WordPress Welcart e-Commerce plugin <= 2.11.24 - Missing Authorization to Unauthenticated Information Exposure vulnerability
Missing Authorization to Unauthenticated Information Exposure vulnerability discovered by dudekmar - CERT.PL in WordPress Plugin Welcart e-Commerce versions <= 2.11.24...
WordPress 0 Day Analytics plugin <= 4.0.0 - SQL Injection vulnerability
SQL Injection vulnerability discovered by kwakbumjun in WordPress Plugin 0 Day Analytics versions <= 4.0.0...
WordPress Passster plugin <= 4.2.19 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by Que Thanh Tuan - Blue Rock in WordPress Plugin Passster versions <= 4.2.19...
WordPress Online Booking & Scheduling Calendar for WordPress by vcita plugin <= 4.5.5 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by Mika in WordPress Plugin Online Booking & Scheduling Calendar for WordPress by vcita versions <= 4.5.5...
WordPress Online Booking & Scheduling Calendar for WordPress by vcita plugin <= 4.5.5 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Mika in WordPress Plugin Online Booking & Scheduling Calendar for WordPress by vcita versions <= 4.5.5...
WordPress Specific Content For Mobile plugin <= 0.5.5 - Authenticated (Contributor+) SQL Injection vulnerability
Authenticated (Contributor+) SQL Injection vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Specific Content For Mobile versions <= 0.5.5...
WordPress Easy Email Subscription plugin <= 1.3 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Easy Email Subscription versions <= 1.3...
WordPress Thumbnail Slider With Lightbox plugin <= 1.0.21 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin Thumbnail Slider With Lightbox versions <= 1.0.21...
WordPress Payment Plugins Braintree For WooCommerce plugin <= 3.2.78 - Missing Authorization to Payment Token Exposure and Transaction Fraud vulnerability
Missing Authorization to Payment Token Exposure and Transaction Fraud vulnerability discovered by M Indra Purnama type5afe in WordPress Plugin Payment Plugins Braintree For WooCommerce versions <= 3.2.78...
WordPress WP Import plugin <= 7.33 - Missing Authorization to Authenticated (Author+) Sensitive Information Exposure vulnerability
Missing Authorization to Authenticated (Author+) Sensitive Information Exposure vulnerability discovered by M Indra Purnama type5afe in WordPress Plugin WP Ultimate CSV Importer versions <= 7.33...
WordPress BookIt plugin <= 2.5.0 - Missing Authorization to Unauthenticated Stripe Connection vulnerability
Missing Authorization to Unauthenticated Stripe Connection vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin BookIt versions <= 2.5.0...
WordPress MembershipWorks plugin <= 6.14 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Authenticated (Admin+) Stored Cross-Site Scripting vulnerability discovered by ZAST.AI - ZAST.AI in WordPress Plugin MembershipWorks versions <= 6.14...
WordPress Alt Text Generator AI plugin <= 1.8.3 - Missing Authorization to Authenticated (Subscriber+) API Key Deletion vulnerability
Missing Authorization to Authenticated (Subscriber+) API Key Deletion vulnerability discovered by Legion Hunter in WordPress Plugin Alt Text Generator AI versions <= 1.8.3...
WordPress Wishlist and Save for later for Woocommerce plugin <= 1.1.22 - Insecure Direct Object Reference to Authenticated (Subscriber+) Wishlist Item Deletion vulnerability
Insecure Direct Object Reference to Authenticated (Subscriber+) Wishlist Item Deletion vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin Wishlist and Save for later for Woocommerce versions <= 1.1.22...
WordPress GeoDirectory plugin <= 2.8.139 - Missing Authorization to Authenticated (Author+) Arbitrary Image Attachment vulnerability
Missing Authorization to Authenticated (Author+) Arbitrary Image Attachment vulnerability discovered by DityaRA in WordPress Plugin GeoDirectory versions <= 2.8.139...
WordPress Asgaros Forum plugin <= 3.2.1 - Cross-Site Request Forgery to Subscription Settings Update vulnerability
Cross-Site Request Forgery to Subscription Settings Update vulnerability discovered by Brian Mungai in WordPress Plugin Asgaros Forum versions <= 3.2.1...
Drupal core 8.0.0-10.4.8,10.5.0-10.5.5,11.0.0-11.1.8,11.2.0-11.2.7 - Unauthenticated Denial of Service Attack vulnerability
Unauthenticated Denial of Service Attack vulnerability discovered by Dragos Dumitrescu dragos-dumi in Drupal core versions 8.0.0-10.4.8,10.5.0-10.5.5,11.0.0-11.1.8,11.2.0-11.2.7...
Drupal core 8.0.0-10.4.8,10.5.0-10.5.5,11.0.0-11.1.8,11.2.0-11.2.7 - Authenticated Other Vulnerability Type vulnerability
Authenticated Other Vulnerability Type vulnerability discovered by anzuukino in Drupal core versions 8.0.0-10.4.8,10.5.0-10.5.5,11.0.0-11.1.8,11.2.0-11.2.7...
Drupal core 8.0.0-10.4.8,10.5.0-10.5.5,11.0.0-11.1.8,11.2.0-11.2.7 - Unauthenticated Defacement vulnerability
Unauthenticated Defacement vulnerability discovered by Kevin Quillen kevinquillen in Drupal core versions 8.0.0-10.4.8,10.5.0-10.5.5,11.0.0-11.1.8,11.2.0-11.2.7...
Drupal core 8.0.0-10.4.8,10.5.0-10.5.5,11.0.0-11.1.8,11.2.0-11.2.7 - Unauthenticated Sensitive Data Exposure vulnerability
Unauthenticated Sensitive Data Exposure vulnerability discovered by Damien McKenna damienmckenna in Drupal core versions 8.0.0-10.4.8,10.5.0-10.5.5,11.0.0-11.1.8,11.2.0-11.2.7...
WordPress Angel Theme <= 3.2.3 is vulnerable to Cross Site Scripting (XSS)
Software: Angel; Type: Theme; Vulnerable versions: <= 3.2.3; Fixed in: N/A; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2025-10295; Patch priority: Medium; CVSS severity: Medium (6.5); PSID: 731931b06fd6; Credits: WordFence; Required privilege...
WordPress Photography theme <= 7.7.2 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Photography versions <= 7.7.2...
WordPress Chat Help plugin <= 3.1.3 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Kim YunJi in WordPress Plugin Chat Help versions <= 3.1.3...
WordPress Seriously Simple Podcasting plugin <= 3.13.0 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by daroo in WordPress Plugin Seriously Simple Podcasting versions <= 3.13.0...
WordPress Hydra Booking plugin <= 1.1.27 - Missing Payment Verification to Unauthenticated Payment Bypass vulnerability
Missing Payment Verification to Unauthenticated Payment Bypass vulnerability discovered by Ahmad Salem a7mad.cc in WordPress Plugin Hydra Booking versions <= 1.1.27...
WordPress Classified Listing plugin <= 5.2.0 - Missing Authorization to Authenticated (Subscriber+) Listing Types Tampering vulnerability
Missing Authorization to Authenticated (Subscriber+) Listing Types Tampering vulnerability discovered by Rafshanzani Suhada in WordPress Plugin Classified Listing versions <= 5.2.0...
WordPress TNC Toolbox: Web Performance plugin <= 1.4.2 - Unauthenticated Sensitive Information Exposure to Privilege Escalation/cPanel Account Takeover vulnerability
Unauthenticated Sensitive Information Exposure to Privilege Escalation/cPanel Account Takeover vulnerability discovered by kr0d in WordPress Plugin TNC Toolbox: Web Performance versions <= 1.4.2...
WordPress Hydra Booking plugin <= 1.1.27 - Unauthenticated Arbitrary Booking Cancellation via Weak Hash Generation vulnerability
Unauthenticated Arbitrary Booking Cancellation via Weak Hash Generation vulnerability discovered by Ahmad Salem a7mad.cc in WordPress Plugin Hydra Booking versions <= 1.1.27...
WordPress Blocksy Companion plugin <= 2.1.19 - Authenticated (Author+) Arbitrary File Upload via SVG Upload Bypass vulnerability
Authenticated (Author+) Arbitrary File Upload via SVG Upload Bypass vulnerability discovered by shark3y in WordPress Plugin Blocksy Companion versions <= 2.1.19...
WordPress Progress Bar Blocks for Gutenberg plugin <= 1.0.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG vulnerability
Authenticated (Author+) Stored Cross-Site Scripting via SVG vulnerability discovered by Peerapat Samatathanyakorn in WordPress Plugin Progress Bar Blocks for Gutenberg versions <= 1.0.0...
WordPress Slippy Slider – Responsive Touch Navigation Slider plugin <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Gilang - DJ in WordPress Plugin Slippy Slider versions <= 2.0...
WordPress WP-Iconics plugin <= 0.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin WP-Iconics versions <= 0.0.4...
WordPress Five9 Live Chat plugin <= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Five9 Live Chat versions <= 1.1.2...
WordPress GitHub Gist Shortcode Plugin plugin <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin GitHub Gist Shortcode versions <= 0.2...
WordPress Authors List plugin <= 2.0.6.1 - Authenticated (Contributor+) Sensitive Information Exposure via Limited Method Call in plugin's Shortcode vulnerability
Authenticated (Contributor+) Sensitive Information Exposure via Limited Method Call in plugin's Shortcode vulnerability discovered by kai in WordPress Plugin Authors List versions <= 2.0.6.1...
WordPress USB Qr Code Scanner For Woocommerce plugin <= 1.0.0 - Cross-Site Request Forgery to Settings Update vulnerability
Cross-Site Request Forgery to Settings Update vulnerability discovered by dayea song - Ahnlab in WordPress Plugin USB Qr Code Scanner For Woocommerce versions <= 1.0.0...
WordPress Auto Amazon Links – Amazon Associates Affiliate Plugin plugin <= 5.4.3 - Unauthenticated Arbitrary File Read vulnerability
Unauthenticated Arbitrary File Read vulnerability discovered by Rafshanzani Suhada in WordPress Plugin Auto Amazon Links versions <= 5.4.3...
WordPress Nonaki – Drag and Drop Email Template builder and Newsletter plugin for WordPress plugin <= 1.0.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Nonaki versions <= 1.0.11...
WordPress Flickr Show plugin <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Flickr Show versions <= 1.5...
WordPress Ungapped Widgets plugin <= 1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by zakaria in WordPress Plugin Ungapped Widgets versions <= 1...
WordPress WP BBCode plugin <= 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Gilang - DJ in WordPress Plugin WP BBCode versions <= 1.8.1...
WordPress Geopost plugin <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Geopost versions <= 1.2...
WordPress The Total Book Project plugin <= 1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Book Manipulation vulnerability
Insecure Direct Object Reference to Authenticated (Contributor+) Book Manipulation vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin The Total Book Project versions <= 1.0...
WordPress Add Multiple Marker plugin <= 1.2 - Missing Authorization to Unauthenticated Settings Update vulnerability
Missing Authorization to Unauthenticated Settings Update vulnerability discovered by Bhayanak Atma in WordPress Plugin Add Multiple Marker versions <= 1.2...
WordPress Twitter Feed plugin <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Twitter Feed versions <= 1.3.1...
WordPress Skip to Timestamp plugin <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by zakaria in WordPress Plugin Skip to Timestamp versions <= 1.4.4...
WordPress Find Unused Images plugin <= 1.0.7 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion vulnerability
Missing Authorization to Unauthenticated Arbitrary Attachment Deletion vulnerability discovered by johska in WordPress Plugin Find Unused Images versions <= 1.0.7...
WordPress WP-OAuth plugin <= 0.4.1 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin WP-OAuth versions <= 0.4.1...
WordPress Chart Expert plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Chart Expert versions <= 1.0...
WordPress Shelf Planner plugin <= 2.7.0 - Missing Authorization to Unauthenticated Settings Update vulnerability
Missing Authorization to Unauthenticated Settings Update vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Shelf Planner versions <= 2.7.0...