45959 matches found
WordPress JSM file_get_contents() Shortcode plugin < 2.7.1 - Contributor+ SSRF vulnerability
Contributor+ SSRF vulnerability discovered by Dmitrii Ignatyev in WordPress Plugin JSM file_get_contents() Shortcode versions < 2.7.1...
WordPress WP All Import plugin < 3.7.3 - Admin+ Arbitrary File Upload to RCE vulnerability
Admin+ Arbitrary File Upload to RCE vulnerability discovered by quangnt in WordPress Plugin WP All Import versions < 3.7.3...
WordPress Community by PeepSo plugin < 6.3.1.2 - User Post Creation via CSRF vulnerability
User Post Creation via CSRF vulnerability discovered by Bikram Kharal in WordPress Plugin Community by PeepSo versions < 6.3.1.2...
WordPress Hubbub Lite plugin < 1.32.0 - Admin+ Stored XSS vulnerability
Admin+ Stored XSS vulnerability discovered by Tycho Niestadt in WordPress Plugin Hubbub Lite versions < 1.32.0...
WordPress Relevanssi Premium plugin < 2.25.0 - Unauthenticated Private/Draft Post Disclosure vulnerability
Unauthenticated Private/Draft Post Disclosure vulnerability discovered by Krzysztof Zając CERT PL in WordPress Plugin Relevanssi Premium versions < 2.25.0...
WordPress Relevanssi plugin < 4.22.0 - Unauthenticated Private/Draft Post Disclosure vulnerability
Unauthenticated Private/Draft Post Disclosure vulnerability discovered by Krzysztof Zając CERT PL in WordPress Plugin Relevanssi versions < 4.22.0...
WordPress Quiz And Survey Master plugin <= 10.3.4 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by mamadrce in WordPress Plugin Quiz And Survey Master versions <= 10.3.4...
WordPress Product Filter for WooCommerce plugin <= 9.1.2 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Product Filter for WooCommerce versions <= 9.1.2...
WordPress User Extra Fields plugin <= 17.0 - Arbitrary File Deletion vulnerability
Arbitrary File Deletion vulnerability discovered by Phat RiO in WordPress Plugin User Extra Fields versions <= 17.0...
WordPress User Extra Fields plugin <= 17.0 - Arbitrary File Deletion vulnerability
Arbitrary File Deletion vulnerability discovered by Phat RiO in WordPress Plugin User Extra Fields versions <= 17.0...
WordPress LottieFiles plugin <= 3.0.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by NumeX in WordPress Plugin LottieFiles versions <= 3.0.0...
WordPress Woo File Dropzone plugin <= 1.1.7 - Arbitrary File Deletion vulnerability
Arbitrary File Deletion vulnerability discovered by Skalucy in WordPress Plugin Woo File Dropzone versions <= 1.1.7...
WordPress CozyStay theme < 1.9.1 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme CozyStay versions < 1.9.1...
WordPress GreenShift - Animation and Page Builder Blocks plugin <= 12.5.7 - Authenticated (Subscriber+) Information Disclosure of AI API Keys vulnerability
WordPress GreenShift - Animation and Page Builder Blocks plugin <= 12.5.7 - Authenticated (Subscriber+) Information Disclosure of AI API Keys vulnerability discovered by ISMAILSHADOW in WordPress Plugin Greenshift versions <= 12.5.7...
WordPress GMap Targeting plugin <= 1.1.7 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Skalucy in WordPress Plugin GMap Targeting versions <= 1.1.7...
WordPress iContact for Gravity Forms plugin <= 1.3.2 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Skalucy in WordPress Plugin iContact for Gravity Forms versions <= 1.3.2...
WordPress Okay Toolkit plugin <= 2.3 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Skalucy in WordPress Plugin Okay Toolkit versions <= 2.3...
WordPress Court Reservation plugin <= 1.10.9 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Skalucy in WordPress Plugin Court Reservation versions <= 1.10.9...
WordPress GA4WP: Google Analytics for WordPress plugin <= 2.10.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin GA4WP: Google Analytics for WordPress versions <= 2.10.0...
WordPress Checkout Gateway for IRIS plugin <= 1.3 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Checkout Gateway for IRIS versions <= 1.3...
WordPress Portfolio Builder plugin <= 1.2.5 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Portfolio Builder versions <= 1.2.5...
WordPress ElementInvader Addons for Elementor plugin <= 1.4.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin ElementInvader Addons for Elementor versions <= 1.4.1...
WordPress Eleblog – Elementor Blog And Magazine Addons plugin <= 2.0.3 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Eleblog – Elementor Blog And Magazine Addons versions <= 2.0.3...
WordPress LC Wizard plugin <= 2.1.1 - Settings Change vulnerability
Settings Change vulnerability discovered by Legion Hunter in WordPress Plugin LC Wizard versions <= 2.1.1...
WordPress Advanced WC Analytics plugin <= 3.19.0 - Settings Change vulnerability
Settings Change vulnerability discovered by Legion Hunter in WordPress Plugin Advanced WC Analytics versions <= 3.19.0...
WordPress Addonify Floating Cart For WooCommerce plugin <= 1.2.17 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Addonify Floating Cart For WooCommerce versions <= 1.2.17...
WordPress All In One Image Viewer Block plugin <= 1.0.2 - Unauthenticated Server-Side Request Forgery via image-proxy Endpoint vulnerability
Unauthenticated Server-Side Request Forgery via image-proxy Endpoint vulnerability discovered by WordFence in WordPress Plugin Image Map Block – Gutenberg block to create image map with hyperlink versions <= 1.0.2...
WordPress Peter's Date Countdown plugin <= 2.0.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] vulnerability
Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin Peter’s Date Countdown versions <= 2.0.0...
WordPress ShortPixel Image Optimizer plugin <= 6.4.2 - Authenticated (Editor+) Arbitrary File Read via 'loadFile' Parameter vulnerability
Authenticated (Editor+) Arbitrary File Read via 'loadFile' Parameter vulnerability discovered by 0N0ise - cert.pl in WordPress Plugin ShortPixel Image Optimizer versions <= 6.4.2...
WordPress Golo theme < 1.7.5 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Golo versions < 1.7.5...
WordPress Golo theme < 1.7.5 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Golo versions < 1.7.5...
WordPress ELEX WordPress HelpDesk & Customer Ticketing System plugin <= 3.3.5 - Missing Authorization to Authenticated (Subscriber+) Settings Update vulnerability
Missing Authorization to Authenticated (Subscriber+) Settings Update vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin ELEX WordPress HelpDesk & Customer Ticketing System versions <= 3.3.5...
WordPress ProfileGrid plugin <= 5.9.7.2 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Profile and Cover Image Modification vulnerability
Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Profile and Cover Image Modification vulnerability discovered by knani alaaeddine iwd in WordPress Plugin ProfileGrid versions <= 5.9.7.2...
WordPress ProfileGrid - User Profiles, Groups and Communities plugin <= 5.9.7.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Suspension vulnerability
WordPress ProfileGrid - User Profiles, Groups and Communities plugin <= 5.9.7.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Suspension vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin ProfileGrid versions <= 5.9.7.2...
WordPress Robin Image Optimizer plugin <= 2.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Image Alternative Text Field vulnerability
Authenticated (Author+) Stored Cross-Site Scripting via Image Alternative Text Field vulnerability discovered by Vincent Theriault-Laine in WordPress Plugin Robin image optimizer versions <= 2.0.2...
WordPress Dynamic Widget Content plugin <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Content Field vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Content Field vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Dynamic Widget Content versions <= 1.3.6...
WordPress Essential Widgets plugin <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Essential Widgets versions <= 3.0...
WordPress Popup builder with Gamification plugin <= 2.2.0 - Unauthenticated SQL Injection via Multiple REST API Endpoints vulnerability
Unauthenticated SQL Injection via Multiple REST API Endpoints vulnerability discovered by YCInfosec in WordPress Plugin PopupKit versions <= 2.2.0...
WordPress Addonify – WooCommerce Wishlist plugin <= 2.0.15 - Settings Change vulnerability
Settings Change vulnerability discovered by Legion Hunter in WordPress Plugin Addonify – WooCommerce Wishlist versions <= 2.0.15...
WordPress Addonify – Compare Products For WooCommerce plugin <= 1.1.17 - Settings Change vulnerability
Settings Change vulnerability discovered by Legion Hunter in WordPress Plugin Addonify Compare Products For WooCommerce versions <= 1.1.17...
WordPress Sync Master Sheet – Product Sync with Google Sheet for WooCommerce plugin <= 1.1.3 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by NumeX in WordPress Plugin Sync Master Sheet Product Sync with Google Sheet for WooCommerce versions <= 1.1.3...
WordPress Contact Manager plugin <= 9.1.1 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Skalucy in WordPress Plugin Contact Manager versions <= 9.1.1...
WordPress TopperPack – Complete Elementor Addons, theme & CPT Builder plugin <= 1.2.1 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Skalucy in WordPress Plugin TopperPack – Complete Elementor Addons, Theme & CPT Builder versions <= 1.2.1...
WordPress UserPlus plugin <= 2.0 - Missing Authorization via Multiple Functions vulnerability
Missing Authorization via Multiple Functions vulnerability discovered by István Márton - Wordfence in WordPress Plugin UserPlus versions <= 2.0...
WordPress Sell BTC - Cryptocurrency Selling Calculator plugin <= 1.5 - Unauthenticated Stored Cross-Site Scripting via 'orderform_data' AJAX Action vulnerability
WordPress Sell BTC - Cryptocurrency Selling Calculator plugin <= 1.5 - Unauthenticated Stored Cross-Site Scripting via 'orderform_data' AJAX Action vulnerability discovered by Sarawut Poolkhet MisterHelloz in WordPress Plugin Sell BTC – Cryptocurrency Selling Calculator versions <= 1.5...
WordPress School Management plugin <= 91.5.0 - Authenticated (Student+) Arbitrary File Upload vulnerability
Authenticated (Student+) Arbitrary File Upload vulnerability discovered by Tonn in WordPress Plugin School Management versions <= 91.5.0...
WordPress MyRewards plugin <= 5.6.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Tharadol Suksamran d3kc4rt1 in WordPress Plugin MyRewards versions <= 5.6.1...
WordPress Export Media URLs plugin <= 2.2 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Skalucy in WordPress Plugin Export Media URLs versions <= 2.2...
WordPress NPS computy plugin <= 2.8.2 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Skalucy in WordPress Plugin NPS computy versions <= 2.8.2...
WordPress NEX-Forms plugin <= 9.1.7 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Jarno Vos jrn5151 in WordPress Plugin NEX-Forms versions <= 9.1.7...