WordPress ArtPlacer Widget plugin <= 2.22.9.2 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Jarno Vos jrn5151 in WordPress Plugin ArtPlacer Widget versions = 2.22.9.2...

WordPress External Media plugin <= 1.0.36 - Server Side Request Forgery (SSRF) vulnerability

Server Side Request Forgery SSRF vulnerability discovered by mcdruid in WordPress Plugin External Media versions = 1.0.36...

WordPress Accordion Slider plugin <= 1.9.13 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Accordion Slider versions = 1.9.13...

WordPress Timetics plugin <= 1.0.44 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by MD ISMAIL in WordPress Plugin Timetics versions = 1.0.44...

WordPress Modula Image Gallery plugin <= 2.13.6 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Que Thanh Tuan in WordPress Plugin Modula Image Gallery versions = 2.13.6...

WordPress Better Search plugin <= 4.2.1 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Peter Thaleikis in WordPress Plugin Better Search versions = 4.2.1...

WordPress Custom Order Numbers for WooCommerce plugin <= 1.11.0 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Custom Order Numbers for WooCommerce versions = 1.11.0...

WordPress Booking Calendar Contact Form plugin <= 1.2.60 - Missing Authorization to Unauthenticated Arbitrary Booking Confirmation via 'dex_bccf_ipn' Parameter vulnerability

Missing Authorization to Unauthenticated Arbitrary Booking Confirmation via 'dexbccfipn' Parameter vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Booking Calendar Contact Form versions = 1.2.60...

WordPress GSheetConnector For Ninja Forms plugin <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) System Information Exposure vulnerability

Missing Authorization to Authenticated Subscriber+ System Information Exposure vulnerability discovered by Bhayanak Atma in WordPress Plugin Ninja Forms Google Sheet Connector versions = 2.0.1...

WordPress Appointment Booking Calendar plugin <= 1.3.96 - Missing Authorization to Arbitrary Booking Confirmation via 'cpabc_ipncheck' Parameter vulnerability

Missing Authorization to Arbitrary Booking Confirmation via 'cpabcipncheck' Parameter vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Appointment Booking Calendar versions = 1.3.96...

WordPress BigBuy Dropshipping Connector for WooCommerce plugin <= 2.0.5 - Unauthenticated IP Spoofing to phpinfo() Exposure vulnerability

Unauthenticated IP Spoofing to phpinfo Exposure vulnerability discovered by Jarno Vos jarnovos in WordPress Plugin BigBuy Dropshipping Connector for WooCommerce versions = 2.0.5...

WordPress Giveaways and Contests by RafflePress plugin <= 1.12.20 - Cross Site Request Forgery (CSRF) vulnerability

Cross Site Request Forgery CSRF vulnerability discovered by Nabil Irawan in WordPress Plugin Giveaways and Contests by RafflePress versions = 1.12.20...

WordPress Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin <= 2.4.7 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Cryptocurrency Token, Launchpad Presale, ICO & IDO, Airdrop by TokenICO versions = 2.4.7...

WordPress AudioTube plugin <= 0.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin AudioTube versions = 0.0.3...

WordPress Stock Tools plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Stock Tools versions = 1.1...

WordPress Padlet Shortcode plugin <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by zakaria in WordPress Plugin Padlet Shortcode versions = 1.3...

WordPress Tips Shortcode plugin <= 0.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Tips Shortcode versions = 0.2.1...

WordPress UiPress lite plugin <= 3.5.08 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update vulnerability

Missing Authorization to Authenticated Subscriber+ Plugin Settings Update vulnerability discovered by Rafshanzani Suhada in WordPress Plugin UiPress lite versions = 3.5.08...

WordPress Islamic Phrases plugin <= 2.12.2015 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Islamic Phrases versions = 2.12.2015...

WordPress Return Refund and Exchange For WooCommerce plugin <= 4.5.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Order Message Read vulnerability

Insecure Direct Object Reference to Authenticated Subscriber+ Arbitrary Order Message Read vulnerability discovered by Powpy in WordPress Plugin Return Refund and Exchange For WooCommerce versions = 4.5.5...

WordPress Import WP plugin <= 2.14.17 - Unauthenticated Information Exposure vulnerability

Unauthenticated Information Exposure vulnerability discovered by type5afe in WordPress Plugin Import WP versions = 2.14.17...

WordPress Checkbox plugin <= 2.8.10 - Missing Authorization to Unauthenticated Log Clearing vulnerability

Missing Authorization to Unauthenticated Log Clearing vulnerability discovered by Legion Hunter in WordPress Plugin Checkbox versions = 2.8.10...

WordPress WP Directory Kit plugin <= 1.4.3 - Unauthenticated SQL Injection via select_2_ajax() Function vulnerability

Unauthenticated SQL Injection via select2ajax Function vulnerability discovered by tmrswrr in WordPress Plugin WP Directory Kit versions = 1.4.3...

WordPress PopupKit plugin <= 2.1.5 - SQL Injection vulnerability

SQL Injection vulnerability discovered by 0xd4rk5id3 in WordPress Plugin PopupKit versions = 2.1.5...

WordPress SupportCandy plugin <= 3.4.1 - Cross Site Request Forgery (CSRF) vulnerability

Cross Site Request Forgery CSRF vulnerability discovered by daroo in WordPress Plugin SupportCandy versions = 3.4.1...

WordPress GoDAM plugin <= 1.4.6 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by 0xd4rk5id3 in WordPress Plugin GoDAM versions = 1.4.6...

WordPress Zegen Core plugin <= 2.0.1 - Cross-Site Request Forgery to Arbitrary File Upload vulnerability

Cross-Site Request Forgery to Arbitrary File Upload vulnerability discovered by István Márton - Wordfence in WordPress Plugin Zegen Core versions = 2.0.1...

WordPress LearnPress plugin <= 4.2.9.4 - Missing Authorization to Unauthenticated Arbitrary Callback Execution to Information Exposure vulnerability

Missing Authorization to Unauthenticated Arbitrary Callback Execution to Information Exposure vulnerability discovered by Lucas Montes Nirox in WordPress Plugin LearnPress versions = 4.2.9.4...

WordPress FluentCRM plugin <= 2.9.84 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'fluentcrm_content' Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'fluentcrmcontent' Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Fluent CRM versions = 2.9.84...

WordPress ELEX WordPress HelpDesk & Customer Ticketing System plugin <= 3.2.9 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'eh_crm_ticket_single_view_client' vulnerability

Authenticated Subscriber+ Insecure Direct Object Reference via 'ehcrmticketsingleviewclient' vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin ELEX WordPress HelpDesk & Customer Ticketing System versions = 3.2.9...

WordPress ELEX WordPress HelpDesk & Customer Ticketing System plugin <= 3.3.1 - Missing Authorization to Authenticated (Subscriber+) Role Removal vulnerability

Missing Authorization to Authenticated Subscriber+ Role Removal vulnerability discovered by Michelle Porter - Wordfence in WordPress Plugin ELEX WordPress HelpDesk & Customer Ticketing System versions = 3.3.1...

WordPress Legal Pages plugin <= 1.4.6 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Legal Pages versions = 1.4.6...

WordPress ForumWP plugin <= 2.1.4 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by daroo in WordPress Plugin ForumWP versions = 2.1.4...

WordPress TI WooCommerce Wishlist plugin <= 2.10.0 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Bao - BlueRock in WordPress Plugin TI WooCommerce Wishlist versions = 2.10.0...

WordPress Magical Products Display plugin <= 1.1.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via MPD Pricing Table Widget vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via MPD Pricing Table Widget vulnerability discovered by Abu Hurayra HurayraIIT in WordPress Plugin Magical Products Display versions = 1.1.29...

WordPress Tainacan plugin <= 1.0.0 - Unauthenticated Information Exposure vulnerability

Unauthenticated Information Exposure vulnerability discovered by Peb - NA in WordPress Plugin Tainacan versions = 1.0.0...

WordPress WP Delete Post Copies plugin <= 6.0.2 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability

Authenticated Admin+ Stored Cross-Site Scripting vulnerability discovered by Teuniz - Teuniz.nl in WordPress Plugin WP Delete Post Copies versions = 6.0.2...

WordPress Groundhogg plugin <= 4.2.6.1 - Authenticated (Admin+) SQL Injection vulnerability

Authenticated Admin+ SQL Injection vulnerability discovered by NAKLEH ZEIDAN in WordPress Plugin Groundhogg versions = 4.2.6.1...

WordPress HT Mega – Absolute Addons For Elementor plugin <= 3.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Tag Attribute Injection vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Tag Attribute Injection vulnerability discovered by Abu Hurayra HurayraIIT in WordPress Plugin HT Mega versions = 3.0.0...

WordPress Post Expirator plugin <= 4.9.1 - Authenticated (Author+) Missing Authorization to Post/Page Status Modification vulnerability

Authenticated Author+ Missing Authorization to Post/Page Status Modification vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Post Expirator versions = 4.9.1...

WordPress Shortcode for Google Street View plugin <= 0.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin Shortcode for Google Street View versions = 0.5.7...

WordPress WP Company Info plugin <= 1.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin WP Company Info versions = 1.9.0...

WordPress 简数采集器 plugin <= 2.6.3 - Authenticated (Admin+) Arbitrary File Read vulnerability

Authenticated Admin+ Arbitrary File Read vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Keydatas versions = 2.6.3...

WordPress WPSite Shortcode plugin <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Gilang - DJ in WordPress Plugin WPSite Shortcode versions = 1.2...

WordPress Display Pages Shortcode plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Display Pages Shortcode versions = 1.1...

WordPress HotelRunner Booking Widget plugin <= 5.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Mohamed amine Ouamar in WordPress Plugin HotelRunner Booking Widget versions = 5.2.4...

WordPress Custom Post Type plugin <= 1.0 - Cross-Site Request Forgery to Custom Post Type Deletion vulnerability

Cross-Site Request Forgery to Custom Post Type Deletion vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Custom Post Type versions = 1.0...

WordPress BrightTALK WordPress Shortcode plugin <= 2.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Gilang - DJ in WordPress Plugin BrightTALK WordPress Shortcode versions = 2.4.0...

WordPress Surbma | MiniCRM Shortcode plugin <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Surbma | MiniCRM Shortcode versions = 2.0...

WordPress Bulma Shortcodes plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Gilang - DJ in WordPress Plugin Bulma Shortcodes versions = 1.0...