WordPress WPlyr Media Block plugin <= 1.3.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via '_wplyr_accent_color' Parameter vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via '_wplyr_accent_color' Parameter vulnerability discovered by 0x34rth in WordPress Plugin WPlyr Media Block versions <= 1.3.0...
WordPress Slideshow Wp plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sswp-slide' Shortcode 'sswpid' Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'sswp-slide' Shortcode 'sswpid' Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Slideshow Wp versions <= 1.1...
WordPress Sudoku Shortcode plugin <= 1.0.0 - Authenticated (Contributor+) Cross-Site Scripting via 'background' Shortcode Attribute vulnerability
Authenticated (Contributor+) Cross-Site Scripting via 'background' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin Sudoku Shortcode versions <= 1.0.0...
WordPress HTML Shortcodes plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by zakaria in WordPress Plugin HTML Shortcodes versions <= 1.1...
WordPress OpenPOS Lite plugin <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin OpenPOS Lite – Point of Sale for WooCommerce versions <= 3.0...
WordPress WaMate Confirm plugin <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Phone Number Blocking/Unblocking vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary Phone Number Blocking/Unblocking vulnerability discovered by Legion Hunter in WordPress Plugin WaMate Confirm versions <= 2.0.1...
WordPress Category Image plugin <= 2.0 - Authenticated (Editor+) Stored Cross-Site Scripting via 'tag-image' Parameter vulnerability
Authenticated (Editor+) Stored Cross-Site Scripting via 'tag-image' Parameter vulnerability discovered by 0x34rth in WordPress Plugin Category Image versions <= 2.0...
WordPress Microtango plugin <= 0.9.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Microtango versions <= 0.9.29...
WordPress Post Slides plugin <= 1.0.1 - Contributor+ Local File Inclusion vulnerability
Contributor+ Local File Inclusion vulnerability discovered by Khaled Alenazi Nxploited in WordPress Plugin Post Slides versions <= 1.0.1...
WordPress Orbisius Random Name Generator plugin <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btn_label' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'btn_label' Shortcode Attribute vulnerability discovered by zaim in WordPress Plugin Orbisius Random Name Generator versions <= 1.0.2...
WordPress Beaver Builder Page Builder - Drag and Drop Website Builder plugin <= 2.10.0.5 - Authenticated (Custom+) Missing Authorization to Stored Cross-Site Scripting via Global Settings vulnerability
WordPress Beaver Builder Page Builder - Drag and Drop Website Builder plugin <= 2.10.0.5 - Authenticated (Custom+) Missing Authorization to Stored Cross-Site Scripting via Global Settings vulnerability discovered by WordFence in WordPress Plugin Beaver Builder versions <= 2.10.0.5...
WordPress Gallery by FooGallery plugin <= 3.1.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Gallery Metadata Exposure vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary Gallery Metadata Exposure vulnerability discovered by s00me00ne in WordPress Plugin FooGallery versions <= 3.1.9...
WordPress Lucky Wheel Giveaway plugin <= 1.0.22 - Authenticated (Administrator+) Remote Code Execution via 'conditional_tags' Parameter vulnerability
Authenticated (Administrator+) Remote Code Execution via 'conditional_tags' Parameter vulnerability discovered by Nguyen Truong Roll - FPT IS in WordPress Plugin Lucky Wheel Giveaway versions <= 1.0.22...
WordPress WP SMS plugin <= 7.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Ali Osman ERBAS 0110m4n in WordPress Plugin WP SMS versions <= 7.1...
WordPress Real 3D FlipBook plugin <= 4.16.4 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin Real 3D FlipBook versions <= 4.16.4...
WordPress Business Template Blocks for WPBakery (Visual Composer) Page Builder plugin <= 1.3.2 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Skalucy in WordPress Plugin Business Template Blocks for WPBakery (Visual Composer) Page Builder versions <= 1.3.2...
WordPress Visitor Maps Extended Referer Field plugin <= 1.2.6 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Skalucy in WordPress Plugin Visitor Maps Extended Referer Field versions <= 1.2.6...
WordPress WooCommerce Coming Soon Product with Countdown plugin <= 5.0 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin WooCommerce Coming Soon Product with Countdown versions <= 5.0...
WordPress Tune Library plugin <= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via CSV Import vulnerability
Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via CSV Import vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Tune Library versions <= 1.6.3...
WordPress Name Directory plugin <= 1.32.0 - Unauthenticated Stored Cross-Site Scripting via Double HTML-Entity Encoding in Submission Form vulnerability
Unauthenticated Stored Cross-Site Scripting via Double HTML-Entity Encoding in Submission Form vulnerability discovered by duy.thai in WordPress Plugin Name Directory versions <= 1.32.0...
WordPress Fluent Forms plugin <= 6.1.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting via AI Form Builder Module vulnerability
Authenticated (Subscriber+) Stored Cross-Site Scripting via AI Form Builder Module vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - cyberdogzmarketing.com | krei.dev | ogbuilders.io in WordPress Plugin FluentForm versions <= 6.1.14...
WordPress Ninja Forms plugin <= 3.14.0 - Unauthenticated Information Disclosure in nf_ajax_submit AJAX Action vulnerability
Unauthenticated Information Disclosure in nf_ajax_submit AJAX Action vulnerability discovered by johska in WordPress Plugin Ninja Forms versions <= 3.14.0...
WordPress Miraculous Elementor plugin <= 2.0.7 - Broken Authentication vulnerability
Broken Authentication vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Miraculous Elementor versions <= 2.0.7...
WordPress The Events Calendar Shortcode & Block plugin <= 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin The Events Calendar Shortcode & Block versions <= 3.1.2...
WordPress PopupKit plugin <= 2.2.0 - Missing Authorization to Sensitive Information Disclosure and Data Deletion vulnerability
Missing Authorization to Sensitive Information Disclosure and Data Deletion vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin PopupKit versions <= 2.2.0...
WordPress WCFM Marketplace plugin <= 3.7.0 - Insecure Direct Object Reference to Unauthenticated Arbitrary Refund Request Creation vulnerability
Insecure Direct Object Reference to Unauthenticated Arbitrary Refund Request Creation vulnerability discovered by Gibran Abdillah in WordPress Plugin WCFM Marketplace versions <= 3.7.0...
WordPress Fluent Forms Pro Add On Pack plugin <= 6.1.12 - Authenticated (Subscriber+) Server-Side Request Forgery via 'saveDataSource' vulnerability
Authenticated (Subscriber+) Server-Side Request Forgery via 'saveDataSource' vulnerability discovered by andrea bocchetti in WordPress Plugin Fluent Forms Pro Add On Pack versions <= 6.1.12...
WordPress WCFM - WooCommerce Frontend Manager plugin <= 6.7.24 - Authenticated (Shop Manager+) Arbitrary Options Update vulnerability
WordPress WCFM - WooCommerce Frontend Manager plugin <= 6.7.24 - Authenticated (Shop Manager+) Arbitrary Options Update vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - cyberdogzmarketing.com | krei.dev | ogbuilders.io in WordPress Plugin WCFM – Frontend Manager for WooCommerce versions...
WordPress WCFM Membership - WooCommerce Memberships for Multivendor Marketplace plugin <= 2.11.8 - Insecure Direct Object Reference to Update Membership Payment vulnerability
WordPress WCFM Membership - WooCommerce Memberships for Multivendor Marketplace plugin <= 2.11.8 - Insecure Direct Object Reference to Update Membership Payment vulnerability discovered by Jing Xuan Sun in WordPress Plugin WCFM Membership versions <= 2.11.8...
WordPress Whizz Plugins plugin <= 1.9 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Whizz Plugins versions <= 1.9...
WordPress Cliengo – Chatbot plugin <= 3.0.4 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin Cliengo – Chatbot versions <= 3.0.4...
WordPress Travelicious theme < 1.6.7 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Travelicious versions < 1.6.7...
WordPress Nestin theme < 1.2.6 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Nestin versions < 1.2.6...
WordPress PatioTime theme < 2.1 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme PatioTime versions < 2.1...
WordPress Simple Retail Menus plugin <= 4.2.1 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Skalucy in WordPress Plugin Simple Retail Menus versions <= 4.2.1...
WordPress RVCFDI para Woocommerce plugin <= 8.1.8 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Skalucy in WordPress Plugin RVCFDI para Woocommerce versions <= 8.1.8...
WordPress Booking and Rental Manager plugin <= 2.5.9 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Booking and Rental Manager versions <= 2.5.9...
WordPress YayCurrency plugin <= 3.3 - Arbitrary Content Deletion vulnerability
Arbitrary Content Deletion vulnerability discovered by Denver Jackson in WordPress Plugin YayCurrency versions <= 3.3...
WordPress Cartify - WooCommerce Gutenberg WordPress Theme theme <= 1.3 - Arbitrary Content Deletion vulnerability
WordPress Cartify - WooCommerce Gutenberg WordPress Theme theme <= 1.3 - Arbitrary Content Deletion vulnerability discovered by Denver Jackson in WordPress Theme Cartify - WooCommerce Gutenberg WordPress Theme versions <= 1.3...
WordPress Timeline Event History plugin <= 3.2 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Trương Hữu Phúc truonghuuphuc in WordPress Plugin Timeline Event History versions <= 3.2...
WordPress Simple File List plugin <= 6.1.15 - Arbitrary File Download vulnerability
Arbitrary File Download vulnerability discovered by daroo in WordPress Plugin Simple File List versions <= 6.1.15...
WordPress Atarim plugin <= 4.2.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Atarim versions <= 4.2.1...
WordPress NEX-Forms plugin <= 9.1.7 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Skalucy in WordPress Plugin NEX-Forms versions <= 9.1.7...
WordPress PatioTime theme < 2.1 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme PatioTime versions < 2.1...
WordPress Primer MyData for Woocommerce plugin <= 4.2.8 - Path Traversal vulnerability
Path Traversal vulnerability discovered by Skalucy in WordPress Plugin Primer MyData for Woocommerce versions <= 4.2.8...
WordPress WP shop plugin <= 2.6.1 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Skalucy in WordPress Plugin WP shop versions <= 2.6.1...
WordPress Themesflat Elementor plugin <= 1.0.1 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Themesflat Elementor versions <= 1.0.1...
WordPress WooCommerce Bulk Product Editor plugin <= 3.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin WooCommerce Bulk Product Editor versions <= 3.0...
WordPress Upload Files Anywhere plugin <= 2.8 - Arbitrary File Download vulnerability
Arbitrary File Download vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Upload Files Anywhere versions <= 2.8...
WordPress Upload Files Anywhere plugin <= 2.8 - Arbitrary File Deletion vulnerability
Arbitrary File Deletion vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Upload Files Anywhere versions <= 2.8...