45948 matches found
WordPress WP User Manager plugin <= 2.9.12 - Authenticated (Subscriber+) Arbitrary File Deletion via 'current_user_avatar' Parameter vulnerability
Authenticated (Subscriber+) Arbitrary File Deletion via 'current_user_avatar' Parameter vulnerability discovered by YCInfosec in WordPress Plugin WP User Manager versions <= 2.9.12...
WordPress Infility Global plugin <= 2.14.42 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by kr0d in WordPress Plugin Infility Global versions <= 2.14.42...
WordPress Multi Uploader for Gravity Forms plugin <= 1.1.7 - Unauthenticated Arbitrary File Deletion vulnerability
Unauthenticated Arbitrary File Deletion vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Multi Uploader for Gravity Forms versions <= 1.1.7...
WordPress 评论小秘书 plugin <= 1.3.2 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] vulnerability
Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin 评论小秘书 versions <= 1.3.2...
WordPress Category Dropdown List plugin <= 1.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] vulnerability
Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin Category Dropdown List versions <= 1.0...
WordPress WPLG Default Mail From plugin <= 1.0.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] vulnerability
Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin WPLG Default Mail From versions <= 1.0.0...
WordPress Complag plugin <= 1.0.2 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] vulnerability
Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin Complag versions <= 1.0.2...
WordPress Accept Stripe Payments Using Contact Form 7 plugin <= 3.1 - Reflected Cross-Site Scripting via failure_message vulnerability
Reflected Cross-Site Scripting via failure_message vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Accept Stripe Payments Using Contact Form 7 versions <= 3.1...
WordPress Like DisLike Voting plugin <= 1.0.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] vulnerability
Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin Like DisLike Voting versions <= 1.0.1...
WordPress Jobmonster Elementor Addon plugin <= 1.1.4 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Jobmonster Elementor Addon versions <= 1.1.4...
WordPress Blaze Demo Importer plugin 1.0.0-1.0.13 - Missing Authorization to Authenticated (Subscriber+) Database Reset and File Deletion vulnerability
Missing Authorization to Authenticated (Subscriber+) Database Reset and File Deletion vulnerability discovered by kr0d in WordPress Plugin Blaze Demo Importer versions 1.0.0-1.0.13...
WordPress WPNakama plugin <= 0.6.3 - Unauthenticated SQL Injection via 'order_by' Parameter vulnerability
Unauthenticated SQL Injection via 'order_by' Parameter vulnerability discovered by WordFence in WordPress Plugin WPNakama versions <= 0.6.3...
WordPress Visitor Logic Lite plugin <= 1.0.3 - Unauthenticated PHP Object Injection via 'lpblocks' Cookie vulnerability
Unauthenticated PHP Object Injection via 'lpblocks' Cookie vulnerability discovered by Ivan Cese in WordPress Plugin Visitor Logic Lite versions <= 1.0.3...
WordPress Jobmonster theme <= 4.8.2 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Jobmonster versions <= 4.8.2...
WordPress Magical Posts Display plugin <= 1.2.54 - Authenticated (Author+) Stored Cross-Site Scripting via Magical Posts Accordion Widget vulnerability
Authenticated (Author+) Stored Cross-Site Scripting via Magical Posts Accordion Widget vulnerability discovered by Abu Hurayra HurayraIIT in WordPress Plugin Magical Posts Display versions <= 1.2.54...
WordPress Simple Bike Rental plugin <= 1.0.6 - Missing Authorization to Authenticated (Subscriber+) Sensitive Booking Data Exposure vulnerability
Missing Authorization to Authenticated (Subscriber+) Sensitive Booking Data Exposure vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Simple Bike Rental versions <= 1.0.6...
WordPress Events Manager – Calendar, Bookings, Tickets, and more! plugin <= 7.2.2.2 - Cross-Site Request Forgery to Location Deletion vulnerability
Cross-Site Request Forgery to Location Deletion vulnerability discovered by thinnawarth mathuros in WordPress Plugin Events Manager versions <= 7.2.2.2...
WordPress Events Manager plugin <= 7.2.2.2 - Unauthenticated Information Exposure vulnerability
Unauthenticated Information Exposure vulnerability discovered by thinnawarth mathuros in WordPress Plugin Events Manager versions <= 7.2.2.2...
WordPress AI Feeds plugin <= 1.0.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'aife_post_meta' Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'aife_post_meta' Shortcode vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin AI Feeds versions <= 1.0.22...
WordPress Secure Copy Content Protection and Content Locking plugin <= 4.9.2 - Cross-Site Request Forgery to Data Export vulnerability
Cross-Site Request Forgery to Data Export vulnerability discovered by Deadbee - NA in WordPress Plugin Secure Copy Content Protection and Content Locking versions <= 4.9.2...
WordPress Secure Copy Content Protection and Content Locking plugin <= 4.9.2 - Unauthenticated Sensitive Information Exposure via Exposed CSV Export File vulnerability
Unauthenticated Sensitive Information Exposure via Exposed CSV Export File vulnerability discovered by Deadbee - NA in WordPress Plugin Secure Copy Content Protection and Content Locking versions <= 4.9.2...
WordPress Email Subscribers & Newsletters plugin <= 5.9.10 - Missing Authentication to Unauthenticated Action Scheduler Task Execution vulnerability
Missing Authentication to Unauthenticated Action Scheduler Task Execution vulnerability discovered by Adrian Lukita in WordPress Plugin Email Subscribers & Newsletters versions <= 5.9.10...
WordPress PDF for Contact Form 7 + Drag and Drop Template Builder plugin <= 6.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Duplication vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Duplication vulnerability discovered by Legion Hunter in WordPress Plugin PDF for Contact Form 7 versions <= 6.3.3...
WordPress MailerLite – Signup forms (official) plugin <= 1.7.16 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability discovered by NosleeP++ in WordPress Plugin MailerLite versions <= 1.7.16...
WordPress WP Recipe Maker plugin <= 10.2.2 - Insecure Direct Object Reference to Sensitive Information Exposure vulnerability
Insecure Direct Object Reference to Sensitive Information Exposure vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin WP Recipe Maker versions <= 10.2.2...
WordPress WP Fastest Cache Premium plugin <= 1.7.4 - Missing Authorization to Authenticated (Subscriber+) Blind Server-Side Request Forgery vulnerability
Missing Authorization to Authenticated (Subscriber+) Blind Server-Side Request Forgery vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin WP Fastest Cache Premium versions <= 1.7.4...
WordPress BSK PDF Manager plugin <= 3.7.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via SVG File Upload vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via SVG File Upload vulnerability discovered by rajanhoyr in WordPress Plugin BSK PDF Manager versions <= 3.7.1...
WordPress Mailgun Subscriptions plugin <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Gilang - DJ in WordPress Plugin Mailgun Subscriptions versions <= 1.3.1...
WordPress Guest Support plugin <= 1.2.3 - Unauthenticated User Email Disclosure in guest_support_handler AJAX Endpoint vulnerability
Unauthenticated User Email Disclosure in guest_support_handler AJAX Endpoint vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Guest Support versions <= 1.2.3...
WordPress Hippoo Mobile App for WooCommerce plugin <= 1.7.1 - Missing Authorization to Unauthenticated Limited File Write vulnerability
Missing Authorization to Unauthenticated Limited File Write vulnerability discovered by NumeX in WordPress Plugin Hippoo Mobile App for WooCommerce versions <= 1.7.1...
WordPress Ultra Addons for Contact Form 7 plugin <= 3.5.33 - Missing Authorization to Authenticated (Subscriber+) to Generate Form Submission PDF vulnerability
Missing Authorization to Authenticated (Subscriber+) to Generate Form Submission PDF vulnerability discovered by shark3y in WordPress Plugin Ultimate Addons for Contact Form 7 versions <= 3.5.33...
WordPress Donation plugin <= 1.0 - Authenticated (Admin+) SQL Injection vulnerability
Authenticated (Admin+) SQL Injection vulnerability discovered by Yousof Nahya in WordPress Plugin Donation versions <= 1.0...
WordPress Contact Form 7 with ChatWork plugin <= 1.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'api_token' and 'roomid' Settings vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via 'api_token' and 'roomid' Settings vulnerability discovered by Yahya Oumani cyb3rnoob in WordPress Plugin Contact Form 7 with ChatWork versions <= 1.1.0...
WordPress Resource Library for Logged In Users plugin <= 1.4 - Cross-Site Request Forgery to Multiple Administrative Actions vulnerability
Cross-Site Request Forgery to Multiple Administrative Actions vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Resource Library for Logged In Users versions <= 1.4...
WordPress WP Dropzone plugin <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'callback' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'callback' Shortcode Attribute vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin WP Dropzone versions <= 1.1.1...
WordPress Wpik WordPress Basic Ajax Form plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by dayea song - Ahnlab in WordPress Plugin Wpik WordPress Basic Ajax Form versions <= 1.0...
WordPress Rabbit Hole plugin <= 1.1 - Cross-Site Request Forgery to Settings Reset vulnerability
Cross-Site Request Forgery to Settings Reset vulnerability discovered by dayea song - Ahnlab in WordPress Plugin Rabbit Hole versions <= 1.1...
WordPress Simple Theme Changer plugin <= 1.0 - Missing Authorization to Plugin Settings Update via AJAX Actions vulnerability
Missing Authorization to Plugin Settings Update via AJAX Actions vulnerability discovered by dayea song - Ahnlab in WordPress Plugin Simple Theme Changer versions <= 1.0...
WordPress Simple Theme Changer plugin <= 1.0 - Cross-Site Request Forgery to Arbitrary Theme Switcher Configuration Update vulnerability
Cross-Site Request Forgery to Arbitrary Theme Switcher Configuration Update vulnerability discovered by dayea song - Ahnlab in WordPress Plugin Simple Theme Changer versions <= 1.0...
WordPress IMAQ Core plugin <= 1.2.1 - Cross-Site Request Forgery to URL Structure Update vulnerability
Cross-Site Request Forgery to URL Structure Update vulnerability discovered by dayea song - Ahnlab in WordPress Plugin IMAQ CORE versions <= 1.2.1...
WordPress WP Job Portal plugin <= 2.4.4 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Long Nguyen in WordPress Plugin WP Job Portal versions <= 2.4.4...
WordPress LS Google Map Router plugin <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Software: LS Google Map Router; Type: Plugin; Vulnerable versions: <= 1.1.0; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE ID: CVE-2025-13850; Patchstack priority: Low; CVSS severity: 6.5; Required privilege: Contributor; PSID: b2117d151506...
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin LS Google Map Router versions <= 1.1.0...
WordPress Product Filtering by Categories, Tags, Price Range for WooCommerce plugin <= 1.1.6 - Missing Authorization to Unauthenticated plugin Settings Modification vulnerability
Missing Authorization to Unauthenticated plugin Settings Modification vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Filter Plus versions <= 1.1.6...
WordPress FX Currency Converter plugin <= 0.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin FX Currency Converter versions <= 0.2.0...
WordPress Divelogs Widget plugin <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin Divelogs Widget versions <= 1.5...
WordPress GPXpress plugin <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin GPXpress versions <= 1.3...
WordPress Truefy Embed plugin <= 1.1.0 - Cross-Site Request Forgery to 'truefy_embed_options_update' Settings Update vulnerability
Cross-Site Request Forgery to 'truefy_embed_options_update' Settings Update vulnerability discovered by dayea song - Ahnlab in WordPress Plugin Truefy Embed versions <= 1.1.0...
WordPress NewStatPress plugin <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin NewStatPress versions <= 1.4.3...
WordPress WPGancio plugin <= 1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin WPGancio versions <= 1.12...