WordPress WP Hotel Booking plugin < 2.3.1 - Subscriber+ Missing Authorization in Multiple AJAX Handlers vulnerability

Subscriber+ Missing Authorization in Multiple AJAX Handlers vulnerability discovered by Sanjorn Keeratirungsan in WordPress Plugin WP Hotel Booking versions 2.3.1...

WordPress WP Go Maps plugin <= 10.1.01 - Unauthenticated Arbitrary Record Creation vulnerability

Unauthenticated Arbitrary Record Creation vulnerability discovered by Thanh Điềm in WordPress Plugin WP Go Maps versions = 10.1.01...

WordPress Bit integrations – Form Integration, Webhook, Spreadsheets, CRM, LMS & Email Automation plugin <= 2.8.7 - Unauthenticated Server-Side Request Forgery vulnerability

Unauthenticated Server-Side Request Forgery vulnerability discovered by Lucius-log in WordPress Plugin Bit Integrations versions = 2.8.7...

WordPress BetterDocs Pro plugin <= 3.8.0 - Unauthenticated Local File Inclusion vulnerability

Unauthenticated Local File Inclusion vulnerability discovered by Nguyen Ngoc Duc duc193 in WordPress Plugin BetterDocs Pro versions = 3.8.0...

WordPress STRABL – A checkout solution plugin <= 4.5 - Unauthenticated Arbitrary Webhook Creation vulnerability

Unauthenticated Arbitrary Webhook Creation vulnerability discovered by Teerachai Somprasong in WordPress Plugin STRABL – A checkout solution versions = 4.5...

WordPress 2Download Connector for 2DL Hosted Checkout plugin <= 0.1.5 - Missing Authorization to Unauthenticated Sensitive Customer Subscription Data Exposure vulnerability

Missing Authorization to Unauthenticated Sensitive Customer Subscription Data Exposure vulnerability discovered by Mohamed Haidar in WordPress Plugin 2Download Connector for 2DL Hosted Checkout versions = 0.1.5...

WordPress Avada (Fusion) Builder plugin <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value vulnerability

Unauthenticated Arbitrary File Deletion via Form Entry Value vulnerability discovered by daroo in WordPress Plugin Fusion Builder versions = 3.15.3...

WordPress Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin 1.7.1058-1.7.1059 - Authenticated (Contributor+) Arbitrary File Read vulnerability

Authenticated Contributor+ Arbitrary File Read vulnerability discovered by Jack Taylor in WordPress Plugin Royal Elementor Addons versions 1.7.1058-1.7.1059...

WordPress Creavi Appointment Booking Calendar plugin <= 1.4.4 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability

Authenticated Author+ Stored Cross-Site Scripting vulnerability discovered by ? in WordPress Plugin Creavi Appointment Booking Calendar versions = 1.4.4...

WordPress Woosa – Marktplaats for WooCommerce plugin <= 2.0.5 - Authenticated (Administrator+) Arbitrary File Read vulnerability

Authenticated Administrator+ Arbitrary File Read vulnerability discovered by Legion Hunter in WordPress Plugin Woosa – Marktplaats for WooCommerce versions = 2.0.5...

WordPress WP DSGVO Tools (GDPR) plugin <= 3.1.39 - Missing Authorization to Unauthenticated Sensitive Personal Data Disclosure vulnerability

Missing Authorization to Unauthenticated Sensitive Personal Data Disclosure vulnerability discovered by kalomba - KAPENTEST in WordPress Plugin WP DSGVO Tools GDPR versions = 3.1.39...

WordPress Bogo plugin <= 3.9.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure vulnerability

Missing Authorization to Authenticated Subscriber+ Sensitive Information Exposure vulnerability discovered by Andrew Lacambra in WordPress Plugin Bogo versions = 3.9.1...

WordPress Advanced Import plugin <= 1.4.6 - Authenticated (Author+) Server-Side Request Forgery vulnerability

Authenticated Author+ Server-Side Request Forgery vulnerability discovered by loris4py in WordPress Plugin Advanced Import versions = 1.4.6...

WordPress Blocksy Companion plugin <= 2.1.45 - Authenticated (Editor+) Stored Cross-Site Scripting vulnerability

Authenticated Editor+ Stored Cross-Site Scripting vulnerability discovered by Pasindu Dilshan K4PXD - HACK KAP PVT LTD in WordPress Plugin Blocksy Companion versions = 2.1.45...

WordPress BetterDocs – AI Documentation, Knowledge Base, Docs, Wikis, FAQ with Chatbot plugin <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Craniums in WordPress Plugin BetterDocs versions = 4.5.3...

WordPress Classified Listing – AI-Powered Classified ads & Business Directory plugin <= 5.4.2 - Missing Authorization to Authenticated (Subscriber+) Feature Modification vulnerability

Missing Authorization to Authenticated Subscriber+ Feature Modification vulnerability discovered by Ben Tamam Ben Tamam in WordPress Plugin Classified Listing versions = 5.4.2...

WordPress WP EasyPay plugin <= 4.5.0 - Cross Site Request Forgery (CSRF) vulnerability

Cross Site Request Forgery CSRF vulnerability discovered by Sajjad Haqi in WordPress Plugin WP EasyPay versions = 4.5.0...

WordPress H5P plugin <= 1.17.6 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting XSS vulnerability discovered by Koutrouss Naddara in WordPress Plugin H5P versions = 1.17.6...

WordPress Stylish Cost Calculator plugin <= 8.3.9 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by ParkHyunWoo in WordPress Plugin Stylish Cost Calculator versions = 8.3.9...

WordPress Premmerce Wishlist for WooCommerce plugin <= 1.1.11 - SQL Injection vulnerability

SQL Injection vulnerability discovered by hhhai in WordPress Plugin Premmerce Wishlist for WooCommerce versions = 1.1.11...

WordPress APIExperts Square for WooCommerce plugin <= 4.7.3 - Sensitive Data Exposure vulnerability

Sensitive Data Exposure vulnerability discovered by Peng Zhou in WordPress Plugin APIExperts Square for WooCommerce versions = 4.7.3...

WordPress Syncee Premium Dropshipping & Wholesale plugin <= 1.0.27 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by dodoh4t in WordPress Plugin Syncee Premium Dropshipping & Wholesale versions = 1.0.27...

WordPress MDTF plugin <= 1.3.8 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Ossacip Thanh in WordPress Plugin MDTF versions = 1.3.8...

WordPress Media LIbrary Assistant plugin <= 3.35 - SQL Injection vulnerability

SQL Injection vulnerability discovered by daroo in WordPress Plugin Media LIbrary Assistant versions = 3.35...

WordPress User Admin Simplifier plugin <= 3.0.0 - Cross-Site Request Forgery vulnerability

Cross-Site Request Forgery vulnerability discovered by 有馬 龍成 in WordPress Plugin User Admin Simplifier versions = 3.0.0...

WordPress MDTF plugin <= 1.3.7 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Roll in WordPress Plugin MDTF versions = 1.3.7...

WordPress Royal MCP plugin <= 1.4.25 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by dhamdham in WordPress Plugin Royal MCP versions = 1.4.25...

WordPress Vitepos plugin <= 3.4.2 - Sensitive Data Exposure vulnerability

Sensitive Data Exposure vulnerability discovered by qdtad in WordPress Plugin Vitepos versions = 3.4.2...

WordPress Newsletters plugin <= 4.13 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by HieuPenguinnn in WordPress Plugin Newsletters versions = 4.13...

WordPress Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups plugin <= 2.0.9 - Sensitive Data Exposure vulnerability

Sensitive Data Exposure vulnerability discovered by dodoh4t in WordPress Plugin Trinity Backup Backup, Migrate, Restore, Clone & Schedule Backups versions = 2.0.9...

WordPress Intranet & Private Site – All-In-One Intranet plugin <= 1.8.1 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by dodoh4t in WordPress Plugin Intranet & Private Site All-In-One Intranet versions = 1.8.1...

WordPress Bricksable for Bricks Builder plugin <= 1.6.83 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Ananda Dhakal Patchstack in WordPress Plugin Bricksable for Bricks Builder versions = 1.6.83...

WordPress WC Vendors Marketplace plugin <= 2.6.8 - SQL Injection vulnerability

SQL Injection vulnerability discovered by hhhai in WordPress Plugin WC Vendors Marketplace versions = 2.6.8...

WordPress Ocean Product Sharing plugin <= 2.2.2 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Ananda Dhakal Patchstack in WordPress Plugin Ocean Product Sharing versions = 2.2.2...

WordPress Filter & Grids plugin <= 3.11.5 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin Filter & Grids versions = 3.11.5...

WordPress Five Star Restaurant Menu plugin <= 2.5.2 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Vincent Sevkli in WordPress Plugin Five Star Restaurant Menu versions = 2.5.2...

WordPress Enable CORS plugin <= 2.0.3 - Backdoor vulnerability

Backdoor vulnerability discovered by Ananda Dhakal Patchstack in WordPress Plugin Enable CORS versions = 2.0.3...

WordPress CF7 to Webhook plugin <= 5.0.0 - Unauthenticated Server-Side Request Forgery vulnerability

Unauthenticated Server-Side Request Forgery vulnerability discovered by Lucius-log in WordPress Plugin CF7 to Webhook versions = 5.0.0...

WordPress SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager plugin <= 4.3.6 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by ? in WordPress Plugin Customize My Account for WooCommerce versions = 4.3.6...

WordPress Offload, AI & Optimize with Cloudflare Images plugin <= 1.10.2 - Authenticated (Author+) Remote Code Execution vulnerability

Authenticated Author+ Remote Code Execution vulnerability discovered by Yat in WordPress Plugin Offload, AI & Optimize with Cloudflare Images versions = 1.10.2...

WordPress Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin <= 30.0.2 - Authenticated (Author+) Privilege Escalation vulnerability

Authenticated Author+ Privilege Escalation vulnerability discovered by ? in WordPress Plugin Contest Gallery versions = 30.0.2...

WordPress Slideshow Gallery LITE plugin <= 1.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Slideshow Gallery versions = 1.8.5...

WordPress Fancy Testimonials plugin <= 1.0 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability

Authenticated Author+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Fancy Testimonials versions = 1.0...

WordPress Appointment Booking Calendar plugin <= 1.4.01 - Authenticated (Contributor+) Sensitive Information Exposure vulnerability

Authenticated Contributor+ Sensitive Information Exposure vulnerability discovered by ? in WordPress Plugin Appointment Booking Calendar versions = 1.4.01...

WordPress PowerPress Podcasting plugin by Blubrry plugin <= 11.16.8 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability

Authenticated Author+ Stored Cross-Site Scripting vulnerability discovered by Mukhlis Amien in WordPress Plugin PowerPress Podcasting versions = 11.16.8...

WordPress UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin <= 1.2.63 - Insecure Direct Object Reference to Authenticated (Editor+) Arbitrary User Avatar/Banner Reset vulnerability

Insecure Direct Object Reference to Authenticated Editor+ Arbitrary User Avatar/Banner Reset vulnerability discovered by Pasindu Dilshan K4PXD - HACK KAP PVT LTD in WordPress Plugin UsersWP versions = 1.2.63...

WordPress SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager plugin <= 4.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by ? in WordPress Plugin Customize My Account for WooCommerce versions = 4.3.6...

WordPress Tutor LMS – eLearning and online course solution plugin <= 3.9.11 - Authenticated (Administrator+) SQL Injection vulnerability

Authenticated Administrator+ SQL Injection vulnerability discovered by s1kr10s - Nayrox in WordPress Plugin Tutor LMS versions = 3.9.11...

WordPress Simple Membership plugin <= 4.7.5 - Missing Authorization to Unauthenticated Arbitrary Member Account Deactivation vulnerability

Missing Authorization to Unauthenticated Arbitrary Member Account Deactivation vulnerability discovered by Nikita Fenko - self in WordPress Plugin Simple Membership versions = 4.7.5...

WordPress Services Section Block – Showcase Service Details in Grid or Columns plugin <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Philipp Doblhofer - codeaware GmbH in WordPress Plugin Services Section block versions = 1.4.4...