45977 matches found
WordPress XStore Theme <= 9.5.3 is vulnerable to Content Injection
Software: XStore; Type: Theme; Vulnerable versions: <= 9.5.3; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Content Injection; CVE: CVE-2025-60100; Patch priority: Low; CVSS severity: Low 5.3; PSID: 55131c12c2eb; Credits: Rafie Muhammad Patchstack; Required privilege...
WordPress TheGem Theme <= 5.10.5 is vulnerable to Broken Access Control
Software: TheGem; Type: Theme; Vulnerable versions: <= 5.10.5; Fixed in: 5.10.5.1; OWASP Top 10: A1: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2025-60097; Patch priority: Low; CVSS severity: Low 5.4; PSID: f811c174fae7; Credits: Rafie Muhammad Patchstack; Required...
WordPress TheGem (Elementor) Theme <= 5.10.5 is vulnerable to Broken Access Control
Software: TheGem (Elementor); Type: Theme; Vulnerable versions: <= 5.10.5; Fixed in: 5.10.5.1; OWASP Top 10: A1: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2025-60096; Patch priority: Low; CVSS severity: Low 5.4; PSID: 2ce2db30c88d; Credits: Rafie Muhammad Patchstack...
WordPress Woostify Theme <= 2.4.2 is vulnerable to Cross Site Scripting (XSS)
Software: Woostify; Type: Theme; Vulnerable versions: <= 2.4.2; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2025-60101; Patch priority: Low; CVSS severity: Low 5.9; PSID: a0bb364dd50b; Credits: savphill; Required privilege: Shop Manager; Publish...
WordPress Snow Monkey plugin <= 29.1.5 - Unauthenticated Blind Server-Side Request Forgery vulnerability
Unauthenticated Blind Server-Side Request Forgery vulnerability discovered by elmore in WordPress Theme Snow Monkey versions <= 29.1.5...
WordPress WP-DownloadManager plugin <= 1.68.11 - Authenticated (Admin+) Arbitrary File Upload vulnerability
Authenticated (Admin+) Arbitrary File Upload vulnerability discovered by n4ur15 in WordPress Plugin WP-DownloadManager versions <= 1.68.11...
WordPress Popup Maker plugin <= 1.20.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via title Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via title Parameter vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Popup Maker versions <= 1.20.6...
WordPress Featured Image from URL (FIFU) plugin <= 5.2.7 - Authenticated (Admin+) SQL Injection vulnerability
Authenticated (Admin+) SQL Injection vulnerability discovered by ifoundbug in WordPress Plugin Featured Image from URL versions <= 5.2.7...
WordPress Featured Image from URL (FIFU) plugin <= 5.2.7 - Missing Authorization to Password Protected Post Disclosure vulnerability
Missing Authorization to Password Protected Post Disclosure vulnerability discovered by ifoundbug in WordPress Plugin Featured Image from URL versions <= 5.2.7...
WordPress Featured Image from URL (FIFU) plugin <= 5.2.7 - Unauthenticated Information Exposure via Log File vulnerability
Unauthenticated Information Exposure via Log File vulnerability discovered by ifoundbug in WordPress Plugin Featured Image from URL versions <= 5.2.7...
WordPress System Dashboard plugin <= 2.8.20 - Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery vulnerability discovered by Đỗ Quang Huy in WordPress Plugin System Dashboard versions <= 2.8.20...
WordPress Mapster WP Maps plugin <= 1.20.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by zer0gh0st in WordPress Plugin Mapster WP Maps versions <= 1.20.0...
WordPress Banhammer plugin <= 3.4.8 - Unauthenticated Protection Mechanism Bypass vulnerability
Unauthenticated Protection Mechanism Bypass vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Banhammer versions <= 3.4.8...
WordPress ShopEngine plugin <= 4.8.3 - Insufficient Authorization to Authenticated (Editor+) Settings Update vulnerability
Insufficient Authorization to Authenticated (Editor+) Settings Update vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin ShopEngine versions <= 4.8.3...
WordPress Mega Elements plugin <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Timer Widget vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Timer Widget vulnerability discovered by zer0gh0st in WordPress Plugin Mega Elements versions <= 1.3.2...
WordPress OAuth Single Sign On – SSO (OAuth Client) plugin <= 6.26.12 - Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin OAuth Single Sign On – SSO (OAuth Client) versions <= 6.26.12...
WordPress Widgets for Tiktok Feed plugin <= 1.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Gilang - DJ in WordPress Plugin Widgets for Tiktok Feed versions <= 1.7.3...
WordPress CM Business Directory plugin <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by theviper17y in WordPress Plugin CM Business Directory versions <= 1.5.2...
WordPress Email marketing for WordPress by GetResponse Official plugin <= 1.5.3 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by Bao - BlueRock in WordPress Plugin Email marketing for WordPress by GetResponse Official versions <= 1.5.3...
WordPress Email marketing for WordPress by GetResponse Official plugin <= 1.5.3 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Bao - BlueRock in WordPress Plugin Email marketing for WordPress by GetResponse Official versions <= 1.5.3...
WordPress Download After Email Plugin 2.1.5-2.1.6 - Other Vulnerability Type Vulnerability
Other Vulnerability Type Vulnerability discovered by Marcin 'maskopatol' Nowak in WordPress Plugin Download After Email versions 2.1.5-2.1.6...
WordPress Snow Monkey Theme 29.1.5 is vulnerable to Server Side Request Forgery (SSRF)
Software: Snow Monkey; Type: Theme; Vulnerable versions: 29.1.5; Fixed in: 29.1.6; OWASP Top 10: A1: Injection; Classification: Server Side Request Forgery (SSRF); CVE: CVE-2025-10137; Patch priority: Low; CVSS severity: Low 5.4; PSID: 607b6876f535; Credits: elmore; Required privilege...
WordPress Di Themes Demo Site Importer plugin <= 1.2 - Cross Site Request Forgery (CSRF) to Plugin Activation vulnerability
Cross Site Request Forgery (CSRF) to Plugin Activation vulnerability discovered by Trương Hữu Phúc truonghuuphuc in WordPress Plugin Di Themes Demo Site Importer versions <= 1.2...
WordPress TranslatePress Plugin <= 2.10.2 - Deserialization of untrusted data Vulnerability
Deserialization of untrusted data Vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin TranslatePress versions <= 2.10.2...
WordPress Advanced Settings Plugin <= 3.1.1 - Arbitrary File Upload Vulnerability
Arbitrary File Upload Vulnerability discovered by R1sky in WordPress Plugin Advanced Settings versions <= 3.1.1...
WordPress MultiLoca - WooCommerce Multi Locations Inventory Management plugin <= 4.2.8 - Missing Authorization to Unauthenticated Arbitrary Options Update via 'wcmlim_settings_ajax_handler' vulnerability
WordPress MultiLoca - WooCommerce Multi Locations Inventory Management plugin <= 4.2.8 - Missing Authorization to Unauthenticated Arbitrary Options Update via 'wcmlim_settings_ajax_handler' vulnerability discovered by Thái An in WordPress Plugin MultiLoca versions <= 4.2.8...
WordPress Themify Builder plugin <= 7.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by zer0gh0st in WordPress Plugin Themify Builder versions <= 7.6.9...
Drupal Currency module < 3.5.0 - Unauthenticated Cross Site Request Forgery (CSRF) vulnerability
Unauthenticated Cross Site Request Forgery (CSRF) vulnerability discovered by Juraj Nemec poker10 in WordPress Module Currency versions < 3.5.0...
Drupal Access code module < 2.0.5 - Authenticated Broken Access Control vulnerability
Authenticated Broken Access Control vulnerability discovered by Pierre Rudloff prudloff in WordPress Module Access code versions < 2.0.5...
Drupal Reverse Proxy Header module < 1.1.2 - Unauthenticated Broken Access Control vulnerability
Unauthenticated Broken Access Control vulnerability discovered by Pierre Rudloff prudloff in WordPress Module Reverse Proxy Header versions < 1.1.2...
Drupal Umami Analytics module < 1.0.1 - Authenticated Cross Site Scripting (XSS) vulnerability
Authenticated Cross Site Scripting (XSS) vulnerability discovered by Pierre Rudloff prudloff in WordPress Module Umami Analytics versions < 1.0.1...
Drupal Plausible tracking module < 1.0.2 - Unauthenticated Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) vulnerability discovered by Pierre Rudloff prudloff in WordPress Module Plausible tracking versions < 1.0.2...
WordPress SureForms plugin < 1.9.1 - Admin+ Stored XSS vulnerability
Admin+ Stored XSS vulnerability discovered by Dmitrii Ignatyev in WordPress Plugin SureForms versions < 1.9.1...
WordPress Houzez Theme - Functionality Plugin <= 4.1.2 - Broken Access Control Vulnerability
WordPress Houzez Theme - Functionality Plugin <= 4.1.2 - Broken Access Control Vulnerability discovered by Rafie Muhammad Patchstack in WordPress Plugin Houzez Theme - Functionality versions <= 4.1.2...
WordPress HieCOR Payment Gateway plugin plugin <= 1.5.11 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Nguyen Kim Sang HPT Vietnam in WordPress Plugin HieCOR Payment Gateway Plugin versions <= 1.5.11...
WordPress TF Woo Product Grid Addon For Elementor Plugin <= 1.0.1 - Deserialization of untrusted data Vulnerability
Deserialization of untrusted data Vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin TF Woo Product Grid Addon For Elementor versions <= 1.0.1...
WordPress Super Blank Plugin <= 1.2.0 - Arbitrary Content Deletion Vulnerability
Arbitrary Content Deletion Vulnerability discovered by Denver Jackson in WordPress Plugin Super Blank versions <= 1.2.0...
WordPress BM Content Builder Plugin < 3.16.3.3 - Arbitrary File Deletion Vulnerability
Arbitrary File Deletion Vulnerability discovered by Bonds Patchstack Alliance in WordPress Plugin BM Content Builder versions < 3.16.3.3...
WordPress DentiCare Theme < 1.4.3 - PHP Object Injection Vulnerability
PHP Object Injection Vulnerability discovered by Bonds Patchstack Alliance in WordPress Theme DentiCare versions < 1.4.3...
WordPress Gutenify Plugin <= 1.5.7 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by LVT-tholv2k in WordPress Plugin Gutenify versions <= 1.5.7...
WordPress Sign-up Sheets Plugin <= 2.3.2 - PHP Object Injection Vulnerability
PHP Object Injection Vulnerability discovered by ChuongVN in WordPress Plugin Sign-up Sheets versions <= 2.3.2...
WordPress Houzez Theme - Functionality Plugin <= 4.1.2 - Arbitrary File Download Vulnerability
WordPress Houzez Theme - Functionality Plugin <= 4.1.2 - Arbitrary File Download Vulnerability discovered by Rafie Muhammad Patchstack in WordPress Plugin Houzez Theme - Functionality versions <= 4.1.2...
WordPress VOD Infomaniak plugin <= 1.5.11 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by ? in WordPress Plugin VOD Infomaniak versions <= 1.5.11...
WordPress Goldenblatt theme < 1.3.0 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Bonds in WordPress Theme Goldenblatt versions < 1.3.0...
WordPress WorkScout-Core plugin < 1.7.06 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Bonds in WordPress Plugin WorkScout-Core versions < 1.7.06...
WordPress Goodlayers Core plugin < 2.1.7 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by Bonds in WordPress Plugin Goodlayers Core versions < 2.1.7...
WordPress Addison theme < 1.4.8 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Bonds in WordPress Theme Addison versions < 1.4.8...
WordPress Request a Quote plugin <= 2.5.0 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by muhammad yudha in WordPress Plugin Request a Quote versions <= 2.5.0...
WordPress WP Ticket Customer Service Software & Support Ticket System plugin <= 6.0.0 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by muhammad yudha in WordPress Plugin WP Ticket Customer Service Software & Support Ticket System versions <= 6.0.0...
WordPress Employee Spotlight plugin <= 5.1.0 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by muhammad yudha in WordPress Plugin Employee Spotlight versions <= 5.1.0...