45960 matches found
WordPress Essential Addons for Elementor plugin <= 6.5.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Info Box Widget vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Info Box Widget vulnerability discovered by knani alaaeddine iwd in WordPress Plugin Essential Addons for Elementor versions <= 6.5.9...
WordPress MP3 Audio Player 5.3-5.10 - Authenticated (Author+) Server-Side Request Forgery vulnerability
Authenticated (Author+) Server-Side Request Forgery vulnerability discovered by kr0d in WordPress Plugin MP3 Audio Player for Music, Radio & Podcast by Sonaar versions 5.3-5.10...
WordPress Mail Mint plugin <= 1.19.2 - Authenticated (Administrator+) SQL Injection via Multiple API Endpoints vulnerability
Authenticated (Administrator+) SQL Injection via Multiple API Endpoints vulnerability discovered by Paolo Tresso - Wordfence in WordPress Plugin Mail Mint versions <= 1.19.2...
WordPress Modula Image Gallery - Photo Grid & Video Gallery plugin <= 2.13.6 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post/Page Editing vulnerability
WordPress Modula Image Gallery - Photo Grid & Video Gallery plugin <= 2.13.6 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post/Page Editing vulnerability discovered by type5afe in WordPress Plugin Modula Image Gallery versions <= 2.13.6...
WordPress myCred plugin <= 2.9.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'mycred_load_coupon' Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'mycred_load_coupon' Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin myCred versions <= 2.9.7.3...
WordPress Link Hopper plugin <= 2.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'hop_name' Parameter vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via 'hop_name' Parameter vulnerability discovered by ZAST.AI - ZAST.AI in WordPress Plugin Link Hopper versions <= 2.5...
WordPress Ravelry Designs Widget plugin <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sb_ravelry_designs' Shortcode 'layout' Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'sb_ravelry_designs' Shortcode 'layout' Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Ravelry Designs Widget versions <= 1.0.0...
WordPress UpMenu plugin <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'upmenu-menu' Shortcode 'lang' Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'upmenu-menu' Shortcode 'lang' Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin UpMenu versions <= 3.1...
WordPress Chatbot for WordPress by Collect.chat ⚡️ plugin <= 2.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta Field vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta Field vulnerability discovered by Deadbee - NA in WordPress Plugin collectchat versions <= 2.4.8...
WordPress Press3D plugin <= 1.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Link URL Parameter in 3D Model Block vulnerability
Authenticated (Author+) Stored Cross-Site Scripting via Link URL Parameter in 3D Model Block vulnerability discovered by WordFence in WordPress Plugin Press3D versions <= 1.0.2...
WordPress Smart Forms plugin <= 2.6.99 - Missing Authorization to Authenticated (Subscriber+) Campaign Data Exposure vulnerability
Missing Authorization to Authenticated (Subscriber+) Campaign Data Exposure vulnerability discovered by lucsob in WordPress Plugin Smart Forms versions <= 2.6.99...
WordPress User Language Switch plugin <= 1.6.10 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'tab_color_picker_language_switch' Parameter vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via 'tab_color_picker_language_switch' Parameter vulnerability discovered by 0x34rth in WordPress Plugin User Language Switch versions <= 1.6.10...
WordPress User Language Switch plugin <= 1.6.10 - Authenticated (Administrator+) Server-Side Request Forgery via 'info_language' Parameter vulnerability
Authenticated (Administrator+) Server-Side Request Forgery via 'info_language' Parameter vulnerability discovered by 0x34rth in WordPress Plugin User Language Switch versions <= 1.6.10...
WordPress Payment Page | Payment Form for Stripe plugin <= 1.4.6 - Authenticated (Author+) Stored Cross-Site Scripting via 'pricing_plan_select_text_font_family' Parameter vulnerability
Authenticated (Author+) Stored Cross-Site Scripting via 'pricing_plan_select_text_font_family' Parameter vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Payment Page versions <= 1.4.6...
WordPress MDirector Newsletter plugin <= 4.5.8 - Cross-Site Request Forgery to Plugin Settings Update vulnerability
Cross-Site Request Forgery to Plugin Settings Update vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin MDirector Newsletter versions <= 4.5.8...
WordPress MailChimp Campaigns plugin <= 3.2.4 - Missing Authorization to Authenticated (Subscriber+) MailChimp App Disconnection vulnerability
Missing Authorization to Authenticated (Subscriber+) MailChimp App Disconnection vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin MailChimp Campaigns versions <= 3.2.4...
WordPress WP Quick Contact Us plugin <= 1.0 - Cross-Site Request Forgery to Settings Update vulnerability
Cross-Site Request Forgery to Settings Update vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin WP Quick Contact Us versions <= 1.0...
WordPress Best-wp-google-map plugin <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'latitude' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'latitude' Shortcode Attribute vulnerability discovered by theviper17y in WordPress Plugin Best-wp-google-map versions <= 2.1...
WordPress Percent to Infograph plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin Percent to Infograph versions <= 1.0...
WordPress Scheduler Widget plugin <= 0.1.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Event Modification vulnerability
Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Event Modification vulnerability discovered by MD. TAREQ AHAMED JONY itztrq - Knight Squad in WordPress Plugin Scheduler Widget versions <= 0.1.6...
WordPress QuestionPro Surveys plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin QuestionPro Surveys versions <= 1.0...
WordPress Sphere Manager plugin <= 1.0.2 - Authenticated (Contributor+) Cross-Site Scripting via 'width' Shortcode Attribute vulnerability
Authenticated (Contributor+) Cross-Site Scripting via 'width' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin Sphere Manager versions <= 1.0.2...
WordPress CallbackKiller service widget plugin <= 1.2 - Missing Authorization to Unauthenticated Arbitrary Plugin Settings Update vulnerability
Missing Authorization to Unauthenticated Arbitrary Plugin Settings Update vulnerability discovered by Legion Hunter in WordPress Plugin CallbackKiller service widget versions <= 1.2...
WordPress LatePoint - Calendar Booking Plugin for Appointments and Events plugin <= 5.2.5 - Cross-Site Request Forgery vulnerability
WordPress LatePoint - Calendar Booking Plugin for Appointments and Events plugin <= 5.2.5 - Cross-Site Request Forgery vulnerability discovered by Moose Love - Nagasaki Prefectural University in WordPress Plugin LatePoint versions <= 5.2.5...
WordPress MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin <= 3.7.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'stm_lms_courses_grid_display' Shortcode vulnerability
WordPress MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin <= 3.7.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'stm_lms_courses_grid_display' Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin MasterStudy LMS versions <= 3.7.11...
WordPress Accordion and Accordion Slider plugin <= 1.4.5 - Missing Authorization to Authenticated (Contributor+) Attachment Metadata Modification vulnerability
Missing Authorization to Authenticated (Contributor+) Attachment Metadata Modification vulnerability discovered by Kazuma Matsumoto - GMO Cybersecurity by IERAE, Inc. in WordPress Plugin Accordion and Accordion Slider versions <= 1.4.5...
WordPress Flexi Product Slider and Grid for WooCommerce plugin <= 1.0.5 - Authenticated (Contributor+) Local File Inclusion via 'theme' Shortcode Attribute vulnerability
Authenticated (Contributor+) Local File Inclusion via 'theme' Shortcode Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Flexi Product Slider and Grid for WooCommerce versions <= 1.0.5...
WordPress Allow HTML in Category Descriptions plugin <= 1.2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Category Descriptions vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via Category Descriptions vulnerability discovered by ZAST.AI - ZAST.AI in WordPress Plugin Allow HTML in Category Descriptions versions <= 1.2.4...
WordPress WP Data Access plugin <= 5.5.63 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpda_app' Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpda_app' Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin WP Data Access versions <= 5.5.63...
WordPress ZoomifyWP Free plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'filename' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'filename' Shortcode Attribute vulnerability discovered by theviper17y in WordPress Plugin ZoomifyWP Free versions <= 1.1...
WordPress Simple Plyr plugin <= 0.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'poster' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'poster' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin Simple Plyr versions <= 0.0.1...
WordPress Appointment Booking Calendar Plugin plugin <= 1.0.2 - Missing Authorization to Unauthenticated Arbitrary Appointment Status Modification vulnerability
Missing Authorization to Unauthenticated Arbitrary Appointment Status Modification vulnerability discovered by MD. TAREQ AHAMED JONY itztrq - Knight Squad in WordPress Plugin Bookr versions <= 1.0.2...
WordPress Simple Wp colorfull Accordion plugin <= 1.0 - Authenticated (Contributor+) Cross-Site Scripting via 'title' Shortcode Attribute vulnerability
Authenticated (Contributor+) Cross-Site Scripting via 'title' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin Simple Wp colorfull Accordion versions <= 1.0...
WordPress AMP Enhancer plugin <= 1.0.49 - Authenticated (Administrator+) Stored Cross-Site Scripting via AMP Custom CSS Setting vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via AMP Custom CSS Setting vulnerability discovered by Muqsith Barru - TCC in WordPress Plugin AMP Enhancer Compatibility Layer for Official AMP Plugin versions <= 1.0.49...
WordPress Citations tools plugin <= 0.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'code' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'code' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin Citations tools versions <= 0.3.2...
WordPress Easy Voice Mail plugin <= 1.2.5 - Unauthenticated Stored Cross-Site Scripting via 'message' vulnerability
Unauthenticated Stored Cross-Site Scripting via 'message' vulnerability discovered by Kazuma Matsumoto - GMO Cybersecurity by IERAE, Inc. in WordPress Plugin Easy Voice Mail versions <= 1.2.5...
WordPress SEATT: Simple Event Attendance plugin <= 1.5.0 - Cross-Site Request Forgery to Arbitrary Event Deletion vulnerability
Cross-Site Request Forgery to Arbitrary Event Deletion vulnerability discovered by MD. TAREQ AHAMED JONY itztrq - Knight Squad in WordPress Plugin SEATT: Simple Event Attendance versions <= 1.5.0...
WordPress WP Last Modified Info plugin <= 1.9.5 - Insecure Direct Object Reference to Authenticated (Author+) Post Metadata Modification vulnerability
Insecure Direct Object Reference to Authenticated (Author+) Post Metadata Modification vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin WP Last Modified Info versions <= 1.9.5...
WordPress Easy Form Builder plugin <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Response Data Exposure vulnerability
Missing Authorization to Authenticated (Subscriber+) Sensitive Form Response Data Exposure vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin Easy Form Builder versions <= 3.9.3...
WordPress StickEasy Protected Contact Form plugin <= 1.0.1 - Unauthenticated Information Disclosure vulnerability
Unauthenticated Information Disclosure vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin StickEasy Protected Contact Form versions <= 1.0.1...
WordPress BFG Tools - Extension Zipper plugin <= 1.0.7 - Authenticated (Administrator+) Path Traversal via 'first_file' Parameter vulnerability
WordPress BFG Tools - Extension Zipper plugin <= 1.0.7 - Authenticated (Administrator+) Path Traversal via 'first_file' Parameter vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin BFG Tools – Extension Zipper versions <= 1.0.7...
WordPress FastDup - Fastest WordPress Migration & Duplicator plugin <= 2.7.1 - Missing Authorization to Authenticated (Contributor+) Backup Creation and Download vulnerability
WordPress FastDup - Fastest WordPress Migration & Duplicator plugin <= 2.7.1 - Missing Authorization to Authenticated (Contributor+) Backup Creation and Download vulnerability discovered by WordFence in WordPress Plugin FastDup versions <= 2.7.1...
WordPress Passster plugin <= 4.2.25 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by johska in WordPress Plugin Passster versions <= 4.2.25...
WordPress WP Server Log Viewer <= 1.0 - Stored Cross Site Scripting vulnerability
Stored Cross Site Scripting vulnerability discovered by strider in WordPress Plugin WP Server Log Viewer versions <= 1.0...
WordPress Duplicate Post plugin <= 3.2.3 - Stored Cross-Site Scripting vulnerability
Stored Cross-Site Scripting vulnerability discovered by Unk9vvN in WordPress Plugin Duplicate Post versions <= 3.2.3...
WordPress OpenPix plugin <= 2.13.3 - Subscriber+ Payment Gateway Settings Reset vulnerability
Subscriber+ Payment Gateway Settings Reset vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan in WordPress Plugin OpenPix versions <= 2.13.3...
WordPress LatePoint - Calendar Booking Plugin for Appointments and Events plugin <= 5.2.6 - Missing Authorization to Booking Details Exposure vulnerability
WordPress LatePoint - Calendar Booking Plugin for Appointments and Events plugin <= 5.2.6 - Missing Authorization to Booking Details Exposure vulnerability discovered by Chiao-Lin Yu Steven Meow - Trend Micro in WordPress Plugin LatePoint versions <= 5.2.6...
WordPress Gutenberg Blocks with AI by Kadence WP plugin <= 3.5.32 - Incorrect Authorization to Authenticated (Contributor+) Post Publication vulnerability
Incorrect Authorization to Authenticated (Contributor+) Post Publication vulnerability discovered by johska in WordPress Plugin Gutenberg Blocks by Kadence Blocks versions <= 3.5.32...
WordPress JS Help Desk plugin <= 3.0.1 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Bonds in WordPress Plugin JS Help Desk versions <= 3.0.1...
WordPress Persian Woocommerce SMS plugin <= 7.1.1 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Bonds in WordPress Plugin Persian Woocommerce SMS versions <= 7.1.1...