46055 matches found
WordPress Ray Enterprise Translation plugin <= 1.7.1 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Ray Enterprise Translation versions <= 1.7.1...
WordPress Finag theme <= 1.5.0 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Finag versions <= 1.5.0...
WordPress Famita theme <= 1.54 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Famita versions <= 1.54...
WordPress Creatify theme <= 1.5 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Creatify versions <= 1.5...
WordPress TablePress plugin <= 3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode_debug Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode_debug Parameter vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin TablePress versions <= 3.2...
WordPress Ocean Extra plugin <= 2.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via oceanwp_library Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via oceanwp_library Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Ocean Extra versions <= 2.4.9...
WordPress Indutri Theme < 1.3.0 is vulnerable to Local File Inclusion
Software: Indutri; Type: Theme; Vulnerable versions: < 1.3.0; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Local File Inclusion; CVE: CVE-2025-58214; Patch priority: High; CVSS severity: High 8.1; Developer: DDM; PSID: 682e3e6619f4; Credits: Bonds; Required privilege: Unauthenticated; Published: 30 August, 202...
WordPress Ziston Theme < 1.4.5 is vulnerable to Local File Inclusion
Software: Ziston; Type: Theme; Vulnerable versions: < 1.4.5; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Local File Inclusion; CVE: CVE-2025-58215; Patch priority: High; CVSS severity: High 8.1; Developer: DDM; PSID: d5c7d40e79bd; Credits: Bonds; Required privilege: Unauthenticated; Published: 30 August, 2025...
WordPress Booster for WooCommerce plugin <= 7.2.4 - Unauthenticated Double Extension Arbitrary File Upload vulnerability
Unauthenticated Double Extension Arbitrary File Upload vulnerability discovered by luckybuddy in WordPress Plugin Booster for WooCommerce versions <= 7.2.4...
WordPress Slider Revolution plugin <= 6.7.36 - Authenticated (Contributor+) Arbitrary File Read via 'used_svg' and 'used_images' vulnerability
Authenticated (Contributor+) Arbitrary File Read via 'used_svg' and 'used_images' vulnerability discovered by stealthcopter in WordPress Plugin Slider Revolution versions <= 6.7.36...
WordPress iATS Online Forms plugin <= 1.2 - Authenticated (Contributor+) SQL Injection via order Parameter vulnerability
Authenticated (Contributor+) SQL Injection via order Parameter vulnerability discovered by Peter Thaleikis in WordPress Plugin iATS Online Forms versions <= 1.2...
WordPress Related Posts Lite plugin <= 1.12 - Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery vulnerability discovered by Claw.k in WordPress Plugin Related Posts Lite versions <= 1.12...
WordPress PostX Plugin <= 4.1.35 - Privilege Escalation Vulnerability
Privilege Escalation Vulnerability discovered by Denver Jackson in WordPress Plugin PostX versions <= 4.1.35...
WordPress YayPricing plugin <= 3.5.3 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Denver Jackson in WordPress Plugin YayPricing versions <= 3.5.3...
WordPress Printeers Print & Ship plugin <= 1.17.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Printeers Print & Ship versions <= 1.17.0...
WordPress Nifty Backups plugin <= 1.08 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Nifty Backups versions <= 1.08...
WordPress Task Manager plugin <= 3.0.2 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Task Manager versions <= 3.0.2...
WordPress Cookie Notice & Consent plugin <= 1.6.4 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nabil Irawan in WordPress Plugin Cookie Notice & Consent versions <= 1.6.4...
WordPress Sunshine Photo Cart plugin <= 3.5.3 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin Sunshine Photo Cart versions <= 3.5.3...
WordPress Blog Designer PRO plugin <= 3.4.8 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Trương Hữu Phúc truonghuuphuc in WordPress Plugin Blog Designer PRO versions <= 3.4.8...
WordPress MultiSite Clone Duplicator plugin <= 1.5.3 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Ananda Dhakal Patchstack in WordPress Plugin MultiSite Clone Duplicator versions <= 1.5.3...
WordPress Accordion FAQ plugin <= 2.2.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Accordion FAQ versions <= 2.2.1...
WordPress Events Addon for Elementor plugin <= 2.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typewriter and Countdown Widgets vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Typewriter and Countdown Widgets vulnerability discovered by zer0gh0st in WordPress Plugin Events Addon for Elementor versions <= 2.2.9...
WordPress LWSCache plugin <= 2.8.5 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Activation via lwscache_activatePlugin Function vulnerability
Missing Authorization to Authenticated (Subscriber+) Limited Plugin Activation via lwscache_activatePlugin Function vulnerability discovered by wesley wcraft in WordPress Plugin LWSCache versions <= 2.8.5...
WordPress List Subpages plugin <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via title Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via title Parameter vulnerability discovered by Gilang in WordPress Plugin List Subpages versions <= 1.0.6...
WordPress Ultimate Tag Warrior Importer plugin <= 0.2 - Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery vulnerability discovered by Nabil Irawan in WordPress Plugin Ultimate Tag Warrior Importer versions <= 0.2...
WordPress OSM Map Widget for Elementor plugin <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button URL vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Button URL vulnerability discovered by zer0gh0st in WordPress Plugin OSM Map Widget for Elementor versions <= 1.3.0...
WordPress StopBadBots plugin <= 11.58 - Insufficient Authorization to Unauthenticated Blocklist Bypass vulnerability
Insufficient Authorization to Unauthenticated Blocklist Bypass vulnerability discovered by Jarno Vos jarnovos in WordPress Plugin StopBadBots versions <= 11.58...
WordPress Dynamic AJAX Product Filters for WooCommerce plugin <= 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via name Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via name Parameter vulnerability discovered by Peter Thaleikis in WordPress Plugin Dynamic AJAX Product Filters for WooCommerce versions <= 1.3.7...
WordPress Xagio SEO plugin <= 7.1.0.5 - Unauthenticated Sensitive Information Exposure via Unprotected Back-Up Files vulnerability
Unauthenticated Sensitive Information Exposure via Unprotected Back-Up Files vulnerability discovered by wesley wcraft in WordPress Plugin Xagio SEO versions <= 7.1.0.5...
WordPress Ajax Search Lite plugin <= 4.13.1 - Missing Authorization to Unauthenticated Basic Information Exposure via ASL_Query in AJAX Search Handler vulnerability
Missing Authorization to Unauthenticated Basic Information Exposure via ASL_Query in AJAX Search Handler vulnerability discovered by stealthcopter in WordPress Plugin Ajax Search Lite versions <= 4.13.1...
WordPress RingCentral Communications plugin 1.5-1.6.8 - Missing Server‑Side Verification to Authentication Bypass via ringcentral_admin_login_2fa_verify Function
Missing Server‑Side Verification to Authentication Bypass via ringcentral_admin_login_2fa_verify Function vulnerability discovered by kr0d in WordPress Plugin RingCentral Communications versions 1.5-1.6.8...
WordPress Simple Download Monitor plugin <= 3.9.33 – Authenticated (Contributor+) SQL Injection via order parameter in Log Export functionality vulnerability
Authenticated (Contributor+) SQL Injection via order parameter in Log Export functionality vulnerability discovered by dutafi in WordPress Plugin Simple Download Monitor versions <= 3.9.33...
WordPress ArcHub theme <= 1.2.12 - Missing Authorization to Authenticated (Subscriber+) All Plugins Deactivated vulnerability
Missing Authorization to Authenticated (Subscriber+) All Plugins Deactivated vulnerability discovered by Lucio Sá in WordPress Theme ArcHub versions <= 1.2.12...
WordPress Hub theme <= 5.0.7 - Missing Authorization to Authenticated (Subscriber+) All Plugins Deactivated vulnerability
Missing Authorization to Authenticated (Subscriber+) All Plugins Deactivated vulnerability discovered by Lucio Sá in WordPress Theme Hub versions <= 1.2.12...
WordPress WP ULike Pro plugin <= 1.9.3 - Unauthenticated Limited Arbitrary File Upload vulnerability
Unauthenticated Limited Arbitrary File Upload vulnerability discovered by wesley wcraft in WordPress Plugin WP ULike Pro versions <= 1.9.3...
WordPress Booking Calendar plugin <= 10.14.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Cody Sixteen in WordPress Plugin Booking Calendar versions <= 10.14.1...
WordPress File Manager, Code Editor, and Backup by Managefy plugin <= 1.4.8 - Authenticated (Admin+) Path Traversal to Arbitrary File Download vulnerability
Authenticated (Admin+) Path Traversal to Arbitrary File Download vulnerability discovered by Đỗ Quang Huy in WordPress Plugin File Manager, Code Editor, and Backup by Managefy versions <= 1.4.8...
WordPress Unlimited Elements For Elementor plugin <= 1.5.148 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin Unlimited Elements For Elementor Free Widgets, Addons, Templates versions <= 1.5.148...
WordPress Video Share VOD – Turnkey Video Site Builder Script plugin <= 2.7.6 - Cross-Site Request Forgery to Command Injection vulnerability
Cross-Site Request Forgery to Command Injection vulnerability discovered by Gai Tanaka in WordPress Plugin Video Share VOD versions <= 2.7.6...
WordPress Beaver Builder plugin <= 2.9.2.1 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by Jack Pas Dark. in WordPress Plugin Beaver Builder versions <= 2.9.2.1...
WordPress UsersWP plugin <= 1.2.42 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by stealthcopter in WordPress Plugin UsersWP versions <= 1.2.42...
WordPress Pronamic Google Maps plugin <= 2.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by zer0gh0st in WordPress Plugin Pronamic Google Maps versions <= 2.4.1...
WordPress Small Package Quotes – USPS Edition Plugin <= 1.3.9 - PHP Object Injection Vulnerability
PHP Object Injection Vulnerability discovered by Drew / mcdruid in WordPress Plugin Small Package Quotes – USPS Edition versions <= 1.3.9...
WordPress Instant Breaking News Plugin <= 1.0 - Cross Site Request Forgery (CSRF) Vulnerability
Cross Site Request Forgery (CSRF) Vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Instant Breaking News versions <= 1.0...
WordPress WP Thumbtack Review Slider Plugin <= 2.6 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Vinit Lakra in WordPress Plugin WP Thumbtack Review Slider versions <= 2.6...
WordPress Booking System Trafft Plugin <= 1.0.14 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Martino Spagnuolo r3verii in WordPress Plugin Booking System Trafft versions <= 1.0.14...
WordPress Epeken All Kurir Plugin <= 2.0.1 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by muhammad yudha in WordPress Plugin Epeken All Kurir versions <= 2.0.1...
WordPress Chatbox Manager Plugin <= 1.2.6 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by theviper17 in WordPress Plugin Chatbox Manager versions <= 1.2.6...
WordPress Makeaholic Theme <= 1.8.5 - Broken Access Control Vulnerability
Broken Access Control Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Makeaholic versions <= 1.8.5...