WordPress HT Mega plugin < 3.0.7 - Unauthenticated PII Disclosure vulnerability

Unauthenticated PII Disclosure vulnerability discovered by Chiao-Lin Yu Steven Meow in WordPress Plugin HT Mega versions 3.0.7...

WordPress Drag and Drop File Upload for Contact Form 7 plugin <= 1.1.3 - Unauthenticated Arbitrary File Upload vulnerability

Unauthenticated Arbitrary File Upload vulnerability discovered by Thomas Sanzey in WordPress Plugin Drag and Drop File Upload for Contact Form 7 versions = 1.1.3...

WordPress WP reCaptcha by WebDesignBy plugin < 2.0 - Admin+ Stored XSS vulnerability

Admin+ Stored XSS vulnerability discovered by Mustafa Ahmed in WordPress Plugin reCaptcha by WebDesignBy versions 2.0...

WordPress KiviCare plugin <= 4.2.1 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References IDOR vulnerability discovered by Jakub Herman in WordPress Plugin KiviCare versions = 4.2.1...

WordPress ITERAS plugin <= 1.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin ITERAS versions = 1.8.2...

WordPress HubSpot All-In-One Marketing – Forms, Popups, Live Chat plugin <= 11.3.32 - Forms, Popups, Live Chat <= 11.3.32 - Missing Authorization to Authenticated (Contributor+) Installed Plugin Disclosure vulnerability

Forms, Popups, Live Chat plugin = 11.3.32 - Forms, Popups, Live Chat = 11.3.32 - Missing Authorization to Authenticated Contributor+ Installed Plugin Disclosure vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin HubSpot versions = 11.3.32...

WordPress Liaison Site Prober plugin <= 1.2.1 - Missing Authorization to Unauthenticated Information Exposure in '/logs' REST API Endpoint vulnerability

Missing Authorization to Unauthenticated Information Exposure in '/logs' REST API Endpoint vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin Liaison Site Prober versions = 1.2.1...

WordPress Taqnix plugin <= 1.0.3 - Cross-Site Request Forgery to Account Deletion vulnerability

Cross-Site Request Forgery to Account Deletion vulnerability discovered by theviper17y in WordPress Plugin Taqnix versions = 1.0.3...

WordPress WP Books Gallery – Build Stunning Book Showcases & Libraries in Minutes plugin <= 4.8.0 - Missing Authorization to Unauthenticated Settings Update vulnerability

Missing Authorization to Unauthenticated Settings Update vulnerability discovered by Legion Hunter in WordPress Plugin Books Gallery versions = 4.8.0...

WordPress Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin <= 1.7.1056 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability

Authenticated Author+ Stored Cross-Site Scripting vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Royal Elementor Addons versions = 1.7.1056...

WordPress Booking Calendar Contact Form plugin <= 1.2.63 - Authenticated (Subscriber+) Insecure Direct Object Reference to Calendar Takeover vulnerability

Authenticated Subscriber+ Insecure Direct Object Reference to Calendar Takeover vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Booking Calendar Contact Form versions = 1.2.63...

WordPress ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin <= 9.1.2 - Authenticated (Subscriber+) Missing Authorization to Google Ads Access Token Retrieval vulnerability

Authenticated Subscriber+ Missing Authorization to Google Ads Access Token Retrieval vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin ExactMetrics versions = 9.1.2...

WordPress BetterDocs – Knowledge Base Docs & FAQ Solution for Elementor & Block Editor plugin <= 4.3.11 - Missing Authorization to Authenticated (Subscriber+) Unauthorized AI API Usage vulnerability

Missing Authorization to Authenticated Subscriber+ Unauthorized AI API Usage vulnerability discovered by h0xilo in WordPress Plugin BetterDocs versions = 4.3.11...

WordPress MaxiBlocks Builder plugin <= 2.1.8 - Missing Authorization to Authenticated (Author+) Media File Deletion vulnerability

Missing Authorization to Authenticated Author+ Media File Deletion vulnerability discovered by Teerachai Somprasong in WordPress Plugin MaxiBlocks versions = 2.1.8...

WordPress WP Time Slots Booking Form plugin <= 1.2.46 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Daniel Wade in WordPress Plugin WP Time Slots Booking Form versions = 1.2.46...

WordPress Kapee theme < 1.7.1 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Kapee versions 1.7.1...

WordPress MasterStudy LMS Pro plugin < 4.7.16 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Rafie Muhammad in WordPress Plugin MasterStudy LMS Pro versions 4.7.16...

WordPress Learnify theme <= 1.15.0 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Bonds in WordPress Theme Learnify versions = 1.15.0...

WordPress Bookify plugin <= 1.1.1 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by benzdeus in WordPress Plugin Bookify versions = 1.1.1...

WordPress ProfilePress plugin <= 4.16.13 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Niv Kochan in WordPress Plugin ProfilePress versions = 4.16.13...

WordPress WP SMS plugin <= 7.2.1 - Sensitive Data Exposure vulnerability

Sensitive Data Exposure vulnerability discovered by Jakub Herman in WordPress Plugin WP SMS versions = 7.2.1...

WordPress Rescue Shortcodes plugin <= 3.3 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Nabil Irawan in WordPress Plugin Rescue Shortcodes versions = 3.3...

WordPress ACF Galerie 4 plugin <= 1.4.2 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin ACF Galerie 4 versions = 1.4.2...

WordPress Taxi Booking Manager for WooCommerce plugin <= 2.0.0 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Taxi Booking Manager for WooCommerce versions = 2.0.0...

WordPress Roam theme <= 2.1 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Bonds in WordPress Theme Roam versions = 2.1...

WordPress Monki theme <= 2.0.5 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Phat RiO in WordPress Theme Monki versions = 2.0.5...

WordPress Bricks Builder theme <= 2.2 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by w41bu1 in WordPress Theme Bricks Builder versions = 2.2...

WordPress Amelia plugin <= 2.2 - Sensitive Data Exposure vulnerability

Sensitive Data Exposure vulnerability discovered by Weerawat Pawanawiwat ErbaZZ in WordPress Plugin Amelia versions = 2.2...

WordPress ChatBot plugin <= 7.9.7 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Mehdi Ouassou in WordPress Plugin ChatBot versions = 7.9.7...

WordPress Quiz And Survey Master plugin <= 11.0.0 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Jakub Herman in WordPress Plugin Quiz And Survey Master versions = 11.0.0...

WordPress AutomatorWP plugin <= 5.6.7 - Broken Authentication vulnerability

Broken Authentication vulnerability discovered by Jakub Herman in WordPress Plugin AutomatorWP versions = 5.6.7...

WordPress Metro Magazine theme <= 1.4.1 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Trương Hữu Phúc truonghuuphuc in WordPress Theme Metro Magazine versions = 1.4.1...

WordPress Social Rocket - Social Sharing Plugin plugin <= 1.3.4.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via id vulnerability

WordPress Social Rocket - Social Sharing Plugin plugin = 1.3.4.2 - Authenticated Subscriber+ Stored Cross-Site Scripting via id vulnerability discovered by Tarcísio Luchesi De Almeida Silva Poystick in WordPress Plugin Social Rocket versions = 1.3.4.2...

WordPress Breeze Cache plugin <= 2.4.4 - Unauthenticated Arbitrary File Upload via fetch_gravatar_from_remote vulnerability

Unauthenticated Arbitrary File Upload via fetchgravatarfromremote vulnerability discovered by Hung Nguyen bashu - VN in WordPress Plugin Breeze versions = 2.4.4...

WordPress WP Store Locator plugin <= 2.2.261 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpsl_address' Post Meta vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'wpsladdress' Post Meta vulnerability discovered by kai63001 in WordPress Plugin WP Store Locator versions = 2.2.261...

WordPress ExactMetrics plugin <= 9.1.2 - Authenticated (Editor+) Arbitrary Plugin Installation/Activation via exactmetrics_connect_process vulnerability

Authenticated Editor+ Arbitrary Plugin Installation/Activation via exactmetricsconnectprocess vulnerability discovered by Nguyen Ngoc Duc duc193 in WordPress Plugin ExactMetrics versions = 9.1.2...

WordPress Gutentor - Gutenberg Blocks - Page Builder for Gutenberg Editor plugin <= 3.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gutentor Block HTML vulnerability

WordPress Gutentor - Gutenberg Blocks - Page Builder for Gutenberg Editor plugin = 3.5.5 - Authenticated Contributor+ Stored Cross-Site Scripting via Gutentor Block HTML vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Gutentor versions = 3.5.5...

WordPress Feed KuantoKusta for WooCommerce – Free plugin <= 5.3 - SQL Injection vulnerability

SQL Injection vulnerability discovered by TruongLV1 From FPT Night Wolf in WordPress Plugin Feed KuantoKusta for WooCommerce – Free versions = 5.3...

WordPress FunnelKit Automations plugin <= 3.7.3 - Broken Authentication vulnerability

Broken Authentication vulnerability discovered by Jakub Herman in WordPress Plugin FunnelKit Automations versions = 3.7.3...

WordPress Essential Addons for Elementor plugin < 6.6.0 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Que Thanh Tuan in WordPress Plugin Essential Addons for Elementor versions 6.6.0...

WordPress Avada theme < 7.13.2 - Cross Site Request Forgery (CSRF) vulnerability

Cross Site Request Forgery CSRF vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Avada versions 7.13.2...

WordPress Order Minimum/Maximum Amount Limits for WooCommerce plugin <= 4.6.4 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Order Minimum/Maximum Amount Limits for WooCommerce versions = 4.6.4...

WordPress Maximum Products per User for WooCommerce plugin <= 4.3.6 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Maximum Products per User for WooCommerce versions = 4.3.6...

WordPress Blocksy Companion Pro plugin <= 2.1.37 - Remote Code Execution (RCE) vulnerability

Remote Code Execution RCE vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin Blocksy Companion Pro versions = 2.1.37...

WordPress WPAdverts plugin <= 2.3.0 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by TheNetRunner Security Research in WordPress Plugin WPAdverts versions = 2.3.0...

WordPress ReviewX plugin <= 2.3.6 - Broken Authentication vulnerability

Broken Authentication vulnerability discovered by Jakub Herman in WordPress Plugin ReviewX versions = 2.3.6...

WordPress BookIt plugin <= 2.5.1 - Broken Authentication vulnerability

Broken Authentication vulnerability discovered by davidfdzmorilla in WordPress Plugin BookIt versions = 2.5.1...

WordPress Contact Form to Any API plugin <= 3.0.3 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by 0xManticore in WordPress Plugin Contact Form to Any API versions = 3.0.3...

WordPress Breaking News WP plugin <= 1.3 - Missing Authorization to Authenticated (Subscriber+) Local File Inclusion/Read vulnerability

Missing Authorization to Authenticated Subscriber+ Local File Inclusion/Read vulnerability discovered by t0ann9uy3n in WordPress Plugin Breaking News WP versions = 1.3...

WordPress Simple Random Posts Shortcode plugin <= 0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by MAJidox in WordPress Plugin Simple Random Posts Shortcode versions = 0.3...