WordPress VidoRev theme <= 2.9.9.9.9.9.7 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme VidoRev versions <= 2.9.9.9.9.9.7...
WordPress Urna theme <= 2.5.12 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Urna versions <= 2.5.12...
WordPress Besa theme <= 2.3.15 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Besa versions <= 2.3.15...
WordPress Hara theme <= 1.2.17 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Hara versions <= 1.2.17...
WordPress WPForms Google Sheet Connector plugin <= 4.0.1 - Remote Code Execution (RCE) vulnerability
Remote Code Execution (RCE) vulnerability discovered by Denver Jackson in WordPress Plugin WPForms Google Sheet Connector versions <= 4.0.1...
WordPress Plugin BlueX for WooCommerce plugin <= 3.1.6 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by NumeX in WordPress Plugin Plugin BlueX for WooCommerce versions <= 3.1.6...
WordPress Smart Appointment & Booking plugin <= 1.0.7 - Authenticated (Subscriber+) Stored Cross-Site Scripting via saab_save_form_data AJAX Action vulnerability
Authenticated (Subscriber+) Stored Cross-Site Scripting via saab_save_form_data AJAX Action vulnerability discovered by WordFence in WordPress Plugin Smart Appointment & Booking versions <= 1.0.7...
WordPress WebPurify Profanity Filter plugin <= 4.0.2 - Missing Authorization to Unauthenticated Plugin Settings Change via webpurify_save_options vulnerability
Missing Authorization to Unauthenticated Plugin Settings Change via webpurify_save_options vulnerability discovered by 0x34rth in WordPress Plugin WebPurify Profanity Filter versions <= 4.0.2...
WordPress The Events Calendar Shortcode & Block plugin <= 3.1.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by PPzzAArr in WordPress Plugin The Events Calendar Shortcode & Block versions <= 3.1.1...
WordPress WP FOFT Loader plugin <= 2.1.39 - Authenticated (Author+) Arbitrary File Upload vulnerability
Authenticated (Author+) Arbitrary File Upload vulnerability discovered by Williwollo CybrX in WordPress Plugin WP FOFT Loader versions <= 2.1.39...
WordPress افزونه پیامک ووکامرس Persian WooCommerce SMS plugin <= 7.0.5 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin Persian Woocommerce SMS versions <= 7.0.5...
WordPress Tripetto plugin <= 8.0.11 - Unauthenticated Stored Cross-Site Scripting via Form File Upload vulnerability
Unauthenticated Stored Cross-Site Scripting via Form File Upload vulnerability discovered by Max Boll b0lli - Max Boll - IT Security in WordPress Plugin WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto versions <= 8.0.11...
WordPress ForumWP - Forum & Discussion Board plugin <= 2.1.2 - Reflected Cross-Site Scripting via url Parameter vulnerability
WordPress ForumWP - Forum & Discussion Board plugin <= 2.1.2 - Reflected Cross-Site Scripting via url Parameter vulnerability discovered by Peter Thaleikis in WordPress Plugin ForumWP versions <= 2.1.2...
WordPress PDF Builder for WooCommerce. Create invoices,packing slips and more plugin <= 1.2.136 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by Colin Xu in WordPress Plugin WooCommerce PDF Invoice Builder versions <= 1.2.136...
WordPress Schema App Structured Data plugin <= 2.2.4 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by Peter Thaleikis in WordPress Plugin Schema App Structured Data versions <= 2.2.4...
WordPress Ebook Store plugin <= 5.8001 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by Peter Thaleikis in WordPress Plugin Ebook Store versions <= 5.8001...
WordPress Infility Global plugin <= 2.14.46 - Unauthenticated SQL Injection via Predictable API Key and IP Whitelist Bypass vulnerability
Unauthenticated SQL Injection via Predictable API Key and IP Whitelist Bypass vulnerability discovered by andrea bocchetti in WordPress Plugin Infility Global versions <= 2.14.46...
WordPress SEO Flow by LupsOnline plugin <= 2.2.1 - Unauthenticated Arbitrary Post/Category Modification vulnerability
Unauthenticated Arbitrary Post/Category Modification vulnerability discovered by Tarcísio Luchesi De Almeida Silva Poystick in WordPress Plugin SEO Flow by LupsOnline versions <= 2.2.1...
WordPress Vayu Blocks plugin <= 1.1.1 - Missing Authorization to Unauthenticated Arbitrary plugin Installation/Activation vulnerability
Missing Authorization to Unauthenticated Arbitrary plugin Installation/Activation vulnerability discovered by stealthcopter in WordPress Plugin Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce versions <= 1.1.1...
WordPress WooCommerce Support Ticket System plugin <= 17.7 - Authenticated (Subscriber+) Arbitrary File Deletion vulnerability
Authenticated (Subscriber+) Arbitrary File Deletion vulnerability discovered by Tonn in WordPress Plugin WooCommerce Support Ticket System versions <= 17.7...
WordPress Unicamp theme <= 2.7.1 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Unicamp versions <= 2.7.1...
WordPress Modula Image Gallery plugin <= 2.13.4 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by johska in WordPress Plugin Modula Image Gallery versions <= 2.13.4...
WordPress SportsPress plugin <= 2.7.26 - Authenticated (Contributor+) Local File Inclusion via Shortcode vulnerability
Authenticated (Contributor+) Local File Inclusion via Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin SportsPress – Sports Club & League Manager versions <= 2.7.26...
WordPress Code Explorer plugin <= 1.4.6 - Authenticated (Administrator+) Arbitrary File Read via 'file' Parameter vulnerability
Authenticated (Administrator+) Arbitrary File Read via 'file' Parameter vulnerability discovered by 0x34rth in WordPress Plugin Code Explorer versions <= 1.4.6...
WordPress Fortis for WooCommerce plugin <= 1.2.0 - Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid via 'wc-api' Endpoint vulnerability
Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid via 'wc-api' Endpoint vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Fortis for WooCommerce versions <= 1.2.0...
WordPress All push notification for WP plugin <= 1.5.3 - Authenticated (Administrator+) SQL Injection via 'delete_id' Parameter vulnerability
Authenticated (Administrator+) SQL Injection via 'delete_id' Parameter vulnerability discovered by 0x34rth in WordPress Plugin All push notification for WP versions <= 1.5.3...
WordPress WP Content Permission plugin <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'ohmem-message' Parameter vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via 'ohmem-message' Parameter vulnerability discovered by 0x34rth in WordPress Plugin WP Content Permission versions <= 1.2...
WordPress Magic Import Document Extractor plugin <= 1.0.4 - Unauthenticated Sensitive Information Exposure vulnerability
Unauthenticated Sensitive Information Exposure vulnerability discovered by Teerachai Somprasong in WordPress Plugin Magic Import Document Extractor versions <= 1.0.4...
WordPress Chapa Payment Gateway Plugin for WooCommerce plugin <= 1.0.3 - Unauthenticated Sensitive Information Exposure vulnerability
Unauthenticated Sensitive Information Exposure vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Chapa Payment Gateway Plugin for WooCommerce versions <= 1.0.3...
WordPress Magic Import Document Extractor plugin <= 1.0.4 - Missing Authorization to Unauthenticated Plugin License Status Modification vulnerability
Missing Authorization to Unauthenticated Plugin License Status Modification vulnerability discovered by Teerachai Somprasong in WordPress Plugin Magic Import Document Extractor versions <= 1.0.4...
WordPress Xendit Payment plugin <= 6.0.2 - Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid vulnerability
Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Xendit Payment versions <= 6.0.2...
WordPress SIBS - WooCommerce plugin <= 2.2.0 - Authenticated (Admin+) SQL Injection via 'referencedId' Parameter vulnerability
WordPress SIBS - WooCommerce plugin <= 2.2.0 - Authenticated (Admin+) SQL Injection via 'referencedId' Parameter vulnerability discovered by whizzu in WordPress Plugin SIBS woocommerce payment gateway versions <= 2.2.0...
WordPress Extended Random Number Generator plugin <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via Settings vulnerability discovered by 0x34rth in WordPress Plugin Extended Random Number Generator versions <= 1.1...
WordPress Menu Icons by ThemeIsle plugin <= 0.13.20 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability
Authenticated (Author+) Stored Cross-Site Scripting vulnerability discovered by lucsob in WordPress Plugin Menu Icons by ThemeIsle versions <= 0.13.20...
WordPress Tutor LMS plugin <= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion vulnerability
Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion vulnerability discovered by WordFence in WordPress Plugin Tutor LMS versions <= 3.9.5...
WordPress ACF Quick Edit Fields plugin <= 3.2.2 - Authenticated (Contributor+) Insecure Direct Object Reference vulnerability
Authenticated (Contributor+) Insecure Direct Object Reference vulnerability discovered by Chris Grello in WordPress Plugin ACF Quick Edit Fields versions <= 3.2.2...
WordPress Paid Memberships Pro plugin <= 2.12.7 - Cross-Site Request Forgery to Level Orders Update vulnerability
Cross-Site Request Forgery to Level Orders Update vulnerability discovered by kodaichodai in WordPress Plugin Paid Memberships Pro versions <= 2.12.7...
WordPress Awesome Support - WordPress HelpDesk & Support Plugin plugin <= 6.1.7 - Missing Authorization via editor_html() vulnerability
WordPress Awesome Support - WordPress HelpDesk & Support Plugin plugin <= 6.1.7 - Missing Authorization via editor_html() vulnerability discovered by Krzysztof Zając - CERT PL in WordPress Plugin Awesome Support versions <= 6.1.7...
WordPress Royal Elementor Addons and Templates plugin <= 1.3.87 - Missing Authorization via wpr_update_form_action_meta vulnerability
Missing Authorization via wpr_update_form_action_meta vulnerability discovered by Francesco Carlucci in WordPress Plugin Royal Elementor Addons versions <= 1.3.87...
WordPress Royal Elementor Addons and Templates plugin <= 1.3.87 - Cross-Site Request Forgery via add_to_compare vulnerability
Cross-Site Request Forgery via add_to_compare vulnerability discovered by Francesco Carlucci in WordPress Plugin Royal Elementor Addons versions <= 1.3.87...
WordPress Royal Elementor Addons and Templates plugin <= 1.3.87 - Cross-Site Request Forgery via remove_from_compare vulnerability
Cross-Site Request Forgery via remove_from_compare vulnerability discovered by Francesco Carlucci in WordPress Plugin Royal Elementor Addons versions <= 1.3.87...
WordPress Royal Elementor Addons and Templates plugin <= 1.3.87 - Cross-Site Request Forgery via remove_from_wishlist vulnerability
Cross-Site Request Forgery via remove_from_wishlist vulnerability discovered by Francesco Carlucci in WordPress Plugin Royal Elementor Addons versions <= 1.3.87...
WordPress AI ChatBot plugin <= 5.3.4 - Missing Authorization via openai_file_delete_callback vulnerability
Missing Authorization via openai_file_delete_callback vulnerability discovered by Francesco Carlucci in WordPress Plugin ChatBot versions <= 5.3.4...
WordPress AI ChatBot plugin <= 5.3.4 - Missing Authorization via openai_file_list_callback vulnerability
Missing Authorization via openai_file_list_callback vulnerability discovered by Francesco Carlucci in WordPress Plugin ChatBot versions <= 5.3.4...
WordPress The Plus Addons for Elementor plugin <= 5.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin The Plus Addons for Elementor Page Builder Lite versions <= 5.4.2...
WordPress Gestpay for WooCommerce plugin <= 20221130 - Cross-Site Request Forgery (CSRF) via ajax_unset_default_card vulnerability
Cross-Site Request Forgery (CSRF) via ajax_unset_default_card vulnerability discovered by Francesco Carlucci in WordPress Plugin Gestpay for WooCommerce versions <= 20221130...
WordPress Gestpay for WooCommerce plugin <= 20221130 - Cross-Site Request Forgery (CSRF) via ajax_delete_card vulnerability
Cross-Site Request Forgery (CSRF) via ajax_delete_card vulnerability discovered by Francesco Carlucci in WordPress Plugin Gestpay for WooCommerce versions <= 20221130...
WordPress Categorify plugin <= 1.0.7.4 - Missing Authorization in categorifyAjaxAddCategory vulnerability
Missing Authorization in categorifyAjaxAddCategory vulnerability discovered by Francesco Carlucci in WordPress Plugin Categorify versions <= 1.0.7.4...
WordPress WP Recipe Maker plugin <= 9.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'group_tag' vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'group_tag' vulnerability discovered by wesley wcraft in WordPress Plugin WP Recipe Maker versions <= 9.1.0...
WordPress WP Recipe Maker plugin <= 9.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'tag' vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'tag' vulnerability discovered by wesley wcraft in WordPress Plugin WP Recipe Maker versions <= 9.1.0...