WordPress Folderly plugin <= 0.3 - Incorrect Authorization to Authenticated (Author+) Term Deletion vulnerability
Incorrect Authorization to Authenticated (Author+) Term Deletion vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Folderly versions <= 0.3...
WordPress Employee Spotlight plugin <= 5.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Employee Spotlight versions <= 5.1.2...
WordPress Community Events plugin <= 1.5.2 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by ifoundbug in WordPress Plugin Community Events versions <= 1.5.2...
WordPress List category posts plugin <= 0.92.0 - Authenticated (Contributor+) Information Exposure vulnerability
Authenticated (Contributor+) Information Exposure vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin List category posts versions <= 0.92.0...
WordPress Flying Images plugin <= 2.4.14 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Authenticated (Admin+) Stored Cross-Site Scripting vulnerability discovered by Karuppiah Sabari Kumar - Mobikwik in WordPress Plugin Flying Images versions <= 2.4.14...
WordPress Schema Scalpel plugin <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title in JSON-LD Schema vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title in JSON-LD Schema vulnerability discovered by Peter Thaleikis in WordPress Plugin Schema Scalpel versions <= 1.6.1...
WordPress SiteSEO plugin <= 1.3.1 - Missing Authorization to Authenticated (Author+) Plugin Settings Update vulnerability
Missing Authorization to Authenticated (Author+) Plugin Settings Update vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin SiteSEO versions <= 1.3.1...
WordPress CSS & JavaScript Toolbox plugin <= 12.0.5 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Authenticated (Admin+) Stored Cross-Site Scripting vulnerability discovered by Kyokito - - in WordPress Plugin CSS & JavaScript Toolbox versions <= 12.0.5...
WordPress WP Legal Pages plugin <= 3.5.1 - Missing Authorization to Unauthenticated API Disconnect vulnerability
Missing Authorization to Unauthenticated API Disconnect vulnerability discovered by Rafshanzani Suhada in WordPress Plugin WPLegalPages versions <= 3.5.1...
WordPress Document Library Lite plugin <= 1.1.6 - Missing Authorization to Sensitive Information Exposure vulnerability
Missing Authorization to Sensitive Information Exposure vulnerability discovered by Avraham Shemesh and Kai Aizen in WordPress Plugin Document Library Lite versions <= 1.1.6...
WordPress WPCOM Member plugin <= 1.7.14 - Authenticated (Contributor+) Local File Inclusion via Shortcode vulnerability
Authenticated (Contributor+) Local File Inclusion via Shortcode vulnerability discovered by Naoya Takahashi nakko in WordPress Plugin WPCOM Member versions <= 1.7.14...
WordPress Inactive Logout plugin <= 3.5.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability
Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability discovered by shark3y in WordPress Plugin Inactive Logout versions <= 3.5.5...
WordPress RealPress plugin < 1.1.0 - Unauthenticated Content Creation/Email Sending via REST vulnerability
Unauthenticated Content Creation/Email Sending via REST vulnerability discovered by Khaled Alenazi Nxploited in WordPress Plugin RealPress versions < 1.1.0...
WordPress Post SMTP plugin <= 3.6.0 - Missing Authorization to Account Takeover via Unauthenticated Email Log Disclosure vulnerability
Missing Authorization to Account Takeover via Unauthenticated Email Log Disclosure vulnerability discovered by netranger in WordPress Plugin Post SMTP versions <= 3.6.0...
WordPress WP Snow Effect plugin <= 1.1.19 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin WP Snow Effect versions <= 1.1.19...
WordPress North - Required Plugin plugin <= 1.4.2 - Local File Inclusion vulnerability
WordPress North - Required Plugin plugin <= 1.4.2 - Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin North - Required Plugin versions <= 1.4.2...
WordPress Kallyas Theme <= 4.23.0 is vulnerable to Cross Site Scripting (XSS)
Software Kallyas Type Theme Vulnerable versions <= 4.23.0 Fixed in 4.24.0 OWASP Top 10 A7: Cross-Site Scripting (XSS) Classification Cross Site Scripting (XSS) CVE CVE-2025-6988 Patch priority Low CVSS severity Low 6.5 Developer EPC PSID e0831bfa42ea Credits stealthcopter Required privilege Contributo...
WordPress Kallyas Theme <= 4.24.0 is vulnerable to Remote Code Execution (RCE)
Software Kallyas Type Theme Vulnerable versions <= 4.24.0 Fixed in N/A OWASP Top 10 A1: Injection Classification Remote Code Execution (RCE) CVE CVE-2025-6990 Patch priority Medium CVSS severity Medium 8.8 Developer EPC PSID fef69fa1779b Credits stealthcopter Required privilege Contributor Published...
WordPress YOP Poll plugin <= 6.5.38 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Que Thanh Tuan - Blue Rock in WordPress Plugin YOP Poll versions <= 6.5.38...
WordPress WP Maps plugin <= 4.8.6 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by kr0no in WordPress Plugin WP Maps versions <= 4.8.6...
WordPress SmartMag theme <= 10.3.0 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme SmartMag versions <= 10.3.0...
WordPress Booking and Rental Manager plugin <= 2.5.3 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Ryan Novotny in WordPress Plugin Booking and Rental Manager versions <= 2.5.3...
WordPress SmartMag Theme <= 10.3.0 is vulnerable to Local File Inclusion
Software SmartMag Type Theme Vulnerable versions <= 10.3.0 Fixed in 10.3.1 OWASP Top 10 A3: Injection Classification Local File Inclusion CVE CVE-2025-64216 Patch priority Low CVSS severity Low 7.5 Developer Claim ownership PSID de6195233272 Credits João Pedro S Alcântara Kinorth Required privileg...
WordPress Bard theme <= 2.229 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Mohamad Fattyr in WordPress Theme Bard versions <= 2.229...
WordPress Google XML Sitemaps plugin <= 4.1.22 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by NumeX in WordPress Plugin Google XML Sitemaps versions <= 4.1.22...
WordPress Popup addon for Ninja Forms plugin <= 3.5.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Kim YunJi in WordPress Plugin Popup addon for Ninja Forms versions <= 3.5.1...
WordPress ERI File Library plugin <= 1.1.0 - Missing Authorization to Unauthenticated Protected File Download vulnerability
Missing Authorization to Unauthenticated Protected File Download vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin ERI File Library versions <= 1.1.0...
WordPress WPC Name Your Price for WooCommerce plugin <= 2.1.9 - Unauthenticated Price Alteration vulnerability
Unauthenticated Price Alteration vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin WPC Name Your Price for WooCommerce versions <= 2.1.9...
WordPress The Events Calendar plugin <= 6.15.9 - Missing Authorization to Authenticated (Subscriber+) Draft Event Title/QR Code Exposure vulnerability
Missing Authorization to Authenticated (Subscriber+) Draft Event Title/QR Code Exposure vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin The Events Calendar versions <= 6.15.9...
WordPress OOPSpam Anti-Spam plugin <= 1.2.53 - Unauthenticated IP Header Spoofing vulnerability
Unauthenticated IP Header Spoofing vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin OOPSpam Anti-Spam versions <= 1.2.53...
WordPress WooCommerce Designer Pro plugin <= 1.9.28 - Unauthenticated Arbitrary File Read vulnerability
Unauthenticated Arbitrary File Read vulnerability discovered by István Márton in WordPress Plugin WooCommerce Designer Pro versions <= 1.9.28...
WordPress Zombify plugin <= 1.7.5 - Authenticated (Subscriber+) Path Traversal to Arbitrary File Read vulnerability
Authenticated (Subscriber+) Path Traversal to Arbitrary File Read vulnerability discovered by Tonn in WordPress Plugin Zombify versions <= 1.7.5...
WordPress Jobmonster theme <= 4.8.1 - Authentication Bypass vulnerability
Authentication Bypass vulnerability discovered by Thái An in WordPress Theme Jobmonster versions <= 4.8.1...
WordPress User Extra Fields plugin <= 16.7 - Authenticated (Subscriber+) Arbitrary File Deletion via save_fields Function vulnerability
Authenticated (Subscriber+) Arbitrary File Deletion via save_fields Function vulnerability discovered by Tonn in WordPress Plugin User Extra Fields versions <= 16.7...
WordPress Analytify Pro plugin <= 7.0.3 - Unauthenticated Information Exposure vulnerability
Unauthenticated Information Exposure vulnerability discovered by WPBrigade Support in WordPress Plugin Analytify Pro versions <= 7.0.3...
WordPress Qzzr Shortcode Plugin plugin <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by zakaria in WordPress Plugin Qzzr Shortcode versions <= 1.0.1...
WordPress FuseWP plugin <= 1.1.23.0 - Missing Authorization to Authenticated (Subscriber+) Sync Rule Creation vulnerability
Missing Authorization to Authenticated (Subscriber+) Sync Rule Creation vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin FuseWP versions <= 1.1.23.0...
WordPress Core <= 1.0.1 is vulnerable to Cross Site Scripting (XSS)
Software Qzzr Shortcode Type WordPress Core Vulnerable versions <= 1.0.1 Fixed in N/A OWASP Top 10 A7: Cross-Site Scripting (XSS) Classification Cross Site Scripting (XSS) CVE CVE-2025-11806 Patch priority Low CVSS severity Low 6.5 Developer Claim ownership PSID 8319539fe579 Credits zakaria Required...
WordPress Jobmonster Theme <= 4.8.1 is vulnerable to Broken Authentication
Software Jobmonster Type Theme Vulnerable versions <= 4.8.1 Fixed in 4.8.2 OWASP Top 10 A7: Identification and Authentication Failures Classification Broken Authentication CVE CVE-2025-5397 Patch priority High CVSS severity High 9.8 Developer Claim ownership PSID 91f66baeb6e0 Credits Thái An...
WordPress SmartMag theme <= 10.3.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme SmartMag versions <= 10.3.1...
WordPress Masterstudy theme < 4.8.126 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Masterstudy versions < 4.8.126...
WordPress Frontend File Manager plugin <= 23.2 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Frontend File Manager versions <= 23.2...
WordPress Smart Coupons for WooCommerce plugin <= 2.2.3 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Smart Coupons for WooCommerce versions <= 2.2.3...
WordPress WebToffee eCommerce Marketing Automation plugin <= 2.1.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin WebToffee eCommerce Marketing Automation versions <= 2.1.1...
WordPress Product Feed for WooCommerce plugin <= 2.3.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Product Feed for WooCommerce versions <= 2.3.1...
WordPress Order Export & Order Import for WooCommerce plugin <= 2.6.7 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Order Export & Order Import for WooCommerce versions <= 2.6.7...
WordPress Advanced Database Cleaner plugin <= 3.1.6 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by Bao - BlueRock in WordPress Plugin Advanced Database Cleaner versions <= 3.1.6...
WordPress Booster for WooCommerce plugin <= 7.4.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Booster for WooCommerce versions <= 7.4.0...
WordPress Accessibility Toolkit by WebYes plugin <= 2.0.4 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Accessibility Toolkit by WebYes versions <= 2.0.4...
WordPress Arconix Shortcodes plugin <= 2.1.18 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Arconix Shortcodes versions <= 2.1.18...