WordPress Maspik plugin <= 2.5.6 - Authenticated (Subscriber+) Missing Authorization to Spam Log Export vulnerability
Authenticated (Subscriber+) Missing Authorization to Spam Log Export vulnerability discovered by Dmitrii Ignatyev in WordPress Plugin Maspik – Spam blacklist versions <= 2.5.6...
WordPress PowerPack Lite for Elementor plugin <= 2.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting Via 'cursor_url' vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting Via 'cursor_url' vulnerability discovered by zer0gh0st in WordPress Plugin PowerPack Addons for Elementor versions <= 2.9.4...
WordPress Ninja-forms plugin < 3.11.1 - Unauthenticated PHP Object Injection vulnerability
Unauthenticated PHP Object Injection vulnerability discovered by wcraft in WordPress Plugin Ninja Forms versions < 3.11.1...
WordPress WPBOT plugin < 7.1.0 - Admin+ Stored XSS vulnerability
Admin+ Stored XSS vulnerability discovered by Krugov Artyom in WordPress Plugin ChatBot versions < 7.1.0...
WordPress Compress Then Upload plugin < 1.0.5 - Admin+ Arbitrary File Upload vulnerability
Admin+ Arbitrary File Upload vulnerability discovered by Muhammed Çelik in WordPress Plugin Compress Then Upload versions < 1.0.5...
WordPress Easy Appointments plugin <= 3.12.14 - Content Injection vulnerability
Content Injection vulnerability discovered by NAJIB Sinjari in WordPress Plugin Easy Appointments versions <= 3.12.14...
WordPress Advanced Settings Plugin <= 3.1.1 - Cross Site Request Forgery (CSRF) Vulnerability
Cross Site Request Forgery (CSRF) Vulnerability discovered by R1sky in WordPress Plugin Advanced Settings versions <= 3.1.1...
WordPress Accessibility Checker by Equalize Digital Plugin <= 1.31.0 - Broken Access Control Vulnerability
Broken Access Control Vulnerability discovered by Certus Cybersecurity in WordPress Plugin Accessibility Checker by Equalize Digital versions <= 1.31.0...
WordPress WP eBay Product Feeds Plugin <= 3.4.8 - Server Side Request Forgery (SSRF) Vulnerability
Server Side Request Forgery (SSRF) Vulnerability discovered by Nabil Irawan in WordPress Plugin WP eBay Product Feeds versions <= 3.4.8...
WordPress PDF Generator for WordPress Plugin <= 1.5.4 - Broken Access Control Vulnerability
Broken Access Control Vulnerability discovered by Tran Hoang Tuan Kiet in WordPress Plugin PDF Generator for WordPress versions <= 1.5.4...
WordPress BerqWP Plugin <= 2.2.53 - Broken Access Control Vulnerability
Broken Access Control Vulnerability discovered by Bao - BlueRock in WordPress Plugin BerqWP versions <= 2.2.53...
WordPress Export WP Page to Static HTML/CSS Plugin <= 4.1.0 - Broken Access Control Vulnerability
Broken Access Control Vulnerability discovered by Bao - BlueRock in WordPress Plugin Export WP Page to Static HTML/CSS versions <= 4.1.0...
WordPress Pixeline's Email Protector Plugin <= 1.3.8 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Nabil Irawan in WordPress Plugin Pixeline's Email Protector versions <= 1.3.8...
WordPress Include Me Plugin <= 1.3.2 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Jihwan Moon in WordPress Plugin Include Me versions <= 1.3.2...
WordPress Welcart e-Commerce Plugin <= 2.11.20 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by 63n0 in WordPress Plugin Welcart e-Commerce versions <= 2.11.20...
WordPress Additional Custom Product Tabs for WooCommerce Plugin <= 1.7.3 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by muhammad yudha in WordPress Plugin Additional Custom Product Tabs for WooCommerce versions <= 1.7.3...
WordPress Football Pool Plugin <= 2.12.6 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by muhammad yudha in WordPress Plugin Football Pool versions <= 2.12.6...
WordPress My Tickets Plugin <= 2.0.22 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by muhammad yudha in WordPress Plugin My Tickets versions <= 2.0.22...
WordPress Dynamic Text Field For Contact Form 7 Plugin <= 1.0 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Dynamic Text Field For Contact Form 7 versions <= 1.0...
WordPress ShopLentor Plugin <= 3.2.0 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Denver Jackson in WordPress Plugin ShopLentor versions <= 3.2.0...
WordPress WooCommerce Booking Bundle Hours Plugin <= 0.7.4 - Cross Site Request Forgery (CSRF) Vulnerability
Cross Site Request Forgery (CSRF) Vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin WooCommerce Booking Bundle Hours versions <= 0.7.4...
WordPress Tutor LMS Plugin <= 3.7.4 - SQL Injection Vulnerability
SQL Injection Vulnerability discovered by YCInfosec in WordPress Plugin Tutor LMS versions <= 3.7.4...
WordPress Mow Theme <= 4.10 - Cross Site Request Forgery (CSRF) Vulnerability
Cross Site Request Forgery (CSRF) Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Mow versions <= 4.10...
WordPress Mow Theme <= 4.10 is vulnerable to Cross Site Request Forgery (CSRF)
Software: Mow; Type: Theme; Vulnerable versions: <= 4.10; Fixed in: 4.11; OWASP Top 10: A1: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2025-58997; Patch priority: Low; CVSS severity: Low 9.6; PSID: 5da80db52724; Credits: Tran Nguyen Bao Khanh VCI - VNPT...
WordPress Goza theme <= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary File Deletion vulnerability
Missing Authorization to Unauthenticated Arbitrary File Deletion vulnerability discovered by Thái An in WordPress Theme Goza versions 3.2.2...
WordPress Goza theme <= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation vulnerability
Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation vulnerability discovered by GR0V in WordPress Theme Goza versions <= 3.2.2...
WordPress Doccure plugin <= 1.4.8 - Authenticated (Subscriber+) Arbitrary File Upload vulnerability
Authenticated (Subscriber+) Arbitrary File Upload vulnerability discovered by István Márton in WordPress Theme Doccure versions <= 1.4.8...
WordPress AutomatorWP plugin <= 5.3.6 - Missing Authorization To Authenticated (Subscriber+) Remote Code Execution via Automation Creation vulnerability
Missing Authorization To Authenticated (Subscriber+) Remote Code Execution via Automation Creation vulnerability discovered by stealthcopter in WordPress Plugin AutomatorWP versions <= 5.3.6...
WordPress AutomatorWP plugin <= 5.3.7 - Authenticated (Subscriber+) Missing Authorization to Multiple Functions vulnerability
Authenticated (Subscriber+) Missing Authorization to Multiple Functions vulnerability discovered by stealthcopter in WordPress Plugin AutomatorWP versions <= 5.3.7...
WordPress Wilmer Core plugin <= 2.4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by István Márton in WordPress Plugin Wilmer Core versions <= 2.4.5...
WordPress Mikado Core plugin <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by István Márton in WordPress Plugin Mikado Core versions <= 1.5.2...
WordPress WP-Members Membership Plugin plugin <= 3.5.4.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via Profile Names vulnerability
Authenticated (Subscriber+) Arbitrary Shortcode Execution via Profile Names vulnerability discovered by Kishan Vyas in WordPress Plugin WP-Members versions <= 3.5.4.2...
WordPress Ditty plugin < 3.1.58 - Unauthenticated SSRF vulnerability
Unauthenticated SSRF vulnerability discovered by Dmitrii Ignatyev in WordPress Plugin Ditty versions < 3.1.58...
WordPress Doccure plugin <= 1.4.8 - Unauthenticated Arbitrary User Password Change vulnerability
Unauthenticated Arbitrary User Password Change vulnerability discovered by István Márton in WordPress Theme Doccure versions <= 1.4.8...
WordPress Doccure plugin <= 1.4.8 - Unauthenticated Arbitrary File Upload vulnerability
Unauthenticated Arbitrary File Upload vulnerability discovered by István Márton in WordPress Theme Doccure versions <= 1.4.8...
WordPress Insurance Ancora Theme <= 2.10.0 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Insurance Ancora versions <= 2.10.0...
WordPress OldStory Theme <= 2.15.0 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme OldStory versions <= 2.15.0...
WordPress Plastica Theme <= 1.8.0 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Plastica versions <= 1.8.0...
WordPress Childy Theme <= 1.7.0 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Childy versions <= 1.7.0...
WordPress Stratego Theme <= 1.4.0 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Stratego versions <= 1.4.0...
WordPress Solio Theme <= 1.7.0 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Solio versions <= 1.7.0...
WordPress Floria theme <= 1.7.0 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Floria versions <= 1.7.0...
WordPress Def Theme <= 1.4.0 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Def versions <= 1.4.0...
WordPress ShoppyStore theme <= 3.7.16 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds Patchstack Alliance in WordPress Theme ShoppyStore versions <= 3.7.16...
WordPress Autusin theme <= 2.8.5 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds Patchstack Alliance in WordPress Theme Autusin versions <= 2.8.5...
WordPress WC Return products plugin <= 1.5 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Nguyen Xuan Chien Patchstack Alliance in WordPress Plugin WC Return products versions <= 1.5...
WordPress Juno Theme <= 2.25 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by Bonds in WordPress Theme Juno versions <= 2.25...
WordPress Abogado Theme <= 1.14.0 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Abogado versions <= 1.14.0...
WordPress Categorify plugin <= 1.0.7.5 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Categorify versions <= 1.0.7.5...