WordPress Rank Math SEO plugin <= 1.0.271 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Jakub Herman in WordPress Plugin Rank Math SEO versions = 1.0.271...

WordPress Geo Mashup plugin <= 1.13.19 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Baikuya in WordPress Plugin Geo Mashup versions = 1.13.19...

WordPress Funnel Builder by FunnelKit plugin <= 3.15.0.2 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Tiago Ventura @perses in WordPress Plugin Funnel Builder by FunnelKit versions = 3.15.0.2...

WordPress XCloner plugin <= 4.8.6 - Sensitive Data Exposure vulnerability

Sensitive Data Exposure vulnerability discovered by kai63001 in WordPress Plugin XCloner versions = 4.8.6...

WordPress Sunshine Photo Cart plugin <= 3.6.7 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Dave Jong Patchstack in WordPress Plugin Sunshine Photo Cart versions = 3.6.7...

WordPress ELEX WordPress HelpDesk & Customer Ticketing System plugin <= 3.3.6 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Mukhlis Amien in WordPress Plugin ELEX WordPress HelpDesk & Customer Ticketing System versions = 3.3.6...

WordPress JS Help Desk plugin <= 3.0.9 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Nvz in WordPress Plugin JS Help Desk versions = 3.0.9...

WordPress JS Help Desk plugin <= 3.0.9 - SQL Injection vulnerability

SQL Injection vulnerability discovered by sequenceX0 in WordPress Plugin JS Help Desk versions = 3.0.9...

WordPress HollerBox plugin <= 2.3.10.1 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by she11f in WordPress Plugin HollerBox versions = 2.3.10.1...

WordPress TrueBooker plugin <= 1.1.9 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Vincent Sevkli in WordPress Plugin TrueBooker versions = 1.1.9...

WordPress WP Time Slots Booking Form plugin <= 1.2.50 - SQL Injection vulnerability

SQL Injection vulnerability discovered by xwii in WordPress Plugin WP Time Slots Booking Form versions = 1.2.50...

WordPress Amelia plugin <= 2.3 - Privilege Escalation vulnerability

Privilege Escalation vulnerability discovered by dodoh4t in WordPress Plugin Amelia versions = 2.3...

WordPress Elementor Website Builder plugin <= 4.1.0 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Bonds in WordPress Plugin Elementor Website Builder versions = 4.1.0...

WordPress Crew HRM plugin <= 1.2.2 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by benzdeus in WordPress Plugin Crew HRM versions = 1.2.2...

WordPress Progress Planner plugin <= 1.9.0 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by hongdo in WordPress Plugin Progress Planner versions = 1.9.0...

WordPress WP Job Portal plugin <= 2.5.2 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Baikuya in WordPress Plugin WP Job Portal versions = 2.5.2...

WordPress Simple Shopping Cart plugin <= 5.2.9 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References IDOR vulnerability discovered by Austin Ginder in WordPress Plugin Simple Shopping Cart versions = 5.2.9...

WordPress Visual Link Preview plugin <= 2.4.1 - Sensitive Data Exposure vulnerability

Sensitive Data Exposure vulnerability discovered by Aliefis in WordPress Plugin Visual Link Preview versions = 2.4.1...

WordPress King Addons for Elementor plugin <= 51.1.62 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by thevietronin in WordPress Plugin King Addons for Elementor versions = 51.1.62...

WordPress Montonio for WooCommerce plugin <= 10.1.2 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Niv Kochan in WordPress Plugin Montonio for WooCommerce versions = 10.1.2...

WordPress GamiPress plugin <= 7.8.7 - SQL Injection vulnerability

SQL Injection vulnerability discovered by kai63001 in WordPress Plugin GamiPress versions = 7.8.7...

WordPress JetSmartFilters plugin <= 3.8.1 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Austin Ginder in WordPress Plugin JetSmartFilters versions = 3.8.1...

WordPress EmergencyWP – Dead Man's switch & legacy deliverance plugin <= 1.4.2 - Cross-Site Request Forgery to Plugin Settings Update vulnerability

Cross-Site Request Forgery to Plugin Settings Update vulnerability discovered by swat in WordPress Plugin EmergencyWP – Dead Man's switch & legacy deliverance versions = 1.4.2...

WordPress Passeum Ticketing plugin <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting vulnerability discovered by KEVIN LEE crattack - OPCIA in WordPress Plugin Passeum Ticketing versions = 1.0...

WordPress FPW Category Thumbnails plugin <= 1.9.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability

Authenticated Subscriber+ Stored Cross-Site Scripting vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin FPW Category Thumbnails versions = 1.9.5...

WordPress hiWeb Migration Simple plugin <= 2.0.0.1 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by san6051 - COFFSec in WordPress Plugin hiWeb Migration Simple versions = 2.0.0.1...

WordPress rognone plugin <= 0.6.2 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by san6051 - COFFSec in WordPress Plugin rognone versions = 0.6.2...

WordPress rognone plugin <= 0.6.2 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by san6051 - COFFSec in WordPress Plugin rognone versions = 0.6.2...

WordPress Simple Custom Login Page plugin <= 1.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability

Authenticated Admin+ Stored Cross-Site Scripting vulnerability discovered by Nguyen Duong in WordPress Plugin Simple Custom Login Page versions = 1.0.3...

WordPress Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin <= 2.19.25 - Authenticated (Contributor+) Remote Code Execution vulnerability

Authenticated Contributor+ Remote Code Execution vulnerability discovered by kai63001 in WordPress Plugin Spectra versions = 2.19.25...

WordPress GEO my WP plugin <= 4.5.5 - Unauthenticated SQL Injection vulnerability

Unauthenticated SQL Injection vulnerability discovered by Naoya Takahashi nakko in WordPress Plugin GEO my WordPress versions = 4.5.5...

WordPress Simple History – Track, Log, and Audit WordPress Changes plugin <= 5.26.0 - Authenticated (Subscriber+) Account Takeover vulnerability

Authenticated Subscriber+ Account Takeover vulnerability discovered by lhking in WordPress Plugin Simple History versions = 5.26.0...

WordPress SePay Gateway plugin <= 1.1.20 - Sensitive Data Exposure vulnerability

Sensitive Data Exposure vulnerability discovered by ParkHyunWoo in WordPress Plugin SePay Gateway versions = 1.1.20...

WordPress Tiled Gallery Carousel Without JetPack plugin <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin Tiled Gallery Carousel Without JetPack versions = 3.1...

WordPress Easy Cart plugin <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Easy Cart versions = 1.8...

WordPress ZeM STL plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Gilang - DJ in WordPress Plugin ZeM STL versions = 1.0...

WordPress BirdSeed plugin <= 2.2.0 - Cross-Site Request Forgery vulnerability

Cross-Site Request Forgery vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin BirdSeed versions = 2.2.0...

WordPress Word Replacer plugin <= 0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting vulnerability discovered by san6051 - COFFSec in WordPress Plugin Word Replacer versions = 0.4...

WordPress WP Nano AD plugin <= 1.31 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting vulnerability discovered by siyuan shao in WordPress Plugin WP Nano AD versions = 1.31...

WordPress DeMomentSomTres Shortcodes plugin <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin DeMomentSomTres Shortcodes versions = 1.1.1...

WordPress Remove NoFollow Commenter URL plugin <= 1.0 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by swat in WordPress Plugin Remove NoFollow Commenter URL versions = 1.0...

WordPress Google Plus One Bottom plugin <= 0.0.2 - Cross-Site Request Forgery to Plugin Settings Update vulnerability

Cross-Site Request Forgery to Plugin Settings Update vulnerability discovered by swat in WordPress Plugin Google Plus One Bottom versions = 0.0.2...

WordPress Laiser Tag plugin <= 1.2.5 - Cross-Site Request Forgery to Plugin Settings Update vulnerability

Cross-Site Request Forgery to Plugin Settings Update vulnerability discovered by swat in WordPress Plugin Laiser Tag versions = 1.2.5...

WordPress JTL-Connector for WooCommerce plugin <= 2.4.1 - Missing Authorization to Authenticated (Subscriber+) Settings Modification vulnerability

Missing Authorization to Authenticated Subscriber+ Settings Modification vulnerability discovered by Muhan Luo - Security Innovation in WordPress Plugin JTL-Connector for WooCommerce versions = 2.4.1...

WordPress Tectite Forms plugin <= 1.3 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin Tectite Forms versions = 1.3...

WordPress Remove meta boxes per user role plugin <= 1.01 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by Muhammad Nur Ibnu Hubab - Pondok Teknologi in WordPress Plugin Remove meta boxes per user role versions = 1.01...

WordPress Kirki plugin 6.0.0-6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password' vulnerability

Unauthenticated Privilege Escalation via 'handleforgotpassword' vulnerability discovered by CHOIGYEONGMIN in WordPress Plugin Kirki – Freeform Page Builder, Website Builder & Customizer versions 6.0.0-6.0.6...

WordPress WPC Product Bundles for WooCommerce plugin <= 8.5.3 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Jakub Herman in WordPress Plugin WPC Product Bundles for WooCommerce versions = 8.5.3...

WordPress Stop Spammers plugin <= 2026.3 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Peleg Nagli ultrared.ai in WordPress Plugin Stop Spammers versions = 2026.3...

WordPress EmbedPress plugin <= 4.5.2 - Sensitive Data Exposure vulnerability

Sensitive Data Exposure vulnerability discovered by Mukhlis Amien in WordPress Plugin EmbedPress versions = 4.5.2...