46082 matches found
WordPress W&D theme <= 1.0 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds in WordPress Theme W&D versions <= 1.0...
WordPress MaxCube theme <= 1.3.1 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds in WordPress Theme MaxCube versions <= 1.3.1...
WordPress OnLeash theme <= 1.5.2 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds in WordPress Theme OnLeash versions <= 1.5.2...
WordPress Fabrica theme <= 1.8.1 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds in WordPress Theme Fabrica versions <= 1.8.1...
WordPress Winger theme <= 1.0.16 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds in WordPress Theme Winger versions <= 1.0.16...
WordPress BugsPatrol theme <= 1.5.0 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Bonds in WordPress Theme BugsPatrol versions <= 1.5.0...
WordPress DJ Rainflow theme <= 1.3.13 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds in WordPress Theme DJ Rainflow versions <= 1.3.13...
WordPress DetailX theme <= 1.10.0 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds in WordPress Theme DetailX versions <= 1.10.0...
WordPress White Rabbit theme <= 1.5.2 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Bonds in WordPress Theme White Rabbit versions <= 1.5.2...
WordPress smart SEO theme <= 2.12 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds in WordPress Theme smart SEO versions <= 2.12...
WordPress Pubzinne theme <= 1.0.12 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds in WordPress Theme Pubzinne versions <= 1.0.12...
WordPress Kicker theme <= 2.2.0 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds in WordPress Theme Kicker versions <= 2.2.0...
WordPress Page Transition plugin <= 1.3 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nabil Irawan Patchstack Alliance in WordPress Plugin Page Transition versions <= 1.3...
WordPress Terms of Service & Privacy Policy Generator plugin <= 1.0 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nabil Irawan Patchstack Alliance in WordPress Plugin Terms of Service & Privacy Policy Generator versions <= 1.0...
WordPress Markup Markdown plugin <= 3.20.6 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by JeonKim in WordPress Plugin Markup Markdown versions <= 3.20.6...
WordPress ColorMag Theme <= 4.0.19 is vulnerable to Broken Access Control
Software: ColorMag; Type: Theme; Vulnerable versions: <= 4.0.19; Fixed in: 4.0.20; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2025-9202; Patch priority: Low; CVSS severity: Low (4.3); PSID: 43bacb806b7e; Credits: Dmitrii Ignatyev; Required privilege...
WordPress FunnelKit plugin <= 3.11.0.2 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by wesley wcraft in WordPress Plugin Funnel Builder by FunnelKit versions <= 3.11.0.2...
WordPress FunnelKit Automations plugin <= 3.6.3 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by wesley wcraft in WordPress Plugin FunnelKit Automations versions <= 3.6.3...
WordPress Nexter Blocks plugin <= 4.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets vulnerability discovered by zer0gh0st in WordPress Plugin Nexter Blocks versions <= 4.5.4...
WordPress Cloudflare Image Resizing plugin <= 1.5.6 - Missing Authentication to Unauthenticated Remote Code Execution via rest_pre_dispatch Hook vulnerability
Missing Authentication to Unauthenticated Remote Code Execution via rest_pre_dispatch Hook vulnerability discovered by kr0d in WordPress Plugin Cloudflare Image Resizing versions <= 1.5.6...
WordPress Flexible Maps plugin <= 1.18.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Flexible Maps Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Flexible Maps Shortcode vulnerability discovered by zer0gh0st in WordPress Plugin Flexible Map versions <= 1.18.0...
WordPress Real Spaces - WordPress Properties Directory Theme plugin <= 3.6 - Unauthenticated Privilege Escalation to Administrator via 'imic_agent_register' vulnerability
WordPress Real Spaces - WordPress Properties Directory Theme plugin <= 3.6 - Unauthenticated Privilege Escalation to Administrator via 'imic_agent_register' vulnerability discovered by Alyudin Nafiie in WordPress Theme Real Spaces versions <= 3.6...
WordPress Real Spaces - WordPress Properties Directory Theme plugin <= 3.5 - Authenticated (Subscriber+) Privilege Escalation to Administrator via 'change_role_member' vulnerability
WordPress Real Spaces - WordPress Properties Directory Theme plugin <= 3.5 - Authenticated (Subscriber+) Privilege Escalation to Administrator via 'change_role_member' vulnerability discovered by Alyudin Nafiie in WordPress Theme Real Spaces versions <= 3.5...
WordPress Media Library Assistant plugin <= 3.27 - Authenticated (Author+) Limited File Deletion vulnerability
Authenticated (Author+) Limited File Deletion vulnerability discovered by wesley wcraft in WordPress Plugin Media Library Assistant versions <= 3.27...
WordPress WPC Smart Compare for WooCommerce plugin <= 6.4.7 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin WPC Smart Compare for WooCommerce versions <= 6.4.7...
WordPress iframe Wrapper plugin <= 0.1.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by muhammad yudha Patchstack Alliance in WordPress Plugin iframe Wrapper versions <= 0.1.1...
WordPress Essential Doo Components for Visual Composer plugin <= 1.9 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by theviper17 Patchstack Alliance in WordPress Plugin Essential Doo Components for Visual Composer versions <= 1.9...
WordPress Cookie Warning plugin <= 1.3 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by Nabil Irawan Patchstack Alliance in WordPress Plugin Cookie Warning versions <= 1.3...
WordPress Cookie Warning plugin <= 1.3 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nabil Irawan Patchstack Alliance in WordPress Plugin Cookie Warning versions <= 1.3...
WordPress Muut – Commenting and Forums Re-Imagined plugin <= 3.0.6 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Nguyen Xuan Chien Patchstack Alliance in WordPress Plugin Muut – Commenting and Forums Re-Imagined versions <= 3.0.6...
WordPress MDTF Plugin <= 1.3.3.7 - SQL Injection Vulnerability
SQL Injection Vulnerability discovered by Que Thanh Tuan - Blue Rock in WordPress Plugin MDTF versions <= 1.3.3.7...
WordPress King Addons for Elementor plugin <= 51.1.59 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Abu Hurayra in WordPress Plugin King Addons for Elementor versions <= 51.1.59...
WordPress King Addons for Elementor plugin <= 51.1.59 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Abu Hurayra in WordPress Plugin King Addons for Elementor versions <= 51.1.59...
WordPress Contact Form by Supsystic plugin <= 1.7.36 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by 63n0 in WordPress Plugin Contact Form by Supsystic versions <= 1.7.36...
WordPress Real Spaces Theme <= 3.5 is vulnerable to Privilege Escalation
Software: Real Spaces; Type: Theme; Vulnerable versions: <= 3.5; Fixed in: 3.6; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Privilege Escalation; CVE: CVE-2025-8218; Patch priority: High; CVSS severity: High (8.8); PSID: dbcfbeba0421; Credits: Alyudin Nafiie...
WordPress Real Spaces Theme <= 3.6 is vulnerable to Privilege Escalation
Software: Real Spaces; Type: Theme; Vulnerable versions: <= 3.6; Fixed in: 3.6.1; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Privilege Escalation; CVE: CVE-2025-6758; Patch priority: High; CVSS severity: High (9.8); PSID: 53452ea06b41; Credits: Alyudin Nafiie...
WordPress IDonatePro plugin <= 2.1.9 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin IDonatePro versions <= 2.1.9...
WordPress Slide Puzzle plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Slide Puzzle versions <= 1.0.0...
WordPress Filr plugin <= 1.2.10 - Arbitrary File Deletion vulnerability
Arbitrary File Deletion vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Filr versions <= 1.2.10...
WordPress Jenga Payment Gateway for WooCommerce plugin <= 3.0.15 - SQL Injection vulnerability
SQL Injection vulnerability discovered by 0se1do in WordPress Plugin Jenga Payment Gateway for WooCommerce versions <= 3.0.15...
WordPress Laposta WooCommerce plugin <= 1.9.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nabil Irawan Patchstack Alliance in WordPress Plugin Laposta WooCommerce versions <= 1.9.1...
WordPress Custom Menu plugin <= 1.8 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by muhammad yudha Patchstack Alliance in WordPress Plugin Custom Menu versions <= 1.8...
WordPress Simple Login Log plugin <= 1.1.3 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by mcdruid in WordPress Plugin Simple Login Log versions <= 1.1.3...
WordPress Custom Comment plugin <= 2.1.6 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nabil Irawan Patchstack Alliance in WordPress Plugin Custom Comment versions <= 2.1.6...
WordPress AWStats Script plugin <= 0.3 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nabil Irawan Patchstack Alliance in WordPress Plugin AWStats Script versions <= 0.3...
WordPress Contact Info Widget plugin <= 2.6.2 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Que Thanh Tuan Blue Rock in WordPress Plugin Contact Info Widget versions <= 2.6.2...
WordPress Pending Order Bot plugin <= 1.0.2 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Vinit Lakra Patchstack Alliance in WordPress Plugin Pending Order Bot versions <= 1.0.2...
WordPress Emu2 plugin <= 0.83b - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Emu2 versions <= 0.83b...
WordPress Elizaibots plugin <= 1.0.2 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Mika Patchstack Alliance in WordPress Plugin Elizaibots versions <= 1.0.2...
WordPress WP Emmet plugin <= 0.3.4 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Que Thanh Tuan Blue Rock in WordPress Plugin WP Emmet versions <= 0.3.4...