46096 matches found
WordPress Blogger Buzz Theme <= 1.2.6 is vulnerable to Cross Site Scripting (XSS)
Software: Blogger Buzz | Type: Theme | Vulnerable versions: <= 1.2.6 | Fixed in: 1.2.7 | OWASP Top 10: A3: Injection | Classification: Cross Site Scripting (XSS) | CVE: CVE-2025-54680 | Patch priority: Low | CVSS severity: Low 6.5 | PSID: b2b9bc739162 | Credits: Peter Thaleikis | Required privilege...
WordPress Cook&Meal Theme <= 1.2.3 is vulnerable to Local File Inclusion
Software: Cook&Meal | Type: Theme | Vulnerable versions: <= 1.2.3 | Fixed in: 1.2.4 | OWASP Top 10: A3: Injection | Classification: Local File Inclusion | CVE: CVE-2025-48149 | Patch priority: High | CVSS severity: High 8.1 | PSID: ab26fb7dc392 | Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity...
WordPress Smart Slider 3 plugin <= 3.5.1.28 - Authenticated (Administrator+) SQL Injection via `sliderid` Parameter vulnerability
Authenticated Administrator+ SQL Injection via sliderid Parameter vulnerability discovered by Chive in WordPress Plugin Smart Slider 3 versions = 3.5.1.28...
WordPress smart SEO Plugin <= 4.0 - Privilege Escalation Vulnerability
Privilege Escalation Vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme smart SEO versions = 4.0...
WordPress Anchor smooth scroll plugin <= 1.0.2 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by LVT-tholv2k in WordPress Plugin Anchor smooth scroll versions = 1.0.2...
WordPress Bookify <= 1.0.9 - Privilege Escalation Vulnerability
Privilege Escalation Vulnerability discovered by Denver Jackson in WordPress Plugin Bookify versions = 1.0.9...
WordPress Sky Addons for Elementor plugin <= 3.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Multiple Widgets vulnerability discovered by zer0gh0st in WordPress Plugin Sky Addons for Elementor versions = 3.1.4...
WordPress Bonanza – WooCommerce Free Gifts Lite plugin <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Opt In Success vulnerability
Missing Authorization to Authenticated Subscriber+ Opt In Success vulnerability discovered by Poli in WordPress Plugin Bonanza – WooCommerce Free Gifts Lite versions = 1.0.0...
WordPress MetForm plugin <= 4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via `mf-template` DOM Element vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via mf-template DOM Element vulnerability discovered by Asaf Mozes in WordPress Plugin Metform versions = 4.0.1...
WordPress StreamWeasels YouTube Integration plugin <= 1.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Gai Tanaka in WordPress Plugin StreamWeasels YouTube Integration versions = 1.4.0...
WordPress StreamWeasels Kick Integration plugin <= 1.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Gai Tanaka in WordPress Plugin SW Kick Integration versions = 1.1.4...
WordPress Appzend theme <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via progressbarLayout Parameter vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via progressbarLayout Parameter vulnerability discovered by Peter Thaleikis in WordPress Theme Appzend versions = 1.2.6...
WordPress Newsletters plugin <= 4.10 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Newsletters versions = 4.10...
WordPress Paid Member Subscriptions <= 2.15.4 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by LVT-tholv2k in WordPress Plugin Paid Member Subscriptions versions = 2.15.4...
WordPress Atarim plugin <= 4.2.1 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Denver Jackson in WordPress Plugin Atarim versions = 4.2.1...
WordPress WP LOL Rotation <= 1.0 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting XSS Vulnerability discovered by Chu The Anh Blue Rock in WordPress Plugin WP LOL Rotation versions = 1.0...
WordPress Atarim plugin <= 4.2.1 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by Denver Jackson in WordPress Plugin Atarim versions = 4.2.1...
WordPress Appzend Theme <= 1.2.6 is vulnerable to Cross Site Scripting (XSS)
Software: Appzend | Type: Theme | Vulnerable versions: <= 1.2.6 | Fixed in: 1.2.7 | OWASP Top 10: A7: Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: CVE-2025-5587 | Patch priority: Low | CVSS severity: Low 6.5 | PSID: 9aa23509b5fd | Credits: Peter Thaleikis | Required privileg...
WordPress Magical Addons For Elementor plugin <= 1.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Custom Attributes vulnerability discovered by zer0gh0st in WordPress Plugin Magical Addons For Elementor versions = 1.3.8...
WordPress Hydra Booking plugin 1.1.0-1.1.18 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Missing Authorization to Authenticated Subscriber+ Privilege Escalation vulnerability discovered by kr0d in WordPress Plugin Hydra Booking versions 1.1.0-1.1.18...
WordPress Fan Page plugin <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via width Parameter vulnerability discovered by Gilang in WordPress Plugin Fan Page versions = 1.0.1...
WordPress YouTube Embed plugin <= 10.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via instance Parameter vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via instance Parameter vulnerability discovered by Gilang in WordPress Plugin YouTube Embed - YouTube Gallery, Vimeo Gallery - Wordpress Plugin versions = 10.3...
WordPress Kallyas theme <= 4.21.0 - Authenticated (Contributor+) Arbitrary Folder Deletion vulnerability
Authenticated Contributor+ Arbitrary Folder Deletion vulnerability discovered by stealthcopter in WordPress Theme KALLYAS versions = 4.21.0...
WordPress MinimogWP theme <= 3.9.0 - Unauthenticated Price Manipulation vulnerability
Unauthenticated Price Manipulation vulnerability discovered by Valatty in WordPress Theme MinimogWP versions = 3.9.0...
WordPress My Reservation System plugin <= 2.3 - Reflected XSS vulnerability
Reflected XSS vulnerability discovered by Matías Schiappacasse & Lukas Gaete in WordPress Plugin My Reservation System versions = 2.3...
WordPress Platform theme < 1.4.4 - Missing Authorization to Unauthenticated Arbitrary Options Update vulnerability
Missing Authorization to Unauthenticated Arbitrary Options Update vulnerability discovered by Marc-Alexandre Montpas in WordPress Theme Platform versions 1.4.4...
WordPress Dataverse Integration plugin 2.77-2.81 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Missing Authorization to Authenticated Subscriber+ Privilege Escalation vulnerability discovered by kr0d in WordPress Plugin Dataverse Integration versions 2.77-2.81...
WordPress Affiliate Plus plugin <= 1.3.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by johska in WordPress Plugin Affiliate Plus versions = 1.3.2...
WordPress Brizy plugin <= 2.6.20 - Missing Authorization to Unauthenticated Limited File Upload vulnerability
Missing Authorization to Unauthenticated Limited File Upload vulnerability discovered by mikemyers in WordPress Plugin Brizy versions = 2.6.20...
WordPress Elementor plugin <= 3.30.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Text Path Widget vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Text Path Widget vulnerability discovered by Asaf Mozes in WordPress Plugin Elementor Website Builder versions = 3.30.2...
WordPress Bricks Builder plugin <= 1.12.4 - Unauthenticated SQL Injection via `p` Parameter vulnerability
Unauthenticated SQL Injection via p Parameter vulnerability discovered by Jamie Burchell in WordPress Theme Bricks Builder versions = 1.12.4...
WordPress StreamWeasels Twitch Integration plugin <= 1.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Gai Tanaka in WordPress Plugin StreamWeasels Twitch Integration versions = 1.9.3...
WordPress Memory Usage plugin <= 3.98 - Cross-Site Request Forgery to Limited Plugin Installation via wpmemory_install_plugin Function vulnerability
Cross-Site Request Forgery to Limited Plugin Installation via wpmemory_install_plugin Function vulnerability discovered by wesley wcraft in WordPress Plugin WP memory versions = 3.98...
WordPress PoloPag – Pix Automático para Woocommerce plugin <= 2.0.9 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by LVT-tholv2k in WordPress Plugin PoloPag Pix Automático para Woocommerce versions = 2.0.9...
WordPress MediCenter - Health Medical Clinic <= 15.1 - PHP Object Injection Vulnerability
WordPress MediCenter - Health Medical Clinic = 15.1 - PHP Object Injection Vulnerability discovered by Frank in WordPress Theme MediCenter - Health Medical Clinic versions = 15.1...
WordPress Immocaster WordPress Plugin plugin <= 1.3.6 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by ArilAprilio in WordPress Plugin Immocaster WordPress Plugin versions = 1.3.6...
WordPress SureDash <= 1.0.3 - Privilege Escalation Vulnerability
Privilege Escalation Vulnerability discovered by Denver Jackson in WordPress Plugin SureDash versions = 1.0.3...
WordPress News Magazine X <= 1.2.35 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by LVT-tholv2k in WordPress Theme News Magazine X versions = 1.2.37...
WordPress Graphina plugin <= 3.1.1 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by LVT-tholv2k in WordPress Plugin Graphina versions = 3.1.1...
WordPress WP REST Cache <= 2025.1.0 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by LVT-tholv2k in WordPress Plugin WP REST Cache versions = 2025.1.0...
WordPress Gutenberg Blocks <= 3.3.1 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by LVT-tholv2k Patchstack Alliance in WordPress Plugin Gutenberg Blocks versions = 3.3.1...
WordPress RT-Theme 18 | Extensions plugin <= 2.4 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by Bonds in WordPress Plugin RT-Theme 18 | Extensions versions = 2.4...
WordPress Supermalink <= 1.1 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting XSS Vulnerability discovered by Chu The Anh Blue Rock in WordPress Plugin Supermalink versions = 1.1...
WordPress Advanced Google Universal Analytics plugin <= 1.0.3 - Broken Access Control to Sensitive Data Exposure vulnerability
Broken Access Control to Sensitive Data Exposure vulnerability discovered by 0xd4rk5id3 in WordPress Plugin Advanced Google Universal Analytics versions = 1.0.3...
WordPress Simple File List plugin <= 6.1.14 - Arbitrary File Download vulnerability
Arbitrary File Download vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Simple File List versions = 6.1.14...
WordPress Custom API for WP <= 4.2.2 - Privilege Escalation Vulnerability
Privilege Escalation Vulnerability discovered by Hiro Code016Hiro in WordPress Plugin Custom API for WP versions = 4.2.2...
WordPress Premmerce Wishlist for WooCommerce plugin <= 1.1.10 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by LVT-tholv2k in WordPress Plugin Premmerce Wishlist for WooCommerce versions = 1.1.10...
WordPress Premmerce Wholesale Pricing for WooCommerce plugin <= 1.1.10 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by LVT-tholv2k in WordPress Plugin Premmerce Wholesale Pricing for WooCommerce versions = 1.1.10...
WordPress Premmerce User Roles plugin <= 1.0.13 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by LVT-tholv2k in WordPress Plugin Premmerce User Roles versions = 1.0.13...
WordPress Responsive Sidebar plugin <= 1.2.2 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by LVT-tholv2k in WordPress Plugin Responsive Sidebar versions = 1.2.2...