WordPress Netease Music plugin <= 3.2.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Mika Patchstack Alliance in WordPress Plugin Netease Music versions <= 3.2.1...
WordPress WP Airdrop Manager plugin <= 1.0.5 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nabil Irawan Patchstack Alliance in WordPress Plugin WP Airdrop Manager versions <= 1.0.5...
WordPress Eventin Plugin <= 4.0.31 - PHP Object Injection Vulnerability
PHP Object Injection Vulnerability discovered by Nguyen Ngoc Quang Bach maysbachs in WordPress Plugin Eventin versions <= 4.0.31...
WordPress Billplz Addon for Contact Form 7 Plugin <= 1.2.0 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Peter Thaleikis in WordPress Plugin Billplz Addon for Contact Form 7 versions <= 1.2.0...
WordPress Time Sheets plugin <= 2.1.3 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Nguyen Xuan Chien Patchstack Alliance in WordPress Plugin Time Sheets versions <= 2.1.3...
WordPress Authentication and xmlrpc log writer plugin <= 1.2.2 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Nguyen Xuan Chien Patchstack Alliance in WordPress Plugin Authentication and xmlrpc log writer versions <= 1.2.2...
WordPress Blog Designer PRO plugin <= 3.4.7 - Authenticated Non-Arbitrary Local File Inclusion vulnerability
Authenticated Non-Arbitrary Local File Inclusion vulnerability discovered by Seb in WordPress Plugin Blog Designer PRO versions <= 3.4.7...
WordPress Forms <= 2.9.0 - Arbitrary File Upload Vulnerability
Arbitrary File Upload Vulnerability discovered by astra.r3verii in WordPress Plugin Forms versions <= 2.9.0...
WordPress WordPress Event Manager, Event Calendar and Booking Plugin Plugin <= 4.0.24 - Arbitrary Content Deletion Vulnerability
Arbitrary Content Deletion Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Plugin WordPress Event Manager, Event Calendar and Booking Plugin versions <= 4.0.24...
WordPress Responsive Posts Carousel WordPress Plugin Plugin <= 15.0 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Plugin Responsive Posts Carousel Pro versions <= 15.0...
Drupal Authenticator Login module < 2.1.4 - Unauthenticated Broken Access Control vulnerability
Unauthenticated Broken Access Control vulnerability discovered by Pierre Rudloff prudloff in WordPress Module Authenticator Login versions < 2.1.4...
Drupal Layout Builder Advanced Permissions module < 2.2.1 - Authenticated Broken Access Control vulnerability
Authenticated Broken Access Control vulnerability discovered by Eelke Blok eelkeblok in WordPress Module Layout Builder Advanced Permissions versions < 2.2.1...
WordPress Advanced File Manager plugin <= 5.3.6 - Arbitrary File Deletion vulnerability
Arbitrary File Deletion vulnerability discovered by tiborisaak in WordPress Plugin Advanced File Manager versions <= 5.3.6...
WordPress File Manager Pro plugin <= 8.4.2 - Arbitrary File Deletion vulnerability
Arbitrary File Deletion vulnerability discovered by tiborisaak in WordPress Plugin File Manager Pro versions <= 8.4.2...
WordPress File Manager Pro plugin <= 1.8.9 - Arbitrary File Deletion vulnerability
Arbitrary File Deletion vulnerability discovered by tiborisaak in WordPress Plugin File Manager Pro versions <= 1.8.9...
WordPress Tutor LMS Pro plugin <= 3.7.0 - Authenticated (Tutor Instructor+) SQL Injection vulnerability
Authenticated (Tutor Instructor+) SQL Injection vulnerability discovered by sergioframi in WordPress Plugin Tutor LMS Pro versions <= 3.7.0...
WordPress OceanWP plugin <= 4.0.9 - 4.1.1 - Cross-Site Request Forgery to Ocean Extra Plugin Installation vulnerability
WordPress OceanWP plugin <= 4.0.9 - 4.1.1 - Cross-Site Request Forgery to Ocean Extra Plugin Installation vulnerability discovered by Dmitrii Ignatyev in WordPress Theme OceanWP versions 4.0.9 - 4.1.1...
WordPress Easy restaurant menu manager plugin <= 2.0.2 - Cross-Site Request Forgery to Menu Upload vulnerability
Cross-Site Request Forgery to Menu Upload vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Easy pdf restaurant menu upload versions <= 2.0.2...
WordPress Welcart e-Commerce Plugin <= 2.11.16 - PHP Object Injection Vulnerability
PHP Object Injection Vulnerability discovered by 63n0 in WordPress Plugin Welcart e-Commerce versions <= 2.11.16...
WordPress Frontend Admin by DynamiApps plugin <= 3.28.3 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Frissi0n in WordPress Plugin Frontend Admin by DynamiApps versions <= 3.28.3...
WordPress School Management Plugin <= 1.93.1 (02-07-2025) - Arbitrary File Upload Vulnerability
Arbitrary File Upload Vulnerability discovered by Bonds Patchstack Alliance in WordPress Plugin School Management versions <= 1.93.1 (02-07-2025)...
WordPress Membership For WooCommerce Plugin <= 2.9.0 - Broken Access Control Vulnerability
Broken Access Control Vulnerability discovered by hamza alhababseh in WordPress Plugin Membership For WooCommerce versions <= 2.9.0...
WordPress SoundSt SEO Search plugin <= 1.2.3 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Jieun Kim Patchstack Alliance in WordPress Plugin SoundSt SEO Search versions <= 1.2.3...
WordPress WP Dynamic Links plugin <= 1.0.1 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Nguyen Xuan Chien Patchstack Alliance in WordPress Plugin WP Dynamic Links versions <= 1.0.1...
WordPress WP Voting Plugin <= 1.8 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Nguyen Xuan Chien Patchstack Alliance in WordPress Plugin WP Voting versions <= 1.8...
WordPress File Manager Plugin <= 8.4.2 is vulnerable to Arbitrary File Deletion
Software: File Manager; Type: Plugin; Vulnerable versions: <= 8.4.2; Fixed in: 8.4.3; OWASP Top 10: A3: Injection; Classification: Arbitrary File Deletion; CVE: CVE-2025-0818; Patch priority: High; CVSS severity: High (6.5); PSID: 5d1e46fce6a0; Credits: tiborisaak; Required privilege...
WordPress OceanWP Theme 4.0.9 - 4.1.1 is vulnerable to Cross Site Request Forgery (CSRF)
Software: OceanWP; Type: Theme; Vulnerable versions: 4.0.9 - 4.1.1; Fixed in: 4.1.2; OWASP Top 10: A5: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2025-8891; Patch priority: Low; CVSS severity: Low (4.3); PSID: 1d569e8bf081; Credits: Dmitrii Ignatyev; Requir...
WordPress Master Addons for Elementor plugin <= 2.0.8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via fancyBox vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via fancyBox vulnerability discovered by Webbernaut in WordPress Plugin Master Addons for Elementor versions <= 2.0.9.0...
WordPress Simple Local Avatars plugin <= 2.8.4 - Missing Authorization to Authenticated (Subscriber+) Avatar Migration vulnerability
Missing Authorization to Authenticated (Subscriber+) Avatar Migration vulnerability discovered by Håkon Harnes in WordPress Plugin Simple Local Avatars versions <= 2.8.4...
WordPress AnWP Football Leagues plugin <= 0.16.17 - Authenticated (Administrator+) CSV Injection vulnerability
Authenticated (Administrator+) CSV Injection vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin AnWP Football Leagues versions <= 0.16.17...
WordPress Elementor plugin <= 3.30.2 - Authenticated (Administrator+) Arbitrary File Read via Image Import vulnerability
Authenticated (Administrator+) Arbitrary File Read via Image Import vulnerability discovered by mikemyers in WordPress Plugin Elementor Website Builder versions <= 3.30.2...
WordPress UiCore Elements plugin <= 1.3.0 - Missing Authorization to Unauthenticated Arbitrary File Read vulnerability
Missing Authorization to Unauthenticated Arbitrary File Read vulnerability discovered by mikemyers in WordPress Plugin UiCore Elements versions <= 1.3.0...
WordPress Software Issue Manager plugin <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via noaccess_msg Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via noaccess_msg Parameter vulnerability discovered by muhammad yudha in WordPress Plugin Software Issue Manager versions <= 5.0.0...
WordPress B Blocks plugin <= 2.0.6 - Missing Authorization to Unauthenticated Privilege Escalation via rgfr_registration Function vulnerability
Missing Authorization to Unauthenticated Privilege Escalation via rgfr_registration Function vulnerability discovered by Peter Thaleikis in WordPress Plugin B Blocks versions <= 2.0.6...
WordPress Mosaic Generator plugin <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'c' Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'c' Parameter vulnerability discovered by muhammad yudha in WordPress Plugin Mosaic Generator versions <= 1.0.5...
WordPress Simple Responsive Slider plugin <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by muhammad yudha in WordPress Plugin Simple Responsive Slider versions <= 2.0...
WordPress Wp chart generator plugin <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpchart Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via wpchart Shortcode vulnerability discovered by muhammad yudha in WordPress Plugin Wp chart generator versions <= 1.0.4...
WordPress Inline Stock Quotes plugin <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via stock Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via stock Shortcode vulnerability discovered by muhammad yudha in WordPress Plugin Inline Stock Quotes versions <= 0.2...
WordPress WP Private Content Plus plugin <= 3.6.2 - Unauthenticated Sensitive Information Exposure vulnerability
Unauthenticated Sensitive Information Exposure vulnerability discovered by Luca Epifanio Bitcube Security in WordPress Plugin WP Private Content Plus versions <= 3.6.2...
WordPress WooCommerce Purchase Orders plugin <= 1.0.2 - Authenticated (Subscriber+) Arbitrary File Deletion vulnerability
Authenticated (Subscriber+) Arbitrary File Deletion vulnerability discovered by CVEhunter in WordPress Plugin WooCommerce Purchase Orders versions <= 1.0.2...
WordPress GMap - Venturit plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'h' Parameter vulnerability
WordPress GMap - Venturit plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'h' Parameter vulnerability discovered by muhammad yudha in WordPress Plugin GMap Generator versions <= 1.1...
WordPress RT Easy Builder plugin <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by zer0gh0st in WordPress Plugin RT Easy Builder – Advanced addons for Elementor versions <= 2.3...
WordPress CBX Restaurant Booking plugin <= 1.2.1 - Plugin Reset via CSRF vulnerability
Plugin Reset via CSRF vulnerability discovered by Bob Matyas in WordPress Plugin CBX Restaurant Booking versions <= 1.2.1...
WordPress The7 theme <= 12.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via title and data-dt-img-description Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via title and data-dt-img-description Attributes vulnerability discovered by Webbernaut in WordPress Theme The7 versions <= 12.6.0...
WordPress Qi Blocks plugin <= 1.4.3 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Denver Jackson in WordPress Plugin Qi Blocks versions <= 1.4.3...
WordPress Thank You Page Customizer for WooCommerce – Increase Your Sales <= 1.1.7 - Broken Access Control Vulnerability
Broken Access Control Vulnerability discovered by ch4r0n in WordPress Plugin Thank You Page Customizer for WooCommerce versions <= 1.1.7...
WordPress WooCommerce Fortnox Integration <= 4.5.6 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin WooCommerce Fortnox Integration versions <= 4.5.6...
WordPress WordPress Event Manager, Event Calendar and Booking Plugin Plugin <= 4.0.24 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Plugin WordPress Event Manager, Event Calendar and Booking Plugin versions <= 4.0.24...
WordPress CF7 Spreadsheets Plugin <= 2.3.2 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Nguyen Ngoc Quang Bach maysbachs in WordPress Plugin CF7 Spreadsheets versions <= 2.3.2...
WordPress Project Cost Calculator Plugin <= 1.0.0 - Broken Access Control Vulnerability
Broken Access Control Vulnerability discovered by theviper17 in WordPress Plugin Project Cost Calculator versions <= 1.0.0...