45950 matches found
WordPress Attendance Manager plugin <= 0.6.2 - Authenticated (Subscriber+) SQL Injection via 'attmgr_off' Parameter vulnerability
Authenticated (Subscriber+) SQL Injection via 'attmgr_off' Parameter vulnerability discovered by Maurice Fielenbach Hexastrike - Hexastrike Cybersecurity UG haftungsbeschränkt in WordPress Plugin Attendance Manager versions <= 0.6.2...
WordPress SQL Chart Builder plugin < 2.3.8 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by dangnosuy in WordPress Plugin SQL Chart Builder versions < 2.3.8...
WordPress DSGVO Google Web Fonts GDPR plugin <= 1.1 - Unauthenticated Arbitrary File Upload via 'fonturl' Parameter vulnerability
Unauthenticated Arbitrary File Upload via 'fonturl' Parameter vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin DSGVO Google Web Fonts GDPR versions <= 1.1...
WordPress Users manager - PN plugin <= 1.1.15 - Unauthenticated Privilege Escalation via Account Takeover via 'userspn_form_save' AJAX Action vulnerability
WordPress Users manager - PN plugin <= 1.1.15 - Unauthenticated Privilege Escalation via Account Takeover via 'userspn_form_save' AJAX Action vulnerability discovered by BaroHaf - fpt in WordPress Plugin Users manager – PN versions <= 1.1.15...
WordPress Everest Forms plugin <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata vulnerability
Unauthenticated PHP Object Injection via Form Entry Metadata vulnerability discovered by 0xsabre - Mobikwik in WordPress Plugin Everest Forms versions <= 3.4.3...
WordPress Smart Slider 3 plugin 3.5.1.35 - Backdoor vulnerability
Backdoor vulnerability discovered by ? in WordPress Plugin Smart Slider 3 PRO versions 3.5.1.35...
WordPress WP Visitor Statistics (Real Time Traffic) plugin <= 8.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'height' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'height' Shortcode Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin WP Visitor Statistics Real Time Traffic versions <= 8.4...
WordPress Magic Conversation For Gravity Forms plugin <= 3.0.97 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by zaim in WordPress Plugin Magic Conversation For Gravity Forms versions <= 3.0.97...
WordPress Element Pack Addons for Elementor plugin <= 8.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG Image Widget vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via SVG Image Widget vulnerability discovered by Webbernaut in WordPress Plugin Element Pack Elementor Addons versions <= 8.4.2...
WordPress Whole Enquiry Cart for WooCommerce plugin <= 1.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'woowhole_success_msg' Parameter vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via 'woowhole_success_msg' Parameter vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Whole Enquiry Cart for WooCommerce versions <= 1.2.1...
WordPress PZ Frontend Manager plugin <= 1.0.6 - Missing Authorization to Arbitrary User Deletion via 'dataType' Parameter vulnerability
Missing Authorization to Arbitrary User Deletion via 'dataType' Parameter vulnerability discovered by theviper17y in WordPress Plugin pz-frontend-manager versions <= 1.0.6...
WordPress AM LottiePlayer plugin <= 3.6.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG vulnerability
Authenticated (Author+) Stored Cross-Site Scripting via SVG vulnerability discovered by Alex Thomas - Wordfence in WordPress Plugin AM LottiePlayer versions <= 3.6.0...
WordPress Sports Club Management plugin <= 1.12.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'before' Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'before' Attribute vulnerability discovered by zaim in WordPress Plugin Sports Club Management versions <= 1.12.9...
WordPress Columns by BestWebSoft plugin <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'columns' Shortcode 'id' Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'columns' Shortcode 'id' Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Columns by BestWebSoft versions <= 1.0.3...
WordPress Quran Translations plugin <= 1.7 - Cross-Site Request Forgery to Playlist Settings Form vulnerability
Cross-Site Request Forgery to Playlist Settings Form vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin Quran Translations versions <= 1.7...
WordPress Riaxe Product Customizer plugin <= 2.4 - Unauthenticated Sensitive Information Disclosure via '/orders' REST API Endpoint vulnerability
Unauthenticated Sensitive Information Disclosure via '/orders' REST API Endpoint vulnerability discovered by Kai Aizen in WordPress Plugin Riaxe Product Customizer versions <= 2.4...
WordPress Gerador de Certificados - DevApps plugin <= 1.3.6 - Authenticated (Administrator+) Arbitrary File Upload vulnerability
WordPress Gerador de Certificados - DevApps plugin <= 1.3.6 - Authenticated (Administrator+) Arbitrary File Upload vulnerability discovered by Legion Hunter in WordPress Plugin Gerador de Certificados – DevApps versions <= 1.3.6...
WordPress Wavr plugin <= 0.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by zakaria in WordPress Plugin Wavr versions <= 0.2.6...
WordPress WowPress plugin <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by zakaria in WordPress Plugin WowPress versions <= 1.0.0...
WordPress Inquiry form to posts or pages plugin <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Form Header Field vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via Form Header Field vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Inquiry form to posts or pages versions <= 1.0...
WordPress Backup Migration plugin <= 2.0.0 - Missing Authorization to Unauthenticated Backup Upload to Offline Storage vulnerability
Missing Authorization to Unauthenticated Backup Upload to Offline Storage vulnerability discovered by 0N0ise - cert.pl in WordPress Plugin Backup Migration versions <= 2.0.0...
WordPress The Plus Addons for Elementor - Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin <= 6.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Progress Bar vulnerability
WordPress The Plus Addons for Elementor - Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin <= 6.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Progress Bar vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in...
WordPress Investi plugin <= 1.0.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'maximum-num-years' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'maximum-num-years' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin Investi versions <= 1.0.26...
WordPress Strong Testimonials plugin <= 3.2.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via testimonial_view Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via testimonial_view Shortcode vulnerability discovered by Ronnachai Sretawat Na Ayutaya Simonhaskelly - Reconix Co., Ltd. in WordPress Plugin Strong Testimonials versions <= 3.2.21...
WordPress TableOn - WordPress Posts Table Filterable plugin <= 1.0.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute vulnerability
WordPress TableOn - WordPress Posts Table Filterable plugin <= 1.0.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin TableOn versions <= 1.0.4.4...
WordPress LTL Freight Quotes - R+L Carriers Edition plugin <= 3.3.13 - Missing Authorization to Unauthenticated Settings Update vulnerability
WordPress LTL Freight Quotes - R+L Carriers Edition plugin <= 3.3.13 - Missing Authorization to Unauthenticated Settings Update vulnerability discovered by Poli - CMC Global in WordPress Plugin LTL Freight Quotes – R+L Carriers Edition versions <= 3.3.13...
WordPress MainWP Child Reports plugin <= 2.2.6 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via Heartbeat API vulnerability
Missing Authorization to Authenticated (Subscriber+) Information Disclosure via Heartbeat API vulnerability discovered by Hunter Jensen skid in WordPress Plugin MainWP Child Reports versions <= 2.2.6...
WordPress Prime Slider plugin <= 4.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'follow_us_text' Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'follow_us_text' Parameter vulnerability discovered by WordFence in WordPress Plugin Prime Slider – Addons For Elementor versions <= 4.1.10...
WordPress LearnPress plugin <= 4.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'skin' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'skin' Shortcode Attribute vulnerability discovered by zaim in WordPress Plugin LearnPress versions <= 4.3.3...
WordPress LatePoint plugin <= 5.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by zaim in WordPress Plugin LatePoint versions <= 5.3.0...
WordPress LightPress Lightbox plugin <= 2.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'group' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'group' Shortcode Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin WP jQuery Lightbox versions <= 2.3.4...
WordPress Blubrry PowerPress plugin <= 11.15.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via powerpress and podcast Shortcodes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via powerpress and podcast Shortcodes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin PowerPress Podcasting versions <= 11.15.15...
WordPress Elementor Website Builder plugin <= 3.35.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via REST API vulnerability discovered by andrea bocchetti in WordPress Plugin Elementor Website Builder versions <= 3.35.5...
WordPress Product Feed PRO for WooCommerce plugin 13.4.6-13.5.2.1 - Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery vulnerability discovered by luckybuddy in WordPress Plugin Product Feed PRO for WooCommerce versions 13.4.6-13.5.2.1...
WordPress Download Monitor plugin <= 5.1.10 - Cross-Site Request Forgery to Download Path Deletion and Disabling vulnerability
Cross-Site Request Forgery to Download Path Deletion and Disabling vulnerability discovered by Kirasec in WordPress Plugin Download Monitor versions <= 5.1.10...
WordPress Hustle - Email Marketing, Lead Generation, Optins, Popups plugin <= 7.8.10.2 - Missing Authorization to Unauthenticated Conversion Tracking Data Manipulation vulnerability
WordPress Hustle - Email Marketing, Lead Generation, Optins, Popups plugin <= 7.8.10.2 - Missing Authorization to Unauthenticated Conversion Tracking Data Manipulation vulnerability discovered by Nguyen C in WordPress Plugin Hustle versions <= 7.8.10.2...
WordPress Smart Slider 3 plugin <= 3.5.1.33 - Missing Authorization to Authenticated (Contributor+) Slider Data Read and Image Record Manipulation vulnerability
Missing Authorization to Authenticated (Contributor+) Slider Data Read and Image Record Manipulation vulnerability discovered by darkmode in WordPress Plugin Smart Slider 3 versions <= 3.5.1.33...
WordPress Charitable plugin <= 1.8.9.7 - Insufficient Verification of Data Authenticity to Unauthenticated Donation Status Forgery via Stripe Webhook vulnerability
Insufficient Verification of Data Authenticity to Unauthenticated Donation Status Forgery via Stripe Webhook vulnerability discovered by Andrés Cruciani in WordPress Plugin Charitable versions <= 1.8.9.7...
WordPress Link Whisper Free plugin < 0.9.1 - Unauthenticated Settings and User Meta Update vulnerability
Unauthenticated Settings and User Meta Update vulnerability discovered by yiğit ibrahim sağlam in WordPress Plugin Link Whisper Free versions < 0.9.1...
WordPress CTX Feed plugin <= 6.6.26 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by daroo in WordPress Plugin CTX Feed versions <= 6.6.26...
WordPress WPAMS plugin < 49.5.3 - Arbitrary Content Deletion vulnerability
Arbitrary Content Deletion vulnerability discovered by Denver Jackson in WordPress Plugin WPAMS versions < 49.5.3...
WordPress Timetics plugin <= 1.0.53 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Simone Maion in WordPress Plugin Timetics versions <= 1.0.53...
WordPress WooCommerce Product Table Lite plugin <= 4.6.3 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by daroo in WordPress Plugin WooCommerce Product Table Lite versions <= 4.6.3...
WordPress iControlWP plugin <= 5.5.3 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by Jarno Vos jrn5151 in WordPress Plugin iControlWP versions <= 5.5.3...
WordPress Softlab Core plugin < 1.2.11 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Softlab Core versions < 1.2.11...
WordPress Integrio Core plugin < 1.2.8 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Integrio Core versions < 1.2.8...
WordPress Thegov Core plugin < 2.0.23 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Thegov Core versions < 2.0.23...
WordPress Event Tickets Manager for WooCommerce plugin <= 1.5.3 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin Event Tickets Manager for WooCommerce versions <= 1.5.3...
WordPress Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content - ProfilePress plugin <= 4.16.11 - Unauthenticated Arbitrary Shortcode Execution via Checkout Billing Fields vulnerability
WordPress Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content - ProfilePress plugin <= 4.16.11 - Unauthenticated Arbitrary Shortcode Execution via Checkout Billing Fields vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPres...
WordPress Visitor Traffic Real Time Statistics plugin <= 8.4 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by Supakiad S. m3ez - E-CQURITY Thailand in WordPress Plugin Visitors Traffic Real Time Statistics versions <= 8.4...