WordPress Instant Popup Builder plugin <= 1.1.7 - Unauthenticated Arbitrary Shortcode Execution via 'token' Parameter vulnerability
Unauthenticated Arbitrary Shortcode Execution via 'token' Parameter vulnerability discovered by theviper17y in WordPress Plugin Instant Popup Builder versions <= 1.1.7...
WordPress Add Custom Fields to Media plugin <= 2.0.3 - Cross-Site Request Forgery to Custom Field Deletion via 'delete' Parameter vulnerability
Cross-Site Request Forgery to Custom Field Deletion via 'delete' Parameter vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin Add Custom Fields to Media versions <= 2.0.3...
WordPress Draft List plugin <= 2.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'display_name' Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'display_name' Parameter vulnerability discovered by WordFence in WordPress Plugin Draft List versions <= 2.6.2...
WordPress Download Manager plugin <= 3.3.49 - Missing Authorization to Authenticated (Subscriber+) User Email Enumeration via 'user' Parameter vulnerability
Missing Authorization to Authenticated (Subscriber+) User Email Enumeration via 'user' Parameter vulnerability discovered by Quốc Huy jtwings - Puramu in WordPress Plugin Download Manager versions <= 3.3.49...
WordPress Info Cards plugin <= 2.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin Info Cards versions <= 2.0.7...
WordPress Photo Gallery, Sliders, Proofing and Themes - NextGEN Gallery plugin <= 4.0.4 - Authenticated (Author+) Local File Inclusion vulnerability
WordPress Photo Gallery, Sliders, Proofing and Themes - NextGEN Gallery plugin <= 4.0.4 - Authenticated (Author+) Local File Inclusion vulnerability discovered by WordFence in WordPress Plugin NextGEN Gallery versions <= 4.0.4...
WordPress Client Invoicing by Sprout Invoices plugin <= 20.8.10 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Bao - BlueRock in WordPress Plugin Client Invoicing by Sprout Invoices versions <= 20.8.10...
WordPress Nelio Content plugin <= 4.3.1 - Server Side Request Forgery (SSRF) vulnerability
Server Side Request Forgery (SSRF) vulnerability discovered by Steven Julian in WordPress Plugin Nelio Content versions <= 4.3.1...
WordPress Post SMTP plugin <= 3.8.0 - Missing Authorization to Authenticated (Subscriber+) Office 365 OAuth Configuration Overwrite vulnerability
Missing Authorization to Authenticated (Subscriber+) Office 365 OAuth Configuration Overwrite vulnerability discovered by Michael Iden Mickhat - Hack The Box in WordPress Plugin Post SMTP versions <= 3.8.0...
WordPress Code Embed plugin <= 2.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Code Embed versions <= 2.5.1...
WordPress Get Use APIs plugin < 2.0.10 - Contributor+ Stored XSS vulnerability
Contributor+ Stored XSS vulnerability discovered by Ahmed Makawi in WordPress Plugin JSON Content Importer versions < 2.0.10...
WordPress Ultimate Post Kit plugin <= 4.0.21 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by 0xd4rk5id3 in WordPress Plugin Ultimate Post Kit versions <= 4.0.21...
WordPress WPVulnerability plugin <= 4.2.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin WPVulnerability versions <= 4.2.1...
WordPress Nexa Blocks plugin <= 1.1.1 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Nabil Irawan in WordPress Plugin Nexa Blocks versions <= 1.1.1...
WordPress Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.2.2 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms versions <= 1.2.2...
WordPress Print Invoice & Delivery Notes for WooCommerce plugin <= 5.9.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by johska in WordPress Plugin Print Invoice & Delivery Notes for WooCommerce versions <= 5.9.0...
WordPress Phox Hosting plugin <= 2.0.8 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Phox Hosting versions <= 2.0.8...
WordPress Booking calendar, Appointment Booking System plugin <= 3.2.36 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by dragonzen in WordPress Plugin Booking calendar, Appointment Booking System versions <= 3.2.36...
WordPress Gutenberg Blocks – Unlimited blocks For Gutenberg plugin <= 1.2.8 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Jarno Vos jrn5151 in WordPress Plugin Gutenberg Blocks versions <= 1.2.8...
WordPress GZSEO plugin <= 2.0.14 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin GZSEO versions <= 2.0.14...
WordPress Advanced WooCommerce Product Sales Reporting plugin <= 4.1.3 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Que Thanh Tuan in WordPress Plugin Advanced WooCommerce Product Sales Reporting versions <= 4.1.3...
WordPress Kentha theme <= 4.7.2 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Kentha versions <= 4.7.2...
WordPress Fraud Prevention For Woocommerce plugin <= 2.3.3 - Arbitrary Content Deletion vulnerability
Arbitrary Content Deletion vulnerability discovered by Jarno Vos jrn5151 in WordPress Plugin Fraud Prevention For Woocommerce versions <= 2.3.3...
WordPress EventPrime plugin <= 4.2.8.3 - Payment Bypass vulnerability
Payment Bypass vulnerability discovered by Zeeshan Haider in WordPress Plugin EventPrime versions <= 4.2.8.3...
WordPress Hide My WP Ghost plugin < 7.0.00 - Open Redirection vulnerability
Open Redirection vulnerability discovered by Or Benit in WordPress Plugin Hide My WP Ghost versions < 7.0.00...
WordPress Contextual Related Posts plugin < 4.2.2 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin Contextual Related Posts versions < 4.2.2...
WordPress User Feedback plugin <= 1.10.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Trương Hữu Phúc truonghuuphuc in WordPress Plugin User Feedback versions <= 1.10.1...
WordPress SUMO Affiliates Pro plugin < 11.4.0 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Phat RiO in WordPress Plugin SUMO Affiliates Pro versions < 11.4.0...
WordPress WishList Member X plugin <= 3.29.0 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by 0xd4rk5id3 in WordPress Plugin WishList Member X versions <= 3.29.0...
WordPress WishList Member X plugin <= 3.29.0 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Jarno Vos jrn5151 in WordPress Plugin WishList Member X versions <= 3.29.0...
WordPress Widget Wrangler plugin <= 2.3.9 - Remote Code Execution (RCE) vulnerability
Remote Code Execution (RCE) vulnerability discovered by NumeX in WordPress Plugin Widget Wrangler versions <= 2.3.9...
WordPress Writeprint Stylometry plugin <= 0.1 - Reflected Cross-Site Scripting via 'p' Parameter vulnerability
Reflected Cross-Site Scripting via 'p' Parameter vulnerability discovered by johska in WordPress Plugin Writeprint Stylometry versions <= 0.1...
WordPress [CR]Paid Link Manager plugin <= 0.5 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin [CR]Paid Link Manager versions <= 0.5...
WordPress WP Go Maps (formerly WP Google Maps) plugin <= 10.0.05 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via admin_post_wpgmza_save_settings vulnerability
Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via admin_post_wpgmza_save_settings vulnerability discovered by Nguyen Ba Hung bashu - KCSC in WordPress Plugin WP Go Maps versions <= 10.0.05...
WordPress Yoast Duplicate Post plugin <= 4.5 - Authenticated (Contributor+) Missing Authorization to Arbitrary Post Duplication and Overwrite vulnerability
Authenticated (Contributor+) Missing Authorization to Arbitrary Post Duplication and Overwrite vulnerability discovered by johska in WordPress Plugin Duplicate Post versions <= 4.5...
WordPress Subscriptions for WooCommerce plugin <= 1.9.2 - Missing Authorization to Unauthenticated Arbitrary Subscription Cancellation vulnerability
Missing Authorization to Unauthenticated Arbitrary Subscription Cancellation vulnerability discovered by shrikant bhosale in WordPress Plugin Subscriptions for WooCommerce versions <= 1.9.2...
WordPress Royal Addons for Elementor - Addons and Templates Kit for Elementor plugin <= 1.7.1049 - Missing Authorization to Unauthenticated Custom Post Type Contents Exposure vulnerability
WordPress Royal Addons for Elementor - Addons and Templates Kit for Elementor plugin <= 1.7.1049 - Missing Authorization to Unauthenticated Custom Post Type Contents Exposure vulnerability discovered by Quốc Huy jtwings - Puramu in WordPress Plugin Royal Elementor Addons versions <= 1.7.1049...
WordPress WP System Log plugin <= 1.2.7 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by NumeX in WordPress Plugin WP System Log versions <= 1.2.7...
WordPress Traveler theme < 3.2.8.1 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Phat RiO in WordPress Theme Traveler versions < 3.2.8.1...
WordPress PublishPress Authors plugin <= 4.10.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan in WordPress Plugin PublishPress Authors versions <= 4.10.1...
WordPress The League theme <= 4.4.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme The League versions <= 4.4.1...
WordPress Remoji plugin <= 2.2 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Doan Dinh Van in WordPress Plugin Remoji versions <= 2.2...
WordPress XStore Core plugin <= 5.6.4 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin XStore Core versions <= 5.6.4...
WordPress Product Slider for WooCommerce plugin <= 1.13.61 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by theviper17 in WordPress Plugin Product Slider for WooCommerce versions <= 1.13.61...
WordPress Automated FedEx live/manual rates with shipping labels plugin <= 5.1.8 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by johska in WordPress Plugin Automated FedEx live/manual rates with shipping labels versions <= 5.1.8...
WordPress Mixtape theme <= 2.1 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Mixtape versions <= 2.1...
WordPress Moments theme <= 2.2 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Moments versions <= 2.2...
WordPress Ave Core plugin <= 2.9.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Rafie Muhammad Patchstack in WordPress Plugin Ave Core versions <= 2.9.1...
WordPress Education Zone theme <= 1.3.8 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by John P in WordPress Theme Education Zone versions <= 1.3.8...
WordPress avalex plugin <= 3.1.3 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin avalex versions <= 3.1.3...