WordPress Zorka theme <= 1.5.7 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting XSS vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Zorka versions = 1.5.7...

WordPress Legacy Admin plugin <= 9.5 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting XSS vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Legacy Admin versions = 9.5...

WordPress Ultra WordPress Admin plugin <= 11.7 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting XSS vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Ultra WordPress Admin versions = 11.7...

WordPress Primer MyData for Woocommerce plugin <= 4.2.1 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by vgo0 in WordPress Plugin Primer MyData for Woocommerce versions = 4.2.1...

WordPress Core <= 6.9.1 - Stored Cross-Site Scripting

Stored Cross-Site Scripting vulnerability discovered by Phill Savage in WordPress core versions 6.9-6.9.1...

WordPress Active Products Tables for WooCommerce plugin <= 1.0.7 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by zaim in WordPress Plugin Active Products Tables for WooCommerce versions = 1.0.7...

WordPress WooCommerce plugin < 10.5.3 - Arbitrary Admin User Creation via CSRF vulnerability

Arbitrary Admin User Creation via CSRF vulnerability discovered by oolongeya in WordPress Plugin WooCommerce versions 10.5.3...

WordPress Handmade Framework plugin <= 3.9 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting XSS vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Handmade Framework versions = 3.9...

WordPress Melody theme <= 1.6.3 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Melody versions = 1.6.3...

WordPress Beelove theme <= 1.2.6 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Beelove versions = 1.2.6...

WordPress Meta Box plugin <= 5.11.1 - Authenticated (Contributor+) Arbitrary File Deletion vulnerability

Authenticated Contributor+ Arbitrary File Deletion vulnerability discovered by JongHwan Shin zzzsleep in WordPress Plugin Meta Box – WordPress Custom Fields Framework versions = 5.11.1...

WordPress RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin <= 5.0.11 - Unauthenticated DOM-Based Reflected Cross-Site Scripting via postMessage vulnerability

WordPress RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin = 5.0.11 - Unauthenticated DOM-Based Reflected Cross-Site Scripting via postMessage vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - cyberdogzmarketing.com | krei.dev | ogbuilders.io in WordPress...

WordPress WP App Bar plugin <= 1.5 - Unauthenticated Stored Cross-Site Scripting via 'app-bar-features' Parameter vulnerability

Unauthenticated Stored Cross-Site Scripting via 'app-bar-features' Parameter vulnerability discovered by 0x34rth in WordPress Plugin WP App Bar versions = 1.5...

WordPress Paid Videochat Turnkey Site - HTML5 PPV Live Webcams plugin <= 7.3.20 - Authenticated (Author+) Privilege Escalation vulnerability

WordPress Paid Videochat Turnkey Site - HTML5 PPV Live Webcams plugin = 7.3.20 - Authenticated Author+ Privilege Escalation vulnerability discovered by Peter Thaleikis in WordPress Plugin Paid Videochat Turnkey Site versions = 7.3.20...

WordPress JS Archive List plugin <= 6.1.7 - Authenticated (Contributor+) PHP Object Injection via 'included' Shortcode Attribute vulnerability

Authenticated Contributor+ PHP Object Injection via 'included' Shortcode Attribute vulnerability discovered by WordFence in WordPress Plugin JS Archive List versions = 6.1.7...

WordPress CM Custom Reports plugin <= 1.2.7 - Reflected Cross-Site Scripting via 'date_from' and 'date_to' Parameters vulnerability

Reflected Cross-Site Scripting via 'datefrom' and 'dateto' Parameters vulnerability discovered by san6051 - PWC in WordPress Plugin CM Custom WordPress Reports and Analytics versions = 1.2.7...

WordPress ZIP Code Based Content Protection plugin <= 1.0.2 - Unauthenticated SQL Injection via 'zipcode' Parameter vulnerability

Unauthenticated SQL Injection via 'zipcode' Parameter vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin ZIP Code Based Content Protection versions = 1.0.2...

WordPress Themify Event Post plugin <= 1.3.4 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by zaim in WordPress Plugin Themify Event Post versions = 1.3.4...

WordPress Podlove Podcast Publisher plugin <= 4.3.3 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by zaim in WordPress Plugin Podlove Podcast Publisher versions = 4.3.3...

WordPress Atarim plugin <= 4.3.2 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin Atarim versions = 4.3.2...

WordPress Contact Form by WPForms plugin <= 1.9.9.3 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by davidfdzmorilla in WordPress Plugin Contact Form by WPForms versions = 1.9.9.3...

WordPress Elementor Website Builder plugin <= 3.35.5 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by davidfdzmorilla in WordPress Plugin Elementor Website Builder versions = 3.35.5...

WordPress LotekMedia Popup Form plugin <= 1.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting via Plugin Settings vulnerability discovered by Hieus in WordPress Plugin LotekMedia Popup Form versions = 1.0.6...

WordPress Carta Online plugin <= 2.13.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting via Plugin Settings vulnerability discovered by 0x34rth in WordPress Plugin Carta Online versions = 2.13.0...

WordPress True Ranker plugin <= 2.2.9 - Cross-Site Request Forgery to Unauthorized True Ranker Disconnection vulnerability

Cross-Site Request Forgery to Unauthorized True Ranker Disconnection vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin True Ranker versions = 2.2.9...

WordPress Infomaniak Connect for OpenID plugin <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Infomaniak Connect for OpenID versions = 1.0.2...

WordPress Font Pairing Preview For Landing Pages plugin <= 1.3 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin Font Pairing Preview For Landing Pages versions = 1.3...

WordPress Show YouTube video plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'id' Shortcode Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Show YouTube video versions = 1.1...

WordPress Purchase Button For Affiliate Link plugin <= 1.0.2 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin Purchase Button For Affiliate Link versions = 1.0.2...

WordPress DA Media GigList plugin <= 1.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'list_title' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'listtitle' Shortcode Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin DA Media GigList versions = 1.9.0...

WordPress Consensus Embed plugin <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'src' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'src' Shortcode Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Consensus Embed versions = 1.6...

WordPress Media Library Alt Text Editor plugin <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post_id' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'postid' Shortcode Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Media Library Alt Text Editor versions = 1.0.0...

WordPress The Guardian News Feed plugin <= 1.2 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin The Guardian News Feed versions = 1.2...

WordPress MyQtip - easy qTip2 plugin <= 2.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability

WordPress MyQtip - easy qTip2 plugin = 2.0.5 - Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by zaim in WordPress Plugin MyQtip – easy qTip2 versions = 2.0.5...

WordPress Wueen plugin <= 0.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via plugin's Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via plugin's Shortcode vulnerability discovered by zaim in WordPress Plugin Wueen versions = 0.2.0...

WordPress MDJM Event Management plugin <= 1.7.8.1 - Missing Authorization to Unauthenticated Arbitrary Custom Event Field Deletion vulnerability

Missing Authorization to Unauthenticated Arbitrary Custom Event Field Deletion vulnerability discovered by Legion Hunter in WordPress Plugin Mobile DJ Manager versions = 1.7.8.1...

WordPress MailArchiver plugin <= 4.4.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting via Settings vulnerability discovered by Ronnachai Chaipha rxnr - Reconix Co., Ltd. in WordPress Plugin MailArchiver versions = 4.4.0...

WordPress Community Events plugin <= 1.5.8 - Authenticated (Administrator+) SQL Injection via 'ce_venue_name' CSV Field vulnerability

Authenticated Administrator+ SQL Injection via 'cevenuename' CSV Field vulnerability discovered by Bee - FPT University in WordPress Plugin Community Events versions = 1.5.8...

WordPress ProfileGrid plugin <= 5.9.8.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Message Deletion vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Message Deletion vulnerability discovered by WordFence in WordPress Plugin ProfileGrid versions = 5.9.8.1...

WordPress ProfileGrid plugin <= 5.9.8.2 - Cross-Site Request Forgery to Group Membership Request Approval/Denial vulnerability

Cross-Site Request Forgery to Group Membership Request Approval/Denial vulnerability discovered by WordFence in WordPress Plugin ProfileGrid versions = 5.9.8.2...

WordPress Stock Ticker plugin <= 3.26.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Template vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting via Template vulnerability discovered by WordFence in WordPress Plugin Stock Ticker versions = 3.26.1...

WordPress Easy PHP Settings plugin <= 1.0.4 - Authenticated (Administrator+) PHP Code Injection via 'wp_memory_limit' Setting vulnerability

Authenticated Administrator+ PHP Code Injection via 'wpmemorylimit' Setting vulnerability discovered by ZAST.AI - ZAST.AI in WordPress Plugin Easy PHP Settings versions = 1.0.4...

WordPress Hammas Calendar plugin <= 1.5.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'apix' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'apix' Shortcode Attribute vulnerability discovered by zaim in WordPress Plugin Hammas Calendar versions = 1.5.11...

WordPress WP Frontend Profile plugin <= 1.3.8 - Cross-Site Request Forgery to Unauthorized User Account Approval or Rejection vulnerability

Cross-Site Request Forgery to Unauthorized User Account Approval or Rejection vulnerability discovered by johska in WordPress Plugin WP Frontend Profile versions = 1.3.8...

WordPress Greenshift plugin <= 12.8.3 - Missing Authorization to Unauthenticated Private Reusable Block Disclosure via 'gspb_el_reusable_load' vulnerability

Missing Authorization to Unauthenticated Private Reusable Block Disclosure via 'gspbelreusableload' vulnerability discovered by Lucas Montes NiRoX in WordPress Plugin Greenshift versions = 12.8.3...

WordPress Winston AI plugin <= 0.0.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Deletion vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Plugin Settings Deletion vulnerability discovered by Legion Hunter in WordPress Plugin HUMN-1 AI Website Scanner & Human Certification by Winston AI versions = 0.0.3...

WordPress Wizor's theme <= 2.12 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Wizor's versions = 2.12...

WordPress VegaDays theme <= 1.2.0 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme VegaDays versions = 1.2.0...

WordPress Unica theme <= 1.4.1 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Unica versions = 1.4.1...

WordPress Roisin theme <= 1.2.1 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Roisin versions = 1.2.1...