45950 matches found
WordPress Clik stats plugin <= 0.8 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] vulnerability
Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin Clikstats versions <= 0.8...
WordPress WPForms Google Sheet Connector plugin <= 4.0.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin WPForms Google Sheet Connector versions <= 4.0.0...
WordPress WooCommerce Payment Gateway – Paysera plugin <= 3.10.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin WooCommerce Payment Gateway - Paysera versions <= 3.10.0...
WordPress WP AI CoPilot plugin <= 1.2.7 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by daroo in WordPress Plugin WP AI CoPilot versions <= 1.2.7...
WordPress Xagio SEO plugin <= 7.1.0.34 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Xagio SEO versions <= 7.1.0.34...
WordPress Timetable and Event Schedule plugin < 2.4.16 - Contributor+ Event Disclosure via IDOR vulnerability
Contributor+ Event Disclosure via IDOR vulnerability discovered by bRpsd in WordPress Plugin Timetable and Event Schedule versions < 2.4.16...
WordPress Beaver Builder – WordPress Page Builder plugin <= 2.9.4 - Missing Authorization to Authenticated (Contributor+) Builder Status Tampering vulnerability
Missing Authorization to Authenticated (Contributor+) Builder Status Tampering vulnerability discovered by WordFence in WordPress Plugin Beaver Builder versions <= 2.9.4...
WordPress Custom Post Type UI plugin <= 1.18.0 - Missing Authorization to Unauthenticated (Previously Administrator+) Custom Post Type Modification vulnerability
Missing Authorization to Unauthenticated (Previously Administrator+) Custom Post Type Modification vulnerability discovered by mahdi salhi CaptinSharky01 - CaptinSharku in WordPress Plugin Custom Post Type UI versions <= 1.18.0...
WordPress WebP Express plugin <= 0.25.9 - Unauthenticated Information Exposure vulnerability
Unauthenticated Information Exposure vulnerability discovered by Rafshanzani Suhada in WordPress Plugin WebP Express versions <= 0.25.9...
WordPress Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin <= 3.6.1 - Missing Authorization to Authenticated (Subscriber+) OAuth Token Update vulnerability
Missing Authorization to Authenticated (Subscriber+) OAuth Token Update vulnerability discovered by type5afe in WordPress Plugin Post SMTP versions <= 3.6.1...
WordPress Order Delivery Date for WooCommerce plugin <= 4.3.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Order Delivery Date for WooCommerce versions <= 4.3.1...
WordPress Post Grid and Gutenberg Blocks plugin <= 2.3.23 - Insecure Direct Object References (IDOR) vulnerability
Insecure Direct Object References (IDOR) vulnerability discovered by Doan Dinh Van in WordPress Plugin Post Grid and Gutenberg Blocks versions <= 2.3.23...
WordPress Modula plugin 2.13.1-2.13.2 - Authenticated (Author+) Arbitrary File Upload via Race Condition vulnerability
Authenticated (Author+) Arbitrary File Upload via Race Condition vulnerability discovered by 0xQRx in WordPress Plugin Modula Image Gallery versions 2.13.1-2.13.2...
WordPress Modula plugin 2.13.1-2.13.2 - Authenticated (Author+) Arbitrary File Deletion vulnerability
Authenticated (Author+) Arbitrary File Deletion vulnerability discovered by ISMAILSHADOW in WordPress Plugin Modula Image Gallery versions 2.13.1-2.13.2...
WordPress DB Access plugin <= 0.8.7 - Subscriber+ SQLi vulnerability
Subscriber+ SQLi vulnerability discovered by Yousof Nahya in WordPress Plugin DB Access versions <= 0.8.7...
WordPress Business Directory plugin <= 6.4.19 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by Legion Hunter in WordPress Plugin Business Directory versions <= 6.4.19...
WordPress Gutenverse News – Advanced News Magazine Blog Gutenberg Blocks Addons plugin <= 3.0.2 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Denver Jackson in WordPress Plugin Gutenverse News – Advanced News Magazine Blog Gutenberg Blocks Addons versions <= 3.0.2...
WordPress Chartify plugin <= 3.6.3 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by Doan Dinh Van in WordPress Plugin Chartify versions <= 3.6.3...
WordPress WP Directory Kit plugin <= 1.4.4 - Authentication Bypass to Privilege Escalation via Account Takeover vulnerability
Authentication Bypass to Privilege Escalation via Account Takeover vulnerability discovered by Ryan Kozak in WordPress Plugin WP Directory Kit versions 1.4.0-1.4.4...
WordPress Frontend Admin by DynamiApps plugin <= 3.28.20 - Unauthenticated Arbitrary Options Update vulnerability
Unauthenticated Arbitrary Options Update vulnerability discovered by YCInfosec in WordPress Plugin Frontend Admin by DynamiApps versions <= 3.28.20...
WordPress DesignThemes LMS plugin <= 1.0.4 - Unauthenticated Privilege Escalation vulnerability
Unauthenticated Privilege Escalation vulnerability discovered by シルAsuna in WordPress Plugin DesignThemes LMS versions <= 1.0.4...
WordPress Advanced Custom Fields: Extended plugin 0.9.0.5-0.9.1.1 - Unauthenticated Remote Code Execution vulnerability
Unauthenticated Remote Code Execution vulnerability discovered by Marcin Dudek dudekmar - CERT.PL in WordPress Plugin Advanced Custom Fields: Extended versions 0.9.0.5-0.9.1.1...
WordPress SureMail – SMTP and Email Logs plugin with Amazon SES, Postmark, and Other Providers plugin <= 1.9.0 - Unauthenticated Arbitrary File Upload vulnerability
Unauthenticated Arbitrary File Upload vulnerability discovered by type5afe in WordPress Plugin SureMail versions <= 1.9.0...
WordPress FindAll Listing plugin <= 1.0.5 - Unauthenticated Privilege Escalation vulnerability
Unauthenticated Privilege Escalation vulnerability discovered by シルAsuna in WordPress Plugin FindAll Listing versions <= 1.0.5...
WordPress Autoptimize plugin <= 3.1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Autoptimize versions <= 3.1.13...
WordPress TaxoPress plugin <= 3.40.1 - Authenticated (Contributor+) SQL Injection vulnerability
Authenticated (Contributor+) SQL Injection vulnerability discovered by type5afe in WordPress Plugin TaxoPress versions <= 3.40.1...
WordPress TaxoPress plugin <= 3.40.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Taxonomy Term Manipulation vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary Taxonomy Term Manipulation vulnerability discovered by type5afe in WordPress Plugin TaxoPress versions <= 3.40.1...
WordPress HUSKY plugin <= 1.3.7.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_query/woof_remove_query' vulnerability
Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_query/woof_remove_query' vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin HUSKY versions <= 1.3.7.2...
WordPress ShopEngine plugin <= 4.8.5 - Cross-Site Request Forgery to Wishlist Manipulation vulnerability
Cross-Site Request Forgery to Wishlist Manipulation vulnerability discovered by Adrian Lukita in WordPress Plugin ShopEngine versions <= 4.8.5...
WordPress Upload.am plugin < 1.0.1 - Contributor+ Arbitrary Option Disclosure vulnerability
Contributor+ Arbitrary Option Disclosure vulnerability discovered by Beatriz Fresno Naumova beafn28 in WordPress Plugin Upload.am versions < 1.0.1...
WordPress FluentCart A New Era of eCommerce plugin <= 1.3.1 - Authenticated (Administrator+) SQL Injection via 'groupKey' Parameter vulnerability
Authenticated (Administrator+) SQL Injection via 'groupKey' Parameter vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin FluentCart versions <= 1.3.1...
WordPress CSSIgniter Shortcodes plugin <= 2.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'element' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'element' Shortcode Attribute vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin CSSIgniter Shortcodes versions <= 2.4.1...
WordPress MxChat – AI Chatbot for WordPress plugin <= 2.5.5 - Unauthenticated Information Exposure vulnerability
Unauthenticated Information Exposure vulnerability discovered by Ryan Kozak in WordPress Plugin MxChat versions <= 2.5.5...
WordPress Nexter Extension plugin <= 4.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Nexter Extension versions <= 4.4.1...
WordPress Projectopia plugin <= 5.1.23 - Insecure Direct Object References (IDOR) vulnerability
Insecure Direct Object References (IDOR) vulnerability discovered by 0xVenus in WordPress Plugin Projectopia versions <= 5.1.23...
WordPress Kadence WooCommerce Email Designer plugin <= 1.5.17 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by shark3y in WordPress Plugin Kadence WooCommerce Email Designer versions <= 1.5.17...
WordPress WP 2FA plugin <= 2.9.3 - 2-Factor Authentication Bypass vulnerability
2-Factor Authentication Bypass vulnerability discovered by Benjamin Nadarević in WordPress Plugin WP 2FA versions <= 2.9.3...
WordPress Broken Link Manager plugin <= 0.6.5 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by Yousof Nahya in WordPress Plugin Broken Link Manager versions <= 0.6.5...
WordPress WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) plugin <= 3.20.3 - Unauthenticated Stored Cross-Site Scripting via External Content Import vulnerability
Unauthenticated Stored Cross-Site Scripting via External Content Import vulnerability discovered by Kishan Vyas in WordPress Plugin WP Social Ninja versions <= 3.20.3...
WordPress ELEX WordPress HelpDesk & Customer Ticketing System plugin <= 3.3.2 - Authenticated (Contributor+) Privilege Escalation via eh_crm_edit_agent AJAX Action vulnerability
Authenticated (Contributor+) Privilege Escalation via eh_crm_edit_agent AJAX Action vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin ELEX WordPress HelpDesk & Customer Ticketing System versions <= 3.3.2...
WordPress Studiocart plugin <= 2.9.0 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by Hassan Khan Yusufzai - Splint3r7 in WordPress Plugin WordPress eCommerce Plugin – Studiocart versions <= 2.9.0...
WordPress Tax Service Electronic HDM plugin <= 1.2.0 - Unauthenticated Arbitrary SQL Injection vulnerability
Unauthenticated Arbitrary SQL Injection vulnerability discovered by Khaled Alenazi Nxploited in WordPress Plugin TAX SERVICE Electronic HDM versions <= 1.2.0...
WordPress Backup Migration plugin <= 1.4.9 - Information Exposure to Unauthenticated Back-up Download vulnerability
Information Exposure to Unauthenticated Back-up Download vulnerability discovered by ymmfty0 in WordPress Plugin Backup Migration versions <= 1.4.9...
WordPress Cost Calculator Builder plugin <= 3.6.3 - Unauthenticated Arbitrary File Deletion vulnerability
Unauthenticated Arbitrary File Deletion vulnerability discovered by YCInfosec in WordPress Plugin Cost Calculator Builder versions <= 3.6.3...
WordPress StreamTube Core plugin <= 4.78 - Unauthenticated Arbitrary User Password Change vulnerability
Unauthenticated Arbitrary User Password Change vulnerability discovered by Foxyyy in WordPress Plugin StreamTube Core versions <= 4.78...
WordPress Tiktok Feed plugin <= 1.0.23 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Tiktok Feed versions <= 1.0.23...
WordPress WPS Bidouille plugin <= 1.33.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin WPS Bidouille versions <= 1.33.1...
WordPress Quiz Maker plugin <= 6.7.0.82 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by Doan Dinh Van in WordPress Plugin Quiz Maker versions <= 6.7.0.82...
WordPress WP Directory Kit plugin <= 1.4.6 - Authenticated (Admin+) SQL Injection vulnerability
Authenticated (Admin+) SQL Injection vulnerability discovered by tmrswrr in WordPress Plugin WP Directory Kit versions <= 1.4.6...
WordPress VikRentCar Car Rental Management System plugin <= 1.4.4 - Authenticated (Author+) SQL Injection via 'month' Parameter vulnerability
Authenticated (Author+) SQL Injection via 'month' Parameter vulnerability discovered by zhenhua fan in WordPress Plugin VikRentCar versions <= 1.4.4...