WordPress Tablesome Table 0.5.4-1.2.1 - Missing Authorization to Authenticated (Subscriber+) Information Exposure and Privilege Escalation vulnerability
Missing Authorization to Authenticated (Subscriber+) Information Exposure and Privilege Escalation vulnerability discovered by kr0d in WordPress Plugin Tablesome versions 0.5.4-1.2.1...
WordPress Clasifico Listing plugin <= 2.0 - Unauthenticated Privilege Escalation vulnerability
Unauthenticated Privilege Escalation vulnerability discovered by Alyudin Nafiie in WordPress Plugin Clasifico Listing versions <= 2.0...
WordPress Nelio AB Testing plugin <= 8.2.4 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin Nelio AB Testing versions <= 8.2.4...
WordPress Dealia plugin <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gutenberg Block Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Gutenberg Block Attributes vulnerability discovered by Ronnachai Sretawat Na Ayutaya Simonhaskelly - Reconix Co., Ltd. in WordPress Plugin Dealia versions <= 1.0.6...
WordPress Client Testimonial Slider plugin <= 2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Testimonial Heading' Setting vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via 'Testimonial Heading' Setting vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Client Testimonial Slider versions <= 2.0...
WordPress MP3 Audio Player 4.0-5.10 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure vulnerability
Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure vulnerability discovered by kr0d in WordPress Plugin MP3 Audio Player for Music, Radio & Podcast by Sonaar versions 4.0-5.10...
WordPress XO Event Calendar plugin <= 3.2.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'xo_event_field' shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'xo_event_field' shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin XO Event Calendar versions <= 3.2.10...
WordPress Groups plugin <= 3.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'groups_group_info' Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'groups_group_info' Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Groups versions <= 3.10.0...
WordPress YaMaps for WordPress plugin <= 0.6.40 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Parameters vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Parameters vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin YaMaps for WordPress versions <= 0.6.40...
WordPress Advanced Custom Fields: Font Awesome plugin <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by JongHwan Shin zzzsleep in WordPress Plugin Advanced Custom Fields: Font Awesome Field versions <= 5.0.1...
WordPress BackWPup plugin <= 5.6.2 - Authenticated (BackWPup Helper+) Privilege Escalation via Arbitrary Options Update vulnerability
Authenticated (BackWPup Helper+) Privilege Escalation via Arbitrary Options Update vulnerability discovered by 0N0ise - cert.pl in WordPress Plugin BackWPup versions <= 5.6.2...
WordPress Virusdie plugin <= 1.1.7 - Missing Authorization to Authenticated (Subscriber+) API Key Disclosure vulnerability
Missing Authorization to Authenticated (Subscriber+) API Key Disclosure vulnerability discovered by Sushi Com Abacate in WordPress Plugin Virusdie versions <= 1.1.7...
WordPress Image Hotspot by DevVN plugin <= 1.2.9 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Field Meta vulnerability
Authenticated (Author+) Stored Cross-Site Scripting via Custom Field Meta vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Image Hotspot by DevVN versions <= 1.2.9...
WordPress SEO Plugin by Squirrly SEO plugin <= 12.4.14 - Missing Authorization to Authenticated (Subscriber+) Cloud Service Disconnection vulnerability
Missing Authorization to Authenticated (Subscriber+) Cloud Service Disconnection vulnerability discovered by Marcin Dudek dudekmar - CERT.PL in WordPress Plugin SEO Plugin by Squirrly SEO versions <= 12.4.14...
WordPress Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin <= 21.0.9 - Missing Authorization to Authenticated (Subscriber+) Email MFA Update vulnerability
Missing Authorization to Authenticated (Subscriber+) Email MFA Update vulnerability discovered by shark3y in WordPress Plugin Shield Security versions <= 21.0.9...
WordPress OneClick Chat to Order plugin <= 1.0.9 - Missing Authorization to Authenticated (Editor+) Plugin Settings Update vulnerability
Missing Authorization to Authenticated (Editor+) Plugin Settings Update vulnerability discovered by Mohammad Amin Hajian mamadrce in WordPress Plugin OneClick Chat to Order versions <= 1.0.9...
WordPress Tennis Court Bookings plugin <= 1.2.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Admin Settings and Calendar Parameters vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via Admin Settings and Calendar Parameters vulnerability discovered by 0x34rth in WordPress Plugin Tennis Court Bookings versions <= 1.2.7...
WordPress salavat counter Plugin plugin <= 0.9.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'image_url' Parameter vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via 'image_url' Parameter vulnerability discovered by 0x34rth in WordPress Plugin salavat counter versions <= 0.9.5...
WordPress Remove Post Type Slug plugin <= 1.0.2 - Cross-Site Request Forgery to Settings Update vulnerability
Cross-Site Request Forgery to Settings Update vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Remove Post Type Slug versions <= 1.0.2...
WordPress TalkJS plugin <= 0.1.15 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'welcomeMessage' Parameter vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via 'welcomeMessage' Parameter vulnerability discovered by 0x34rth in WordPress Plugin TalkJS versions <= 0.1.15...
WordPress Dealia - Request a quote plugin <= 1.0.6 - Missing Authorization to Authenticated (Contributor+) Plugin Configuration Reset vulnerability
WordPress Dealia - Request a quote plugin <= 1.0.6 - Missing Authorization to Authenticated (Contributor+) Plugin Configuration Reset vulnerability discovered by Ronnachai Sretawat Na Ayutaya Simonhaskelly - Reconix Co., Ltd. in WordPress Plugin Dealia versions <= 1.0.6...
WordPress Slidorion plugin <= 1.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Slidorion Settings vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via Slidorion Settings vulnerability discovered by san6051 - PWC in WordPress Plugin Slidorion versions <= 1.0.2...
WordPress News Element Elementor Blog Magazine plugin <= 1.0.8 - Missing Authorization to Authenticated (Subscriber+) Data Loss vulnerability
Missing Authorization to Authenticated (Subscriber+) Data Loss vulnerability discovered by Legion Hunter in WordPress Plugin News Element Elementor Blog Magazine versions <= 1.0.8...
WordPress Advance Block Extend plugin <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via TitleColor Block Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via TitleColor Block Attribute vulnerability discovered by WordFence in WordPress Plugin Advance Block Extend versions <= 1.0.4...
WordPress Toret Manager plugin <= 1.2.7 - Authenticated (Subscriber+) Arbitrary Options Update via AJAX actions vulnerability
Authenticated (Subscriber+) Arbitrary Options Update via AJAX actions vulnerability discovered by vgo0 in WordPress Plugin Toret Manager versions <= 1.2.7...
WordPress Whatsiplus Scheduled Notification for Woocommerce plugin <= 1.0.1 - Cross-Site Request Forgery to 'wsnfw_save_users_settings' AJAX Action vulnerability
Cross-Site Request Forgery to 'wsnfw_save_users_settings' AJAX Action vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin Whatsiplus Scheduled Notification for Woocommerce versions <= 1.0.1...
WordPress Razorpay for WooCommerce plugin <= 4.7.8 - Missing Authentication to Unauthenticated Order Modification vulnerability
Missing Authentication to Unauthenticated Order Modification vulnerability discovered by Marcin Dudek dudekmar - CERT.PL in WordPress Plugin Razorpay for WooCommerce versions <= 4.7.8...
WordPress Mega Store Woocommerce plugin <= 5.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Page Creation and Settings Change vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary Page Creation and Settings Change vulnerability discovered by bugzy in WordPress Theme Mega Store Woocommerce versions <= 5.9...
WordPress Breadcrumb NavXT plugin <= 7.5.0 - Missing Authorization to Sensitive Information Exposure vulnerability
Missing Authorization to Sensitive Information Exposure vulnerability discovered by NosleeP++ in WordPress Plugin Breadcrumb NavXT versions <= 7.5.0...
WordPress Country Blocker for AdSense plugin <= 1.0 - Cross-Site Request Forgery to Settings Update vulnerability
Cross-Site Request Forgery to Settings Update vulnerability discovered by dayea song - Ahnlab in WordPress Plugin Country Blocker for AdSense versions <= 1.0...
WordPress Page Title, Description & Open Graph Updater plugin <= 1.02 - Cross-Site Request Forgery to Arbitrary Page Title Modification vulnerability
Cross-Site Request Forgery to Arbitrary Page Title Modification vulnerability discovered by dayea song - Ahnlab in WordPress Plugin Page Title, Description & Open Graph Updater versions <= 1.02...
WordPress Easy Table of Contents plugin <= 2.0.78 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Jack Taylor in WordPress Plugin Easy Table of Contents versions <= 2.0.78...
WordPress s2Member plugin <= 251005 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin s2Member versions <= 251005...
WordPress Album and Image Gallery Plus Lightbox plugin <= 2.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin's Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin's Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Album and Image Gallery plus Lightbox versions <= 2.1.7...
WordPress Apollo13 Framework Extension plugin <= 1.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via `a13_alt_link` Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via `a13_alt_link` Parameter vulnerability discovered by Webbernaut in WordPress Plugin Apollo13 Framework Extensions versions <= 1.9.8...
WordPress Shopire plugin <= 1.0.57 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install vulnerability
Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install vulnerability discovered by Ky0toFu in WordPress Theme Shopire versions <= 1.0.57...
WordPress Renden plugin <= 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title vulnerability discovered by Peter Thaleikis in WordPress Theme Renden versions <= 1.8.1...
WordPress CTX Feed - WooCommerce Product Feed Manager plugin <= 6.6.11 - Missing Authorization to Authenticated (Shop Manager+) Arbitrary Plugin Installation vulnerability
WordPress CTX Feed - WooCommerce Product Feed Manager plugin <= 6.6.11 - Missing Authorization to Authenticated (Shop Manager+) Arbitrary Plugin Installation vulnerability discovered by DityaRA in WordPress Plugin CTX Feed versions <= 6.6.11...
WordPress Web Accessibility by accessiBe plugin <= 2.11 - Unauthenticated Sensitive Information Exposure vulnerability
Unauthenticated Sensitive Information Exposure vulnerability discovered by Rafshanzani Suhada in WordPress Plugin Web Accessibility By accessiBe versions <= 2.11...
WordPress Advanced Ads - Ad Manager & AdSense plugin <= 2.0.14 - Missing Authorization to Authenticated (Subscriber+) Ad Placements Update vulnerability
WordPress Advanced Ads - Ad Manager & AdSense plugin <= 2.0.14 - Missing Authorization to Authenticated (Subscriber+) Ad Placements Update vulnerability discovered by Supakiad S. m3ez - E-CQURITY Thailand in WordPress Plugin Advanced Ads versions <= 2.0.14...
WordPress Official StatCounter Plugin plugin <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Nickname vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Nickname vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin StatCounter versions <= 2.1.0...
WordPress NewsBlogger <= 0.2.5.6-0.2.6.1 - Cross-Site Request Forgery to Arbitrary Plugin Installation vulnerability
Cross-Site Request Forgery to Arbitrary Plugin Installation vulnerability discovered by luckybuddy in WordPress Theme NewsBlogger versions 0.2.5.6-0.2.6.1...
WordPress Popup Builder plugin <= 4.4.2 - Improper Authorization to Unauthenticated Subscriber Removal via Predictable Tokens vulnerability
Improper Authorization to Unauthenticated Subscriber Removal via Predictable Tokens vulnerability discovered by Rafshanzani Suhada in WordPress Plugin Popup Builder versions <= 4.4.2...
WordPress Drift plugin <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title vulnerability discovered by Peter Thaleikis in WordPress Theme Drift versions <= 1.5.0...
WordPress Easy SVG Support plugin <= 4.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload vulnerability
Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload vulnerability discovered by Sornram9254 in WordPress Plugin Easy SVG Support versions <= 4.0...
WordPress Printful Integration for WooCommerce plugin <= 2.2.11 - Authenticated (Contributor+) Server-Side Request Forgery vulnerability
Authenticated (Contributor+) Server-Side Request Forgery vulnerability discovered by Adrian Lukita in WordPress Plugin Printful Integration for WooCommerce versions <= 2.2.11...
WordPress ACF Photo Gallery Field plugin <= 3.0 - Missing Authorization to Authenticated (Subscriber+) Attachment Metadata Modification vulnerability
Missing Authorization to Authenticated (Subscriber+) Attachment Metadata Modification vulnerability discovered by Rafshanzani Suhada in WordPress Plugin ACF Photo Gallery Field versions <= 3.0...
WordPress Mesmerize Companion plugin <= 1.6.158 - Missing Authorization Authenticated (Subscriber+) Settings Update vulnerability
Missing Authorization Authenticated (Subscriber+) Settings Update vulnerability discovered by Rafshanzani Suhada in WordPress Plugin Mesmerize Companion versions <= 1.6.158...
WordPress Mailchimp List Subscribe Form plugin <= 2.0.0 - Cross-Site Request Forgery to Mailchimp List Change vulnerability
Cross-Site Request Forgery to Mailchimp List Change vulnerability discovered by SHIVAM KUMAR in WordPress Plugin Mailchimp List Subscribe Form versions <= 2.0.0...
WordPress Booking Calendar plugin <= 10.14.14 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Settings Modification vulnerability
Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Settings Modification vulnerability discovered by Tarcísio Luchesi De Almeida Silva Poystick in WordPress Plugin Booking Calendar versions <= 10.14.14...