46096 matches found
WordPress JetPopup plugin <= 2.0.15 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by stealthcopter in WordPress Plugin JetPopup versions <= 2.0.15...
WordPress JetTricks <= 1.5.4.1 - Sensitive Data Exposure Vulnerability
Sensitive Data Exposure Vulnerability discovered by stealthcopter in WordPress Plugin JetTricks versions <= 1.5.4.1...
WordPress JetBlocks For Elementor <= 1.3.18 - Sensitive Data Exposure Vulnerability
Sensitive Data Exposure Vulnerability discovered by stealthcopter in WordPress Plugin JetBlocks For Elementor versions <= 1.3.18...
WordPress JetTabs <= 2.2.9 - Sensitive Data Exposure Vulnerability
Sensitive Data Exposure Vulnerability discovered by stealthcopter in WordPress Plugin JetTabs versions <= 2.2.9...
WordPress JetEngine <= 3.7.0 - Sensitive Data Exposure Vulnerability
Sensitive Data Exposure Vulnerability discovered by stealthcopter in WordPress Plugin JetEngine versions <= 3.7.0...
WordPress JetElements For Elementor <= 2.7.7 - Sensitive Data Exposure Vulnerability
Sensitive Data Exposure Vulnerability discovered by stealthcopter in WordPress Plugin JetElements For Elementor versions <= 2.7.7...
WordPress Counter live visitors for WooCommerce plugin <= 1.3.6 - Unauthenticated Arbitrary File Deletion in wcvisitor_get_block vulnerability
Unauthenticated Arbitrary File Deletion in wcvisitor_get_block vulnerability discovered by mikemyers in WordPress Plugin Counter live visitors for WooCommerce versions <= 1.3.6...
WordPress Affiliate Reviews plugin <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via numColumns Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via numColumns Parameter vulnerability discovered by Peter Thaleikis in WordPress Plugin Affiliate Reviews versions <= 1.0.6...
WordPress Master Addons for Elementor plugin <= 2.0.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by zer0gh0st in WordPress Plugin Master Addons for Elementor versions <= 2.0.8.2...
WordPress Ultimate WP Mail plugin 1.0.17 - 1.3.6 - Missing Authorization to Authenticated (Contributor+) Privilege Escalation via get_email_log_details Function vulnerability
WordPress Ultimate WP Mail plugin 1.0.17 - 1.3.6 - Missing Authorization to Authenticated (Contributor+) Privilege Escalation via get_email_log_details Function vulnerability discovered by kr0d in WordPress Plugin Ultimate WP Mail versions 1.0.17 - 1.3.6...
WordPress Media Library Assistant plugin <= 3.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via mla_tag_cloud and mla_term_list Shortcodes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via mla_tag_cloud and mla_term_list Shortcodes vulnerability discovered by muhammad yudha in WordPress Plugin Media Library Assistant versions <= 3.26...
WordPress Malcure Malware Scanner plugin <= 17.0 - Authenticated (Subscriber+) Arbitrary File Deletion vulnerability
Authenticated (Subscriber+) Arbitrary File Deletion vulnerability discovered by Arkadiusz Hydzik in WordPress Plugin Malcure Malware Scanner versions <= 17.0...
WordPress Brandfolder plugin <= 5.0.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter vulnerability discovered by Peter Thaleikis in WordPress Plugin Brandfolder versions <= 5.0.19...
WordPress Fusion Builder plugin <= 3.12.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by stealthcopter in WordPress Plugin Fusion Builder versions <= 3.12.1...
WordPress WP Event Manager plugin <= 3.1.49 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability discovered by Nguyen Ngoc Quang Bach maysbachs in WordPress Plugin WP Event Manager versions <= 3.1.49...
WordPress WP Event Manager plugin <= 3.1.50 - Unauthenticated Stored Cross-Site Scripting via 'organizer_name' vulnerability
Unauthenticated Stored Cross-Site Scripting via 'organizer_name' vulnerability discovered by Nguyen Ngoc Quang Bach maysbachs in WordPress Plugin WP Event Manager versions <= 3.1.50...
WordPress ProfileGrid plugin <= 5.9.5.4 - Reflected Cross-Site Scripting via 'pm_get_messenger_notification' function vulnerability
Reflected Cross-Site Scripting via 'pm_get_messenger_notification' function vulnerability discovered by Kenneth Billones Kenziy in WordPress Plugin ProfileGrid versions <= 5.9.5.4...
WordPress Hestia Theme <= 3.2.10 is vulnerable to Broken Access Control
Software: Hestia; Type: Theme; Vulnerable versions: <= 3.2.10; Fixed in: 3.2.11; OWASP Top 10: A1: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2025-53986; Patch priority: Low; CVSS severity: Low 5.3; Developer: Claim ownership; PSID: 41f2dbfe1ff2; Credits: Martino Spagnuolo r3verii; Required...
WordPress Houzez Theme <= 4.0.4 is vulnerable to Broken Access Control
Software: Houzez; Type: Theme; Vulnerable versions: <= 4.0.4; Fixed in: 4.1.1; OWASP Top 10: A1: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2025-53997; Patch priority: Low; CVSS severity: Low 4.3; Developer: Claim ownership; PSID: d8d88cb889a1; Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber...
Drupal File Download module < 1.9.0,2.0.0 - Unauthenticated Broken Access Control vulnerability
Unauthenticated Broken Access Control vulnerability discovered by Willem Drupal enthousiast willempje2 in WordPress Module File Download versions < 1.9.0,2.0.0...
Drupal Block Attributes module < 1.1.0,2.0.0 - Unauthenticated Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) vulnerability discovered by Pierre Rudloff prudloff in WordPress Module Block Attributes versions < 1.1.0,2.0.0...
Drupal Real-time SEO for Drupal module 2.0.0-2.1.0 - Unauthenticated Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) vulnerability discovered by Pierre Rudloff prudloff in WordPress Module Real-time SEO for Drupal versions 2.0.0-2.1.0...
WordPress KBx Pro Ultimate plugin <= 8.0.5 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin KBx Pro Ultimate versions <= 8.0.5...
WordPress Mediabay - WordPress Media Library Folders <= 1.4 - SQL Injection Vulnerability
WordPress Mediabay - WordPress Media Library Folders <= 1.4 - SQL Injection Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT in WordPress Plugin Mediabay - WordPress Media Library Folders versions <= 1.4...
WordPress ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes plugin <= 1.4.9 - Subscriber+ SQL Injection vulnerability
Subscriber+ SQL Injection vulnerability discovered by astra.r3verii in WordPress Plugin ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes versions <= 1.4.9...
WordPress URL Shortener <= 3.0.7 - Broken Access Control Vulnerability
Broken Access Control Vulnerability discovered by ch4r0n in WordPress Plugin URL Shortener versions <= 3.0.7...
WordPress Visual Art | Gallery WordPress Theme <= 2.4 - PHP Object Injection Vulnerability
PHP Object Injection Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Visual Art | Gallery WordPress Theme versions <= 2.4...
WordPress Restrict File Access plugin <= 1.1.2 - Cross-Site Request Forgery to Arbitrary File Deletion vulnerability
Cross-Site Request Forgery to Arbitrary File Deletion vulnerability discovered by johska in WordPress Plugin Restrict File Access versions <= 1.1.2...
WordPress Store Exporter plugin <= 2.7.6 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by LVT-tholv2k in WordPress Plugin Store Exporter versions <= 2.7.6...
WordPress WooCommerce Store Toolkit plugin <= 2.4.3 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by LVT-tholv2k in WordPress Plugin WooCommerce Store Toolkit versions <= 2.4.3...
WordPress Robokassa payment gateway for Woocommerce plugin <= 1.8.4 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Robokassa payment gateway for Woocommerce versions <= 1.8.4...
WordPress hpb seo plugin for WordPress plugin <= 3.0.1 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin hpb seo plugin for WordPress versions <= 3.0.1...
WordPress Visual Art | Gallery WordPress Theme Theme <= 2.4 is vulnerable to PHP Object Injection
Software: Visual Art | Gallery WordPress Theme; Type: Theme; Vulnerable versions: <= 2.4; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: PHP Object Injection; CVE: CVE-2025-31422; Patch priority: High; CVSS severity: High 8.8; Developer: Claim ownership; PSID: f75a5b9fac9b; Credits: Tran Nguyen Bao Khanh VC...
WordPress Companion Auto Update plugin <= 3.9.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via update_delay_days parameter vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via update_delay_days parameter vulnerability discovered by Nabil Irawan in WordPress Plugin Companion Auto Update versions <= 3.9.2...
WordPress Strong Testimonials plugin <= 3.2.11 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Fields vulnerability
Authenticated (Author+) Stored Cross-Site Scripting via Custom Fields vulnerability discovered by ISMAILSHADOW in WordPress Plugin Strong Testimonials versions <= 3.2.11...
WordPress HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin <= 2.2.1 - Directory Traversal to Arbitrary File Move vulnerability
Directory Traversal to Arbitrary File Move vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin HT Contact Form 7 versions <= 2.2.1...
WordPress HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin <= 2.2.1 - Unauthenticated Arbitrary File Upload vulnerability
Unauthenticated Arbitrary File Upload vulnerability discovered by vgo0 in WordPress Plugin HT Contact Form 7 versions <= 2.2.1...
WordPress HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin <= 2.2.1 - Unauthenticated Arbitrary File Deletion vulnerability
Unauthenticated Arbitrary File Deletion vulnerability discovered by vgo0 in WordPress Plugin HT Contact Form 7 versions <= 2.2.1...
WordPress Alone theme <= 7.8.3 - Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation vulnerability
Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation vulnerability discovered by Thái An in WordPress Theme Alone versions <= 7.8.3...
WordPress Alone theme <= 7.8.3 - Missing Authorization to Unauthenticated Arbitrary File Deletion vulnerability
Missing Authorization to Unauthenticated Arbitrary File Deletion vulnerability discovered by Thái An in WordPress Theme Alone versions <= 7.8.2...
WordPress Modern Events Calendar Lite plugin <= 6.3.0 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by WordFence in WordPress Plugin Modern Events Calendar Lite versions <= 6.3.0...
WordPress Email Attachment by Order Status & Products Plugin <= 1.0.1 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Martino Spagnuolo r3verii in WordPress Plugin Email Attachment by Order Status & Products versions <= 1.0.1...
WordPress Custom User Registration Fields for WooCommerce plugin <= 2.1.2 - Arbitrary File Upload Vulnerability
Arbitrary File Upload Vulnerability discovered by 0xd4rk5id3 in WordPress Plugin Custom User Registration Fields for WooCommerce versions <= 2.1.2...
WordPress Fade Slider Plugin <= 2.5 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Fade Slider versions <= 2.5...
WordPress WP Smart Flexslider Plugin <= 2.5 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin WP Smart Flexslider versions <= 2.5...
WordPress WP-Click-Tracker Plugin <= 0.7.3 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin WP-Click-Tracker versions <= 0.7.3...
WordPress CoSchool LMS plugin <= 1.4.3 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Martino Spagnuolo r3verii in WordPress Plugin CoSchool LMS versions <= 1.4.3...
WordPress Alone Theme <= 7.8.3 is vulnerable to Arbitrary File Upload
Software: Alone; Type: Theme; Vulnerable versions: <= 7.8.3; Fixed in: 7.8.5; OWASP Top 10: A1: Injection; Classification: Arbitrary File Upload; CVE: CVE-2025-5394; Patch priority: High; CVSS severity: High 10; Developer: Claim ownership; PSID: 6abf738d57a0; Credits: Thái An; Required privilege: Unauthenticated; Published...
WordPress Alone Theme <= 7.8.2 is vulnerable to Arbitrary File Deletion
Software: Alone; Type: Theme; Vulnerable versions: <= 7.8.2; Fixed in: 7.8.5; OWASP Top 10: A1: Injection; Classification: Arbitrary File Deletion; CVE: CVE-2025-5393; Patch priority: High; CVSS severity: High 8.6; Developer: Claim ownership; PSID: 5aa08c886c4e; Credits: Thái An; Required privilege: Unauthenticated...
WordPress JetEngine <= 3.7.0 - Remote Code Execution (RCE) Vulnerability
Remote Code Execution (RCE) Vulnerability discovered by stealthcopter in WordPress Plugin JetEngine versions <= 3.7.0...