45950 matches found
WordPress Shortcodes Bootstrap plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Shortcodes Bootstrap versions <= 1.1...
WordPress Pollcaster Shortcode Plugin plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by zakaria in WordPress Plugin Pollcaster Shortcode Plugin versions <= 1.0...
WordPress AuthorSure plugin <= 2.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin AuthorSure versions <= 2.3...
WordPress Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin <= 2.4.7 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Cryptocurrency Token, Launchpad Presale, ICO & IDO, Airdrop by TokenICO versions <= 2.4.7...
WordPress Affiliate AI Lite plugin <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Gilang - DJ in WordPress Plugin Affiliate AI Lite versions <= 1.0.1...
WordPress ELEX WordPress HelpDesk & Customer Ticketing System plugin <= 3.3.0 - Missing Authorization to Authenticated (Subscriber+) to Scheduled Trigger Deletion vulnerability
Missing Authorization to Authenticated Subscriber+ to Scheduled Trigger Deletion vulnerability discovered by Legion Hunter in WordPress Plugin ELEX WordPress HelpDesk & Customer Ticketing System versions <= 3.3.0...
WordPress W3 Total Cache plugin < 2.8.13 - Unauthenticated Command Injection vulnerability
Unauthenticated Command Injection vulnerability discovered by wcraft in WordPress Plugin W3 Total Cache versions < 2.8.13...
WordPress Payment Gateway bKash for WC plugin <= 3.1.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Payment Gateway bKash for WC versions <= 3.1.0...
WordPress Better Chat Support for Messenger plugin <= 1.2.18 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Better Chat Support for Messenger versions <= 1.2.18...
WordPress TP WooCommerce Product Gallery plugin <= 1.1.9 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ DOM-Based Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin TP WooCommerce Product Gallery versions <= 1.1.9...
WordPress Royal Elementor Addons plugin <= 1.7.1031 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Authenticated Contributor+ DOM-Based Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin Royal Elementor Addons versions <= 1.7.1031...
WordPress Grid KIT Portfolio plugin <= 2.2.1 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ DOM-Based Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin Grid KIT Portfolio versions <= 2.2.1...
WordPress OnePress theme <= 2.3.15 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ DOM-Based Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Theme OnePress versions <= 2.3.15...
WordPress LightGallery WP plugin <= 1.0.5 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ DOM-Based Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin LightGallery WP versions <= 1.0.5...
WordPress Image Hover Effects Ultimate plugin <= 9.10.5 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ DOM-Based Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin Image Hover Effects Ultimate versions <= 9.10.5...
WordPress Ibtana plugin <= 1.2.5.1 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ DOM-Based Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin Ibtana versions <= 1.2.5.1...
WordPress Offload, AI & Optimize with Cloudflare Images plugin <= 1.9.5 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin Offload, AI & Optimize with Cloudflare Images versions <= 1.9.5...
WordPress Gallery with thumbnail slider plugin <= 7.8 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ DOM-Based Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin Gallery with thumbnail slider versions <= 7.8...
WordPress Basel theme <= 5.9.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Basel versions <= 5.9.1...
WordPress Walker Core plugin <= 1.3.17 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by Peter Thaleikis in WordPress Plugin Walker Core versions <= 1.3.17...
WordPress Giveaways and Contests by RafflePress plugin <= 1.12.19 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by Naoya Takahashi nakko in WordPress Plugin Giveaways and Contests by RafflePress versions <= 1.12.19...
WordPress GiveWP - Donation plugin and Fundraising Platform plugin <= 4.13.0 - Unauthenticated Stored Cross-Site Scripting via 'name' vulnerability
WordPress GiveWP - Donation plugin and Fundraising Platform plugin <= 4.13.0 - Unauthenticated Stored Cross-Site Scripting via 'name' vulnerability discovered by shark3y in WordPress Plugin GiveWP versions <= 4.13.0...
WordPress Code Snippets plugin <= 3.9.1 - Authenticated (Contributor+) PHP Code Injection via extract() and PHP Filter Chains vulnerability
Authenticated Contributor+ PHP Code Injection via extract and PHP Filter Chains vulnerability discovered by mikemyers in WordPress Plugin Code Snippets versions <= 3.9.1...
WordPress Amelia plugin - 1.2.18-1.2.36 - Unauthenticated Sensitive Information Exposure vulnerability
WordPress Amelia plugin - 1.2.18-1.2.36 - Unauthenticated Sensitive Information Exposure vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Amelia versions 1.2.18-1.2.36...
WordPress SiteSEO – SEO Simplified plugin <= 1.3.2 - Insecure Direct Object Reference to Sensitive Post Meta Disclosure vulnerability
Insecure Direct Object Reference to Sensitive Post Meta Disclosure vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin SiteSEO versions <= 1.3.2...
WordPress SureForms plugin <= 1.13.1 - Cross-Site Request Forgery Protection Bypass via Improper Nonce Distribution vulnerability
Cross-Site Request Forgery Protection Bypass via Improper Nonce Distribution vulnerability discovered by type5afe in WordPress Plugin SureForms versions <= 1.13.1...
WordPress WP Import – Ultimate CSV XML Importer for WordPress plugin <= 7.33.1 - Authenticated (Administrator+) PHP Object Injection via CSV Import vulnerability
Authenticated Administrator+ PHP Object Injection via CSV Import vulnerability discovered by WordFence in WordPress Plugin WP Ultimate CSV Importer versions <= 7.33.1...
WordPress Directorist plugin <= 8.5.2 - Missing Authorization to Authenticated (Subscriber+) Data Export and Slug Update vulnerability
Missing Authorization to Authenticated Subscriber+ Data Export and Slug Update vulnerability discovered by Rafshanzani Suhada in WordPress Plugin Directorist versions <= 8.5.2...
WordPress Pet-Manager – Petfinder plugin <= 3.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via kwm-petfinder Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via kwm-petfinder Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Pet-Manager – Petfinder versions <= 3.6.1...
WordPress SiteSEO – SEO Simplified plugin <= 1.3.2 - Improper Authorization to Authenticated Settings Reset vulnerability
Improper Authorization to Authenticated Settings Reset vulnerability discovered by Supakiad S. m3ez - E-CQURITY Thailand in WordPress Plugin SiteSEO versions <= 1.3.2...
WordPress Community Events plugin <= 1.5.4 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Community Events versions <= 1.5.4...
WordPress WSChat – WordPress Live Chat plugin <= 3.1.6 - Missing Authorization to Authenticated (Subscriber+) Settings Reset vulnerability
Missing Authorization to Authenticated Subscriber+ Settings Reset vulnerability discovered by Powpy in WordPress Plugin WSChat versions <= 3.1.6...
WordPress Booking Plugin for WordPress Appointments – Time Slot plugin <= 1.4.7 - Unauthenticated Arbitrary Email Sending vulnerability
Unauthenticated Arbitrary Email Sending vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Time Slot versions <= 1.4.7...
WordPress WP Login and Register using JWT plugin <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) API Key Exposure vulnerability
Missing Authorization to Authenticated Subscriber+ API Key Exposure vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin WP Login and Register using JWT versions <= 3.0.0...
WordPress Responsive Lightbox & Gallery plugin <= 2.5.3 - Authenticated (Author+) Server-Side Request Forgery vulnerability
Authenticated Author+ Server-Side Request Forgery vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Responsive Lightbox versions <= 2.5.3...
WordPress User Profile Builder plugin <= 3.14.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Profile Builder versions <= 3.14.8...
WordPress Email Subscribers & Newsletters plugin <= 5.9.10 - Missing Authentication to Unauthenticated Mailing Queue Trigger vulnerability
Missing Authentication to Unauthenticated Mailing Queue Trigger vulnerability discovered by Adrian Lukita in WordPress Plugin Email Subscribers & Newsletters versions <= 5.9.10...
WordPress Quiz Maker plugin <= 6.7.0.80 - Unauthenticated Sensitive Information Exposure vulnerability
Unauthenticated Sensitive Information Exposure vulnerability discovered by Rafshanzani Suhada in WordPress Plugin Quiz Maker versions <= 6.7.0.80...
WordPress New User Approve plugin <= 3.0.9 - Unauthenticated Sensitive Information Disclosure via Type Juggling vulnerability
Unauthenticated Sensitive Information Disclosure via Type Juggling vulnerability discovered by Powpy in WordPress Plugin New User Approve versions <= 3.0.9...
WordPress Royal Elementor Addons and Templates plugin <= 1.7.1036 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by stealthcopter in WordPress Plugin Royal Elementor Addons versions <= 1.7.1036...
WordPress YITH WooCommerce Wishlist plugin <= 4.10.0 - Unauthenticated Wishlist Token Disclosure to Wishlist Item Deletion vulnerability
Unauthenticated Wishlist Token Disclosure to Wishlist Item Deletion vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin YITH WooCommerce Wishlist versions <= 4.10.0...
WordPress YITH WooCommerce Wishlist plugin <= 4.10.0 - Unauthenticated Insecure Direct Object Reference to Unauthenticated Wishlist Rename vulnerability
Unauthenticated Insecure Direct Object Reference to Unauthenticated Wishlist Rename vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin YITH WooCommerce Wishlist versions <= 4.10.0...
WordPress wModes plugin <= 1.2.2 - Missing Authorization to Sensitive Information Disclosure vulnerability
Missing Authorization to Sensitive Information Disclosure vulnerability discovered by NumeX NumeX in WordPress Plugin wModes versions <= 1.2.2...
WordPress wpForo Forum plugin <= 2.4.10 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by daroo in WordPress Plugin wpForo Forum versions <= 2.4.10...
WordPress FV Antispam plugin <= 2.7 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by Skalucy in WordPress Plugin FV Antispam versions <= 2.7...
WordPress Eagle Booking plugin <= 1.3.4.3 - Settings Change vulnerability
Settings Change vulnerability discovered by Bonds in WordPress Plugin Eagle Booking versions <= 1.3.4.3...
WordPress Eagle Booking plugin <= 1.3.4.3 - Insecure Direct Object References (IDOR) vulnerability
Insecure Direct Object References IDOR vulnerability discovered by Bonds in WordPress Plugin Eagle Booking versions <= 1.3.4.3...
WordPress WP Gravity Forms FreshDesk Plugin plugin <= 1.3.5 - Open Redirection vulnerability
Open Redirection vulnerability discovered by Bonds in WordPress Plugin WP Gravity Forms FreshDesk Plugin versions <= 1.3.5...
WordPress Essential Addons for Elementor plugin <= 6.5.5 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Bonds in WordPress Plugin Essential Addons for Elementor versions <= 6.5.5...
WordPress CBX Bookmark & Favorite plugin <= 2.0.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin CBX Bookmark & Favorite versions <= 2.0.1...