WordPress Radio Station plugin <= 2.5.12 - Cross Site Request Forgery (CSRF) Vulnerability
Cross Site Request Forgery (CSRF) Vulnerability discovered by Nguyen Ngoc Quang Bach maysbachs in WordPress Plugin Radio Station versions <= 2.5.12...
WordPress WP Visitor Statistics (Real Time Traffic) plugin <= 7.8 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by muhammad yudha in WordPress Plugin WP Visitor Statistics (Real Time Traffic) versions <= 7.8...
WordPress Printcart Web to Print Product Designer for WooCommerce plugin <= 2.4.0 - SQL Injection Vulnerability
SQL Injection Vulnerability discovered by timomangcut in WordPress Plugin Printcart Web to Print Product Designer for WooCommerce versions <= 2.4.0...
WordPress MF Plus WPML plugin <= 1.1 - Settings Change Vulnerability
Settings Change Vulnerability discovered by Mika in WordPress Plugin MF Plus WPML versions <= 1.1...
WordPress WP Compress plugin <= 6.30.30 - Broken Authentication Vulnerability
Broken Authentication Vulnerability discovered by Trương Hữu Phúc truonghuuphuc in WordPress Plugin WP Compress versions <= 6.30.30...
WordPress Melapress File Monitor plugin < 2.2.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Mika Patchstack Alliance in WordPress Plugin Melapress File Monitor versions < 2.2.0...
WordPress EventON plugin <= 4.9.9 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nguyễn Trung Kiên anhchangmutrang in WordPress Plugin EventON versions <= 4.9.9...
WordPress Paytiko for WooCommerce plugin <= 1.3.21 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by 0xd4rk5id3 in WordPress Plugin Paytiko for WooCommerce versions <= 1.3.21...
WordPress WC Pickup Store plugin <= 1.8.9 - Settings Change Vulnerability
Settings Change Vulnerability discovered by Mika in WordPress Plugin WC Pickup Store versions <= 1.8.9...
WordPress Allmart plugin <= 1.0.0 - Server Side Request Forgery (SSRF) Vulnerability
Server Side Request Forgery (SSRF) Vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Allmart versions <= 1.0.0...
WordPress Paid Member Subscriptions plugin <= 2.15.1 - SQL Injection Vulnerability
SQL Injection Vulnerability discovered by ChuongVN in WordPress Plugin Paid Member Subscriptions versions <= 2.15.1...
WordPress Easy Stripe plugin <= 1.1 - Remote Code Execution (RCE) Vulnerability
Remote Code Execution (RCE) Vulnerability discovered by 0xd4rk5id3 in WordPress Plugin Easy Stripe versions <= 1.1...
WordPress Testimonials Showcase plugin <= 1.9.16 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT in WordPress Plugin Testimonials Showcase versions <= 1.9.16...
WordPress bSecure – Your Universal Checkout plugin <= 1.7.9 - SQL Injection Vulnerability
SQL Injection Vulnerability discovered by ch4r0n in WordPress Plugin bSecure – Your Universal Checkout versions <= 1.7.9...
WordPress RealHomes theme <= 4.4.0 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by Aiden in WordPress Theme RealHomes versions <= 4.4.0...
WordPress RealHomes Theme <= 4.4.0 is vulnerable to Privilege Escalation
Software: RealHomes; Type: Theme; Vulnerable versions: <= 4.4.0; Fixed in: 4.4.1; OWASP Top 10: A5: Security Misconfiguration; Classification: Privilege Escalation; CVE: CVE-2025-49867; Patch priority: High; CVSS severity: High (9.8); PSID: 9303a55298f9; Credits: Frank; Required privilege...
WordPress PeepSo Core: Groups plugin <= 6.4.6.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Group Description vulnerability
Authenticated (Subscriber+) Stored Cross-Site Scripting via Group Description vulnerability discovered by Bikram Kharal in WordPress Plugin PeepSo Core: Groups versions <= 6.4.6.0...
WordPress Element Pack Addons for Elementor plugin <= 8.0.0 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via data-caption Attribute vulnerability
Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via data-caption Attribute vulnerability discovered by Webbernaut in WordPress Plugin Element Pack Elementor Addons versions 8.0.0...
WordPress Education Center theme <= 3.6.10 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Lucio Sá in WordPress Theme Education Center versions <= 3.6.10...
WordPress Contact Form by Bit Form plugin <= 2.17.5 - Unauthenticated Sensitive Information Exposure vulnerability
Unauthenticated Sensitive Information Exposure vulnerability discovered by Tim Coen in WordPress Plugin Bit Form versions <= 2.17.5...
WordPress Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin <= 1.7.1,5.0-5.0.5 - Unauthenticated Arbitrary File Upload vulnerability
Unauthenticated Arbitrary File Upload vulnerability discovered by Foxyyy in WordPress Plugin Drag and Drop Multiple File Upload (Pro) - WooCommerce versions <= 1.7.1,5.0-5.0.5...
WordPress Premmerce plugin <= 1.3.19 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Ryan Novotny in WordPress Plugin Premmerce versions <= 1.3.19...
WordPress Everest Forms - Frontend Listing plugin <= 1.0.5 - PHP Object Injection Vulnerability
PHP Object Injection Vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Everest Forms - Frontend Listing versions <= 1.0.5...
WordPress Education Center Theme <= 3.6.10 is vulnerable to PHP Object Injection
Software: Education Center; Type: Theme; Vulnerable versions: <= 3.6.10; Fixed in: 3.6.11; OWASP Top 10: A1: Injection; Classification: PHP Object Injection; CVE: CVE-2024-13786; Patch priority: High; CVSS severity: High (9.8); PSID: 511daf731ac0; Credits: Lucio Sá; Required privilege...
Drupal Config Pages Viewer module < 1.0.4 - Unauthenticated Broken Access Control vulnerability
Unauthenticated Broken Access Control vulnerability discovered by Pierre Rudloff prudloff in WordPress Module Config Pages Viewer versions < 1.0.4...
Drupal Two-factor Authentication (TFA) module < 1.11.0 - Authenticated Broken Access Control vulnerability
Authenticated Broken Access Control vulnerability discovered by Conrad Lara cmlara in WordPress Module Two-factor Authentication (TFA) versions < 1.11.0...
WordPress All-in-One Addons for Elementor – WidgetKit plugin <= 2.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via button+modal Widget vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via button+modal Widget vulnerability discovered by Webbernaut in WordPress Plugin WidgetKit versions <= 2.5.4...
WordPress Vikinger plugin <= 1.9.32 - Authenticated (Subscriber+) Arbitrary File Deletion via vikinger_delete_activity_media_ajax Function vulnerability
Authenticated (Subscriber+) Arbitrary File Deletion via vikinger_delete_activity_media_ajax Function vulnerability discovered by Foxyyy in WordPress Theme Vikinger versions <= 1.9.32...
WordPress Forminator plugin <= 1.44.2 - Unauthenticated PHP Object Injection (PHAR) Triggered via Administrator Form Submission Deletion vulnerability
Unauthenticated PHP Object Injection (PHAR) Triggered via Administrator Form Submission Deletion vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Forminator versions <= 1.44.2...
WordPress Forminator plugin <= 1.44.2 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion vulnerability
Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Forminator versions <= 1.44.2...
WordPress Soumettre.fr plugin <= 2.1.5 - Improper Authorization to Unauthenticated Soumettre Posts Creation/Modification/Deletion vulnerability
Improper Authorization to Unauthenticated Soumettre Posts Creation/Modification/Deletion vulnerability discovered by Trương Hữu Phúc truonghuuphuc in WordPress Plugin Soumettre.fr versions <= 2.1.5...
WordPress Home Villas theme <= 2.8 - Authenticated (Subscriber+) Arbitrary File Deletion vulnerability
Authenticated (Subscriber+) Arbitrary File Deletion vulnerability discovered by Thái An in WordPress Theme Home Villas versions <= 2.8...
WordPress Amazon Products to WooCommerce plugin <= 1.2.7 - Unauthenticated Server-Side Request Forgery vulnerability
Unauthenticated Server-Side Request Forgery vulnerability discovered by ch4r0n in WordPress Plugin Amazon Products to WooCommerce versions <= 1.2.7...
WordPress Magic Buttons for Elementor plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via magic-button Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via magic-button Shortcode vulnerability discovered by muhammad yudha in WordPress Plugin Magic Buttons for Elementor versions <= 1.0...
WordPress Ads Pro plugin <= 4.89 - Unauthenticated SQL Injection via oid vulnerability
Unauthenticated SQL Injection via oid vulnerability discovered by Trương Hữu Phúc truonghuuphuc in WordPress Plugin Ads Pro versions <= 4.89...
WordPress Ads Pro plugin <= 4.89 - Cross-Site Request Forgery to PHP Code Injection in bsaCreateAdTemplate vulnerability
Cross-Site Request Forgery to PHP Code Injection in bsaCreateAdTemplate vulnerability discovered by Trương Hữu Phúc truonghuuphuc in WordPress Plugin Ads Pro versions <= 4.89...
WordPress Booking calendar, Appointment Booking System plugin <= 3.2.17 - Unauthenticated Time-Based SQL Injection via 'wpdevart_id' vulnerability
Unauthenticated Time-Based SQL Injection via 'wpdevart_id' vulnerability discovered by shaman0x01 in WordPress Plugin Booking calendar, Appointment Booking System versions <= 3.2.17...
WordPress LifterLMS plugin <= 8.0.6 - SQL Injection Vulnerability
SQL Injection Vulnerability discovered by ChuongVN in WordPress Plugin LifterLMS versions <= 8.0.6...
WordPress CSS3 Vertical Web Pricing Tables plugin <= 1.9 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Plugin CSS3 Vertical Web Pricing Tables versions <= 1.9...
WordPress Alone theme <= 7.8.2 - Arbitrary Code Execution Vulnerability
Arbitrary Code Execution Vulnerability discovered by Trương Hữu Phúc truonghuuphuc in WordPress Theme Alone versions <= 7.8.2...
WordPress eventlist plugin <= 1.9.2 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by Bonds in WordPress Plugin eventlist versions <= 1.9.2...
WordPress Networker theme <= 1.2.0 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by Bonds in WordPress Theme Networker versions <= 1.2.0...
WordPress Amwerk theme <= 1.2.0 - PHP Object Injection Vulnerability
PHP Object Injection Vulnerability discovered by Bonds in WordPress Theme Amwerk versions <= 1.2.0...
WordPress Classiera theme <= 4.0.34 - SQL Injection Vulnerability
SQL Injection Vulnerability discovered by Lê Quốc Bảo in WordPress Theme Classiera versions <= 4.0.34...
WordPress CouponXxL theme <= 3.0.0 - PHP Object Injection Vulnerability
PHP Object Injection Vulnerability discovered by Bonds in WordPress Theme CouponXxL versions <= 3.0.0...
WordPress CouponXxL Custom Post Types plugin <= 3.0 - Privilege Escalation Vulnerability
Privilege Escalation Vulnerability discovered by Bonds in WordPress Plugin CouponXxL Custom Post Types versions <= 3.0...
WordPress Diza theme <= 1.3.9 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Diza versions <= 1.3.9...
WordPress Masteriyo LMS PRO plugin <= 2.20.0 - Privilege Escalation Vulnerability
Privilege Escalation Vulnerability discovered by 0xd4rk5id3 in WordPress Plugin Masteriyo LMS PRO versions <= 2.20.0...
WordPress Houzez theme <= 4.0.4 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Houzez versions <= 4.0.4...
WordPress DearFlip plugin <= 2.3.65 - DOM-Based Reflected Cross-Site Scripting via 'pdf-source' vulnerability
DOM-Based Reflected Cross-Site Scripting via 'pdf-source' vulnerability discovered by Martin Herancourt in WordPress Plugin DearFlip versions <= 2.3.65...