46096 matches found
WordPress Premmerce Product Search for WooCommerce plugin <= 2.2.4 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by LVT-tholv2k in WordPress Plugin Premmerce Product Search for WooCommerce versions <= 2.2.4...
WordPress Lazy Load Optimizer plugin <= 1.4.7 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by LVT-tholv2k in WordPress Plugin Lazy Load Optimizer versions <= 1.4.7...
WordPress Finale Lite Plugin <= 2.20.0 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by LVT-tholv2k in WordPress Plugin Finale Lite versions <= 2.20.0...
WordPress NextMove Lite plugin <= 2.23.0 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by LVT-tholv2k in WordPress Plugin NextMove Lite versions <= 2.23.0...
WordPress MediCenter - Health Medical Clinic Theme <= 15.1 is vulnerable to PHP Object Injection
Software: MediCenter - Health Medical Clinic; Type: Theme; Vulnerable versions: <= 15.1; Fixed in: 15.2; OWASP Top 10: A3: Injection; Classification: PHP Object Injection; CVE: CVE-2025-54014; Patch priority: High; CVSS severity: High 9.8; Developer: EPC; PSID: b489f4cff59c; Credits: Aiden; Required privilege...
WordPress MinimogWP Theme <= 3.9.0 is vulnerable to Content Injection
Software: MinimogWP; Type: Theme; Vulnerable versions: <= 3.9.0; Fixed in: 3.9.1; OWASP Top 10: A3: Injection; Classification: Content Injection; CVE: CVE-2025-8198; Patch priority: Low; CVSS severity: Low 7.5; Developer: Claim ownership; PSID: d80fff95e821; Credits: Valatty; Required privilege: Unauthenticated; Published ...
WordPress KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme Theme <= 4.21.0 is vulnerable to Arbitrary File Deletion
Software: KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme; Type: Theme; Vulnerable versions: <= 4.21.0; Fixed in: 4.22.0; OWASP Top 10: A3: Injection; Classification: Arbitrary File Deletion; CVE: CVE-2025-6989; Patch priority: Medium; CVSS severity: Medium 8.1; Developer: EPC; PSID: fbbebe81e3b7; Credits...
WordPress Platform Theme < 1.4.4 is vulnerable to Broken Access Control
Software: Platform; Type: Theme; Vulnerable versions: < 1.4.4; Fixed in: 1.4.4; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2015-10143; Patch priority: High; CVSS severity: High 9.8; Developer: Claim ownership; PSID: 04b827207d59; Credits: Marc-Alexandre Montpas; Required...
WordPress Bricks Builder Theme <= 1.12.4 is vulnerable to SQL Injection
Software: Bricks Builder; Type: Theme; Vulnerable versions: <= 1.12.4; Fixed in: 2.0; OWASP Top 10: A1: Injection; Classification: SQL Injection; CVE: CVE-2025-6495; Patch priority: High; CVSS severity: High 9.3; Developer: Claim ownership; PSID: a75c4498f744; Credits: Jamie Burchell; Required privilege: Unauthenticated...
WordPress News Magazine X Theme <= 1.2.35 is vulnerable to Local File Inclusion
Software: News Magazine X; Type: Theme; Vulnerable versions: <= 1.2.35; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Local File Inclusion; CVE: CVE-2025-24766; Patch priority: High; CVSS severity: High 7.5; Developer: Claim ownership; PSID: b88166b6f805; Credits: LVT-tholv2k; Required privilege...
WordPress Atarim plugin <= 4.2.1 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by Denver Jackson in WordPress Plugin Atarim versions <= 4.2.1...
WordPress Premium Age Verification / Restriction for WordPress Plugin <= 3.0.2 - SQL Injection Vulnerability
SQL Injection Vulnerability discovered by ch4r0n in WordPress Plugin Premium Age Verification / Restriction for WordPress versions <= 3.0.2...
WordPress Educenter plugin <= 1.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Peter Thaleikis in WordPress Theme Educenter versions <= 1.6.2...
WordPress Kallyas theme <= 4.21.0 - Authenticated (Contributor+) Local File Inclusion vulnerability
Authenticated (Contributor+) Local File Inclusion vulnerability discovered by stealthcopter in WordPress Theme KALLYAS versions <= 4.21.0...
WordPress WoodMart - Multipurpose WooCommerce Theme plugin <= 8.2.6 - Improper Input Validation Leading to Unauthenticated Cart Manipulation vulnerability
WordPress WoodMart - Multipurpose WooCommerce Theme plugin <= 8.2.6 - Improper Input Validation Leading to Unauthenticated Cart Manipulation vulnerability discovered by Samir El Khaouti in WordPress Theme WoodMart versions <= 8.2.6...
WordPress Wonder Slider Lite plugin <= 14.4 - Authenticated (Contributor+) Dom-based Stored Cross-Site Scripting
Authenticated (Contributor+) Dom-based Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin Wonder Slider Lite versions <= 14.4...
WordPress Wonder Slider plugin <= 14.4 - Authenticated (Contributor+) Dom-based Stored Cross-Site Scripting
Authenticated (Contributor+) Dom-based Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin Wonder Slider versions <= 14.4...
WordPress Advanced iFrame plugin <= 2025.5 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by muhammad yudha in WordPress Plugin Advanced iFrame versions <= 2025.5...
WordPress Premium SEO Pack Plugin <= 3.3.2 - Privilege Escalation Vulnerability
Privilege Escalation Vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Premium SEO Pack versions <= 3.3.2...
WordPress MelaPress Login Security plugin 2.1.0-2.1.1 - Authentication Bypass to Privilege Escalation via get_valid_user_based_on_token Function
Authentication Bypass to Privilege Escalation via get_valid_user_based_on_token Function vulnerability discovered by kr0d in WordPress Plugin MelaPress Login Security versions 2.1.0-2.1.1...
WordPress WPeMatico RSS Feed Fetcher plugin <= 2.8.7 - Cross-Site Request Forgery to Plugin Deactivation via handle_feedback_submission Function vulnerability
Cross-Site Request Forgery to Plugin Deactivation via handle_feedback_submission Function vulnerability discovered by wesley wcraft in WordPress Plugin WPeMatico RSS Feed Fetcher versions <= 2.8.7...
WordPress GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin <= 2.8.97 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by mikemyers in WordPress Plugin GeoDirectory versions <= 2.8.97...
WordPress SEOPress for MainWP <= 1.4 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by LVT-tholv2k Patchstack Alliance in WordPress Plugin SEOPress for MainWP versions <= 1.4...
WordPress Cena Store <= 2.11.26 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT in WordPress Theme Cena Store versions <= 2.11.26...
WordPress Geo Mashup plugin <= 1.13.16 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Dimas Maulana in WordPress Plugin Geo Mashup versions <= 1.13.16...
WordPress Timber plugin <= 1.23.1 - Use of a Vulnerable Dependency vulnerability
Use of a Vulnerable Dependency vulnerability discovered by WordFence in WordPress Plugin Timber versions <= 1.23.1...
WordPress KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme Theme <= 4.21.0 is vulnerable to Local File Inclusion
Software: KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme; Type: Theme; Vulnerable versions: <= 4.21.0; Fixed in: 4.22.0; OWASP Top 10: A1: Injection; Classification: Local File Inclusion; CVE: CVE-2025-6991; Patch priority: Low; CVSS severity: Low 7.5; Developer: EPC; PSID: 34bd1e68ee25; Credits: stealthcopt...
WordPress Educenter Theme <= 1.6.2 is vulnerable to Cross Site Scripting (XSS)
Software: Educenter; Type: Theme; Vulnerable versions: <= 1.6.2; Fixed in: N/A; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2025-5529; Patch priority: Low; CVSS severity: Low 6.5; Developer: Claim ownership; PSID: 8465b696cfd2; Credits: Peter Thaleikis; Required privileg...
WordPress Cena Store Theme <= 2.11.26 is vulnerable to Local File Inclusion
Software: Cena Store; Type: Theme; Vulnerable versions: <= 2.11.26; Fixed in: 2.11.27; OWASP Top 10: A3: Injection; Classification: Local File Inclusion; CVE: CVE-2025-48171; Patch priority: High; CVSS severity: High 8.1; Developer: Claim ownership; PSID: 349bfe1912dd; Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber...
WordPress WoodMart Theme <= 8.2.6 is vulnerable to Broken Access Control
Software: WoodMart; Type: Theme; Vulnerable versions: <= 8.2.6; Fixed in: 8.2.7; OWASP Top 10: A3: Injection; Classification: Broken Access Control; CVE: CVE-2025-8097; Patch priority: Low; CVSS severity: Low 5.3; Developer: Xtemos; PSID: edd2e4c45666; Credits: Samir El Khaouti; Required privilege: Unauthenticated; Publish...
WordPress Frontend File Manager plugin <= 21.5 - Missing Authorization to Unauthenticated Arbitrary Post Deletion vulnerability
Missing Authorization to Unauthenticated Arbitrary Post Deletion vulnerability discovered by WordFence in WordPress Plugin Frontend File Manager versions <= 21.5...
WordPress Droip plugin < 2.5.2 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Foxyyy in WordPress Plugin Droip versions < 2.5.2...
WordPress Droip plugin <= 2.2.6 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Foxyyy in WordPress Plugin Droip versions <= 2.2.6...
WordPress Clearblue® Ovulation Calculator plugin <= 1.2.4 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Clearblue® Ovulation Calculator versions <= 1.2.4...
WordPress WooCommerce Point Of Sale (POS) <= 1.4 - SQL Injection Vulnerability
SQL Injection Vulnerability discovered by Nguyen Kim Sang in WordPress Plugin WooCommerce Point Of Sale (POS) versions <= 1.4...
WordPress ProfileGrid plugin <= 5.9.5.3 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Trương Hữu Phúc truonghuuphuc in WordPress Plugin ProfileGrid versions <= 5.9.5.3...
WordPress Omnishop plugin <= 1.0.9 - Missing Registration Restriction to Unauthenticated Account Creation via /users/register REST Endpoint vulnerability
Missing Registration Restriction to Unauthenticated Account Creation via /users/register REST Endpoint vulnerability discovered by ch4r0n in WordPress Plugin Omnishop versions <= 1.0.9...
WordPress Supreme Addons for Beaver Builder plugin <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via auto_qrcodesabb Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via auto_qrcodesabb Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin Supreme Addons for Beaver Builder versions <= 1.0.9...
WordPress hiWeb Export Posts plugin <= 0.9.0.0 - Cross-Site Request Forgery to Arbitrary File Deletion vulnerability
Cross-Site Request Forgery to Arbitrary File Deletion vulnerability discovered by johska in WordPress Plugin hiWeb Export Posts versions <= 0.9.0.0...
WordPress Taeggie Feed plugin <= 0.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via name Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via name Attribute vulnerability discovered by Gilang in WordPress Plugin Taeggie Feed versions <= 0.1.10...
WordPress iThoughts Advanced Code Editor plugin <= 1.2.10 - Cross-Site Request Forgery to Settings Update vulnerability
Cross-Site Request Forgery to Settings Update vulnerability discovered by Nabil Irawan in WordPress Plugin iThoughts Advanced Code Editor versions <= 1.2.10...
WordPress muse.ai video embedding plugin <= 0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via muse-ai Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via muse-ai Shortcode vulnerability discovered by Gilang in WordPress Plugin muse.ai video embedding versions <= 0.4...
WordPress ONLYOFFICE Docs plugin 1.1.0-2.2.0 - Missing Authorization to Unauthenticated Privilege Escalation via callback Function
Missing Authorization to Unauthenticated Privilege Escalation via callback Function vulnerability discovered by kr0d in WordPress Plugin ONLYOFFICE versions 1.1.0-2.2.0...
WordPress WP Applink plugin <= 0.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via title Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via title Parameter vulnerability discovered by Gilang in WordPress Plugin WP Applink versions <= 0.4.1...
WordPress WebinarIgnition plugin <= 4.03.32 - Unauthenticated Login Token Generation to Authentication Bypass vulnerability
Unauthenticated Login Token Generation to Authentication Bypass vulnerability discovered by kr0d in WordPress Plugin WebinarIgnition versions <= 4.03.32...
WordPress WP Get The Table plugin <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter vulnerability discovered by Gilang in WordPress Plugin WP Get The Table versions <= 1.5...
WordPress Get Youtube Subs plugin <= 3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via subscribe_link_att Function vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via subscribe_link_att Function vulnerability discovered by Peter Thaleikis in WordPress Plugin Get Youtube Subs versions <= 3.5...
WordPress WP Wallcreeper plugin <= 1.6.1 - Missing Authorization to Authenticated (Subscriber+) Cache Enable/Disable vulnerability
Missing Authorization to Authenticated (Subscriber+) Cache Enable/Disable vulnerability discovered by ch4r0n in WordPress Plugin WP Wallcreeper versions <= 1.6.1...
WordPress Station Pro plugin <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via width and height Parameters vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via width and height Parameters vulnerability discovered by Peter Thaleikis in WordPress Plugin Station Pro versions <= 2.4.2...
WordPress Voltax Video Player plugin <= 1.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter vulnerability discovered by Gilang in WordPress Plugin Voltax Video Player versions <= 1.6.5...