WordPress Sala Theme <= 1.1.4 is vulnerable to Privilege Escalation
Software: Sala; Type: Theme; Vulnerable versions: <= 1.1.4; Fixed in: N/A; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Privilege Escalation; CVE: CVE-2025-4606; Patch priority: High; CVSS severity: High 9.8; PSID: e358e6b6574a; Credits: Thái An; Required...
WordPress Noisa Theme <= 2.6.0 is vulnerable to PHP Object Injection
Software: Noisa; Type: Theme; Vulnerable versions: <= 2.6.0; Fixed in: 2.6.2; OWASP Top 10: A3: Injection; Classification: PHP Object Injection; CVE: CVE-2025-53560; Patch priority: High; CVSS severity: High 8.8; PSID: 60e4fbd75f25; Credits: Bonds; Required privilege: Subscriber; Published: 8 Jul...
WordPress Woodmart plugin <= 8.2.3 - Unauthenticated Arbitrary Shortcode Execution vulnerability
Unauthenticated Arbitrary Shortcode Execution vulnerability discovered by stealthcopter in WordPress Theme WoodMart versions <= 8.2.3...
WordPress WoodMart plugin <= 8.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by stealthcopter in WordPress Theme WoodMart versions <= 8.2.3...
WordPress WoodMart plugin <= 8.2.3 - Authenticated (Contributor+) Local File Inclusion vulnerability
Authenticated (Contributor+) Local File Inclusion vulnerability discovered by stealthcopter in WordPress Theme WoodMart versions <= 8.2.3...
WordPress Guest Support plugin <= 1.2.2 - Missing Authorization to Unauthenticated Ticket Deletion vulnerability
Missing Authorization to Unauthenticated Ticket Deletion vulnerability discovered by Amin Beheshti in WordPress Plugin Guest Support versions <= 1.2.2...
WordPress Essential Addons for Elementor plugin <= 6.1.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via `Calendar` And `Business Reviews` Widgets vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via `Calendar` And `Business Reviews` Widgets vulnerability discovered by Webbernaut in WordPress Plugin Essential Addons for Elementor versions <= 6.1.19...
WordPress AI Engine plugin <= 2.8.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting via `mwai_chatbot` Shortcode `id` Parameter vulnerability
Authenticated (Subscriber+) Stored Cross-Site Scripting via `mwai_chatbot` Shortcode `id` Parameter vulnerability discovered by mikemyers in WordPress Plugin AI Engine versions <= 2.8.4...
WordPress GoZen Forms plugin <= 1.1.5 - Unauthenticated SQL Injection via dirGZActiveForm() vulnerability
Unauthenticated SQL Injection via dirGZActiveForm() vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin GoZen Forms versions <= 1.1.5...
WordPress WP Human Resource Management plugin 2.0.0-2.2.17 - Missing Authorization to Authenticated (Employee+) Privilege Escalation vulnerability
Missing Authorization to Authenticated (Employee+) Privilege Escalation vulnerability discovered by kr0d in WordPress Plugin WP Human Resource Management versions 2.0.0-2.2.17...
WordPress WP Firebase Push Notification plugin <= 1.2.0 - Cross-Site Request Forgery to Broadcast Notification vulnerability
Cross-Site Request Forgery to Broadcast Notification vulnerability discovered by Nabil Irawan in WordPress Plugin WP Firebase Push Notification versions <= 1.2.0...
WordPress PowerFolio plugin <= 3.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom JS vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Custom JS vulnerability discovered by Webbernaut in WordPress Plugin PowerFolio versions <= 3.2.0...
WordPress Contact Form 7 Database Addon plugin <= 1.3.1 - Unauthenticated Stored Cross-Site Scripting via tmpD Parameter vulnerability
Unauthenticated Stored Cross-Site Scripting via tmpD Parameter vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Contact Form 7 Database Addon – CFDB7 versions <= 1.3.1...
WordPress Easy restaurant menu manager plugin <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via `nsc_eprm_menu_link` Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via `nsc_eprm_menu_link` Shortcode vulnerability discovered by Alex Thomas in WordPress Plugin Easy pdf restaurant menu upload versions <= 2.0.1...
WordPress Super Store Finder plugin < 7.8 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds in WordPress Plugin Super Store Finder versions < 7.8...
WordPress Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) plugin <= 1.2 - SQL Injection Vulnerability
SQL Injection Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Plugin Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) versions <= 1.2...
WordPress PW WooCommerce On Sale! plugin <= 1.39 - Broken Access Control Vulnerability
Broken Access Control Vulnerability discovered by theviper17 in WordPress Plugin PW WooCommerce On Sale! versions <= 1.39...
WordPress LoginWP - Pro Plugin <= 4.0.8.5 - Broken Access Control vulnerability
WordPress LoginWP - Pro Plugin <= 4.0.8.5 - Broken Access Control vulnerability discovered by Rafie Muhammad Patchstack in WordPress Plugin LoginWP - Pro versions <= 4.0.8.5...
WordPress Ultimate Push Notifications plugin <= 1.2.0 - Broken Access Control Vulnerability
Broken Access Control Vulnerability discovered by astra.r3verii in WordPress Plugin Ultimate Push Notifications versions <= 1.2.0...
WordPress Profiler - What Slowing Down Your WP <= 1.0.0 - Broken Access Control Vulnerability
WordPress Profiler - What Slowing Down Your WP <= 1.0.0 - Broken Access Control Vulnerability discovered by ch4r0n Patchstack Alliance in WordPress Plugin Profiler - What Slowing Down Your WP versions <= 1.0.0...
WordPress Pay with Contact Form 7 plugin <= 1.0.4 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Pay with Contact Form 7 versions <= 1.0.4...
WordPress CSS3 Compare Pricing Tables for WordPress plugin <= 11.6 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT in WordPress Plugin CSS3 Compare Pricing Tables for WordPress versions <= 11.6...
WordPress Wordpress Auto Spinner plugin <= 3.26.0 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Anhchangmutrang in WordPress Plugin Wordpress Auto Spinner versions <= 3.26.0...
WordPress Electrician - Electrical Service WordPress theme <= 1.0 - Cross Site Scripting (XSS) Vulnerability
WordPress Electrician - Electrical Service WordPress theme <= 1.0 - Cross Site Scripting (XSS) Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Electrician - Electrical Service WordPress versions <= 1.0...
WordPress Dot html,php,xml etc pages plugin <= 1.0 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Dot html,php,xml etc pages versions <= 1.0...
WordPress Tennis Court Bookings plugin <= 1.2.7 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Tennis Court Bookings versions <= 1.2.7...
WordPress Invico - WordPress Consulting Business Theme <= 1.9 - Cross Site Scripting (XSS) Vulnerability
WordPress Invico - WordPress Consulting Business Theme <= 1.9 - Cross Site Scripting (XSS) Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Invico - WordPress Consulting Business Theme versions <= 1.9...
WordPress Ofiz - Business Consulting Theme plugin <= 2.0 - Cross Site Scripting (XSS) Vulnerability
WordPress Ofiz - Business Consulting Theme plugin <= 2.0 - Cross Site Scripting (XSS) Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Ofiz - WordPress Business Consulting Theme versions <= 2.0...
WordPress Contact Form 7 Editor Button plugin <= 1.0.0 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Contact Form 7 Editor Button versions <= 1.0.0...
WordPress SMu Manual DoFollow plugin <= 1.8.1 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Nguyen Xuan Chien Patchstack Alliance in WordPress Plugin SMu Manual DoFollow versions <= 1.8.1...
WordPress Media Folder plugin <= 1.0.0 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Media Folder versions <= 1.0.0...
WordPress Infility Global plugin <= 2.13.4 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by astra.r3verii in WordPress Plugin Infility Global versions <= 2.13.4...
WordPress ListingEasy theme <= 1.9.2 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Bonds in WordPress Theme ListingEasy versions <= 1.9.2...
WordPress WPCode Content Ratio plugin <= 2.0 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin WPCode Content Ratio versions <= 2.0...
WordPress Multi-language Responsive Contact Form plugin <= 2.8 - Broken Access Control Vulnerability
Broken Access Control Vulnerability discovered by ch4r0n in WordPress Plugin Multi-language Responsive Contact Form versions <= 2.8...
WordPress Torod plugin <= 2.1 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Martino Spagnuolo r3verii in WordPress Plugin Torod versions <= 2.1...
WordPress Easy Video Player Wordpress & WooCommerce plugin <= 10.0 - Arbitrary File Download Vulnerability
Arbitrary File Download Vulnerability discovered by 0xd4rk5id3 in WordPress Theme Easy Video Player Wordpress & WooCommerce versions <= 10.0...
WordPress Site Chat on Telegram plugin <= 1.0.4 - PHP Object Injection Vulnerability
PHP Object Injection Vulnerability discovered by Drew / mcdruid in WordPress Plugin Site Chat on Telegram versions <= 1.0.4...
WordPress CoSchool LMS plugin <= 1.4.3 - PHP Object Injection Vulnerability
PHP Object Injection Vulnerability discovered by Drew / mcdruid in WordPress Plugin CoSchool LMS versions <= 1.4.3...
WordPress Easy Video Player Wordpress & WooCommerce Theme <= 10.0 is vulnerable to Arbitrary File Download
Software: Easy Video Player Wordpress & WooCommerce; Type: Theme; Vulnerable versions: <= 10.0; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Arbitrary File Download; CVE: CVE-2025-28955; Patch priority: High; CVSS severity: High 7.5; PSID: 646c16d60f12; Credits: 0xd4rk5id3...
WordPress ListingEasy Theme <= 1.9.2 is vulnerable to Cross Site Scripting (XSS)
Software: ListingEasy; Type: Theme; Vulnerable versions: <= 1.9.2; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2025-30955; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: 69dabf517a19; Credits: Bonds; Required privilege: Unauthenticate...
WordPress Electrician - Electrical Service WordPress Theme <= 1.0 is vulnerable to Cross Site Scripting (XSS)
Software: Electrician - Electrical Service WordPress; Type: Theme; Vulnerable versions: <= 1.0; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2025-31055; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: c51b2442e459; Credits: Tran Nguye...
WordPress Ofiz - WordPress Business Consulting Theme Theme <= 2.0 is vulnerable to Cross Site Scripting (XSS)
Software: Ofiz - WordPress Business Consulting Theme; Type: Theme; Vulnerable versions: <= 2.0; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2025-31072; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: 46fba1f0778c; Credits: Tran Nguye...
WordPress Invico - WordPress Consulting Business Theme Theme <= 1.9 is vulnerable to Cross Site Scripting (XSS)
Software: Invico - WordPress Consulting Business Theme; Type: Theme; Vulnerable versions: <= 1.9; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2025-31427; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: 9e4642f9ea67; Credits: Tran...
WordPress WoodMart Theme <= 8.2.3 is vulnerable to Content Injection
Software: WoodMart; Type: Theme; Vulnerable versions: <= 8.2.3; Fixed in: 8.2.4; OWASP Top 10: A3: Injection; Classification: Content Injection; CVE: CVE-2025-6744; Patch priority: Medium; CVSS severity: Medium 7.3; Developer: Xtemos; PSID: 56c1aba7e1f2; Credits: stealthcopter; Required privilege: Unauthenticated; Publishe...
WordPress WoodMart Theme <= 8.2.3 is vulnerable to Local File Inclusion
Software: WoodMart; Type: Theme; Vulnerable versions: <= 8.2.3; Fixed in: 8.2.4; OWASP Top 10: A1: Injection; Classification: Local File Inclusion; CVE: CVE-2025-6746; Patch priority: Low; CVSS severity: Low 7.5; Developer: Xtemos; PSID: fa6d0144ad7f; Credits: stealthcopter; Required privilege: Contributor; Published: 7 Jul...
WordPress WoodMart Theme <= 8.2.3 is vulnerable to Cross Site Scripting (XSS)
Software: WoodMart; Type: Theme; Vulnerable versions: <= 8.2.3; Fixed in: 8.2.4; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2025-6743; Patch priority: Low; CVSS severity: Low 6.5; Developer: Xtemos; PSID: 119b4b01c8c2; Credits: stealthcopter; Required privilege...
WordPress UNIVERSAM plugin <= 9.00 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by mcdruid in WordPress Plugin UNIVERSAM versions <= 9.00...
WordPress WP Pipes plugin <= 1.4.3 - Arbitrary File Deletion vulnerability
Arbitrary File Deletion vulnerability discovered by LVT-tholv2k in WordPress Plugin WP Pipes versions <= 1.4.3...
WordPress Subscribe to Download plugin <= 2.0.9 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Subscribe to Download versions <= 2.0.9...