45958 matches found
WordPress Gravity Forms plugin <= 2.9.21.1 - Unauthenticated Arbitrary File Upload via Legacy Chunked Upload vulnerability
Unauthenticated Arbitrary File Upload via Legacy Chunked Upload vulnerability discovered by Talal Nasraddeen in WordPress Plugin Gravity Forms versions <= 2.9.21.1...
WordPress Classified Listing plugin <= 5.0.3 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via Listing Description vulnerability
Authenticated (Subscriber+) Arbitrary Shortcode Execution via Listing Description vulnerability discovered by Kishan Vyas in WordPress Plugin Classified Listing versions <= 5.0.3...
WordPress Booking for Appointments and Events Calendar – Amelia plugin <= 1.2.35 - Unauthenticated SQL Injection via search vulnerability
Unauthenticated SQL Injection via search vulnerability discovered by YCInfosec in WordPress Plugin Amelia versions <= 1.2.35...
WordPress RestroPress plugin <= 3.2.3.5 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by daroo in WordPress Plugin RestroPress versions <= 3.2.3.5...
WordPress PPOM for WooCommerce plugin <= 33.0.16 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin PPOM for WooCommerce versions <= 33.0.16...
WordPress Wappointment plugin <= 2.6.9 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Wappointment versions <= 2.6.9...
WordPress MasterStudy LMS plugin <= 3.6.27 - SQL Injection vulnerability
SQL Injection vulnerability discovered by YCInfosec in WordPress Plugin MasterStudy LMS versions <= 3.6.27...
WordPress Contact Form Email plugin <= 1.3.58 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by daroo in WordPress Plugin Contact Form Email versions <= 1.3.58...
WordPress WPFunnels plugin <= 3.6.2 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Jitlada in WordPress Plugin WPFunnels versions <= 3.6.2...
WordPress Appointment Booking Calendar plugin <= 1.3.95 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by daroo in WordPress Plugin Appointment Booking Calendar versions <= 1.3.95...
WordPress Contest Gallery plugin <= 28.0.2 - Missing Authorization vulnerability
Missing Authorization vulnerability discovered by type5afe in WordPress Plugin Contest Gallery versions <= 28.0.2...
WordPress All in One SEO plugin <= 4.8.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Media Deletion vulnerability
Missing Authorization to Authenticated (Contributor+) Arbitrary Media Deletion vulnerability discovered by shark3y in WordPress Plugin All In One SEO Pack versions <= 4.8.9...
WordPress Image Gallery – Photo Grid & Video Gallery plugin <= 2.12.28 - Improper Authorization to Authenticated (Author+) Arbitrary Image File Move vulnerability
Improper Authorization to Authenticated (Author+) Arbitrary Image File Move vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Modula Image Gallery versions <= 2.12.28...
WordPress WP Project Manager plugin <= 2.6.26 - Authenticated (Subscriber+) SQL Injection via 'completed_at_operator' vulnerability
Authenticated (Subscriber+) SQL Injection via 'completed_at_operator' vulnerability discovered by mikemyers in WordPress Plugin WP Project Manager versions <= 2.6.26...
WordPress Qi Blocks plugin <= 1.4.3 - Missing Authorization to Arbitrary Attachment Resize vulnerability
Missing Authorization to Arbitrary Attachment Resize vulnerability discovered by Adrian Lukita in WordPress Plugin Qi Blocks versions <= 1.4.3...
WordPress WP Google Review Slider plugin <= 17.4 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin WP Google Review Slider versions <= 17.4...
WordPress WP YouTube Lyte plugin <= 1.7.28 - Open Redirection vulnerability
Open Redirection vulnerability discovered by Nabil Irawan in WordPress Plugin WP YouTube Lyte versions <= 1.7.28...
WordPress WP Social Ninja plugin <= 3.20.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin WP Social Ninja versions <= 3.20.1...
WordPress Lobo theme <= 2.8.6 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Lobo versions <= 2.8.6...
WordPress CoSchedule plugin <= 3.4.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by daroo in WordPress Plugin CoSchedule versions <= 3.4.0...
WordPress Survey Maker plugin <= 5.1.9.4 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by daroo in WordPress Plugin Survey Maker versions <= 5.1.9.4...
WordPress Creta Testimonial Showcase plugin < 1.2.4 - Editor+ Local File Inclusion vulnerability
Editor+ Local File Inclusion vulnerability discovered by Khaled Alenazi Nxploited in WordPress Plugin Creta Testimonial Showcase versions < 1.2.4...
WordPress Woffice Core plugin <= 5.4.30 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Rafie Muhammad Patchstack in WordPress Plugin Woffice Core versions <= 5.4.30...
WordPress WooCommerce PDF Invoice Builder plugin <= 1.2.150 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nguyen Tran Tuan Dung domiee13 in WordPress Plugin WooCommerce PDF Invoice Builder versions <= 1.2.150...
WordPress Select Core plugin < 2.6 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Select Core versions < 2.6...
WordPress Select Core plugin < 2.6 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Select Core versions < 2.6...
WordPress Stylish Cost Calculator plugin <= 8.1.5 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Stylish Cost Calculator versions <= 8.1.5...
WordPress SKT Skill Bar plugin <= 2.5 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin SKT Skill Bar versions <= 2.5...
WordPress School Management System – WPSchoolPress plugin <= 2.2.23 - Authenticated (Administrator+) SQL Injection vulnerability
Authenticated (Administrator+) SQL Injection vulnerability discovered by dutafi in WordPress Plugin WPSchoolPress versions <= 2.2.23...
WordPress SNORDIAN's H5PxAPIkatchu plugin <= 0.4.17 - Unauthenticated Stored Cross-Site Scripting via insert_data vulnerability
Unauthenticated Stored Cross-Site Scripting via insert_data vulnerability discovered by Moose Love - Nagasaki Prefectural University in WordPress Plugin SNORDIAN's H5PxAPIkatchu versions <= 0.4.17...
WordPress Shopkeeper Extender plugin < 7.0 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Jarno Vos jrn5151 in WordPress Plugin Shopkeeper Extender versions < 7.0...
WordPress LifterLMS plugin <= Various versions - Authenticated (Student+) Privilege Escalation vulnerability
Authenticated (Student+) Privilege Escalation vulnerability discovered by shark3y in WordPress Plugin LifterLMS versions 9.1.0...
WordPress WP Plugin Manager plugin <= 1.4.7 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by Mika in WordPress Plugin WP Plugin Manager versions <= 1.4.7...
WordPress Theater for WordPress plugin <= 0.18.8 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Theater for WordPress versions <= 0.18.8...
WordPress Booking Calendar plugin <= 10.14.7 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Peter Thaleikis in WordPress Plugin Booking Calendar versions <= 10.14.7...
WordPress Gallery Plugin for WordPress – Envira Photo Gallery plugin <= 1.12.0 - Missing Authorization to Authenticated (Author+) Multiple Gallery Actions vulnerability
Missing Authorization to Authenticated (Author+) Multiple Gallery Actions vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Envira Photo Gallery versions <= 1.12.0...
WordPress Save as PDF Button plugin <= 1.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via restpackpdfbutton Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via restpackpdfbutton Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Save as PDF Button versions <= 1.9.2...
WordPress Quicq plugin <= 2.0.0 - Missing Authorization to Authenticated (Subscriber+) Afosto Disconnect vulnerability
Missing Authorization to Authenticated (Subscriber+) Afosto Disconnect vulnerability discovered by Legion Hunter in WordPress Plugin Quicq versions <= 2.0.0...
WordPress WordPress Content Flipper plugin <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin WordPress Content Flipper versions <= 0.1...
WordPress WP Headless CMS Framework plugin <= 1.15 - Unauthenticated Protection Mechanism Bypass vulnerability
Unauthenticated Protection Mechanism Bypass vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin WP Headless CMS Framework versions <= 1.15...
WordPress Angel theme <= 3.2.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability
Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability discovered by WordFence in WordPress Theme Angel versions <= 3.2.3...
WordPress Comment Edit Core – Simple Comment Editing plugin <= 3.1.0 - Unauthenticated Sensitive Information Exposure vulnerability
Unauthenticated Sensitive Information Exposure vulnerability discovered by Powpy in WordPress Plugin Comment Edit Core – Simple Comment Editing versions <= 3.1.0...
WordPress AI Engine plugin <= 3.1.8 - Authenticated (Subscriber+) PHP Object Injection via PHAR Deserialization vulnerability
Authenticated (Subscriber+) PHP Object Injection via PHAR Deserialization vulnerability discovered by ISMAILSHADOW in WordPress Plugin AI Engine versions <= 3.1.8...
WordPress Poll Maker plugin <= 6.0.7 - Authenticated (Administrator+) SQL Injection via `filterbyauthor` Parameter vulnerability
Authenticated (Administrator+) SQL Injection via `filterbyauthor` Parameter vulnerability discovered by type5afe in WordPress Plugin Poll Maker versions <= 6.0.7...
WordPress Survey Maker plugin <= 5.1.9.4 - Missing Authorization to Unauthenticated Information Exposure vulnerability
Missing Authorization to Unauthenticated Information Exposure vulnerability discovered by DityaRA in WordPress Plugin Survey Maker versions <= 5.1.9.4...
WordPress Page Builder: Pagelayer – Drag and Drop website builder plugin <= 2.0.5 - Authenticated (Author+) Insecure Direct Object Reference vulnerability
Authenticated (Author+) Insecure Direct Object Reference vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin PageLayer versions <= 2.0.5...
WordPress Import any XML, CSV or Excel File to WordPress (WP All Import) plugin <= 3.9.6 - Authenticated (Administrator+) Remote Code Execution via Conditional Logic vulnerability
Authenticated (Administrator+) Remote Code Execution via Conditional Logic vulnerability discovered by tmrswrr in WordPress Plugin WP All Import versions <= 3.9.6...
WordPress Data Tables Generator by Supsystic plugin <= 1.10.45 - Authenticated (Admin+) Arbitrary File Deletion vulnerability
Authenticated (Admin+) Arbitrary File Deletion vulnerability discovered by Naoya Takahashi nakko in WordPress Plugin Data Tables Generator by Supsystic versions <= 1.10.45...
WordPress SureForms plugin <= 1.13.1 - Missing Authorization to Unauthenticated Sensitive Information Exposure vulnerability
Missing Authorization to Unauthenticated Sensitive Information Exposure vulnerability discovered by type5afe in WordPress Plugin SureForms versions <= 1.13.1...
WordPress Welcart e-Commerce plugin <= 2.11.24 - Missing Authorization to Unauthenticated Information Exposure vulnerability
Missing Authorization to Unauthenticated Information Exposure vulnerability discovered by dudekmar - CERT.PL in WordPress Plugin Welcart e-Commerce versions <= 2.11.24...