45960 matches found
WordPress AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant plugin <= 1.6.5 - Unauthenticated CSV Injection vulnerability
Unauthenticated CSV Injection vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin AI Chatbot Free Models versions <= 1.6.5...
WordPress WooCommerce Designer Pro plugin <= 1.9.26 - Unauthenticated Arbitrary File Upload vulnerability
Unauthenticated Arbitrary File Upload vulnerability discovered by Tonn in WordPress Plugin WooCommerce Designer Pro versions <= 1.9.26...
WordPress Jeg Elementor Kit plugin < 2.7.0 - Author+ Stored XSS vulnerability
Author+ Stored XSS vulnerability discovered by Tony in WordPress Plugin Jeg Elementor Kit versions < 2.7.0...
WordPress Orbit Fox plugin < 3.0.2 - Author+ Server-Side Request Forgery vulnerability
Author+ Server-Side Request Forgery vulnerability discovered by Ryan Roth in WordPress Plugin Orbit Fox by ThemeIsle versions < 3.0.2...
WordPress PixelYourSite plugin < 11.1.2 - Admin+ LFI vulnerability
Admin+ LFI vulnerability discovered by Dmitrii Ignatyev in WordPress Plugin PixelYourSite – Your smart PIXEL TAG Manager versions < 11.1.2...
WordPress Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin <= 2.1.4 - Unauthenticated Server-Side Request Forgery vulnerability
Unauthenticated Server-Side Request Forgery vulnerability discovered by Rafshanzani Suhada in WordPress Plugin PopupKit versions <= 2.1.4...
WordPress Slider Templates plugin <= 1.0.3 - Server Side Request Forgery (SSRF) vulnerability
Server Side Request Forgery (SSRF) vulnerability discovered by Nabil Irawan in WordPress Plugin Slider Templates versions <= 1.0.3...
WordPress WPComplete plugin <= 2.9.5.3 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin WPComplete versions <= 2.9.5.3...
WordPress ThemeRain Core plugin <= 1.1.9 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin ThemeRain Core versions <= 1.1.9...
WordPress MDTF plugin <= 1.3.3.9 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin MDTF versions <= 1.3.3.9...
WordPress Advanced FAQ Manager plugin <= 1.5.2 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Advanced FAQ Manager versions <= 1.5.2...
WordPress Real Cookie Banner: GDPR & ePrivacy Cookie Consent plugin <= 5.2.4 - Authenticated (Admin+) Server-Side Request Forgery via scan-without-login Endpoint vulnerability
Authenticated (Admin+) Server-Side Request Forgery via scan-without-login Endpoint vulnerability discovered by SpiderSec in WordPress Plugin Real Cookie Banner versions <= 5.2.4...
WordPress ZoloBlocks plugin <= 2.3.11 - Missing Authorization to Unauthenticated Popup Enable/Disable vulnerability
Missing Authorization to Unauthenticated Popup Enable/Disable vulnerability discovered by Jay in WordPress Plugin ZoloBlocks versions <= 2.3.11...
WordPress URL Shortener Plugin For WordPress plugin <= 3.0.7 - Missing Authorization to Authenticated (Subscriber+) Link Manipulation vulnerability
Missing Authorization to Authenticated (Subscriber+) Link Manipulation vulnerability discovered by ifoundbug in WordPress Plugin URL Shortener versions <= 3.0.7...
WordPress Microsoft Azure Storage for WordPress plugin <= 4.5.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Media Deletion vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary Media Deletion vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Microsoft Azure Storage for WordPress versions <= 4.5.1...
WordPress Multi Item Responsive Slider plugin <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Multi Item Responsive Slider versions <= 1.0...
WordPress Disable Content Editor For Specific Template plugin <= 2.0 - Cross-Site Request Forgery to Template Configuration Update vulnerability
Cross-Site Request Forgery to Template Configuration Update vulnerability discovered by Nabil Irawan in WordPress Plugin Disable Content Editor For Specific Template versions <= 2.0...
WordPress RapidResult plugin <= 1.2 - Authenticated (Contributor+) SQL Injection vulnerability
Authenticated (Contributor+) SQL Injection vulnerability discovered by John Lee in WordPress Plugin RapidResult versions <= 1.2...
WordPress NGINX Cache Optimizer plugin <= 1.1 - Missing Authorization to Authenticated (Subscriber+) Dynamic Caching Exclusion Update vulnerability
Missing Authorization to Authenticated (Subscriber+) Dynamic Caching Exclusion Update vulnerability discovered by Legion Hunter in WordPress Plugin NGINX Cache Optimizer versions <= 1.1...
WordPress AIO Forms plugin <= 1.3.18 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by tmrswrr in WordPress Plugin AIO Forms versions <= 1.3.18...
WordPress Check Plagiarism plugin <= 2.0 - Missing Authorization to Authenticated (Subscriber+) Settings Update vulnerability
Missing Authorization to Authenticated (Subscriber+) Settings Update vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Check Plagiarism versions <= 2.0...
WordPress IndieAuth plugin <= 4.5.4 - Cross-Site Request Forgery to Account Takeover via Stolen OAuth Tokens vulnerability
Cross-Site Request Forgery to Account Takeover via Stolen OAuth Tokens vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin IndieAuth versions <= 4.5.4...
WordPress LLM Hubspot Blog Import plugin <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Hubspot Import vulnerability
Missing Authorization to Authenticated (Subscriber+) Hubspot Import vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin LLM Hubspot Blog Import versions <= 1.0.1...
WordPress VNPAY for Woocommerce plugin <= 1.0.0 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin VNPAY Payment gateway versions <= 1.0.0...
WordPress qnotsquiz plugin <= 1.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Authenticated (Admin+) Stored Cross-Site Scripting vulnerability discovered by dayea song in WordPress Plugin qnotsquiz versions <= 1.0.0...
WordPress Supervisor plugin <= 1.3.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update vulnerability
Missing Authorization to Authenticated (Subscriber+) Settings Update vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Supervisor versions <= 1.3.2...
WordPress Time Clock plugin <= 1.3.1 - Authenticated (Custom+) Stored Cross-Site Scripting vulnerability
Authenticated (Custom+) Stored Cross-Site Scripting vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Time Clock versions <= 1.3.1...
WordPress Simple Excel Pricelist for WooCommerce plugin <= 1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin Simple Excel Pricelist for WooCommerce versions <= 1.13...
WordPress Quickcreator – AI Blog Writer plugin 0.0.9-0.1.17 - Unauthenticated API Key Exposure vulnerability
Unauthenticated API Key Exposure vulnerability discovered by kr0d in WordPress Plugin Quickcreator – AI Blog Writer versions 0.0.9-0.1.17...
WordPress Originality.ai AI Checker plugin <= 1.0.12 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'ai_get_table' vulnerability
Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'ai_get_table' vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Originality.ai AI Checker versions <= 1.0.12...
WordPress Originality.ai AI Checker plugin <= 1.0.12 - Missing Authorization to Authenticated (Subscriber+) Scan Log Deletion via 'ai_scan_result_remove' vulnerability
Missing Authorization to Authenticated (Subscriber+) Scan Log Deletion via 'ai_scan_result_remove' vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Originality.ai AI Checker versions <= 1.0.12...
WordPress Bold Page Builder plugin <= 5.4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via `percentage` Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via `percentage` Parameter vulnerability discovered by Peter Thaleikis in WordPress Plugin Bold Page Builder versions <= 5.4.5...
WordPress Beaver Builder Plugin (Starter Version) plugin <= 2.9.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'auto_play' vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'auto_play' vulnerability discovered by Sulabh Jain pentestmonkey11 in WordPress Plugin Beaver Builder Plugin (Starter Version) versions <= 2.9.2.1...
WordPress MxChat – AI Chatbot for WordPress plugin <= 2.4.6 - Unauthenticated Blind Server-Side Request Forgery vulnerability
Unauthenticated Blind Server-Side Request Forgery vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin MxChat versions <= 2.4.6...
WordPress Feedzy RSS Feeds Lite plugin <= 5.1.0 - Authenticated (Subscriber+) Server-Side Request Forgery vulnerability
Authenticated (Subscriber+) Server-Side Request Forgery vulnerability discovered by Lucas Montes Nirox in WordPress Plugin Feedzy versions <= 5.1.0...
WordPress Sprout Clients plugin <= 3.2.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Sprout Clients versions <= 3.2.1...
WordPress Soledad theme <= 8.6.9 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by Denver Jackson in WordPress Theme Soledad versions <= 8.6.9...
WordPress Builderall Builder for WordPress plugin <= 3.0.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Builderall Builder for WordPress versions <= 3.0.1...
WordPress FanBridge signup plugin <= 0.6 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin FanBridge signup versions <= 0.6...
WordPress Simple Pull Quote plugin <= 1.6.3 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Simple Pull Quote versions <= 1.6.3...
WordPress Academy LMS Pro plugin <= 3.3.7 - Unauthenticated Privilege Escalation via Social Login Addon vulnerability
Unauthenticated Privilege Escalation via Social Login Addon vulnerability discovered by Thái An in WordPress Plugin Academy LMS Pro versions <= 3.3.7...
WordPress Meta Tag Manager plugin < 3.3 - Contributor+ Open Redirect vulnerability
Contributor+ Open Redirect vulnerability discovered by Pierre Rudloff in WordPress Plugin Meta Tag Manager versions < 3.3...
WordPress NS Maintenance Mode for WP plugin <= 1.3.1 - Unauthenticated Subscribers Export vulnerability
Unauthenticated Subscribers Export vulnerability discovered by Khaled Alenazi Nxploited in WordPress Plugin NS Maintenance Mode for WP versions <= 1.3.1...
WordPress WP AdCenter plugin <= 2.6.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Peter Thaleikis in WordPress Plugin WP AdCenter versions <= 2.6.1...
WordPress Listify theme <= 3.2.5 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by Ananda Dhakal Patchstack in WordPress Theme Listify versions <= 3.2.5...
WordPress Email Subscription Popup plugin <= 1.2.26 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Kim YunJi in WordPress Plugin Email Subscription Popup versions <= 1.2.26...
WordPress Posts By Tag plugin <= 3.2.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Posts By Tag versions <= 3.2.1...
WordPress All in One Time Clock Lite plugin <= 2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Clocking In/Out vulnerability
Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Clocking In/Out vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin All in One Time Clock Lite versions <= 2.0...
WordPress Simple Tableau Viz plugin <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by zakaria in WordPress Plugin Simple Tableau Viz versions <= 2.0...
WordPress Mixlr Shortcode plugin <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by zakaria in WordPress Plugin Mixlr Shortcode versions <= 1.0.1...