45987 matches found
WordPress eID Easy plugin <= 4.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter vulnerability discovered by Peter Thaleikis in WordPress Plugin eID Easy versions <= 4.9.3...
WordPress Blog Designer For Elementor plugin <= 1.1.7 - Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery vulnerability discovered by wesley wcraft in WordPress Plugin Blog Designer For Elementor versions <= 1.1.7...
WordPress Elements Plus! plugin <= 2.16.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets vulnerability discovered by zer0gh0st in WordPress Plugin Elements Plus! versions <= 2.16.4...
WordPress Digital Events Calendar plugin <= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via column Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via column Parameter vulnerability discovered by Peter Thaleikis in WordPress Plugin Digital Events Calendar versions <= 1.0.8...
WordPress ThemeLoom Widgets plugin <= 1.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Gilang in WordPress Plugin ThemeLoom Widgets versions <= 1.8.5...
WordPress Mixtape plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Gilang in WordPress Plugin Mixtape versions <= 1.1...
WordPress AutoCatSet plugin <= 2.1.4 - Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery vulnerability discovered by Nabil Irawan in WordPress Plugin AutoCatSet versions <= 2.1.4...
WordPress Run Log plugin <= 1.7.10 - Cross-Site Request Forgery to Settings Update vulnerability
Cross-Site Request Forgery to Settings Update vulnerability discovered by Claw.k in WordPress Plugin Run Log versions <= 1.7.10...
WordPress Ultimate Classified Listings plugin <= 1.6 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update vulnerability
Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update vulnerability discovered by Ivan Kuzymchak in WordPress Plugin Ultimate Classified Listings versions <= 1.6...
WordPress WP Scriptcase plugin <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin WP Scriptcase versions <= 2.0.0...
WordPress Admin in English with Switch plugin <= 1.1 - Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery vulnerability discovered by Claw.k in WordPress Plugin Admin in English with Switch versions <= 1.1...
WordPress Seo Monster plugin <= 3.3.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by Claw.k in WordPress Plugin Seo Monster versions <= 3.3.3...
WordPress azurecurve BBCode plugin <= 2.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via url Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin azurecurve BBCode versions <= 2.0.4...
WordPress User Meta – User Profile Builder and User management plugin plugin <= 3.1.2 - Authenticated (Subscriber+) Arbitrary File Deletion vulnerability
Authenticated (Subscriber+) Arbitrary File Deletion vulnerability discovered by Kishan Vyas in WordPress Plugin User Meta versions <= 3.1.2...
WordPress Workable API plugin <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via workable_jobs Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via workable_jobs Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Workable Api versions <= 1.0.4...
WordPress Coupon API plugin <= 6.2.12 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Coupon API versions <= 6.2.12...
WordPress All in one Minifier plugin <= 3.2 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by p0cket in WordPress Plugin All in one Minifier versions <= 3.2...
WordPress Responsive Addons for Elementor plugin <= 2.0.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by zer0gh0st in WordPress Plugin Responsive Addons for Elementor versions <= 2.0.1...
WordPress Catalog Importer, Scraper & Crawler plugin <= 5.1.4 - Unauthenticated PHP Code Injection vulnerability
Unauthenticated PHP Code Injection vulnerability discovered by CVEhunter in WordPress Plugin Catalog Importer, Scraper & Crawler versions <= 5.1.4...
WordPress BeyondCart Connector plugin <= 3.0.1 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by kr0d in WordPress Plugin BeyondCart Connector versions <= 3.0.1...
WordPress Evenium plugin <= 1.3.11 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Peter Thaleikis in WordPress Plugin Evenium versions <= 1.3.11...
WordPress Jobify plugin <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via keyword Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via keyword Parameter vulnerability discovered by Muhammad Yudha - DJ in WordPress Theme Jobify versions <= 1.4.4...
WordPress Salon booking system plugin <= 10.22 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by CodeCheq Devs in WordPress Plugin Salon booking system versions <= 10.22...
WordPress Mitfahrgelegenheit plugin <= 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via date Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via date Parameter vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Mitfahrgelegenheit versions <= 1.1.5...
WordPress Analytics Reduce Bounce Rate plugin <= 2.3 - Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery vulnerability discovered by Nabil Irawan in WordPress Plugin Analytics Reduce Bounce Rate versions <= 2.3...
WordPress Smartcat Translator for WPML plugin <= 3.1.72 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Peter Thaleikis in WordPress Plugin Smartcat Translator for WPML versions <= 3.1.72...
WordPress Certifica WP plugin <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via evento Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via evento Parameter vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Certifica WP versions <= 3.1...
WordPress Plugin updates blocker plugin <= 0.2 - Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery vulnerability discovered by Nabil Irawan in WordPress Plugin Plugin updates blocker versions <= 0.2...
WordPress CatFolders plugin <= 2.5.2 - Authenticated (Author+) SQL Injection via CSV Import vulnerability
Authenticated (Author+) SQL Injection via CSV Import vulnerability discovered by SnailSploit in WordPress Plugin CatFolders versions <= 2.5.2...
WordPress Jobify - Job Board WordPress Theme Theme <= 1.4.4 is vulnerable to Cross Site Scripting (XSS)
Software: Jobify - Job Board WordPress Theme; Type: Theme; Vulnerable versions: <= 1.4.4; Fixed in: N/A; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2025-8318; Patch priority: Low; CVSS severity: Low (6.5); PSID: edb43386dd8c; Credits: Muhammad...
WordPress Resca theme <= 3.0.2 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Resca versions <= 3.0.2...
WordPress XStore theme < 9.6.1 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Rafie Muhammad Patchstack in WordPress Theme XStore versions < 9.6.1...
WordPress XStore theme < 9.6 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Rafie Muhammad Patchstack in WordPress Theme XStore versions < 9.6...
WordPress XStore theme < 9.6.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Rafie Muhammad Patchstack in WordPress Theme XStore versions < 9.6.1...
WordPress Authorsy Plugin <= 1.0.5 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Denver Jackson Patchstack Alliance in WordPress Plugin Authorsy versions <= 1.0.5...
WordPress Responsive Filterable Portfolio plugin <= 1.0.24 - Authenticated (Admin+) Arbitrary File Upload vulnerability
Authenticated (Admin+) Arbitrary File Upload vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Responsive Filterable Portfolio versions <= 1.0.24...
WordPress WP All Import plugin <= 3.9.3 - Authenticated (Admin+) Limited Unsafe File Upload vulnerability
Authenticated (Admin+) Limited Unsafe File Upload vulnerability discovered by Nguyen Quang Truong Roll in WordPress Plugin WP All Import versions <= 3.9.3...
WordPress PagBank / PagSeguro Connect plugin <= 4.44.3 - Authenticated (Shop Manager+) SQL Injection vulnerability
Authenticated (Shop Manager+) SQL Injection vulnerability discovered by Moose Love in WordPress Plugin PagBank / PagSeguro Connect versions <= 4.44.3...
WordPress PeachPay Payments plugin <= 1.117.5 - Authenticated (Contributor+) SQL Injection via order_by Parameter vulnerability
Authenticated (Contributor+) SQL Injection via order_by Parameter vulnerability discovered by Peter Thaleikis in WordPress Plugin PeachPay Payments versions <= 1.117.5...
WordPress NitroPack plugin <= 1.18.4 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update via nitropack_set_compression_ajax Function vulnerability
Missing Authorization to Authenticated (Subscriber+) Limited Settings Update via nitropack_set_compression_ajax Function vulnerability discovered by Peter Thaleikis in WordPress Plugin NitroPack versions <= 1.18.4...
WordPress WP Import – Ultimate CSV XML Importer plugin <= 7.27 - Missing Authorization to Authenticated (Subscriber+) FTP/SFTP Credential Exposure vulnerability
Missing Authorization to Authenticated (Subscriber+) FTP/SFTP Credential Exposure vulnerability discovered by Arkadiusz Hydzik in WordPress Plugin WP Ultimate CSV Importer versions <= 7.27...
WordPress WP Blast plugin <= 1.8.6 - Cross-Site Request Forgery to Cache Clearing vulnerability
Cross-Site Request Forgery to Cache Clearing vulnerability discovered by Nabil Irawan in WordPress Plugin WP Blast versions <= 1.8.6...
WordPress MyBrain Utilities plugin <= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Gilang in WordPress Plugin MyBrain Utilities versions <= 1.0.8...
WordPress Heateor Login – Social Login Plugin plugin <= 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Gilang in WordPress Plugin Heateor Login versions <= 1.1.9...
WordPress Resideo Plugin for Resideo - Real Estate WordPress Theme plugin <= 2.5.4 - Authenticated (Subscriber+) Insecure Direct Object Reference to Privilege Escalation via Account Takeover vulnerability
WordPress Resideo Plugin for Resideo - Real Estate WordPress Theme plugin <= 2.5.4 - Authenticated (Subscriber+) Insecure Direct Object Reference to Privilege Escalation via Account Takeover vulnerability discovered by Alyudin Nafiie in WordPress Plugin Resideo Plugin for Resideo versions <= 2.5.4...
WordPress WPGYM - Wordpress Gym Management System plugin <= 67.7.0 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover vulnerability
WordPress WPGYM - Wordpress Gym Management System plugin <= 67.7.0 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover vulnerability discovered by Michelle Porter in WordPress Plugin WPGYM versions <= 67.7.0...
WordPress Auto Save Remote Images (Drafts) plugin <= 1.0.9 - Authenticated (Contributor+) Server-Side Request Forgery vulnerability
Authenticated (Contributor+) Server-Side Request Forgery vulnerability discovered by Nabil Irawan in WordPress Plugin Auto Save Remote Images (Drafts) versions <= 1.0.9...
WordPress Testimonial plugin <= 2.3 - Authenticated (Contributor+) SQL Injection vulnerability
Authenticated (Contributor+) SQL Injection vulnerability discovered by ch4r0n in WordPress Plugin IndiaNIC Testimonial versions <= 2.3...
WordPress Duplicate Page and Post plugin <= 2.9.5 - Authenticated (Contributor+) SQL Injection via meta_key Parameter vulnerability
Authenticated (Contributor+) SQL Injection via meta_key Parameter vulnerability discovered by ISMAILSHADOW in WordPress Plugin Duplicate Page and Post versions <= 2.9.5...
WordPress Maspik plugin <= 2.5.6 - Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery vulnerability discovered by Dmitrii Ignatyev in WordPress Plugin Maspik – Spam blacklist versions <= 2.5.6...