Windows plugin <= 1.2 - Missing Authorization to Authenticated (Subscriber+) Popover Configuration Update via AJAX Actions vulnerability

Missing Authorization to Authenticated Subscriber+ Popover Configuration Update via AJAX Actions vulnerability discovered by dayea song - Ahnlab in WordPress Plugin Popover Windows versions = 1.2...