45950 matches found
WordPress UsersWP plugin <= 1.2.47 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin UsersWP versions <= 1.2.47...
WordPress Wishlist for WooCommerce plugin <= 1.1.3 - Insecure Direct Object References (IDOR) vulnerability
Insecure Direct Object References (IDOR) vulnerability discovered by Powpy in WordPress Plugin Wishlist for WooCommerce versions <= 1.1.3...
WordPress ProjectList plugin <= 0.3.0 - Authenticated (Editor+) Arbitrary File Upload vulnerability
Authenticated (Editor+) Arbitrary File Upload vulnerability discovered by Ivan Cese in WordPress Plugin ProjectList versions <= 0.3.0...
WordPress Job Board by BestWebSoft plugin <= 1.2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via $_GET Array Storage vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting via $_GET Array Storage vulnerability discovered by Jamshed Yergashvoyev CVE Guy - Turan Security in WordPress Plugin Job Board by BestWebSoft versions <= 1.2.1...
WordPress AI Engine for WordPress: ChatGPT, GPT Content Generator plugin <= 1.0.1 - Authenticated (Contributor+) Arbitrary File Read vulnerability
Authenticated (Contributor+) Arbitrary File Read vulnerability discovered by Ryan Kozak in WordPress Plugin AI Engine for WordPress: ChatGPT, GPT Content Generator versions <= 1.0.1...
WordPress Telegram Bot & Channel plugin <= 4.1 - Unauthenticated Stored Cross-Site Scripting via Telegram Username vulnerability
Unauthenticated Stored Cross-Site Scripting via Telegram Username vulnerability discovered by venom5iix in WordPress Plugin Telegram Bot & Channel versions <= 4.1...
WordPress WavePlayer plugin <= 3.7.0 - Unauthenticated Arbitrary File Upload vulnerability
Unauthenticated Arbitrary File Upload vulnerability discovered by @zdenys in WordPress Plugin WavePlayer versions <= 3.7.0...
WordPress EduKart Pro plugin <= 1.0.3 - Unauthenticated Privilege Escalation vulnerability
Unauthenticated Privilege Escalation vulnerability discovered by Alyudin Nafiie in WordPress Plugin EduKart Pro versions <= 1.0.3...
WordPress Attention Bar plugin <= 0.7.2.1 - Authenticated (Contributor+) SQL Injection vulnerability
Authenticated (Contributor+) SQL Injection vulnerability discovered by WPScan in WordPress Plugin Attention Bar versions <= 0.7.2.1...
WordPress Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin <= 14 - Missing Authorization to Unauthenticated Information Disclosure vulnerability
Missing Authorization to Unauthenticated Information Disclosure vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin OrderConvo versions <= 14...
WordPress Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin <= 14 - Missing Authorization to Unauthenticated User Impersonation in Order Messages vulnerability
Missing Authorization to Unauthenticated User Impersonation in Order Messages vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin OrderConvo versions <= 14...
WordPress Chamber Dashboard Business Directory plugin <= 3.3.11 - Missing Authorization to Unauthenticated Business Information Export vulnerability
Missing Authorization to Unauthenticated Business Information Export vulnerability discovered by Legion Hunter in WordPress Plugin Chamber Dashboard Business Directory versions <= 3.3.11...
WordPress Refund Request for WooCommerce plugin <= 1.0 - Missing Authorization to Authenticated (Subscriber+) Refund Status Update vulnerability
Missing Authorization to Authenticated (Subscriber+) Refund Status Update vulnerability discovered by Powpy in WordPress Plugin Refund Request for WooCommerce versions <= 1.0...
WordPress Locker Content plugin <= 1.0.0 - Unauthenticated Information Exposure vulnerability
Unauthenticated Information Exposure vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Locker Content versions <= 1.0.0...
WordPress Frontend File Manager plugin plugin <= 23.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary File Renaming vulnerability
Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary File Renaming vulnerability discovered by t.t.brothers in WordPress Plugin Frontend File Manager versions <= 23.4...
WordPress Social Images Widget plugin <= 2.1 - Missing Authorization to Unauthenticated Arbitrary Plugin Settings Deletion vulnerability
Missing Authorization to Unauthenticated Arbitrary Plugin Settings Deletion vulnerability discovered by Legion Hunter in WordPress Plugin Social Images Widget versions <= 2.1...
WordPress Autochat Automatic Conversation plugin <= 1.1.9 - Missing Authorization to Unauthenticated Settings Update vulnerability
Missing Authorization to Unauthenticated Settings Update vulnerability discovered by Legion Hunter in WordPress Plugin Autochat Automatic Conversation versions <= 1.1.9...
WordPress YouTube Subscribe plugin <= 3.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting via Title and Channel ID vulnerability
Authenticated (Admin+) Stored Cross-Site Scripting via Title and Channel ID vulnerability discovered by ZAST.AI - ZAST.AI in WordPress Plugin YouTube Subscribe versions <= 3.0.0...
WordPress Conditional Maintenance Mode for WordPress plugin <= 1.0.0 - Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery vulnerability discovered by dayea song - Ahnlab in WordPress Plugin Conditionnal Maintenance Mode for WordPress versions <= 1.0.0...
WordPress ProjectList plugin <= 0.3.0 - Authenticated (Editor+) SQL Injection via 'id' Parameter vulnerability
Authenticated (Editor+) SQL Injection via 'id' Parameter vulnerability discovered by Ivan Cese in WordPress Plugin ProjectList versions <= 0.3.0...
WordPress Just Highlight plugin <= 1.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Highlight Color' Setting vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via 'Highlight Color' Setting vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Just Highlight versions <= 1.0.3...
WordPress Inline frame – Iframe plugin <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin Inline frame – Iframe versions <= 0.1...
WordPress Ace Post Type Builder plugin <= 1.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Custom Taxonomy Deletion via 'taxonomy' Parameter vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary Custom Taxonomy Deletion via 'taxonomy' Parameter vulnerability discovered by Legion Hunter in WordPress Plugin Ace Post Type Builder versions <= 1.9...
WordPress ZWeb - Social Mobile plugin <= 1.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
WordPress ZWeb - Social Mobile plugin <= 1.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability discovered by dayea song - Ahnlab in WordPress Plugin Zweb Social Mobile versions <= 1.0.0...
WordPress Bookme plugin <= 4.2 - Authenticated (Admin+) SQL Injection via 'filter[status]' Parameter vulnerability
Authenticated (Admin+) SQL Injection via 'filter[status]' Parameter vulnerability discovered by Sopon Tangpathum SoNaJaa - freelance in WordPress Plugin Bookme – Free Online Appointment Booking and Scheduling Plugin versions <= 4.2...
WordPress Peer Publish plugin <= 1.0 - Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery vulnerability discovered by dayea song - Ahnlab in WordPress Plugin Peer Publish versions <= 1.0...
WordPress atec Duplicate Page & Post plugin <= 1.2.20 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Duplication and Data Exposure vulnerability
Missing Authorization to Authenticated (Contributor+) Arbitrary Post Duplication and Data Exposure vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin atec Duplicate Page & Post versions <= 1.2.20...
WordPress Blog2Social plugin <= 8.7.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Trashing vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Trashing vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Blog2Social versions <= 8.7.0...
WordPress Show Variations as Single Products Woocommerce plugin <= 2.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Show Variations as Single Products Woocommerce versions <= 2.0...
WordPress Simple User Registration plugin <= 6.6 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Simple User Registration versions <= 6.6...
WordPress PropertyHive plugin <= 2.1.12 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by daroo in WordPress Plugin PropertyHive versions <= 2.1.12...
WordPress EchBay Admin Security plugin <= 1.3.0 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin EchBay Admin Security versions <= 1.3.0...
WordPress PropertyHive plugin <= 2.1.12 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by daroo in WordPress Plugin PropertyHive versions <= 2.1.12...
WordPress ANAC XML Bandi di Gara plugin <= 7.7 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Skalucy in WordPress Plugin ANAC XML Bandi di Gara versions <= 7.7...
WordPress Flo Forms plugin <= 1.0.43 - Unauthenticated Stored Cross-Site Scripting via SVG Upload vulnerability
Unauthenticated Stored Cross-Site Scripting via SVG Upload vulnerability discovered by Moose Love - Nagasaki Prefectural University in WordPress Plugin Flo Forms versions <= 1.0.43...
WordPress Tainacan plugin <= 1.0.0 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by Peb - NA in WordPress Plugin Tainacan versions <= 1.0.0...
WordPress WPBookit plugin <= 1.0.6 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by Ryan Kozak in WordPress Plugin WPBookit versions <= 1.0.6...
WordPress S2B AI Assistant – ChatBot, ChatGPT, OpenAI, Content & Image Generator plugin <= 1.7.8 - Authenticated (Editor+) Arbitrary File Upload vulnerability
Authenticated (Editor+) Arbitrary File Upload vulnerability discovered by Ryan Kozak in WordPress Plugin S2B AI Assistant versions <= 1.7.8...
WordPress UiPress lite plugin <= 3.5.08 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure vulnerability
Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure vulnerability discovered by abrahack in WordPress Plugin UiPress lite versions <= 3.5.08...
WordPress UiPress lite plugin <= 3.5.08 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability
Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability discovered by abrahack in WordPress Plugin UiPress lite versions <= 3.5.08...
WordPress OneClick Chat to Order plugin <= 1.0.8 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure vulnerability
Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure vulnerability discovered by Md Shofiur Rahman - Pentest Testing Corp in WordPress Plugin OneClick Chat to Order versions <= 1.0.8...
WordPress CP Contact Form with PayPal plugin <= 1.3.56 - Missing Authorization to Unauthenticated Arbitrary Payment Confirmation vulnerability
Missing Authorization to Unauthenticated Arbitrary Payment Confirmation vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin CP Contact Form with Paypal versions <= 1.3.56...
WordPress Realty Portal plugin <= 0.4.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update vulnerability discovered by kr0d in WordPress Plugin Realty Portal versions <= 0.4.1...
WordPress Vitepos plugin <= 3.3.0 - Authenticated (Subscriber+) Arbitrary File Upload to Remote Code Execution vulnerability
Authenticated (Subscriber+) Arbitrary File Upload to Remote Code Execution vulnerability discovered by Moose Love - Nagasaki Prefectural University in WordPress Plugin Vitepos versions <= 3.3.0...
WordPress ELEX WordPress HelpDesk & Customer Ticketing System plugin <= 3.3.1 - Unauthenticated Arbitrary File Upload vulnerability
Unauthenticated Arbitrary File Upload vulnerability discovered by ifoundbug in WordPress Plugin ELEX WordPress HelpDesk & Customer Ticketing System versions <= 3.3.1...
WordPress Mstore Mobile Multivendor plugin <= 9.0.1 - Unauthenticated Privilege Escalation vulnerability
Unauthenticated Privilege Escalation vulnerability discovered by Khaled Alenazi Nxploited in WordPress Plugin Mstore Mobile App versions <= 9.0.1...
WordPress Mstore Mobile App plugin <= 2.08 - Unauthenticated Privilege Escalation vulnerability
Unauthenticated Privilege Escalation vulnerability discovered by Khaled Alenazi Nxploited in WordPress Plugin Mstore Mobile App versions <= 2.08...
WordPress WP AUDIO GALLERY plugin <= 2.0 - Authenticated (Subscriber+) Arbitrary File Deletion via 'audio_upload' Parameter vulnerability
Authenticated (Subscriber+) Arbitrary File Deletion via 'audio_upload' Parameter vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin WP AUDIO GALLERY versions <= 2.0...
WordPress Groundhogg plugin <= 4.2.6 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by zaim in WordPress Plugin Groundhogg versions <= 4.2.6...
WordPress Extensions for Leaflet Map plugin <= 4.8 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by zaim in WordPress Plugin Extensions for Leaflet Map versions <= 4.8...