WordPress The Events Calendar plugin <= 6.15.17 - Authenticated (Author+) Arbitrary File Read via ajax_create_import vulnerability

Authenticated Author+ Arbitrary File Read via ajaxcreateimport vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin The Events Calendar versions = 6.15.17...

WordPress Appointment Booking Calendar plugin <= 1.6.9.27 - Unauthenticated SQL Injection via 'append_where_sql' Parameter vulnerability

Unauthenticated SQL Injection via 'appendwheresql' Parameter vulnerability discovered by d.v4ns3c in WordPress Plugin Simply Schedule Appointments versions = 1.6.9.27...

WordPress JetBooking plugin <= 4.0.3 - Unauthenticated SQL Injection via 'check_in_date' Parameter vulnerability

Unauthenticated SQL Injection via 'checkindate' Parameter vulnerability discovered by hoshino in WordPress Plugin JetBooking versions = 4.0.3...

WordPress WP Maps plugin <= 4.9.1 - Unauthenticated SQL Injection via 'location_id' Parameter vulnerability

Unauthenticated SQL Injection via 'locationid' Parameter vulnerability discovered by johska in WordPress Plugin WP Maps versions = 4.9.1...

WordPress Ally - Web Accessibility & Usability plugin <= 4.0.3 - Unauthenticated SQL Injection via URL Path vulnerability

WordPress Ally - Web Accessibility & Usability plugin = 4.0.3 - Unauthenticated SQL Injection via URL Path vulnerability discovered by Drew Webber mcdruid in WordPress Plugin Ally versions = 4.0.3...

WordPress ProfilePress plugin <= 4.16.11 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Subscription Cancellation/Expiration vulnerability

Insecure Direct Object Reference to Authenticated Subscriber+ Arbitrary Subscription Cancellation/Expiration vulnerability discovered by kai63001 in WordPress Plugin ProfilePress versions = 4.16.11...

WordPress Tutor LMS Pro plugin <= 3.9.5 - Authentication Bypass via Social Login vulnerability

Authentication Bypass via Social Login vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Tutor LMS Pro versions = 3.9.5...

WordPress Core <= 6.9.3 - XML External Entity (XXE) vulnerability

XML External Entity XXE vulnerability discovered by Youssef Achtatal in WordPress core versions = 6.9.3...

WordPress 6.9-6.9.3 - Broken Access Control in Notes vulnerability

Broken Access Control in Notes vulnerability discovered by kaminuma in WordPress core versions 6.9-6.9.3...

WordPress Core <= 6.9.1 - Missing Authorization to Authenticated (Author+) Sensitive Information Disclosure vulnerability

Missing Authorization to Authenticated Author+ Sensitive Information Disclosure vulnerability discovered by Vitaly Simonovich in WordPress core versions = 6.9.1...

WordPress Happy Addons for Elementor plugin <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Post Duplication via 'post_id' Parameter vulnerability

Insecure Direct Object Reference to Authenticated Contributor+ Post Duplication via 'postid' Parameter vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Happy Addons for Elementor versions = 3.21.0...

WordPress Happy Addons for Elementor plugin <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Stored Cross-Site Scripting via Template Conditions vulnerability

Insecure Direct Object Reference to Authenticated Contributor+ Stored Cross-Site Scripting via Template Conditions vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Happy Addons for Elementor versions = 3.21.0...

WordPress Modular Connector plugin <= 2.5.1 - Cross-Site Request Forgery via postConfirmOauth vulnerability

Cross-Site Request Forgery via postConfirmOauth vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Modular DS versions = 2.5.1...

WordPress Court Reservation plugin < 1.10.9 - Event Deletion via CSRF vulnerability

Event Deletion via CSRF vulnerability discovered by Bob Matyas in WordPress Plugin Court Reservation versions 1.10.9...

WordPress Astra theme <= 4.12.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Post Meta vulnerability discovered by at1as - Self-Employed in WordPress Theme Astra WordPress Theme versions = 4.12.3...

WordPress WP ULike plugin <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attribute vulnerability discovered by Quốc Huy jtwings - Puramu in WordPress Plugin WP ULike versions = 5.0.1...

WordPress Dear Flipbook plugin <= 2.4.20 - Authenticated (Author+) Stored Cross-Site Scripting via PDF Page Labels vulnerability

Authenticated Author+ Stored Cross-Site Scripting via PDF Page Labels vulnerability discovered by Drew Webber mcdruid in WordPress Plugin DearFlip versions = 2.4.20...

WordPress NextScripts: Social Networks Auto-Poster plugin <= 4.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'nxs_fbembed' Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'nxsfbembed' Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin NextScripts versions = 4.4.6...

WordPress Booktics plugin <= 1.0.16 - Missing Authorization to Get Items via REST API endpoints vulnerability

Missing Authorization to Get Items via REST API endpoints vulnerability discovered by Kazuma Matsumoto - GMO Cybersecurity by IERAE, Inc. in WordPress Plugin Booktics versions = 1.0.16...

WordPress Booktics plugin <= 1.0.16 - Missing Authorization to Addon Plugin Installation vulnerability

Missing Authorization to Addon Plugin Installation vulnerability discovered by Kazuma Matsumoto - GMO Cybersecurity by IERAE, Inc. in WordPress Plugin Booktics versions = 1.0.16...

WordPress Core <= 6.9.1 - Server-Side Request Forgery (SSRF) vulnerability

Server-Side Request Forgery SSRF vulnerability discovered by sibwtf in WordPress core versions 6.9-6.9.1...

WordPress Admin Menu Editor plugin <= 1.14.1 - Cross Site Request Forgery (CSRF) vulnerability

Cross Site Request Forgery CSRF vulnerability discovered by timomangcut in WordPress Plugin Admin Menu Editor versions = 1.14.1...

WordPress MDTF plugin <= 1.3.5 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by zaim in WordPress Plugin MDTF versions = 1.3.5...

WordPress News Magazine X theme <= 1.2.50 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by John P in WordPress Theme News Magazine X versions = 1.2.50...

WordPress EventPrime plugin <= 4.2.6.0 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin EventPrime versions = 4.2.6.0...

WordPress Addi – Cuotas que se adaptan a ti plugin <= 2.0.4 - Broken Authentication vulnerability

Broken Authentication vulnerability discovered by Jarno Vos jrn5151 in WordPress Plugin Addi Cuotas que se adaptan a ti versions = 2.0.4...

WordPress Love Story theme <= 1.3.12 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Love Story versions = 1.3.12...

WordPress Work & Travel Company theme <= 1.2 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Work & Travel Company versions = 1.2...

WordPress Buisson theme <= 1.1.11 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Buisson versions = 1.1.11...

WordPress tagDiv Composer plugin <= 5.4.2 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting XSS vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin tagDiv Composer versions = 5.4.2...

WordPress WP User Frontend plugin <= 4.2.5 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by daroo in WordPress Plugin WP User Frontend versions = 4.2.5...

WordPress Wolverine Framework plugin <= 1.9 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting XSS vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Wolverine Framework versions = 1.9...

WordPress Darna Framework plugin <= 2.9 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting XSS vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Darna Framework versions = 2.9...

WordPress Contest Gallery plugin <= 28.1.2.1 - Server Side Request Forgery (SSRF) vulnerability

Server Side Request Forgery SSRF vulnerability discovered by lilmingwa13 in WordPress Plugin Contest Gallery versions = 28.1.2.1...

WordPress TotalContest Lite plugin <= 2.9.1 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by hhhai in WordPress Plugin TotalContest Lite versions = 2.9.1...

WordPress Belfort theme <= 1.0 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Belfort versions = 1.0...

WordPress LuxeDrive theme <= 1.0 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme LuxeDrive versions = 1.0...

WordPress MultiOffice theme <= 1.2 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme MultiOffice versions = 1.2...

WordPress Amfissa theme <= 1.1 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Amfissa versions = 1.1...

WordPress Deston theme <= 1.0 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Deston versions = 1.0...

WordPress Emaurri theme <= 1.0.1 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Emaurri versions = 1.0.1...

WordPress Rosebud theme <= 1.4 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Rosebud versions = 1.4...

WordPress PitchPrint plugin <= 11.1.2 - Arbitrary File Deletion vulnerability

Arbitrary File Deletion vulnerability discovered by NumeX in WordPress Plugin PitchPrint versions = 11.1.2...

WordPress Core <= 6.9.1 - Cross-Site Scripting vulnerability

Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress core versions 6.9-6.9.1...

WordPress UiPress lite plugin <= 3.5.09 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by w41bu1 in WordPress Plugin UiPress lite versions = 3.5.09...

WordPress Avada Core plugin < 5.15.0 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Bonds in WordPress Plugin Avada Core versions 5.15.0...

WordPress Avada Core plugin < 5.15.0 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Bonds in WordPress Plugin Avada Core versions 5.15.0...

WordPress Fusion Builder plugin < 3.15.0 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Bonds in WordPress Plugin Fusion Builder versions 3.15.0...

WordPress Fusion Builder plugin < 3.15.0 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Bonds in WordPress Plugin Fusion Builder versions 3.15.0...

WordPress Jobs for WordPress plugin <= 2.8 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Krissaphat Jankaew in WordPress Plugin Jobs for WordPress versions = 2.8...