45959 matches found
WordPress FuseDesk plugin <= 6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'emailtext' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'emailtext' Shortcode Attribute vulnerability discovered by zaim in WordPress Plugin FuseDesk versions <= 6.8...
WordPress Any Post Slider plugin <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post_type' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'post_type' Shortcode Attribute vulnerability discovered by zaim in WordPress Plugin Any Post Slider versions <= 1.0.4...
WordPress Appmax plugin <= 1.0.3 - Missing Authorization to Order Status Manipulation and Arbitrary Order Creation via Webhook Endpoint vulnerability
Missing Authorization to Order Status Manipulation and Arbitrary Order Creation via Webhook Endpoint vulnerability discovered by WordFence in WordPress Plugin Appmax versions <= 1.0.3...
WordPress Go Night Pro | WordPress Dark Mode Plugin plugin <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'margin' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'margin' Shortcode Attribute vulnerability discovered by zaim in WordPress Plugin Go Night Pro versions <= 1.1.0...
WordPress Build App Online plugin <= 1.0.23 - Missing Authorization to Arbitrary Post Author Modification via 'build-app-online-update-vendor-product' AJAX Action vulnerability
Missing Authorization to Arbitrary Post Author Modification via 'build-app-online-update-vendor-product' AJAX Action vulnerability discovered by WordFence in WordPress Plugin Build App Online versions <= 1.0.23...
WordPress REST API TO MiniProgram plugin <= 5.1.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'userid' REST API Parameter vulnerability
Authenticated (Subscriber+) Insecure Direct Object Reference via 'userid' REST API Parameter vulnerability discovered by WordFence in WordPress Plugin REST API TO MiniProgram versions <= 5.1.2...
WordPress Sherk Custom Post Type Displays plugin <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute vulnerability discovered by theviper17y in WordPress Plugin Sherk Custom Post Type Displays versions <= 1.2.1...
WordPress e-shot plugin <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via API Token via 'eshot_form_builder_get_account_data' AJAX Action vulnerability
Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via API Token via 'eshot_form_builder_get_account_data' AJAX Action vulnerability discovered by Poli - CMC Global in WordPress Plugin e-shot versions <= 1.0.2...
WordPress Punnel plugin <= 1.3.1 - Missing Authorization to Authenticated (Subscriber+) Settings Update via 'punnel_save_config' AJAX Action vulnerability
Missing Authorization to Authenticated (Subscriber+) Settings Update via 'punnel_save_config' AJAX Action vulnerability discovered by Poli - CMC Global in WordPress Plugin Punnel – Landing Page Builder versions <= 1.3.1...
WordPress Smarter Analytics plugin <= 2.0 - Missing Authorization to Unauthenticated Plugin Settings Reset via 'reset' Parameter vulnerability
Missing Authorization to Unauthenticated Plugin Settings Reset via 'reset' Parameter vulnerability discovered by Poli - CMC Global in WordPress Plugin Smarter Analytics versions <= 2.0...
WordPress Integration with Hubspot Forms plugin <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin Integration with Hubspot Forms versions <= 1.2.2...
WordPress Twitter Feeds plugin <= 1.0.0 - Authenticated (Contributor+) Cross-Site Scripting via 'tweet_title' Shortcode Attribute vulnerability
Authenticated (Contributor+) Cross-Site Scripting via 'tweet_title' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin Twitter Feeds versions <= 1.0.0...
WordPress Simple Football Scoreboard plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin Simple Football Scoreboard versions <= 1.0...
WordPress Speedup Optimization plugin <= 1.5.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via 'speedup01_enabled' AJAX Action vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via 'speedup01_enabled' AJAX Action vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin Speedup Optimization versions <= 1.5.9...
WordPress Outgrow plugin <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'outgrow' Shortcode 'id' Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'outgrow' Shortcode 'id' Attribute vulnerability discovered by theviper17y in WordPress Plugin Outgrow versions <= 2.1...
WordPress Neos Connector for Fakturama plugin <= 0.0.14 - Cross-Site Request Forgery to Settings Update vulnerability
Cross-Site Request Forgery to Settings Update vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin Neos Connector for Fakturama versions <= 0.0.14...
WordPress Post Snippits plugin <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Update vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Update vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Post Snippits versions <= 1.0...
WordPress WordPress PayPal Donation plugin <= 1.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'amount' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'amount' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin WordPress PayPal Donation versions <= 1.01...
WordPress Paypal Shortcodes plugin <= 0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'amount' and 'name' Shortcode Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'amount' and 'name' Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin Paypal Shortcodes versions <= 0.3...
WordPress WP Games Embed plugin <= 0.1beta - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin WP Games Embed versions <= 0.1beta...
WordPress Text Toggle plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin Text Toggle versions <= 1.1...
WordPress fyyd podcast shortcodes plugin <= 0.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'color' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'color' Shortcode Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin fyyd podcast shortcodes versions <= 0.3.1...
WordPress Sheets2Table plugin <= 0.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'titles' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'titles' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin Sheets2Table versions <= 0.4.1...
WordPress Show Posts list plugin <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by zakaria in WordPress Plugin Show Posts list versions <= 1.1.0...
WordPress Ad Short plugin <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'client' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'client' Shortcode Attribute vulnerability discovered by zakaria in WordPress Plugin Ad Short versions <= 2.0.1...
WordPress WP Random Button plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'cat' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'cat' Shortcode Attribute vulnerability discovered by zakaria in WordPress Plugin WP Random Button versions <= 1.0...
WordPress login_register plugin <= 1.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin login_register versions <= 1.2.0...
WordPress Ecover Builder For Dummies plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute vulnerability discovered by zakaria in WordPress Plugin Ecover Builder For Dummies versions <= 1.0...
WordPress WP REST Cache plugin <= 2026.1.0 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin WP REST Cache versions <= 2026.1.0...
WordPress User Registration plugin <= 4.4.9 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by 0xd4rk5id3 in WordPress Plugin User Registration versions <= 4.4.9...
WordPress Element Pack Elementor Addons plugin <= 8.4.2 - SQL Injection vulnerability
SQL Injection vulnerability discovered by daroo in WordPress Plugin Element Pack Elementor Addons versions <= 8.4.2...
WordPress WPBookit Pro plugin <= 1.6.18 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Phat RiO in WordPress Plugin WPBookit Pro versions <= 1.6.18...
WordPress ProfileGrid plugin <= 5.9.8.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by daroo in WordPress Plugin ProfileGrid versions <= 5.9.8.1...
WordPress JetFormBuilder plugin <= 3.5.6.1 - Remote Code Execution (RCE) vulnerability
Remote Code Execution (RCE) vulnerability discovered by daroo in WordPress Plugin JetFormBuilder versions <= 3.5.6.1...
WordPress WP Courses LMS plugin <= 3.2.26 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nguyen Duc Canh canhnguyen26 in WordPress Plugin WP Courses LMS versions <= 3.2.26...
WordPress Contact Form Email plugin <= 1.3.63 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by huli07 in WordPress Plugin Contact Form Email versions <= 1.3.63...
WordPress PPWP plugin <= 1.9.15 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Doan Dinh Van in WordPress Plugin PPWP versions <= 1.9.15...
WordPress WP Cost Estimation & Payment Forms Builder plugin < 10.3.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Phat RiO in WordPress Plugin WP Cost Estimation & Payment Forms Builder versions < 10.3.0...
WordPress Tutor LMS Pro plugin <= 3.9.4 - Broken Authentication vulnerability
Broken Authentication vulnerability discovered by Phat RiO in WordPress Plugin Tutor LMS Pro versions <= 3.9.4...
WordPress Car Dealer theme <= 1.6.7 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Car Dealer versions <= 1.6.7...
WordPress The Grid plugin < 2.8.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Phat RiO in WordPress Plugin The Grid versions < 2.8.0...
WordPress Vertex Addons for Elementor plugin <= 1.6.4 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by theviper17 in WordPress Plugin Vertex Addons for Elementor versions <= 1.6.4...
WordPress Commerce Coinbase For WooCommerce plugin <= 1.6.6 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Commerce Coinbase For WooCommerce versions <= 1.6.6...
WordPress User Verification plugin <= 2.0.45 - Email Verification Bypass vulnerability
Email Verification Bypass vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin User Verification versions <= 2.0.45...
WordPress weForms plugin <= 1.6.26 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by daroo in WordPress Plugin weForms versions <= 1.6.26...
WordPress WP TripAdvisor Review Slider plugin <= 14.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Doan Dinh Van in WordPress Plugin WP TripAdvisor Review Slider versions <= 14.1...
WordPress Booking and Rental Manager plugin <= 2.6.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by PPzzAArr in WordPress Plugin Booking and Rental Manager versions <= 2.6.0...
WordPress Five Star Restaurant Reservations plugin <= 2.7.9 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by johska in WordPress Plugin Five Star Restaurant Reservations versions <= 2.7.9...
WordPress Contact Form & Lead Form Elementor Builder plugin <= 2.0.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by daroo in WordPress Plugin Contact Form & Lead Form Elementor Builder versions <= 2.0.1...
WordPress VK All in One Expansion Unit plugin <= 9.113.3 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by timomangcut in WordPress Plugin VK All in One Expansion Unit versions <= 9.113.3...