WordPress TreePress – Easy Family Trees & Ancestor Profiles plugin <= 3.0.6 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin TreePress – Easy Family Trees & Ancestor Profiles versions = 3.0.6...

WordPress Ultimeter plugin <= 3.0.5 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Ultimeter versions = 3.0.5...

WordPress Unlimited Elements For Elementor plugin <= 1.5.140 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Unlimited Elements For Elementor Free Widgets, Addons, Templates versions = 1.5.140...

WordPress URL Shortify – Simple and Easy URL Shortener plugin <= 1.10.4 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin URL Shortify versions = 1.10.4...

WordPress Widgets on Pages plugin <= 1.7 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Widgets on Pages versions = 1.7...

WordPress WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto plugin <= 8.0.7 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto versions = 8.0.7...

WordPress WOW Styler for CF7 – Visual Styler for Contact Form 7 Forms plugin <= 1.7.0 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin CF7 WOW Styler versions = 1.7.0...

WordPress WP Books Gallery – Build Stunning Book Showcases & Libraries in Minutes plugin <= 4.6.8 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Books Gallery versions = 4.6.8...

WordPress WP Coupons and Deals – Coupon Plugin For Affiliate Marketers plugin <= 3.2.2 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin WP Coupons and Deals versions = 3.2.2...

WordPress WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards plugin <= 5.5.31 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin WP Data Access versions = 5.5.31...

WordPress WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL Scan plugin <= 7.7.0 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect to fix Insecure Content versions = 7.7.0...

WordPress WP fail2ban – Advanced Security plugin <= 5.3.4 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin WP fail2ban versions = 5.3.4...

WordPress WP Meta and Date Remover plugin <= 2.3.4 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin WP Meta and Date Remover versions = 2.3.4...

WordPress WP Mobile Menu – The Mobile-Friendly Responsive Menu plugin <= 2.8.6 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin WP Mobile Menu versions = 2.8.6...

WordPress WP Notification Bell plugin <= 1.4.2 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin WP Notification Bell versions = 1.4.2...

WordPress WP Page Templates plugin <= 1.1.16 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin WP Page Templates versions = 1.1.16...

WordPress WP Post Author – Author Box, Multiple Authors, Guest Authors & Custom Avatars plugin <= 3.8.3 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin WP Post Author versions = 3.8.3...

WordPress WP Shortcodes Plugin — Shortcodes Ultimate plugin <= 7.3.3 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Shortcodes Ultimate versions = 7.3.3...

WordPress WPBITS Addons For Elementor Page Builder plugin <= 1.7 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin WPBITS Addons For Elementor Page Builder versions = 1.7...

WordPress WPIDE – File Manager & Code Editor plugin <= 3.5.1 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin WPIDE – File Manager & Code Editor versions = 3.5.1...

WordPress XT Floating Cart for WooCommerce plugin <= 2.8.4 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin XT Floating Cart for WooCommerce versions = 2.8.4...

WordPress XT Quick View for WooCommerce plugin <= 2.1.5 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin XT Quick View for WooCommerce versions = 2.1.5...

WordPress XT Variation Swatches for WooCommerce plugin <= 1.9.4 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin XT Variation Swatches for WooCommerce versions = 1.9.4...

WordPress YASR – Yet Another Star Rating Plugin for WordPress plugin <= 3.4.12 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Yet Another Stars Rating versions = 3.4.12...

WordPress Five Star Restaurant Reservations plugin <= 2.7.16 - Unauthenticated Payment Bypass via PHP Type Juggling in 'payment_id' Parameter vulnerability

Unauthenticated Payment Bypass via PHP Type Juggling in 'paymentid' Parameter vulnerability discovered by davidfdzmorilla in WordPress Plugin Five Star Restaurant Reservations versions = 2.7.16...

WordPress Otter Blocks plugin <= 3.1.4 - Improper Authorization to Unauthenticated Purchase Verification Bypass via Forged Cookie vulnerability

Improper Authorization to Unauthenticated Purchase Verification Bypass via Forged Cookie vulnerability discovered by Drew Webber mcdruid in WordPress Plugin Otter - Gutenberg Block versions = 3.1.4...

WordPress Elementor Website Builder plugin <= 4.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via REST API vulnerability discovered by Jonah Burgess CryptoCat in WordPress Plugin Elementor Website Builder versions = 4.0.4...

WordPress Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin <= 4.3.1 - Unauthenticated Information Disclosure in Store Reviews REST API Endpoint vulnerability

Unauthenticated Information Disclosure in Store Reviews REST API Endpoint vulnerability discovered by Rafshanzani Suhada in WordPress Plugin Dokan versions = 4.3.1...

WordPress WCFM – Frontend Manager for WooCommerce plugin <= 6.7.25 - Authenticated (Vendor+) Insecure Direct Object Reference to Arbitrary User Deletion vulnerability

Authenticated Vendor+ Insecure Direct Object Reference to Arbitrary User Deletion vulnerability discovered by Supakiad S. m3ez - E-CQURITY Thailand in WordPress Plugin WCFM – Frontend Manager for WooCommerce versions = 6.7.25...

WordPress Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin <= 1.7.1057 - Authenticated (Contributor+) Server-Side Request Forgery vulnerability

Authenticated Contributor+ Server-Side Request Forgery vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Royal Elementor Addons versions = 1.7.1057...

WordPress Call for Price for WooCommerce plugin <= 4.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting vulnerability discovered by AndyGuru - AndyGuru in WordPress Plugin Call for Price for WooCommerce versions = 4.2.0...

WordPress NextMove Lite – Thank You Page for WooCommerce plugin <= 2.23.0 - Thank You Page for WooCommerce <= 2.23.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Thank You Page for WooCommerce plugin = 2.23.0 - Thank You Page for WooCommerce = 2.23.0 - Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin NextMove Lite versions = 2.23.0...

WordPress My Social Feeds – Social Feeds Embedder Plugin for WP plugin <= 1.0.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure vulnerability

Missing Authorization to Unauthenticated Sensitive Information Exposure vulnerability discovered by Teerachai Somprasong in WordPress Plugin My Social Feeds – Social Feeds Embedder Plugin for WordPress versions = 1.0.4...

WordPress JetEngine plugin <= 3.8.8.1 - SQL Injection vulnerability

SQL Injection vulnerability discovered by daroo in WordPress Plugin JetEngine versions = 3.8.8.1...

WordPress Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin <= 1.17.1 - Missing Authorization to Unauthenticated Rollback Cancellation vulnerability

Missing Authorization to Unauthenticated Rollback Cancellation vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin Total Upkeep versions = 1.17.1...

WordPress Ultimate Dashboard – Custom WordPress Dashboard plugin <= 3.8.14 - Cross-Site Request Forgery to Module Activation/Deactivation vulnerability

Cross-Site Request Forgery to Module Activation/Deactivation vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin Ultimate Dashboard versions = 3.8.14...

WordPress WP Editor plugin <= 1.2.9.2 - Cross-Site Request Forgery to Remote Code Execution vulnerability

Cross-Site Request Forgery to Remote Code Execution vulnerability discovered by Jack Pas Dark. - Black Lantern Security in WordPress Plugin WP Editor versions = 1.2.9.2...

NPM: Marked Vulnerable to OOM Denial of Service via Infinite Recursion in marked Tokenizer

NPM: Marked Vulnerable to OOM Denial of Service via Infinite Recursion in marked Tokenizer vulnerability discovered by ? in WordPress Npm marked versions = 18.0.0, = 18.0.1...

NPM: OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners

NPM: OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners vulnerability discovered by ? in WordPress Npm openclaw versions = 2026.4.20...

WordPress Contest Gallery plugin <= 28.1.7 - Sensitive Data Exposure vulnerability

Sensitive Data Exposure vulnerability discovered by Jakub Herman in WordPress Plugin Contest Gallery versions = 28.1.7...

WordPress Advanced Form Integration plugin <= 1.126.12 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Idan Vaknin in WordPress Plugin Advanced Form Integration versions = 1.126.12...

WordPress Classified Listing plugin <= 5.3.8 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by endy in WordPress Plugin Classified Listing versions = 5.3.8...

WordPress Contest Gallery plugin <= 28.1.7 - Other Vulnerability Type vulnerability

Other Vulnerability Type vulnerability discovered by endy in WordPress Plugin Contest Gallery versions = 28.1.7...

WordPress Contest Gallery plugin <= 28.1.6 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by endy in WordPress Plugin Contest Gallery versions = 28.1.6...

WordPress Best Payments Plugin for WP plugin <= 4.6.19 - Payment Bypass vulnerability

Payment Bypass vulnerability discovered by Weerawat Pawanawiwat ErbaZZ in WordPress Plugin Best Payments Plugin for WP versions = 4.6.19...

WordPress Wallet System for WooCommerce plugin <= 2.7.5 - Broken Authentication vulnerability

Broken Authentication vulnerability discovered by Jakub Herman in WordPress Plugin Wallet System for WooCommerce versions = 2.7.5...

WordPress Classified Listing plugin <= 5.3.9 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Jakub Herman in WordPress Plugin Classified Listing versions = 5.3.9...

WordPress AutomatorWP plugin <= 5.6.7 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin AutomatorWP versions = 5.6.7...

WordPress Favicon Rotator plugin <= 1.2.11 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by timomangcut in WordPress Plugin Favicon Rotator versions = 1.2.11...

WordPress JoomSport plugin <= 5.7.7 - SQL Injection vulnerability

SQL Injection vulnerability discovered by daroo in WordPress Plugin JoomSport versions = 5.7.7...