WordPress LoginPress Pro plugin <= 6.2.2 - Privilege Escalation vulnerability

Privilege Escalation vulnerability discovered by wackydawg in WordPress Plugin LoginPress Pro versions = 6.2.2...

WordPress Accordions plugin <= 2.3.23 - Authenticated (Custom+) Stored Cross-Site Scripting vulnerability

Authenticated Custom+ Stored Cross-Site Scripting vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin Accordion versions = 2.3.23...

WordPress Hippoo Mobile App for WooCommerce plugin <= 1.9.4 - Privilege Escalation vulnerability

Privilege Escalation vulnerability discovered by ParkHyunWoo in WordPress Plugin Hippoo Mobile App for WooCommerce versions = 1.9.4...

WordPress WooCommerce Anti-Fraud plugin <= 7.2.6 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Austin Ginder in WordPress Plugin WooCommerce Anti-Fraud versions = 7.2.6...

WordPress WooCommerce Dropshipping plugin <= 5.2.4 - Broken Authentication vulnerability

Broken Authentication vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin WooCommerce Dropshipping versions = 5.2.4...

WordPress Knit Pay plugin <= 9.4.0.0 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Averon Averenkov in WordPress Plugin Knit Pay versions = 9.4.0.0...

WordPress WPZOOM Portfolio plugin <= 1.4.21 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Kent Apostol in WordPress Plugin WPZOOM Portfolio versions = 1.4.21...

WordPress Email Encoder Premium plugin < 0.3.12 - Unauthenticated Stored XSS vulnerability

Unauthenticated Stored XSS vulnerability discovered by Matthew Rollings in WordPress Plugin Email Encoder Premium versions 0.3.12...

WordPress Email Address Encoder plugin < 1.0.25 - Unauthenticated Stored XSS vulnerability

Unauthenticated Stored XSS vulnerability discovered by Matthew Rollings in WordPress Plugin Email Address Encoder versions 1.0.25...

WordPress JetEngine plugin <= 3.8.9.1 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by daroo in WordPress Plugin JetEngine versions = 3.8.9.1...

WordPress JetEngine plugin <= 3.8.9.1 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by daroo in WordPress Plugin JetEngine versions = 3.8.9.1...

WordPress JetEngine plugin <= 3.8.9.1 - SQL Injection vulnerability

SQL Injection vulnerability discovered by daroo in WordPress Plugin JetEngine versions = 3.8.9.1...

WordPress The Events Calendar plugin 6.15.12-6.16.2 - SQL Injection vulnerability

SQL Injection vulnerability discovered by vtim in WordPress Plugin The Events Calendar versions 6.15.12-6.16.2...

WordPress wpDataTables plugin <= 7.3.6 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Bonds in WordPress Plugin wpDataTables versions = 7.3.6...

WordPress Masteriyo - LMS plugin <= 2.2.0 - Privilege Escalation vulnerability

WordPress Masteriyo - LMS plugin = 2.2.0 - Privilege Escalation vulnerability discovered by daroo in WordPress Plugin Masteriyo - LMS versions = 2.2.0...

WordPress JetEngine plugin < 3.8.9.1 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Bonds in WordPress Plugin JetEngine versions 3.8.9.1...

WordPress Recipe Card Blocks Lite plugin <= 3.4.13 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability

Authenticated Author+ Stored Cross-Site Scripting vulnerability discovered by ? in WordPress Plugin Recipe Card Blocks for Gutenberg & Elementor versions = 3.4.13...

WordPress WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters plugin <= 4.9.4 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability

Authenticated Admin+ Stored Cross-Site Scripting vulnerability discovered by Yousef Alraddadi - none in WordPress Plugin WP Maps versions = 4.9.4...

WordPress MapPress Maps for WordPress plugin <= 2.96.6 - Unauthenticated Insecure Direct Object Reference vulnerability

Unauthenticated Insecure Direct Object Reference vulnerability discovered by Kitch - KitchGlobal in WordPress Plugin MapPress Maps for WordPress versions = 2.96.6...

WordPress SEO Plugin by Squirrly SEO plugin <= 12.4.16 - Missing Authorization to Authenticated (Contributor+) Privileged Cloud API Operations vulnerability

Missing Authorization to Authenticated Contributor+ Privileged Cloud API Operations vulnerability discovered by Abi Wiranata in WordPress Plugin SEO Plugin by Squirrly SEO versions = 12.4.16...

WordPress Klamra Paycal for Aspaclaria plugin <= 1.1.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Information Exposure vulnerability

Insecure Direct Object Reference to Authenticated Subscriber+ Sensitive Information Exposure vulnerability discovered by KEVIN LEE crattack - OPCIA in WordPress Plugin Klamra Paycal for Aspaclaria versions = 1.1.4...

WordPress Smart Slider 3 plugin <= 3.5.1.36 - Authenticated (Administrator+) Path Traversal to Arbitrary File Read vulnerability

Authenticated Administrator+ Path Traversal to Arbitrary File Read vulnerability discovered by Nguyen Khanh Hao in WordPress Plugin Smart Slider 3 versions = 3.5.1.36...

WordPress Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin <= 6.6.4 - Missing Authorization to Unauthenticated Information Exposure vulnerability

Missing Authorization to Unauthenticated Information Exposure vulnerability discovered by Anirudh Makkar in WordPress Plugin Essential Addons for Elementor versions = 6.6.4...

WordPress LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin <= 4.3.6 - Unauthenticated Sensitive Information Exposure vulnerability

Unauthenticated Sensitive Information Exposure vulnerability discovered by Jamshed Yergashvoyev CVE Guy - Turan Security in WordPress Plugin LearnPress versions = 4.3.6...

WordPress Quick Playground plugin <= 1.3.4 - Authenticated (Administrator+) Arbitrary File Read vulnerability

Authenticated Administrator+ Arbitrary File Read vulnerability discovered by Pablo Santiago in WordPress Plugin Quick Playground versions = 1.3.4...

WordPress MDJM Event Management plugin <= 1.7.8.3 - Authenticated (Administrator+) Arbitrary File Upload vulnerability

Authenticated Administrator+ Arbitrary File Upload vulnerability discovered by Ryan Kozak in WordPress Plugin Mobile DJ Manager versions = 1.7.8.3...

WordPress LearnPress – Backup & Migration Tool plugin <= 4.1.4 - Authenticated (Administrator+) Path Traversal to Arbitrary File Read vulnerability

Authenticated Administrator+ Path Traversal to Arbitrary File Read vulnerability discovered by Wannes Verwimp in WordPress Plugin LearnPress Export Import versions = 4.1.4...

WordPress EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more plugin <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by UKO - Korea univ. in WordPress Plugin EmbedPress versions = 4.5.3...

WordPress Drag and Drop Multiple File Upload for Contact Form 7 plugin <= 1.3.9.7 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting vulnerability discovered by Bao Luu Gia Nguyen in WordPress Plugin Drag and Drop Multiple File Upload – Contact Form 7 versions = 1.3.9.7...

WordPress WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin <= 1.10.0.4 - Unauthenticated Insufficient Verification of Data Authenticity vulnerability

Unauthenticated Insufficient Verification of Data Authenticity vulnerability discovered by Valatty in WordPress Plugin Contact Form by WPForms versions = 1.10.0.4...

WordPress OptinCraft – Drag & Drop Optins & Popup Builder for WordPress plugin <= 1.2.0 - Authenticated (Administrator+) SQL Injection vulnerability

Authenticated Administrator+ SQL Injection vulnerability discovered by Yousef Alraddadi - none in WordPress Plugin OptinCraft – Drag & Drop Optins & Popup Builder for WordPress versions = 1.2.0...

WordPress Click to Chat – HoliThemes plugin <= 4.39 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Valatty in WordPress Plugin Click to Chat versions = 4.39...

WordPress LearnPress – Backup & Migration Tool plugin <= 4.1.4 - Authenticated (Administrator+) PHP Object Injection vulnerability

Authenticated Administrator+ PHP Object Injection vulnerability discovered by Wannes Verwimp in WordPress Plugin LearnPress Export Import versions = 4.1.4...

WordPress Page-list plugin <= 6.2 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Disclosure vulnerability

Missing Authorization to Authenticated Contributor+ Sensitive Information Disclosure vulnerability discovered by darkmode in WordPress Plugin Page-list versions = 6.2...

WordPress Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits plugin <= 3.1.0 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability

Authenticated Author+ Stored Cross-Site Scripting vulnerability discovered by ? in WordPress Plugin Master Addons for Elementor versions = 3.1.0...

WordPress LatePoint – Calendar Booking Plugin for Appointments and Events plugin <= 5.6.0 - Cross-Site Request Forgery vulnerability

Cross-Site Request Forgery vulnerability discovered by Kirasec in WordPress Plugin LatePoint versions = 5.6.0...

WordPress Simple SEO Slideshow plugin <= 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Gilang - DJ in WordPress Plugin Simple SEO Slideshow versions = 1.2.8...

WordPress RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin <= 5.1.7 - Missing Authorization to Authenticated (Contributor+) Import Job Creation, Execution, Purge, Log Clearing, and Information Disclosure vulnerability

Missing Authorization to Authenticated Contributor+ Import Job Creation, Execution, Purge, Log Clearing, and Information Disclosure vulnerability discovered by Jack Pas Dark. - Black Lantern Security in WordPress Plugin Feedzy versions = 5.1.7...

WordPress Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin <= 11.1.2 - Authenticated (Admin+) SQL Injection vulnerability

Authenticated Admin+ SQL Injection vulnerability discovered by Drew Webber mcdruid in WordPress Plugin Quiz And Survey Master versions = 11.1.2...

WordPress WPvivid — Backup, Migration & Staging plugin <= 0.9.128 - Authenticated (Admin+) Arbitrary Directory Deletion vulnerability

Authenticated Admin+ Arbitrary Directory Deletion vulnerability discovered by blue0x1 in WordPress Plugin WPvivid Backup and Migration versions = 0.9.128...

WordPress Shared Files plugin <= 1.7.64 - Path Traversal vulnerability

Path Traversal vulnerability discovered by kai63001 in WordPress Plugin Shared Files versions = 1.7.64...

WordPress Frontend User Notes plugin <= 2.1.1 - Cross-Site Request Forgery to Note Content Modification vulnerability

Cross-Site Request Forgery to Note Content Modification vulnerability discovered by Mohamed Wajih Hichri Assaults - TEK-UP in WordPress Plugin Frontend User Notes versions = 2.1.1...

WordPress Express Payment For Stripe plugin <= 1.28.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Stripe Express versions = 1.28.0...

WordPress Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin <= 1.8.11.1 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Attachment Deletion vulnerability

Authenticated Subscriber+ Insecure Direct Object Reference to Arbitrary Attachment Deletion vulnerability discovered by Khanh Nguyen - BlueRock in WordPress Plugin Charitable versions = 1.8.11.1...

WordPress Alba Board plugin <= 2.1.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure vulnerability

Missing Authorization to Authenticated Subscriber+ Sensitive Information Disclosure vulnerability discovered by Teerachai Somprasong in WordPress Plugin Alba Board versions = 2.1.3...

WordPress JetSearch plugin <= 3.5.17 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Bonds in WordPress Plugin JetSearch versions = 3.5.17...

WordPress WP User Manager plugin <= 2.9.16 - Arbitrary File Deletion vulnerability

Arbitrary File Deletion vulnerability discovered by endy in WordPress Plugin WP User Manager versions = 2.9.16...

WordPress WP Travel Engine plugin <= 6.7.10 - Other Vulnerability Type vulnerability

Other Vulnerability Type vulnerability discovered by dodoh4t in WordPress Plugin WP Travel Engine versions = 6.7.10...

WordPress Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons plugin <= 1.4.8 - Sensitive Data Exposure vulnerability

Sensitive Data Exposure vulnerability discovered by dodoh4t in WordPress Plugin Chatway Live Chat AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons versions = 1.4.8...

WordPress User Registration Stripe plugin <= 1.3.12 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by 0xd4rk5id3 in WordPress Plugin User Registration Stripe versions = 1.3.12...