WordPress ListingPro theme <= 2.9.9 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Denver Jackson in WordPress Theme ListingPro versions <= 2.9.9...
WordPress EventPrime plugin <= 4.2.4.1 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by daroo in WordPress Plugin EventPrime versions <= 4.2.4.1...
WordPress JetElements For Elementor plugin <= 2.7.12 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Bonds in WordPress Plugin JetElements For Elementor versions <= 2.7.12...
WordPress Feeds for YouTube plugin <= 2.4.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Bao - BlueRock in WordPress Plugin Feeds for YouTube versions <= 2.4.0...
WordPress LearnPress plugin <= 4.2.9.4 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Peter Thaleikis in WordPress Plugin LearnPress versions <= 4.2.9.4...
WordPress EventPrime plugin <= 4.2.4.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by daroo in WordPress Plugin EventPrime versions <= 4.2.4.1...
WordPress Strong Testimonials plugin <= 3.2.16 - Unauthenticated Arbitrary Shortcode Execution vulnerability
Unauthenticated Arbitrary Shortcode Execution vulnerability discovered by Kishan Vyas in WordPress Plugin Strong Testimonials versions <= 3.2.16...
WordPress Better Find and Replace plugin <= 1.7.7 - Missing Authorization vulnerability
Missing Authorization vulnerability discovered by Adrian Lukita in WordPress Plugin Better Find and Replace versions <= 1.7.7...
WordPress Hubbub Lite plugin <= 1.36.0 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by LionTree in WordPress Plugin Hubbub Lite versions <= 1.36.0...
WordPress Blog2Social plugin <= 8.6.0 - Incorrect Authorization to Video File Upload vulnerability
Incorrect Authorization to Video File Upload vulnerability discovered by thinnawarth mathuros in WordPress Plugin Blog2Social versions <= 8.6.0...
WordPress Blog2Social plugin <= 8.6.0 - Authenticated (Subscriber+) Blind Server-Side Request Forgery via post_url vulnerability
Authenticated (Subscriber+) Blind Server-Side Request Forgery via post_url vulnerability discovered by LionTree in WordPress Plugin Blog2Social versions <= 8.6.0...
WordPress Easy Digital Download plugin <= 3.5.2 - Insufficient Verification to Order Manipulation vulnerability
Insufficient Verification to Order Manipulation vulnerability discovered by Jay - Student in WordPress Plugin Easy Digital Downloads versions <= 3.5.2...
WordPress Easy Email Subscription plugin <= 1.3 - Cross-Site Request Forgery to Arbitrary Subscriber Deletion vulnerability
Cross-Site Request Forgery to Arbitrary Subscriber Deletion vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Easy Email Subscription versions <= 1.3...
WordPress Easy Email Subscription plugin <= 1.3 - Authenticated (Admin+) SQL Injection via uid vulnerability
Authenticated (Admin+) SQL Injection via uid vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Easy Email Subscription versions <= 1.3...
WordPress Rey Core plugin <= 3.1.8 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Rey Core versions <= 3.1.8...
WordPress Feather Login Page plugin <= 1.1.7 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by daroo in WordPress Plugin Feather Login Page versions <= 1.1.7...
WordPress WP Hotel Booking plugin <= 2.2.7 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by daroo in WordPress Plugin WP Hotel Booking versions <= 2.2.7...
WordPress The Events Calendar plugin 6.15.1.1 - 6.15.9 - Unauthenticated SQL Injection via s vulnerability
WordPress The Events Calendar plugin 6.15.1.1 - 6.15.9 - Unauthenticated SQL Injection via s vulnerability discovered by holme in WordPress Plugin The Events Calendar versions 6.15.1.1-6.15.9...
WordPress WP Hotel Booking plugin <= 2.2.8 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by daroo in WordPress Plugin WP Hotel Booking versions <= 2.2.8...
WordPress WP Hotel Booking plugin <= 2.2.8 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by daroo in WordPress Plugin WP Hotel Booking versions <= 2.2.8...
WordPress Phlox Portfolio plugin <= 2.3.10 - Unauthenticated Local File Inclusion via args[extra_template_path] vulnerability
Unauthenticated Local File Inclusion via args[extra_template_path] vulnerability discovered by LionTree in WordPress Plugin Phlox Portfolio versions <= 2.3.10...
WordPress Visual Link Preview plugin <= 2.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via visual-link-preview Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via visual-link-preview Shortcode vulnerability discovered by Rafshanzani Suhada in WordPress Plugin Visual Link Preview versions <= 2.2.7...
WordPress Ad Inserter plugin <= 2.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Ad Inserter versions <= 2.8.7...
WordPress FunnelKit Automations plugin <= 3.6.4.1 - Unauthenticated Sensitive Information Exposure vulnerability
Unauthenticated Sensitive Information Exposure vulnerability discovered by Rafshanzani Suhada in WordPress Plugin FunnelKit Automations versions <= 3.6.4.1...
WordPress Graphina plugin <= 3.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Chart Widgets vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Chart Widgets vulnerability discovered by Webbernaut in WordPress Plugin Graphina versions <= 3.1.8...
WordPress The Events Calendar plugin <= 6.15.9 - Sysinfo Key Incorrect Comparison to Unauthenticated Sensitive Information Exposure vulnerability
Sysinfo Key Incorrect Comparison to Unauthenticated Sensitive Information Exposure vulnerability discovered by mikemyers in WordPress Plugin The Events Calendar versions <= 6.15.9...
WordPress FunnelKit Automations plugin <= 3.6.4.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending vulnerability discovered by Rafshanzani Suhada in WordPress Plugin FunnelKit Automations versions <= 3.6.4.1...
WordPress KiotViet Sync plugin <= 1.8.5 - Unauthenticated Arbitrary File Upload vulnerability
Unauthenticated Arbitrary File Upload vulnerability discovered by kr0d in WordPress Plugin KiotViet Sync versions <= 1.8.5...
WordPress KiotViet Sync plugin <= 1.8.5 - Use of Hard-coded Password to Authorization Bypass vulnerability
Use of Hard-coded Password to Authorization Bypass vulnerability discovered by kr0d in WordPress Plugin KiotViet Sync versions <= 1.8.5...
WordPress KiotViet Sync plugin <= 1.8.5 - Unauthenticated Webhook Key Exposure vulnerability
Unauthenticated Webhook Key Exposure vulnerability discovered by kr0d in WordPress Plugin KiotViet Sync versions <= 1.8.5...
WordPress Depicter Slider plugin <= 4.0.4 - Missing Authorization to Authenticated (Contributor+) Safe File Type Upload vulnerability
Missing Authorization to Authenticated (Contributor+) Safe File Type Upload vulnerability discovered by Rafshanzani Suhada in WordPress Plugin Depicter Slider versions <= 4.0.4...
WordPress File Manager for Google Drive plugin <= 1.5.3 - Unauthenticated Sensitive Information Exposure vulnerability
Unauthenticated Sensitive Information Exposure vulnerability discovered by ifoundbug in WordPress Plugin Integrate Google Drive versions <= 1.5.3...
WordPress B Carousel Block plugin <= 1.1.5 - Missing Authorization to Authenticated (Subscriber+) Server-Side Request Forgery vulnerability
Missing Authorization to Authenticated (Subscriber+) Server-Side Request Forgery vulnerability discovered by Sushi Com Abacate in WordPress Plugin B Carousel Block versions <= 1.1.5...
WordPress WPeMatico RSS Feed Fetcher plugin <= 2.8.11 - Authenticated (Subscriber+) Server-Side Request Forgery via wpematico_test_feed vulnerability
Authenticated (Subscriber+) Server-Side Request Forgery via wpematico_test_feed vulnerability discovered by Rafshanzani Suhada in WordPress Plugin WPeMatico RSS Feed Fetcher versions <= 2.8.11...
WordPress Document Embedder plugin <= 2.0.0 - Missing Authorization to Unauthenticated Document Manipulation vulnerability
Missing Authorization to Unauthenticated Document Manipulation vulnerability discovered by ohmymex in WordPress Plugin Document Embedder versions <= 2.0.0...
WordPress AI Engine plugin <= 3.1.3 - Unauthenticated Sensitive Information Exposure to Privilege Escalation vulnerability
Unauthenticated Sensitive Information Exposure to Privilege Escalation vulnerability discovered by Emiliano Versini in WordPress Plugin AI Engine versions <= 3.1.3...
WordPress Spectra plugin <= 2.19.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom CSS vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Custom CSS vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Spectra versions <= 2.19.14...
WordPress Features plugin <= 0.0.2 - Missing Authorization to Authenticated (Subscriber+) Option Reset vulnerability
Missing Authorization to Authenticated (Subscriber+) Option Reset vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Module Features versions <= 0.0.2...
WordPress Paid Membership Subscriptions plugin <= 2.16.4 - Missing Authorization to Unauthenticated Arbitrary Member Subscription Auto Renewal vulnerability
Missing Authorization to Unauthenticated Arbitrary Member Subscription Auto Renewal vulnerability discovered by Rafshanzani Suhada in WordPress Plugin Paid Member Subscriptions versions <= 2.16.4...
WordPress SMS for WordPress plugin <= 1.1.8 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by johska in WordPress Plugin SMS for WordPress versions <= 1.1.8...
WordPress Everest Forms Pro plugin <= 1.9.7 - Unauthenticated PHP Object Injection via PHAR Deserialization in Form Signature vulnerability
Unauthenticated PHP Object Injection via PHAR Deserialization in Form Signature vulnerability discovered by Alex Thomas - Wordfence in WordPress Plugin Everest Forms Pro versions <= 1.9.7...
Drupal Email TFA module < 2.0.6 - Authenticated Broken Access Control vulnerability
Authenticated Broken Access Control vulnerability discovered by Pierre Rudloff prudloff in WordPress Module Email TFA versions < 2.0.6...
Drupal Simple multi step form module < 2.0.0 - Authenticated Cross Site Scripting (XSS) vulnerability
Authenticated Cross Site Scripting (XSS) vulnerability discovered by Ide Braakman idebr in WordPress Module Simple multi step form versions < 2.0.0...
Drupal Features Module <= 0.0.2 is vulnerable to Broken Access Control
Software: Features; Type: Module; Vulnerable versions: <= 0.0.2; Fixed in: N/A; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2025-12582; Patch priority: Low; CVSS severity: Low (4.3); PSID: 2b7c0646055d; Credits: Nabil Irawan - Heroes Cyber Security...
WordPress Booking Manager plugin <= 2.1.17 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Jan Barszcz in WordPress Plugin Booking Manager versions <= 2.1.17...
WordPress Top Bar Notification plugin <= 1.12 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by dayea song - Ahnlab in WordPress Plugin Top Bar Notification versions <= 1.12...
WordPress Easy Upload Files During Checkout plugin <= 2.9.8 - Unauthenticated Arbitrary JavaScript File Upload vulnerability
Unauthenticated Arbitrary JavaScript File Upload vulnerability discovered by Ahmad Salem a7mad.cc in WordPress Plugin Easy Upload Files During Checkout versions <= 2.9.8...
WordPress Orbit Fox Companion plugin <= 3.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Post Taxonomy vulnerability
Authenticated (Author+) Stored Cross-Site Scripting via Post Taxonomy vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Orbit Fox by ThemeIsle versions <= 3.0.2...
WordPress ShopLentor plugin <= 3.2.5 - Unauthenticated Local PHP File Inclusion via 'load_template' vulnerability
Unauthenticated Local PHP File Inclusion via 'load_template' vulnerability discovered by mikemyers in WordPress Plugin ShopLentor versions <= 3.2.5...
WordPress Master Blocks plugin <= 1.4.1.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary plugin Upload vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary plugin Upload vulnerability discovered by theviper17y in WordPress Plugin Master Blocks versions <= 1.4.1.3...