WordPress ServerBuddy by PluginBuddy.com plugin <= 1.0.5 - CSRF to PHP Object Injection vulnerability
CSRF to PHP Object Injection vulnerability discovered by Nguyen Xuan Chien (Patchstack Alliance) in WordPress Plugin ServerBuddy by PluginBuddy.com versions <= 1.0.5...
WordPress ProfilePress plugin <= 4.16.4 - Unauthenticated Arbitrary Shortcode Execution vulnerability
Unauthenticated Arbitrary Shortcode Execution vulnerability discovered by WordFence in WordPress Plugin ProfilePress versions <= 4.16.4...
WordPress Soledad theme <= 8.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'pcsml_smartlists_h' vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'pcsml_smartlists_h' vulnerability discovered by stealthcopter in WordPress Theme Soledad versions <= 8.6.7...
WordPress Soledad theme <= 8.6.7 - Authenticated (Contributor+) Local File Inclusion via 'header_layout' vulnerability
Authenticated (Contributor+) Local File Inclusion via 'header_layout' vulnerability discovered by stealthcopter in WordPress Theme Soledad versions <= 8.6.7...
WordPress Soledad theme <= 8.6.7 - Unauthenticated Arbitrary Shortcode Execution vulnerability
Unauthenticated Arbitrary Shortcode Execution vulnerability discovered by stealthcopter in WordPress Theme Soledad versions <= 8.6.7...
WordPress BetterDocs plugin <= 4.1.1 - Missing Authorization to Private And Password-Protected Posts Information Disclosure vulnerability
Missing Authorization to Private And Password-Protected Posts Information Disclosure vulnerability discovered by xitsec in WordPress Plugin BetterDocs versions <= 4.1.1...
WordPress Drag and Drop Multiple File Upload for Contact Form 7 plugin <= 1.3.9.0 - Directory Traversal via `wpcf7_guest_user_id` Cookie vulnerability
Directory Traversal via `wpcf7_guest_user_id` Cookie vulnerability discovered by Thien Tran in WordPress Plugin Drag and Drop Multiple File Upload – Contact Form 7 versions <= 1.3.9.0...
WordPress Advanced iFrame plugin <= 2025.6 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by zer0gh0st in WordPress Plugin Advanced iFrame versions <= 2025.6...
WordPress User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin <= 3.14.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability
Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability discovered by Alex in WordPress Plugin Profile Builder versions <= 3.14.3...
WordPress School Management System for Wordpress plugin <= 93.2.0 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by Lucio Sá in WordPress Plugin School Management versions <= 93.2.0...
WordPress WPGYM - Wordpress Gym Management System plugin <= 67.7.0 - Authenticated (Subscriber+) Local File Inclusion to Privilege Escalation via Password Update vulnerability
WordPress WPGYM - Wordpress Gym Management System plugin <= 67.7.0 - Authenticated (Subscriber+) Local File Inclusion to Privilege Escalation via Password Update vulnerability discovered by WordFence in WordPress Plugin WPGYM versions <= 67.7.0...
WordPress WPGYM plugin <= 67.7.0 - Missing Authorization to Admin Account Creation vulnerability
Missing Authorization to Admin Account Creation vulnerability discovered by Foxyyy in WordPress Plugin WPGYM versions <= 67.7.0...
WordPress Intl DateTime Calendar plugin <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via date Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via date Parameter vulnerability discovered by Gilang in WordPress Plugin Intl DateTime Calendar versions <= 1.0.1...
WordPress Anber Elementor Addon plugin <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Carousel button link vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Carousel button link vulnerability discovered by dayea song in WordPress Plugin Anber Elementor Addon versions <= 1.0.1...
WordPress Soledad Theme <= 8.6.7 is vulnerable to Cross Site Scripting (XSS)
Software: Soledad; Type: Theme; Vulnerable versions: <= 8.6.7; Fixed in: 8.6.8; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2025-8143; Patch priority: Low; CVSS severity: Low (6.5); PSID: 2b64551fa293; Credits: stealthcopter; Required privilege...
WordPress Soledad Theme <= 8.6.7 is vulnerable to Local File Inclusion
Software: Soledad; Type: Theme; Vulnerable versions: <= 8.6.7; Fixed in: 8.6.8; OWASP Top 10: A1: Injection; Classification: Local File Inclusion; CVE: CVE-2025-8142; Patch priority: Low; CVSS severity: Low (8.8); PSID: e6e0ba39a319; Credits: stealthcopter; Required privilege: Contributor; Publish...
WordPress Soledad Theme <= 8.6.7 is vulnerable to Content Injection
Software: Soledad; Type: Theme; Vulnerable versions: <= 8.6.7; Fixed in: 8.6.8; OWASP Top 10: A3: Injection; Classification: Content Injection; CVE: CVE-2025-8105; Patch priority: Medium; CVSS severity: Medium (7.3); PSID: e2b9e7dc47fd; Credits: stealthcopter; Required privilege: Unauthenticated...
WordPress Linux Promotional Plugin plugin <= 1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by johska in WordPress Plugin Linux Promotional Plugin versions <= 1.4...
WordPress Earnware Connect plugin <= 1.0.73 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by muhammad yudha in WordPress Plugin Earnware Connect versions <= 1.0.73...
WordPress Embed Bokun plugin <= 0.23 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via align Parameter vulnerability discovered by Peter Thaleikis in WordPress Plugin Embed Bokun versions <= 0.23...
WordPress Last.fm Recent Album Artwork plugin <= 1.0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by johska in WordPress Plugin Last.fm Recent Album Artwork versions <= 1.0.2...
WordPress Surbma | Recent Comments Shortcode plugin <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by muhammad yudha in WordPress Plugin Surbma | Recent Comments Shortcode versions <= 2.0...
WordPress Al Pack plugin <= 1.1.1 - Missing Authorization to Unauthenticated Premium Feature Activation via check_activate_permission Function vulnerability
Missing Authorization to Unauthenticated Premium Feature Activation via check_activate_permission Function vulnerability discovered by shark3y in WordPress Plugin AL Pack versions <= 1.1.1...
WordPress LatestCheckins plugin <= 1 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by johska in WordPress Plugin LatestCheckins versions <= 1...
WordPress weichuncai(WP伪春菜) plugin <= 1.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by johska in WordPress Plugin weichuncai(WP伪春菜) versions <= 1.5...
WordPress StoryChief plugin <= 1.0.42 - Unauthenticated Arbitrary File Upload vulnerability
Unauthenticated Arbitrary File Upload vulnerability discovered by mikemyers in WordPress Plugin StoryChief versions <= 1.0.42...
WordPress Poll Maker plugin <= 5.8.9 - Unauthenticated Basic Information Exposure vulnerability
Unauthenticated Basic Information Exposure vulnerability discovered by xiaoAGiao in WordPress Plugin Poll Maker versions <= 5.8.9...
WordPress Plugin README Parser plugin <= 1.3.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via target Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via target Parameter vulnerability discovered by muhammad yudha in WordPress Plugin Plugin README Parser versions <= 1.3.15...
WordPress Icons Factory plugin <= 1.6.12 - Missing Authorization to Unauthenticated Arbitrary File Deletion via delete_files() Function vulnerability
Missing Authorization to Unauthenticated Arbitrary File Deletion via delete_files() Function vulnerability discovered by johska in WordPress Plugin Icons Factory versions <= 1.6.12...
WordPress Add User Meta plugin <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by johska in WordPress Plugin Add User Meta versions <= 1.0.1...
WordPress Assistant for NextGEN Gallery plugin <= 1.0.9 - Unauthenticated Arbitrary Directory Deletion vulnerability
Unauthenticated Arbitrary Directory Deletion vulnerability discovered by theviper17y in WordPress Plugin Assistant for NextGEN Gallery versions <= 1.0.9...
WordPress elink – Embed Content plugin <= 1.1.0 - Authenticated (Contributor+) Insufficient Input Validation vulnerability
Authenticated (Contributor+) Insufficient Input Validation vulnerability discovered by Shreyas Malhotra shreyas-malhotra in WordPress Plugin elink – Embed Content versions <= 1.1.0...
WordPress Bit Form – Contact Form plugin <= 2.20.3 - Unauthenticated Arbitrary File Upload vulnerability
Unauthenticated Arbitrary File Upload vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Bit Form versions <= 2.20.3...
WordPress tPlayer plugin <= 1.2.1.6 - SQL Injection vulnerability
SQL Injection vulnerability discovered by 0xd4rk5id3 in WordPress Plugin tPlayer versions <= 1.2.1.6...
WordPress WP Discord Post Plus – Supports Unlimited Channels plugin <= 1.0.2 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by Bao BlueRock in WordPress Plugin WP Discord Post Plus – Supports Unlimited Channels versions <= 1.0.2...
WordPress Extensive VC Addons for WPBakery page builder plugin <= 1.9.1 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Extensive VC Addons for WPBakery page builder versions <= 1.9.1...
WordPress Dropshix plugin <= 4.0.14 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Vinit Lakra (Patchstack Alliance) in WordPress Plugin Dropshix versions <= 4.0.14...
WordPress Uji Countdown plugin <= 2.3.3 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Uji Countdown versions <= 2.3.3...
WordPress Vertical scroll slideshow gallery v2 plugin <= 9.1 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Peter Thaleikis (Patchstack Alliance) in WordPress Plugin Vertical scroll slideshow gallery v2 versions <= 9.1...
WordPress Ultimate Video Player Plugin <= 10.1 - Broken Access Control Vulnerability
Broken Access Control Vulnerability discovered by Anhchangmutrang in WordPress Plugin Ultimate Video Player versions <= 10.1...
WordPress School Management Plugin <= 93.2.0 - Broken Access Control Vulnerability
Broken Access Control Vulnerability discovered by Nguyen Kim Sang in WordPress Plugin School Management versions <= 93.2.0...
WordPress School Management Plugin <= 93.1.0 - Insecure Direct Object References (IDOR) Vulnerability
Insecure Direct Object References (IDOR) Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Plugin School Management versions <= 93.1.0...
WordPress School Management Plugin <= 93.2.0 - SQL Injection Vulnerability
SQL Injection Vulnerability discovered by Cút lộn xào me in WordPress Plugin School Management versions <= 93.2.0...
WordPress SMS Alert Order Notifications plugin <= 3.8.5 - SQL Injection vulnerability
SQL Injection vulnerability discovered by ChuongVN in WordPress Plugin SMS Alert Order Notifications versions <= 3.8.5...
WordPress Directory Pro plugin <= 2.5.5 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Directory Pro versions <= 2.5.5...
WordPress EventON Lite plugin <= 2.4.6 - Authenticated (Contributor+) Information Disclosure vulnerability
Authenticated (Contributor+) Information Disclosure vulnerability discovered by Takihana Shota in WordPress Plugin EventON versions <= 2.4.6...
WordPress Gestion de tarifs plugin <= 1.4 - Authenticated (Contributor+) SQL Injection vulnerability
Authenticated (Contributor+) SQL Injection vulnerability discovered by johska in WordPress Plugin Gestion de tarifs versions <= 1.4...
WordPress BizCalendar Web plugin <= 1.1.0.50 - Authenticated (Contributor+) Local File Inclusion vulnerability
Authenticated (Contributor+) Local File Inclusion vulnerability discovered by muhammad yudha in WordPress Plugin bizcalendar-web versions <= 1.1.0.53...
WordPress Radius Blocks plugin <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via subHeadingTagName Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via subHeadingTagName Parameter vulnerability discovered by Peter Thaleikis in WordPress Plugin Radius Blocks versions <= 2.2.1...
WordPress Alobaidi Captcha plugin <= 1.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Alobaidi Captcha versions <= 1.0.3...