45926 matches found
WordPress Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin <= 6.2.1 - Authenticated (Administrator+) Arbitrary File Read vulnerability
Authenticated (Administrator+) Arbitrary File Read vulnerability discovered by Niv Kochan in WordPress Plugin FluentForm versions <= 6.2.1...
WordPress Affiliate Program Suite — SliceWP Affiliates plugin <= 1.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin SliceWP versions <= 1.2.7...
NPM: VM2 Has a WASM Sandbox Escape (Node 25 only)
NPM: VM2 Has a WASM Sandbox Escape (Node 25 only) vulnerability discovered by ? in WordPress Npm vm2 versions 3.10.4...
NPM: VM2 Has a Sandbox Escape Issue via SuppressedError
NPM: VM2 Has a Sandbox Escape Issue via SuppressedError vulnerability discovered by ? in WordPress Npm vm2 versions = 3.10.4...
NPM: VM2 Has Sandbox Breakout Through Inspect Function
NPM: VM2 Has Sandbox Breakout Through Inspect Function vulnerability discovered by ? in WordPress Npm vm2 versions = 3.10.3...
NPM: VM2 Has Sandbox Breakout Through Promise Species
NPM: VM2 Has Sandbox Breakout Through Promise Species vulnerability discovered by ? in WordPress Npm vm2 versions = 3.10.3...
WordPress Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin <= 3.6.5 - Missing Authorization to Authenticated (Subscriber+) Stripe Webhook Deletion and Payment Processing Disruption vulnerability
Missing Authorization to Authenticated (Subscriber+) Stripe Webhook Deletion and Payment Processing Disruption vulnerability discovered by Jared Reyes in WordPress Plugin Paid Memberships Pro versions <= 3.6.5...
WordPress Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin <= 1.15.42 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by type5afe in WordPress Plugin Form Maker by 10Web versions <= 1.15.42...
WordPress Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin <= 1.52.1 - Unauthenticated Arbitrary File Read vulnerability
Unauthenticated Arbitrary File Read vulnerability discovered by daroo in WordPress Plugin Forminator versions <= 1.52.1...
WordPress WeePie Cookie Allow plugin <= 3.4.11 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by Ren Voza in WordPress Plugin WeePie Cookie Allow versions <= 3.4.11...
WordPress GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content plugin <= 1.2.2 - Missing Authorization to Unauthenticated Arbitrary plugin Installation vulnerability
Missing Authorization to Unauthenticated Arbitrary plugin Installation vulnerability discovered by kiemtiendinhau in WordPress Plugin GeekyBot versions <= 1.2.2...
WordPress GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content plugin <= 1.2.0 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by Nguyen Ngoc Duc duc193 in WordPress Plugin GeekyBot versions <= 1.2.0...
WordPress Ninja Tables – Easy Data Table Builder plugin <= 5.2.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Table Creation vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary Table Creation vulnerability discovered by nquangit - Techlab Corporation in WordPress Plugin Ninja Tables versions <= 5.2.6...
WordPress Subscribe To Comments Reloaded plugin <= 240119 - Improper Authorization to Unauthenticated Arbitrary Subscription Management vulnerability
Improper Authorization to Unauthenticated Arbitrary Subscription Management vulnerability discovered by Supakiad S. m3ez - E-CQURITY Thailand in WordPress Plugin Subscribe To Comments Reloaded versions <= 240119...
WordPress AWP Classifieds plugin < 4.4.6.1 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Hunter Jensen skid in WordPress Plugin AWP Classifieds versions < 4.4.6.1...
WordPress Mercado Pago payments for WooCommerce plugin <= 8.7.11 - Missing Authorization to Unauthenticated PIX Payment QR Code Image Disclosure vulnerability
Missing Authorization to Unauthenticated PIX Payment QR Code Image Disclosure vulnerability discovered by Muhammad Sharief in WordPress Plugin Mercado Pago payments for WooCommerce versions <= 8.7.11...
WordPress WP Business Intelligence Lite plugin <= 3.2.0 - Authenticated (Subscriber+) Missing Authorization to Privilege Escalation vulnerability
Authenticated (Subscriber+) Missing Authorization to Privilege Escalation vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin Business Intelligence Lite versions <= 3.2.0...
WordPress Salon Booking System – Free Version plugin <= 10.30.25 - Unauthenticated Arbitrary File Read vulnerability
Unauthenticated Arbitrary File Read vulnerability discovered by daroo in WordPress Plugin Salon booking system versions <= 10.30.25...
WordPress Profile Builder Pro plugin <= 3.14.5 - Unauthenticated PHP Object Injection vulnerability
Unauthenticated PHP Object Injection vulnerability discovered by 0xbro in WordPress Plugin Profile Builder Pro versions <= 3.14.5...
WordPress Geo Mashup plugin <= 1.13.19 - Authenticated (Subscriber+) SQL Injection vulnerability
Authenticated (Subscriber+) SQL Injection vulnerability discovered by Leonid Semenenko lsemenenko in WordPress Plugin Geo Mashup versions <= 1.13.19...
WordPress Gravity Forms plugin <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by tadokun in WordPress Plugin Gravity Forms versions <= 2.10.0...
WordPress ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin <= 4.0.60 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by Yuvraj Tomar in WordPress Plugin ARMember versions <= 4.0.60...
WordPress User Verification by PickPlugins plugin <= 2.0.46 - Unauthenticated Authentication Bypass vulnerability
Unauthenticated Authentication Bypass vulnerability discovered by kai63001 in WordPress Plugin User Verification versions <= 2.0.46...
WordPress Geo Mashup plugin <= 1.13.18 - Unauthenticated Time-Based SQL Injection vulnerability
Unauthenticated Time-Based SQL Injection vulnerability discovered by Naoya Takahashi nakko in WordPress Plugin Geo Mashup versions <= 1.13.18...
WordPress WP Mail Gateway plugin <= 1.8 - Missing Authorization to Authenticated (Subscriber+) SMTP Configuration Modification vulnerability
Missing Authorization to Authenticated (Subscriber+) SMTP Configuration Modification vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin WP Mail Gateway versions <= 1.8...
WordPress Temporary Login plugin <= 1.0.0 - Authentication Bypass to Account Takeover vulnerability
Authentication Bypass to Account Takeover vulnerability discovered by TANG Cheuk Hei siunam in WordPress Plugin Temporary Login versions <= 1.0.0...
WordPress Mentoring plugin <= 1.2.8 - Unauthenticated Privilege Escalation in mentoring_process_registration vulnerability
Unauthenticated Privilege Escalation in mentoring_process_registration vulnerability discovered by シルAsuna in WordPress Plugin Mentoring versions <= 1.2.8...
WordPress MoreConvert Pro plugin <= 1.9.14 - Authentication Bypass vulnerability
Authentication Bypass vulnerability discovered by Nguyen Ngoc Duc duc193 in WordPress Plugin MoreConvert Pro versions <= 1.9.14...
WordPress Import and export users and customers plugin <= 2.0.8 - Authenticated (Subscriber+) Privilege Escalation vulnerability
Authenticated (Subscriber+) Privilege Escalation vulnerability discovered by kiemtiendinhau in WordPress Plugin Import and export users and customers versions <= 2.0.8...
WordPress User Registration Advanced Fields plugin <= 1.6.20 - Unauthenticated Arbitrary File Upload vulnerability
Unauthenticated Arbitrary File Upload vulnerability discovered by 0xd4rk5id3 - EnvoraSec in WordPress Plugin User Registration Advanced Fields versions <= 1.6.20...
NPM: Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
NPM: Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream vulnerability discovered by ? in WordPress Npm axios versions = 1.0.0, 1.15.1...
NPM: Axios: no_proxy bypass via IP alias allows SSRF
NPM: Axios: no_proxy bypass via IP alias allows SSRF vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...
NPM: Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
NPM: Axios: unbounded recursion in toFormData causes DoS via deeply nested request data vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...
NPM: Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0
NPM: Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...
NPM: Axios: HTTP adapter streamed responses bypass maxContentLength
NPM: Axios: HTTP adapter streamed responses bypass maxContentLength vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...
NPM: Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
Response Tampering, Data Exfiltration, and Request Hijacking vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...
NPM: Axios: Header Injection via Prototype Pollution
NPM: Axios: Header Injection via Prototype Pollution vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...
NPM: Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion
NPM: Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...
NPM: Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy
NPM: Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...
NPM: Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0
NPM: Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...
NPM: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
NPM: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` vulnerability discovered by ? in WordPress Npm axios versions = 1.0.0, 1.15.2...
NPM: Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams
NPM: Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...
WordPress Betheme theme <= 28.4 - Authenticated (Contributor+) Arbitrary File Deletion vulnerability
Authenticated (Contributor+) Arbitrary File Deletion vulnerability discovered by ? in WordPress Theme Betheme versions <= 28.4...
NPM: OpenClaw's Gateway Control UI bootstrap config required Gateway auth
NPM: OpenClaw's Gateway Control UI bootstrap config required Gateway auth vulnerability discovered by ? in WordPress Npm openclaw versions = 2026.4.21...