45960 matches found
WordPress Formidable Forms plugin <= 6.28 - Unauthenticated Payment Amount Manipulation via 'item_meta' Parameter vulnerability
Unauthenticated Payment Amount Manipulation via 'item_meta' Parameter vulnerability discovered by Michael Iden Mickhat - Hack The Box in WordPress Plugin Formidable Forms versions <= 6.28...
WordPress Formidable Forms plugin <= 6.28 - Missing Authorization to Unauthenticated Payment Integrity Bypass via PaymentIntent Reuse vulnerability
Missing Authorization to Unauthenticated Payment Integrity Bypass via PaymentIntent Reuse vulnerability discovered by Andres Cruciani in WordPress Plugin Formidable Forms versions <= 6.28...
WordPress Appointment Booking Calendar plugin <= 1.6.9.29 - Missing Authorization to Unauthenticated Sensitive Information Exposure via Settings REST API Endpoint vulnerability
Missing Authorization to Unauthenticated Sensitive Information Exposure via Settings REST API Endpoint vulnerability discovered by Muhammad Sharief in WordPress Plugin Simply Schedule Appointments versions <= 1.6.9.29...
WordPress Pix for WooCommerce plugin <= 1.5.0 - Unauthenticated Arbitrary File Upload vulnerability
Unauthenticated Arbitrary File Upload vulnerability discovered by Alexis Lafontaine in WordPress Plugin Pix for WooCommerce versions <= 1.5.0...
WordPress Calculated Fields Form plugin <= 5.4.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Form Settings vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Form Settings vulnerability discovered by Hunter Jensen skid in WordPress Plugin Calculated Fields Form versions <= 5.4.5.0...
WordPress Social Icons Widget & Block plugin <= 4.5.8 - Missing Authorization to Authenticated (Subscriber+) Sharing Configuration Creation vulnerability
Missing Authorization to Authenticated (Subscriber+) Sharing Configuration Creation vulnerability discovered by darkmode in WordPress Plugin Social Icons Widget & Block by WPZOOM versions <= 4.5.8...
WordPress GetGenie plugin <= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Stored Cross-Site Scripting via REST API vulnerability
Insecure Direct Object Reference to Authenticated (Author+) Stored Cross-Site Scripting via REST API vulnerability discovered by Quốc Huy jtwings - Puramu in WordPress Plugin GetGenie versions <= 4.3.2...
WordPress GetGenie plugin <= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Post Overwrite/Deletion vulnerability
Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Post Overwrite/Deletion vulnerability discovered by Kazuma Matsumoto - GMO Cybersecurity by IERAE, Inc. in WordPress Plugin GetGenie versions <= 4.3.2...
WordPress Appointment Booking Calendar plugin <= 1.6.9.29 - Insecure Direct Object Reference to Authenticated (Staff+) Sensitive Information Exposure vulnerability
Insecure Direct Object Reference to Authenticated (Staff+) Sensitive Information Exposure vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin Simply Schedule Appointments versions <= 1.6.9.29...
WordPress Reading progressbar plugin < 1.3.1 - Admin+ Stored XSS vulnerability
Admin+ Stored XSS vulnerability discovered by Krugov Artyom in WordPress Plugin Reading progressbar versions < 1.3.1...
WordPress Timetics plugin < 1.0.52 - Unauthenticated Payment/Booking Status Update vulnerability
Unauthenticated Payment/Booking Status Update vulnerability discovered by Khaled Alenazi Nxploited in WordPress Plugin Timetics versions < 1.0.52...
WordPress Golo theme <= 1.7.0 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Golo versions <= 1.7.0...
WordPress Energox theme <= 1.2 - Arbitrary File Deletion vulnerability
Arbitrary File Deletion vulnerability discovered by Phat RiO - BlueRock in WordPress Theme Energox versions <= 1.2...
WordPress MetForm Pro plugin <= 3.9.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin MetForm Pro versions <= 3.9.1...
WordPress Instant VA theme <= 1.0.1 - Arbitrary File Deletion vulnerability
Arbitrary File Deletion vulnerability discovered by Phat RiO - BlueRock in WordPress Theme Instant VA versions <= 1.0.1...
WordPress Xagio SEO plugin <= 7.1.0.30 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by daroo in WordPress Plugin Xagio SEO versions <= 7.1.0.30...
WordPress Penci Soledad Data Migrator plugin <= 1.3.1 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Penci Soledad Data Migrator versions <= 1.3.1...
WordPress BuilderPress plugin <= 2.0.1 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin BuilderPress versions <= 2.0.1...
WordPress Mobile App Editor plugin <= 1.3.1 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by NumeX in WordPress Plugin Mobile App Editor versions <= 1.3.1...
WordPress Website LLMs.txt plugin <= 8.2.6 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by benzdeus in WordPress Plugin Website LLMs.txt versions <= 8.2.6...
WordPress WOLF plugin <= 1.0.8.7 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin WOLF versions <= 1.0.8.7...
WordPress RegistrationMagic plugin <= 6.0.7.1 - Account Takeover vulnerability
Account Takeover vulnerability discovered by 0xd4rk5id3 in WordPress Plugin RegistrationMagic versions <= 6.0.7.1...
WordPress Everest Forms Pro plugin <= 1.9.10 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Kishan Vyas in WordPress Plugin Everest Forms Pro versions <= 1.9.10...
WordPress WPCafe plugin <= 3.0.7 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by daroo in WordPress Plugin WPCafe versions <= 3.0.7...
WordPress Simple Ajax Chat plugin <= 20260217 - Unauthenticated Stored Cross-Site Scripting via 'c' vulnerability
Unauthenticated Stored Cross-Site Scripting via 'c' vulnerability discovered by Kazuma Matsumoto - GMO Cybersecurity by IERAE, Inc. in WordPress Plugin Simple Ajax Chat versions <= 20260217...
WordPress PixelYourSite PRO plugin <= 12.4.0.2 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin PixelYourSite PRO versions <= 12.4.0.2...
WordPress PixelYourSite plugin <= 11.2.0 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin PixelYourSite – Your smart PIXEL TAG Manager versions <= 11.2.0...
WordPress DukaPress plugin <= 3.2.4 - Reflected XSS vulnerability
Reflected XSS vulnerability discovered by Vuln Seeker Cyber Security Team in WordPress Plugin DukaPress versions <= 3.2.4...
WordPress WP Front User Submit plugin < 5.0.6 - Unauthenticated Sensitive Information Exposure vulnerability
Unauthenticated Sensitive Information Exposure vulnerability discovered by Mike Gozdiskowski in WordPress Plugin WP Front User Submit / Front Editor versions < 5.0.6...
WordPress ExactMetrics plugin 7.1.0-9.0.2 - Authenticated (Custom) Improper Privilege Management to Role Privilege Escalation via Settings Update vulnerability
Authenticated (Custom) Improper Privilege Management to Role Privilege Escalation via Settings Update vulnerability discovered by Ali Sünbül in WordPress Plugin ExactMetrics versions 7.1.0-9.0.2...
WordPress Name Directory plugin <= 1.32.1 - Unauthenticated Stored Cross-Site Scripting via 'name_directory_name' vulnerability
Unauthenticated Stored Cross-Site Scripting via 'name_directory_name' vulnerability discovered by Youssef Elouaer in WordPress Plugin Name Directory versions <= 1.32.1...
WordPress Checkout Field Editor (Checkout Manager) for WooCommerce plugin <= 2.1.7 - Unauthenticated Stored Cross-Site Scripting via Block Checkout Custom Radio Field vulnerability
Unauthenticated Stored Cross-Site Scripting via Block Checkout Custom Radio Field vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Checkout Field Editor (Checkout Manager) for WooCommerce versions <= 2.1.7...
WordPress Responsive Contact Form Builder & Lead Generation Plugin plugin <= 2.0.1 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by Youssef Elouaer in WordPress Plugin Contact Form & Lead Form Elementor Builder versions <= 2.0.1...
WordPress Gravity Forms plugin <= 2.9.28.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Form Title vulnerability
Authenticated (Subscriber+) Stored Cross-Site Scripting via Form Title vulnerability discovered by hoshino in WordPress Plugin Gravity Forms versions <= 2.9.28...
WordPress My Sticky Bar plugin <= 2.8.6 - Unauthenticated SQL Injection via 'stickymenu_contact_lead_form' Action vulnerability
Unauthenticated SQL Injection via 'stickymenu_contact_lead_form' Action vulnerability discovered by Dimas Maulana in WordPress Plugin My Sticky Bar versions <= 2.8.6...
WordPress Datalogics Ecommerce Delivery plugin < 2.6.60 - Unauthenticated Privilege Escalation vulnerability
Unauthenticated Privilege Escalation vulnerability discovered by Khaled Alenazi Nxploited in WordPress Plugin Datalogics Ecommerce Delivery versions < 2.6.60...
WordPress Divi Booster plugin < 5.0.2 - Unauthenticated PHP Object Injection vulnerability
Unauthenticated PHP Object Injection vulnerability discovered by Saif Team 51 in WordPress Plugin Divi Booster versions < 5.0.2...
WordPress RegistrationMagic plugin <= 6.0.7.2 - Subscriber+ Sensitive Data Disclosure vulnerability
Subscriber+ Sensitive Data Disclosure vulnerability discovered by bRpsd in WordPress Plugin RegistrationMagic versions <= 6.0.7.2...
WordPress LearnPress plugin <= 4.3.2.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Notification Triggering vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Notification Triggering vulnerability discovered by Jack Pas Dark. - Black Lantern Security in WordPress Plugin LearnPress versions <= 4.3.2.8...
WordPress Gutena Forms plugin < 1.6.1 - Contributor+ Arbitrary Limited Options Update vulnerability
Contributor+ Arbitrary Limited Options Update vulnerability discovered by yiğit ibrahim sağlam in WordPress Plugin Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder versions < 1.6.1...
WordPress ExactMetrics plugin 8.6.0-9.0.2 - Authenticated (Custom) Insecure Direct Object Reference to Arbitrary Plugin Installation
Authenticated (Custom) Insecure Direct Object Reference to Arbitrary Plugin Installation vulnerability discovered by Ali Sünbül in WordPress Plugin ExactMetrics versions 8.6.0-9.0.2...
WordPress Advanced Product Fields (Product Addons) for WooCommerce plugin <= 1.6.18 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by timomangcut in WordPress Plugin Advanced Product Fields (Product Addons) for WooCommerce versions <= 1.6.18...
WordPress Responsive Blocks plugin <= 2.2.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Silver Asu in WordPress Plugin Responsive Blocks versions <= 2.2.0...
WordPress weForms plugin <= 1.6.27 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Hidden Field Value via REST API vulnerability
Authenticated (Subscriber+) Stored Cross-Site Scripting via Hidden Field Value via REST API vulnerability discovered by Muhammad Sharief in WordPress Plugin weForms versions <= 1.6.27...
WordPress Royal Addons for Elementor plugin <= 1.7.1049 - Authenticated (Author+) Arbitrary File Upload via main.php Upload Bypass vulnerability
Authenticated (Author+) Arbitrary File Upload via main.php Upload Bypass vulnerability discovered by mikemyers in WordPress Plugin Royal Elementor Addons versions <= 1.7.1049...
WordPress MC4WP: Mailchimp for WordPress plugin <= 4.11.1 - Missing Authorization to Unauthenticated Arbitrary Subscription Deletion vulnerability
Missing Authorization to Unauthenticated Arbitrary Subscription Deletion vulnerability discovered by Sarawut Poolkhet MisterHelloz in WordPress Plugin MC4WP versions <= 4.11.1...
WordPress RTMKit plugin <= 1.6.8 - Reflected Cross-Site Scripting via 'themebuilder' Parameter vulnerability
Reflected Cross-Site Scripting via 'themebuilder' Parameter vulnerability discovered by LionTree in WordPress Plugin RTMKit versions <= 1.6.8...
WordPress LatePoint - Calendar Booking Plugin for Appointments and Events plugin <= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting vulnerability
WordPress LatePoint - Calendar Booking Plugin for Appointments and Events plugin <= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting vulnerability discovered by lucsob in WordPress Plugin LatePoint versions <= 5.2.7...
WordPress Unlimited Elements For Elementor plugin <= 2.0.5 - Unauthenticated Stored Cross-Site Scripting via Form Entry Fields vulnerability
Unauthenticated Stored Cross-Site Scripting via Form Entry Fields vulnerability discovered by WordFence in WordPress Plugin Unlimited Elements For Elementor Free Widgets, Addons, Templates versions <= 2.0.5...
WordPress MetForm Pro plugin <= 3.9.6 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by andrea bocchetti in WordPress Plugin MetForm Pro versions <= 3.9.6...