WordPress Easy Contact Form Lite plugin <= 1.1.28 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Krugov Artyom in WordPress Plugin Easy Contact Form Lite versions <= 1.1.28...
WordPress WP File Download plugin < 6.2.6 - Reflected XSS vulnerability
Reflected XSS vulnerability discovered by Kevin Camus in WordPress Plugin WP File Download versions < 6.2.6...
WordPress Custom Post Carousels with Owl plugin < 1.4.12 - Contributor+ Stored XSS vulnerability
Contributor+ Stored XSS vulnerability discovered by Pierre Rudloff in WordPress Plugin Custom Post Carousels with Owl versions < 1.4.12...
WordPress Newsletter plugin < 8.8.5 - Admin+ Stored XSS via Form vulnerability
Admin+ Stored XSS via Form vulnerability discovered by Dmitrii Ignatyev in WordPress Plugin Newsletter versions < 8.8.5...
WordPress Short URL plugin <= 1.6.8 - Subscriber+ SQLi vulnerability
Subscriber+ SQLi vulnerability discovered by Dao Xuan Hieu in WordPress Plugin Short URL versions <= 1.6.8...
WordPress Gwolle Guestbook plugin <= 4.9.2 - Unauthenticated Stored Cross-Site Scripting via `gwolle_gb_content` Parameter vulnerability
Unauthenticated Stored Cross-Site Scripting via `gwolle_gb_content` Parameter vulnerability discovered by zer0gh0st in WordPress Plugin Gwolle Guestbook versions <= 4.9.2...
WordPress Event Manager plugin <= 7.0.3 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by muhammad yudha in WordPress Plugin Events Manager versions <= 6.6.4.4...
WordPress Event Manager plugin <= 7.0.3 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by mikemyers in WordPress Plugin Events Manager versions <= 6.6.4.4...
WordPress Event Manager plugin <= 7.0.3 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by mikemyers in WordPress Plugin Events Manager versions <= 6.6.4.4...
WordPress Templazee plugin <= 1.0.2 - Broken Access Control Vulnerability
Broken Access Control Vulnerability discovered by Martino Spagnuolo r3verii in WordPress Plugin Templazee versions <= 1.0.2...
WordPress WP Super Edit plugin <= 2.5.4 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin WP Super Edit versions <= 2.5.4...
WordPress wpForo Forum plugin <= 2.4.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Profile Avatar vulnerability
Authenticated (Subscriber+) Stored Cross-Site Scripting via Profile Avatar vulnerability discovered by Muhan Luo in WordPress Plugin wpForo Forum versions <= 2.4.5...
WordPress Anotte theme <= 1.8 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Anotte versions <= 1.8...
Drupal Cookies Addons module < - Authenticated Cross Site Scripting (XSS) vulnerability
Authenticated Cross Site Scripting (XSS) vulnerability discovered by Pierre Rudloff prudloff in WordPress Module Cookies Addons versions...
Drupal Mail Login module < 3.2.0,4.0.0-4.1.0 - Unauthenticated Broken Access Control vulnerability
Unauthenticated Broken Access Control vulnerability discovered by Ryugo Kinoshita dc-kinoshita in WordPress Module Mail Login versions < 3.2.0,4.0.0-4.1.0...
WordPress SureForms Plugin <= 1.7.3 is vulnerable to Arbitrary File Deletion
Software: SureForms; Type: Plugin; Vulnerable versions: <= 1.7.3; Fixed in: 1.7.4; OWASP Top 10: A3: Injection; Classification: Arbitrary File Deletion; CVE: CVE-2025-6691; Patch priority: High; CVSS severity: High 8.1; Developer: Brainstorm Force; PSID: d93b2c396300; Credits: Phat RiO - BlueRock; Required privilege...
WordPress Simple Featured Image plugin <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via slideshow Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via slideshow Parameter vulnerability discovered by Peter Thaleikis in WordPress Plugin Simple Featured Image versions <= 1.3.1...
WordPress Sala theme <= 1.1.4 - Unauthenticated Privilege Escalation via Password Reset/Account Takeover vulnerability
Unauthenticated Privilege Escalation via Password Reset/Account Takeover vulnerability discovered by Thái An in WordPress Theme Sala versions <= 1.1.4...
WordPress Gutenberg Blocks by Kadence Blocks plugin <= 3.5.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via `redirectURL` Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via `redirectURL` Parameter vulnerability discovered by Asaf Mozes in WordPress Plugin Gutenberg Blocks by Kadence Blocks versions <= 3.5.10...
WordPress WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin <= 6.7.16 - Missing Authorization to Unauthenticated Plugin Settings Modification vulnerability
Missing Authorization to Unauthenticated Plugin Settings Modification vulnerability discovered by Brian Sans-Souci liardom in WordPress Plugin WCFM – Frontend Manager for WooCommerce versions <= 6.7.16...
WordPress Support Board plugin <= 3.8.0 - Unauthenticated Authorization Bypass due to Use of Default Secret Key vulnerability
Unauthenticated Authorization Bypass due to Use of Default Secret Key vulnerability discovered by Foxyyy in WordPress Plugin Support Board versions <= 3.8.0...
WordPress Support Board plugin <= 3.8.0 - Unauthenticated Arbitrary File Deletion vulnerability
Unauthenticated Arbitrary File Deletion vulnerability discovered by Foxyyy in WordPress Plugin Support Board versions <= 3.8.0...
WordPress SureForms plugin <= 1.7.3 - Unauthenticated PHP Object Injection (PHAR) vulnerability
Unauthenticated PHP Object Injection (PHAR) vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin SureForms versions <= 1.7.3...
WordPress Funnel Builder by FunnelKit plugin <= 3.10.2 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Tom Broucke Patchstack Alliance in WordPress Plugin Funnel Builder by FunnelKit versions <= 3.10.2...
WordPress Yogi theme < 2.9.3 - PHP Object Injection Vulnerability
PHP Object Injection Vulnerability discovered by Bonds in WordPress Theme Yogi versions < 2.9.3...
WordPress WooCommerce Registration Fields Plugin - Custom Signup Fields plugin <= 3.2.3 - Cross Site Scripting (XSS) vulnerability
WordPress WooCommerce Registration Fields Plugin - Custom Signup Fields plugin <= 3.2.3 - Cross Site Scripting (XSS) vulnerability discovered by 0xd4rk5id3 in WordPress Plugin WooCommerce Registration Fields Plugin - Custom Signup Fields versions <= 3.2.3...
WordPress Pakke Envíos plugin <= 1.0.2 - SQL Injection Vulnerability
SQL Injection Vulnerability discovered by Nguyen Kim Sang in WordPress Plugin Pakke Envíos versions <= 1.0.2...
WordPress Premium SEO Pack <= 3.3.2 - SQL Injection Vulnerability
SQL Injection Vulnerability discovered by Tran Nguyen Bao KhanhVCI - VNPT in WordPress Plugin Premium SEO Pack versions <= 3.3.2...
WordPress WPGYM plugin <= 65.0 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Jingle Bells in WordPress Plugin WPGYM versions <= 65.0...
WordPress Nuss theme <= 1.3.7.1 - Broken Access Control Vulnerability
Broken Access Control Vulnerability discovered by Rau má đậu xanh in WordPress Theme Nuss versions <= 1.3.7.1...
WordPress Sala theme <= 1.1.3 - Broken Access Control Vulnerability
Broken Access Control Vulnerability discovered by Rau má đậu xanh in WordPress Theme Sala versions <= 1.1.3...
WordPress Internal Linking of Related Contents plugin <= 1.1.8 - Broken Access Control Vulnerability
Broken Access Control Vulnerability discovered by astra.r3verii Patchstack Alliance in WordPress Plugin Internal Linking of Related Contents versions <= 1.1.8...
WordPress WP Pipes plugin <= 1.4.3 - SQL Injection Vulnerability
SQL Injection Vulnerability discovered by LVT-tholv2k in WordPress Plugin WP Pipes versions <= 1.4.3...
WordPress WooCommerce Registration Fields Plugin - Custom Signup Fields plugin <= 3.2.3 - Privilege Escalation vulnerability
WordPress WooCommerce Registration Fields Plugin - Custom Signup Fields plugin <= 3.2.3 - Privilege Escalation vulnerability discovered by 0xd4rk5id3 in WordPress Plugin WooCommerce Registration Fields Plugin - Custom Signup Fields versions <= 3.2.3...
WordPress smart SEO plugin <= 4.0 - SQL Injection Vulnerability
SQL Injection Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme smart SEO versions <= 4.0...
WordPress Hillter theme <= 3.0.7 - PHP Object Injection Vulnerability
PHP Object Injection Vulnerability discovered by Bonds in WordPress Theme Hillter versions <= 3.0.7...
WordPress Noisa theme <= 2.6.0 - PHP Object Injection Vulnerability
PHP Object Injection Vulnerability discovered by Bonds in WordPress Theme Noisa versions <= 2.6.0...
WordPress Responsive Coming Soon Landing Page / Holding Page for WordPress plugin <= 3.0 - Privilege Escalation Vulnerability
Privilege Escalation Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Plugin Responsive Coming Soon Landing Page / Holding Page for WordPress versions <= 3.0...
WordPress Auto Login After Registration plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by 0xd4rk5id3 in WordPress Plugin Auto Login After Registration versions <= 1.0.0...
WordPress Shortcode Generator plugin <= 1.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Shortcode Generator versions <= 1.1...
WordPress Talemy Theme <= 1.2.23 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by Bonds in WordPress Theme Talemy versions <= 1.2.23...
WordPress Edge CPT plugin <= 1.4 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds in WordPress Plugin Edge CPT versions <= 1.4...
WordPress Billey Theme < 2.1.6 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by Bonds in WordPress Theme Billey versions < 2.1.6...
WordPress Uxper Booking Plugin <= 1.3.3 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by Bonds in WordPress Plugin Uxper Booking versions <= 1.3.3...
WordPress Nuss Theme <= 1.3.3 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Bonds in WordPress Theme Nuss versions <= 1.3.3...
WordPress Learts Addons Plugin < 1.7.5 - SQL Injection Vulnerability
SQL Injection Vulnerability discovered by Bonds in WordPress Plugin Learts Addons versions < 1.7.5...
WordPress Hillter Theme <= 3.0.7 is vulnerable to PHP Object Injection
Software: Hillter; Type: Theme; Vulnerable versions: <= 3.0.7; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: PHP Object Injection; CVE: CVE-2025-24777; Patch priority: High; CVSS severity: High 8.8; Developer: Claim ownership; PSID: 8e030521d3a0; Credits: Bonds; Required privilege: Subscriber; Published 8 Jul...
WordPress Yogi Theme <= 2.9.0 is vulnerable to PHP Object Injection
Software: Yogi; Type: Theme; Vulnerable versions: <= 2.9.0; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: PHP Object Injection; CVE: CVE-2025-24779; Patch priority: High; CVSS severity: High 8.8; Developer: Claim ownership; PSID: 10b2a1712298; Credits: Bonds; Required privilege: Subscriber; Published 8 July,...
WordPress Nuss Theme <= 1.3.3 is vulnerable to Broken Access Control
Software: Nuss; Type: Theme; Vulnerable versions: <= 1.3.3; Fixed in: N/A; OWASP Top 10: A1: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2025-52804; Patch priority: High; CVSS severity: High 7.5; Developer: Claim ownership; PSID: bd7e0e488ec4; Credits: Thái An; Required privilege: Unauthenticate...
WordPress Sala Theme <= 1.1.3 is vulnerable to Broken Access Control
Software: Sala; Type: Theme; Vulnerable versions: <= 1.1.3; Fixed in: N/A; OWASP Top 10: A1: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2025-52803; Patch priority: High; CVSS severity: High 7.5; Developer: Claim ownership; PSID: 485a6b36a4e6; Credits: Thái An; Required privilege: Unauthenticate...