WordPress StyleBidet plugin <= 1.0.0 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin StyleBidet versions = 1.0.0...

WordPress WP Maps plugin <= 4.8.6 - Authenticated (Subscriber+) Limited Local File Inclusion vulnerability

Authenticated Subscriber+ Limited Local File Inclusion vulnerability discovered by mikemyers in WordPress Plugin WP Maps versions = 4.8.6...

WordPress Super Simple Contact Form plugin <= 1.6.2 - Reflected Cross-Site Scripting via 'sscf_name' Parameter vulnerability

Reflected Cross-Site Scripting via 'sscfname' Parameter vulnerability discovered by 0x34rth in WordPress Plugin Super Simple Contact Form versions = 1.6.2...

WordPress Zarinpal Gateway for WooCommerce plugin <= 5.0.16 - Improper Access Control to Payment Status Update vulnerability

Improper Access Control to Payment Status Update vulnerability discovered by shark3y in WordPress Plugin Zarinpal Gateway versions = 5.0.16...

WordPress WowRevenue plugin <= 2.1.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Plugin Installation/Activation vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin WowRevenue versions = 2.1.3...

WordPress Build App Online plugin <= 1.0.22 - Account Takeover via Weak Password Reset Mechanism vulnerability

Account Takeover via Weak Password Reset Mechanism vulnerability discovered by Ram - Wordfence in WordPress Plugin Build App Online versions = 1.0.22...

WordPress A-Mart theme <= 1.0.2 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme A-Mart versions = 1.0.2...

WordPress WP Compress plugin <= 6.60.28 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin WP Compress versions = 6.60.28...

WordPress EventPrime plugin <= 4.2.8.4 - Missing Authorization to Unauthenticated Image Upload via 'ep_upload_file_media' AJAX Endpoint vulnerability

Missing Authorization to Unauthenticated Image Upload via 'epuploadfilemedia' AJAX Endpoint vulnerability discovered by Tharadol Suksamran d3kc4rt1 in WordPress Plugin EventPrime versions = 4.2.8.4...

WordPress Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin <= 1.50.2 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability

WordPress Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin = 1.50.2 - Authenticated Administrator+ Stored Cross-Site Scripting vulnerability discovered by Tiến Dũng Nguyễn in WordPress Plugin Forminator versions = 1.50.2...

WordPress RegistrationMagic plugin < 6.0.7.2 - Subscriber+ Form Creation vulnerability

Subscriber+ Form Creation vulnerability discovered by bRpsd in WordPress Plugin RegistrationMagic versions 6.0.7.2...

WordPress WP-Members Membership Plugin plugin <= 3.4.8 - Missing Authorization to Sensitive Information Exposure vulnerability

Missing Authorization to Sensitive Information Exposure vulnerability discovered by Francesco Carlucci in WordPress Plugin WP-Members versions = 3.4.8...

WordPress Easy Social Feed plugin <= 6.5.2 - Missing Authorization to Settings Modification vulnerability

Missing Authorization to Settings Modification vulnerability discovered by Lucio Sá in WordPress Plugin Easy Social Feed versions = 6.5.2...

WordPress Backup Migration plugin <= 1.3.9 - Authenticated (Admin+) OS Command Injection via url vulnerability

Authenticated Admin+ OS Command Injection via url vulnerability discovered by Françoa Taffarel in WordPress Plugin Backup Migration versions = 1.3.9...

WordPress Auto Featured Image (Auto Post Thumbnail) plugin <= 4.1.7 - Authenticated (Author+) Server-Side Request Forgery vulnerability

Authenticated Author+ Server-Side Request Forgery vulnerability discovered by Nex Team in WordPress Plugin Auto Featured Image Auto Post Thumbnail versions = 4.1.7...

WordPress Paytium: Mollie payment forms & donations plugin <= 4.3.7 - Missing Authorization in 'pt_cancel_subscription' vulnerability

Missing Authorization in 'ptcancelsubscription' vulnerability discovered by WordFence in WordPress Plugin Paytium versions = 4.3.7...

WordPress Paytium: Mollie payment forms & donations plugin <= 4.3.7 - Missing Authorization in 'update_profile_preference' vulnerability

Missing Authorization in 'updateprofilepreference' vulnerability discovered by WordFence in WordPress Plugin Paytium versions = 4.3.7...

WordPress Paytium: Mollie payment forms & donations plugin <= 4.3.7 - Missing Authorization in 'paytium_sw_save_api_keys' vulnerability

Missing Authorization in 'paytiumswsaveapikeys' vulnerability discovered by WordFence in WordPress Plugin Paytium versions = 4.3.7...

WordPress Paytium: Mollie payment forms & donations plugin <= 4.3.7 - Missing Authorization in 'check_for_verified_profiles' vulnerability

Missing Authorization in 'checkforverifiedprofiles' vulnerability discovered by WordFence in WordPress Plugin Paytium versions = 4.3.7...

WordPress Paytium: Mollie payment forms & donations plugin <= 4.3.7 - Missing Authorization in 'paytium_notice_dismiss' vulnerability

Missing Authorization in 'paytiumnoticedismiss' vulnerability discovered by WordFence in WordPress Plugin Paytium versions = 4.3.7...

WordPress Paytium: Mollie payment forms & donations plugin <= 4.3.7 - Missing Authorization in 'check_mollie_account_details' vulnerability

Missing Authorization in 'checkmollieaccountdetails' vulnerability discovered by WordFence in WordPress Plugin Paytium versions = 4.3.7...

WordPress Calculated Fields Form plugin <= 5.4.4.1 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by w41bu1 in WordPress Plugin Calculated Fields Form versions = 5.4.4.1...

WordPress CitiLights theme < 3.7.2 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme CitiLights versions 3.7.2...

WordPress Ippsum theme <= 1.2.0 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Bonds in WordPress Theme Ippsum versions = 1.2.0...

WordPress Link Whisper Free plugin <= 0.9.1 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Skalucy in WordPress Plugin Link Whisper Free versions = 0.9.1...

WordPress personal-authors-category plugin <= 0.3 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin personal-authors-category versions = 0.3...

WordPress Secure Copy Content Protection and Content Locking plugin <= 4.9.8 - Unauthenticated Stored Cross-Site Scripting via X-Forwarded-For Header vulnerability

Unauthenticated Stored Cross-Site Scripting via X-Forwarded-For Header vulnerability discovered by Deadbee - NA in WordPress Plugin Secure Copy Content Protection and Content Locking versions = 4.9.8...

WordPress Customer Reviews for WooCommerce plugin <= 5.97.0 - Unauthenticated Stored Cross-Site Scripting via media[].href Parameter vulnerability

Unauthenticated Stored Cross-Site Scripting via media.href Parameter vulnerability discovered by type5afe in WordPress Plugin Customer Reviews for WooCommerce versions = 5.97.0...

WordPress Activity Log for WordPress plugin <= 1.2.8 - Missing Authorization to Sensitive Information Exposure via Log File vulnerability

Missing Authorization to Sensitive Information Exposure via Log File vulnerability discovered by WordFence in WordPress Plugin WP System Log versions = 1.2.8...

WordPress Converter for Media - Optimize images | Convert WebP & AVIF plugin <= 6.5.1 - Unauthenticated Server-Side Request Forgery via src vulnerability

WordPress Converter for Media - Optimize images | Convert WebP & AVIF plugin = 6.5.1 - Unauthenticated Server-Side Request Forgery via src vulnerability discovered by Lucas Montes NiRoX in WordPress Plugin Converter for Media versions = 6.5.1...

WordPress Product Options and Price Calculation Formulas for WooCommerce - Uni CPO (Premium) plugin <= 4.9.60 - Missing Authorization to Unauthenticated Arbitrary Attachment and Dropbox File Deletion vulnerability

WordPress Product Options and Price Calculation Formulas for WooCommerce - Uni CPO Premium plugin = 4.9.60 - Missing Authorization to Unauthenticated Arbitrary Attachment and Dropbox File Deletion vulnerability discovered by Stefan in WordPress Plugin Uni CPO Premium versions = 4.9.60...

WordPress BlueSnap Payment Gateway for WooCommerce plugin <= 3.3.0 - Missing Authorization to Unauthenticated Arbitrary Order Status Manipulation vulnerability

Missing Authorization to Unauthenticated Arbitrary Order Status Manipulation vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin BlueSnap Payment Gateway for WooCommerce versions = 3.3.0...

WordPress Truelysell Core plugin <= 1.8.7 - Unauthenticated Privilege Escalation via Registration vulnerability

Unauthenticated Privilege Escalation via Registration vulnerability discovered by Alyudin Nafiie in WordPress Plugin Truelysell Core versions = 1.8.7...

WordPress wpForo Forum plugin <= 2.4.13 - Authenticated (Subscriber+) PHP Object Injection vulnerability

Authenticated Subscriber+ PHP Object Injection vulnerability discovered by Webbernaut in WordPress Plugin wpForo Forum versions = 2.4.13...

WordPress Jetpack CRM plugin <= 6.7.0 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Skalucy in WordPress Plugin Jetpack CRM versions = 6.7.0...

WordPress Open User Map plugin <= 1.4.16 - Arbitrary File Download vulnerability

Arbitrary File Download vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Open User Map versions = 1.4.16...

WordPress Woocommerce Category Banner Management plugin <= 2.5.1 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Woocommerce Category Banner Management versions = 2.5.1...

WordPress Magic Login Mail or QR Code plugin <= 2.05 - Unauthenticated Privilege Escalation via Insecure QR Code File Storage vulnerability

Unauthenticated Privilege Escalation via Insecure QR Code File Storage vulnerability discovered by ifoundbug in WordPress Plugin Magic Login Mail or QR Code versions = 2.05...

WordPress midi-Synth plugin <= 1.1.0 - Unauthenticated Arbitrary File Upload via 'export' AJAX Action vulnerability

Unauthenticated Arbitrary File Upload via 'export' AJAX Action vulnerability discovered by WordFence in WordPress Plugin midi-Synth versions = 1.1.0...

WordPress PhotoStack Gallery plugin <= 0.4.1 - Unauthenticated SQL Injection via 'postid' Parameter vulnerability

Unauthenticated SQL Injection via 'postid' Parameter vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin PhotoStack Gallery versions = 0.4.1...

WordPress SureForms - Drag and Drop Form Builder for WordPress plugin <= 2.2.1 - Unauthenticated Stripe Payment Amount Manipulation vulnerability

WordPress SureForms - Drag and Drop Form Builder for WordPress plugin = 2.2.1 - Unauthenticated Stripe Payment Amount Manipulation vulnerability discovered by andrea bocchetti in WordPress Plugin SureForms versions = 2.2.1...

WordPress Prime Listing Manager plugin <= 1.1 - Unauthenticated Privilege Escalation vulnerability

Unauthenticated Privilege Escalation vulnerability discovered by Khaled Alenazi Nxploited in WordPress Plugin Prime Listing Manager versions = 1.1...

WordPress WP eCommerce plugin <= 3.15.1 - Unauthenticated PHP Object Injection vulnerability

Unauthenticated PHP Object Injection vulnerability discovered by yiğit ibrahim sağlam in WordPress Plugin WP eCommerce versions = 3.15.1...

WordPress AdForest theme <= 6.0.12 - Authentication Bypass vulnerability

Authentication Bypass vulnerability discovered by Phat RiO - BlueRock in WordPress Theme AdForest versions = 6.0.12...

WordPress Client Invoicing by Sprout Invoices plugin <= 20.8.8 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Bao - BlueRock in WordPress Plugin Client Invoicing by Sprout Invoices versions = 20.8.8...

WordPress FooGallery plugin <= 3.1.11 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Steven Julian in WordPress Plugin FooGallery versions = 3.1.11...

WordPress FooGallery plugin <= 3.1.11 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Steven Julian in WordPress Plugin FooGallery versions = 3.1.11...

WordPress Download Alt Text AI plugin <= 1.10.15 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Trương Hữu Phúc truonghuuphuc in WordPress Plugin Download Alt Text AI versions = 1.10.15...

WordPress WP Activity Log plugin <= 5.5.4 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Steven Julian in WordPress Plugin WP Activity Log versions = 5.5.4...

WordPress Media Library Folders plugin <= 8.3.6 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Attachment Deletion and Rename vulnerability

Insecure Direct Object Reference to Authenticated Author+ Arbitrary Attachment Deletion and Rename vulnerability discovered by shivanandsnaidu - naidu computers in WordPress Plugin Media Library Folders versions = 8.3.6...