45983 matches found
WordPress Download Manager plugin <= 3.3.23 - Reflected Cross-Site Scripting via `user_ids` Parameter vulnerability
Reflected Cross-Site Scripting via `user_ids` Parameter vulnerability discovered by vgo0 in WordPress Plugin Download Manager versions <= 3.3.23...
WordPress Service Finder SMS System plugin <= 2.0.0 - Authentication Bypass vulnerability
Authentication Bypass vulnerability discovered by Foxyyy in WordPress Plugin Service Finder SMS System versions <= 2.0.0...
WordPress Kubio AI Page Builder plugin <= 2.6.3 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Installation vulnerability
Missing Authorization to Authenticated (Subscriber+) Limited Plugin Installation vulnerability discovered by wesley wcraft in WordPress Plugin Kubio AI Page Builder versions <= 2.6.3...
WordPress WP Hotel Booking plugin < 2.2.3 - Subscriber+ Rating Manipulation vulnerability
Subscriber+ Rating Manipulation vulnerability discovered by Muhammed Çelik in WordPress Plugin WP Hotel Booking versions < 2.2.3...
WordPress JetEngine plugin <= 3.7.3 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by stealthcopter in WordPress Plugin JetEngine versions <= 3.7.3...
WordPress Password Reset with Code plugin < 0.0.17 - Insecure Password Reset Code Creation vulnerability
Insecure Password Reset Code Creation vulnerability discovered by Tommaso Gregori p1s1o in WordPress Plugin Password Reset with Code for WordPress REST API versions < 0.0.17...
WordPress Ghost Kit plugin <= 3.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by zer0gh0st in WordPress Plugin Ghost Kit versions <= 3.4.3...
WordPress WPLegalPages plugin <= 3.4.3 - Missing Authorization to Authenticated (Contributor+) Arbitrary Plugin Installation vulnerability
Missing Authorization to Authenticated (Contributor+) Arbitrary Plugin Installation vulnerability discovered by wesley wcraft in WordPress Plugin WPLegalPages versions <= 3.4.3...
WordPress Chained Quiz plugin <= 1.3.5 - Unauthenticated Insecure Direct Object Reference via Cookie vulnerability
Unauthenticated Insecure Direct Object Reference via Cookie vulnerability discovered by Karuppiah Sabari Kumar in WordPress Plugin Chained Quiz versions <= 1.3.5...
WordPress Essential Addons for Elementor plugin <= 6.2.4 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Peter Thaleikis in WordPress Plugin Essential Addons for Elementor versions <= 6.2.4...
WordPress Quantities and Units for WooCommerce plugin <= 1.0.13 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Quantities and Units for WooCommerce versions <= 1.0.13...
WordPress Medcity theme < 1.1.9 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Medcity versions < 1.1.9...
WordPress Leblix Theme <= 2.4 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Leblix versions <= 2.4...
WordPress Entrada theme <= 5.7.7 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Entrada versions <= 5.7.7...
WordPress Sydney plugin <= 2.56 - Missing Authorization to Authenticated (Subscriber+) Limited Theme Options Update vulnerability
Missing Authorization to Authenticated (Subscriber+) Limited Theme Options Update vulnerability discovered by Dmitrii Ignatyev in WordPress Theme Sydney versions <= 2.56...
WordPress Media Player Addons for Elementor plugin <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widget Fields vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widget Fields vulnerability discovered by zer0gh0st in WordPress Plugin Media Player Addons for Elementor – Media Player widget for WP versions <= 1.0.5...
WordPress StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin <= 1.5.0 - Authenticated (Subscriber+) Arbitrary File Download vulnerability
Authenticated (Subscriber+) Arbitrary File Download vulnerability discovered by Ryan Kozak in WordPress Plugin StoreEngine versions <= 1.5.0...
WordPress Leblix Theme <= 2.4 is vulnerable to Local File Inclusion
Software: Leblix; Type: Theme; Vulnerable versions: <= 2.4; Fixed in: 2.5; OWASP Top 10: A3: Injection; Classification: Local File Inclusion; CVE: CVE-2025-58995; Patch priority: High; CVSS severity: High (8.1); Developer: PBM Infotech Private Limited; PSID: 23479542d08b; Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber...
WordPress Entrada Theme <= 5.7.7 is vulnerable to Cross Site Request Forgery (CSRF)
Software: Entrada; Type: Theme; Vulnerable versions: <= 5.7.7; Fixed in: N/A; OWASP Top 10: A1: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2025-58918; Patch priority: Low; CVSS severity: Low (4.3); PSID: 5915a0847dad; Credits: Tran Nguyen Bao Khanh VCI - VN...
WordPress Sydney Theme <= 2.56 is vulnerable to Broken Access Control
Software: Sydney; Type: Theme; Vulnerable versions: <= 2.56; Fixed in: 2.57; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2025-8999; Patch priority: Low; CVSS severity: Low (5.4); PSID: 2b984ceb50d6; Credits: Dmitrii Ignatyev; Required privilege...
WordPress StoreEngine plugin <= 1.5.0 - Authenticated (Subscriber+) Arbitrary File Upload vulnerability
Authenticated (Subscriber+) Arbitrary File Upload vulnerability discovered by Ryan Kozak in WordPress Plugin StoreEngine versions <= 1.5.0...
WordPress Blocksy Companion plugin <= 2.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via blocksy_newsletter_subscribe Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via blocksy_newsletter_subscribe Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Blocksy Companion versions <= 2.1.10...
WordPress WP Import plugin 7.20-7.28 - Authenticated (Subscriber+) Remote Code Execution via Code Injection vulnerability
Authenticated (Subscriber+) Remote Code Execution via Code Injection vulnerability discovered by Arkadiusz Hydzik in WordPress Plugin WP Ultimate CSV Importer versions 7.20-7.28...
WordPress WP Import – Ultimate CSV XML Importer for WordPress plugin <= 7.27 - Authenticated (Subscriber+) Arbitrary File Deletion vulnerability
Authenticated (Subscriber+) Arbitrary File Deletion vulnerability discovered by Arkadiusz Hydzik in WordPress Plugin WP Ultimate CSV Importer versions <= 7.27...
WordPress Quiz Maker plugin <= 6.7.0.56 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by Rahul Sreenivasan Tr0j4n in WordPress Plugin Quiz Maker versions <= 6.7.0.56...
WordPress The Hack Repair Guy's Plugin Archiver plugin <= 2.0.4 - Cross-Site Request Forgery to Arbitrary Directory Deletion in /wp-content vulnerability
Cross-Site Request Forgery to Arbitrary Directory Deletion in /wp-content vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin The Hack Repair Guy's Plugin Archiver versions <= 2.0.4...
WordPress User Sync – Remote User Sync plugin <= 1.0.2 - Cross-Site Request Forgery to Plugin Deactivation vulnerability
Cross-Site Request Forgery to Plugin Deactivation vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin User Sync versions <= 1.0.2...
WordPress Appointmind plugin <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Peter Thaleikis in WordPress Plugin Appointmind versions <= 4.1.0...
WordPress Catch Dark Mode plugin <= 2.0 - Authenticated (Contributor+) Local File Inclusion vulnerability
Authenticated (Contributor+) Local File Inclusion vulnerability discovered by zaim in WordPress Plugin Catch Dark Mode versions <= 2.0...
WordPress USS Upyun plugin <= 1.5.0 - Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery vulnerability discovered by Claw.k in WordPress Plugin USS Upyun versions <= 1.5.0...
WordPress Developer Loggers for Simple History plugin <= 0.5 - Authenticated (Admin+) Local File Inclusion vulnerability
Authenticated (Admin+) Local File Inclusion vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Developer Loggers for Simple History versions <= 0.5...
WordPress Social Media Shortcodes plugin <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by zaim in WordPress Plugin Social Media Shortcodes versions <= 1.3.1...
WordPress Productive Style plugin <= 1.1.23 - Authenticated (Contributor+) Stored Cross-Site Scripting via display_productive_breadcrumb Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via display_productive_breadcrumb Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Productive Style versions <= 1.1.23...
WordPress Wide Banner plugin <= 1.0.4 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Wide Banner versions <= 1.0.4...
WordPress Blaze Demo Importer plugin <= 1.0.12 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install vulnerability
Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install vulnerability discovered by wesley wcraft in WordPress Plugin Blaze Demo Importer versions <= 1.0.12...
WordPress Cerato theme <= 2.2.18 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Cerato versions <= 2.2.18...
WordPress WP Tactical Popup plugin <= 1.1 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Nguyen Xuan Chien Patchstack Alliance in WordPress Plugin WP Tactical Popup versions <= 1.1...
WordPress Accordion plugin <= 2.3.14 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Abu Hurayra in WordPress Plugin Accordion versions <= 2.3.14...
WordPress The Events Calendar plugin <= 6.15.2 - Missing Authorization to Unauthenticated Password-Protected Information Disclosure vulnerability
Missing Authorization to Unauthenticated Password-Protected Information Disclosure vulnerability discovered by Miguel Santareno in WordPress Plugin The Events Calendar versions <= 6.15.2...
WordPress Atarim plugin <= 4.2.1 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by D01EXPLOIT in WordPress Plugin Atarim versions <= 4.2.1...
WordPress Email Template Customizer for WooCommerce plugin <= 1.2.17 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by savphill in WordPress Plugin Email Template Customizer for WooCommerce versions <= 1.2.17...
WordPress Businext theme < 2.4.4 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Businext versions < 2.4.4...
WordPress Falang multilanguage Plugin <= 1.3.65 - PHP Object Injection Vulnerability
PHP Object Injection Vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Falang multilanguage versions <= 1.3.65...
WordPress WPLMS plugin <= 1.9.9.8 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Rafie Muhammad Patchstack in WordPress Plugin WPLMS versions <= 1.9.9.8...
WordPress WPLMS plugin <= 1.9.9.7 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Rafie Muhammad Patchstack in WordPress Plugin WPLMS versions <= 1.9.9.7...
WordPress Grid Plus plugin <= 3.3 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Grid Plus versions <= 3.3...
WordPress The Hack Repair Guy's Plugin Archiver plugin <= 2.0.4 - Authenticated (Administrator+) Arbitrary File Deletion vulnerability
Authenticated (Administrator+) Arbitrary File Deletion vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin The Hack Repair Guy's Plugin Archiver versions <= 2.0.4...
WordPress Contact Form 7 reCAPTCHA plugin <= 1.2.0 - Reflected XSS via $_SERVER['REQUEST_URI'] vulnerability
Reflected XSS via $_SERVER['REQUEST_URI'] vulnerability discovered by Bob Matyas in WordPress Plugin Contact Form 7 reCAPTCHA versions <= 1.2.0...
WordPress jQuery Colorbox plugin <= 4.6.3 - Contributor+ Stored XSS vulnerability
Contributor+ Stored XSS vulnerability discovered by Pierre Rudloff in WordPress Plugin jQuery Colorbox versions <= 4.6.3...
WordPress Fidelo Snippet plugin <= 1.12 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Fidelo Snippet versions <= 1.12...