WordPress Enter Addons plugin <= 2.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Events Card Widget vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Events Card Widget vulnerability discovered by lowol in WordPress Plugin Enter Addons versions <= 2.1.8...
WordPress Ultimate Addons for WPBakery Page Builder plugin <= 3.19.20 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by haidv35 - VCS in WordPress Plugin Ultimate Addons for WPBakery Page Builder versions <= 3.19.20...
WordPress Community by PeepSo plugin <= 6.4.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Authenticated Administrator+ Stored Cross-Site Scripting vulnerability discovered by Tieu Pham Trong Nhan - TechlabCorp in WordPress Plugin Community by PeepSo versions <= 6.4.5.0...
WordPress WPBakery Page Builder plugin <= 7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via VC Single Image link attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via VC Single Image link attribute vulnerability discovered by wesley wcraft in WordPress Plugin WPBakery Page Builder versions <= 7.6...
WordPress Bit Form plugin 2.0 - 2.13.9 - Authenticated (Administrator+) SQL Injection vulnerability
WordPress Bit Form plugin 2.0 - 2.13.9 - Authenticated Administrator+ SQL Injection vulnerability discovered by TANG Cheuk Hei siunam in WordPress Plugin Bit Form versions 2.0-2.13.9...
WordPress Post Grid Gutenberg Blocks and WordPress Blog Plugin - PostX plugin <= 4.1.2 - Missing Authorization to Arbitrary Options Update vulnerability
WordPress Post Grid Gutenberg Blocks and WordPress Blog Plugin - PostX plugin <= 4.1.2 - Missing Authorization to Arbitrary Options Update vulnerability discovered by 1337Wannabe - home in WordPress Plugin PostX versions <= 4.1.2...
WordPress LA-Studio Element Kit for Elementor plugin <= 1.3.8.1 - Authenticated (Contributor+) Local File Inclusion vulnerability
Authenticated Contributor+ Local File Inclusion vulnerability discovered by stealthcopter in WordPress Plugin LA-Studio Element Kit for Elementor versions <= 1.3.8.1...
WordPress Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin <= 5.6.11 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by wesley wcraft in WordPress Plugin Element Pack Elementor Addons versions <= 5.6.11...
WordPress Tutor LMS Elementor Addons plugin <= 2.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Course Carousel Widget vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Course Carousel Widget vulnerability discovered by wesley wcraft in WordPress Plugin Tutor LMS Elementor Addons versions <= 2.1.4...
WordPress The Plus Addons for Elementor - Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin <= 5.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonials Widget Settings vulnerability
WordPress The Plus Addons for Elementor - Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin <= 5.6.2 - Authenticated Contributor+ Stored Cross-Site Scripting via Testimonials Widget Settings vulnerability discovered by Ngô Thiên An ancorn in WordPress Plugin The Plus Addons...
WordPress WP Affiliate Platform plugin < 6.5.1 - Reflected XSS via Affiliate Editing vulnerability
Reflected XSS via Affiliate Editing vulnerability discovered by Bob Matyas in WordPress Plugin Affiliate Manager versions < 6.5.1...
WordPress WP Affiliate Platform plugin < 6.5.1 - Reflected XSS via Registration Form vulnerability
Reflected XSS via Registration Form vulnerability discovered by Bob Matyas in WordPress Plugin Affiliate Manager versions < 6.5.1...
WordPress ARMember Premium plugin <= 6.7 - Cross-Site Request Forgery via multiple functions vulnerability
Cross-Site Request Forgery via multiple functions vulnerability discovered by István Márton - Wordfence in WordPress Plugin ARMember Premium versions <= 6.7...
WordPress WP Affiliate Platform plugin < 6.5.1 - Reflected XSS via Lead Editing vulnerability
Reflected XSS via Lead Editing vulnerability discovered by Bob Matyas in WordPress Plugin Affiliate Manager versions < 6.5.1...
WordPress WP Affiliate Platform plugin < 6.5.1 - Reflected XSS via Banner Editing vulnerability
Reflected XSS via Banner Editing vulnerability discovered by Bob Matyas in WordPress Plugin Affiliate Manager versions < 6.5.1...
WordPress GiveWP - Donation Plugin and Fundraising Platform plugin <= 3.14.1 - Unauthenticated PHP Object Injection to Remote Code Execution vulnerability
WordPress GiveWP - Donation Plugin and Fundraising Platform plugin <= 3.14.1 - Unauthenticated PHP Object Injection to Remote Code Execution vulnerability discovered by villu164 in WordPress Plugin GiveWP versions <= 3.14.1...
WordPress WP eStore plugin < 8.5.5 - Reflected XSS in Discount Editing vulnerability
Reflected XSS in Discount Editing vulnerability discovered by Bob Matyas in WordPress Plugin WP eStore versions < 8.5.5...
WordPress WP eStore plugin < 8.5.5 - Reflected XSS in Customer Editing vulnerability
Reflected XSS in Customer Editing vulnerability discovered by Bob Matyas in WordPress Plugin WP eStore versions < 8.5.5...
WordPress WP eStore plugin < 8.5.5 - Reflected XSS in Category Editing vulnerability
Reflected XSS in Category Editing vulnerability discovered by Bob Matyas in WordPress Plugin WP eStore versions < 8.5.5...
WordPress WP eStore plugin < 8.5.6 - Reflected XSS in Product Editing vulnerability
Reflected XSS in Product Editing vulnerability discovered by Bob Matyas in WordPress Plugin WP eStore versions < 8.5.6...
WordPress WP eMember plugin < 10.6.6 - Reflected XSS vulnerability
Reflected XSS vulnerability discovered by Bob Matyas in WordPress Plugin WP eMember versions < 10.6.6...
WordPress Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor - Funnelforms Free plugin <= 3.7.3.2 - Missing Authorization to Unauthenticated Arbitrary Media Deletion vulnerability
WordPress Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor - Funnelforms Free plugin <= 3.7.3.2 - Missing Authorization to Unauthenticated Arbitrary Media Deletion vulnerability discovered by Lucio Sá in WordPress Plugin Funnelforms Free versions <= 3.7.3.2...
WordPress SP Project & Document Manager plugin <= 4.71 - Subscriber+ File Download via IDOR vulnerability
Subscriber+ File Download via IDOR vulnerability discovered by fewwords in WordPress Plugin SP Project & Document Manager versions <= 4.71...
WordPress Newsletter Popup plugin <= 1.2 - Unauthenticated Stored XSS vulnerability
Unauthenticated Stored XSS vulnerability discovered by Bob Matyas in WordPress Plugin Newsletter Popup versions <= 1.2...
WordPress Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin <= 1.5.112 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'email' vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'email' vulnerability discovered by shaman0x01 - Shaman Red Team in WordPress Plugin Unlimited Elements For Elementor Free Widgets, Addons, Templates versions <= 1.5.112...
WordPress SupportCandy - Helpdesk & Customer Support Ticket System plugin <= 3.4.4 - Authenticated (Subscriber+) SQL Injection via Number Field Filter vulnerability
WordPress SupportCandy - Helpdesk & Customer Support Ticket System plugin <= 3.4.4 - Authenticated Subscriber+ SQL Injection via Number Field Filter vulnerability discovered by Supakiad S. m3ez - E-CQURITY Thailand in WordPress Plugin SupportCandy versions <= 3.4.4...
WordPress PDF Generator Addon for Elementor Page Builder plugin <= 2.0.0 - Unauthenticated Arbitrary File Download vulnerability
Unauthenticated Arbitrary File Download vulnerability discovered by stealthcopter in WordPress Plugin PDF Generator Addon for Elementor Page Builder versions <= 2.0.0...
WordPress Blockspare plugin <= 3.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Francesco Carlucci in WordPress Plugin Blockspare versions <= 3.2.4...
WordPress Simple Popup Plugin plugin <= 4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Krzysztof Zając - CERT PL in WordPress Plugin Simple Popup versions <= 4.5...
WordPress Essential Addons for Elementor plugin <= 6.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Filterable Gallery Widget vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Filterable Gallery Widget vulnerability discovered by zer0gh0st in WordPress Plugin Essential Addons for Elementor versions <= 6.0.3...
WordPress Confetti Fall Animation plugin <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via confetti-fall-animation Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via confetti-fall-animation Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin Confetti Fall Animation versions <= 1.3.1...
WordPress Royal Elementor Addons and Template plugin <= 1.7.1001 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Google Maps Widget vulnerability
Authenticated Contributor+ DOM-Based Stored Cross-Site Scripting via Google Maps Widget vulnerability discovered by zer0gh0st in WordPress Plugin Royal Elementor Addons versions <= 1.7.1001...
WordPress WP-WebAuthn plugin <= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via wwa_login_form Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via wwa_login_form Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin WP-WebAuthn versions <= 1.3.3...
WordPress Bridge Core plugin <= 3.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by István Márton - Wordfence in WordPress Plugin Bridge Core versions <= 3.2.0...
WordPress Shortcodes and extra features for Phlox theme plugin <= 2.17.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via aux_contact_box and aux_gmaps Shortcodes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via aux_contact_box and aux_gmaps Shortcodes vulnerability discovered by David Gallagher BatFeats - Adept Digital in WordPress Plugin Shortcodes and extra features for Phlox theme versions <= 2.17.0...
WordPress Royal Elementor Addons and Templates plugin <= 1.7.1001 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Countdown Widget vulnerability discovered by zer0gh0st in WordPress Plugin Royal Elementor Addons versions <= 1.7.1001...
WordPress Ultimate Coming Soon & Maintenance plugin <= 1.0.9 - Missing Authorization to Unauthenticated Template Activation vulnerability
Missing Authorization to Unauthenticated Template Activation vulnerability discovered by Tieu Pham Trong Nhan - TechlabCorp in WordPress Plugin Ultimate Coming Soon & Maintenance versions <= 1.0.9...
WordPress Ultimate Coming Soon & Maintenance plugin <= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) Template Name Update vulnerability
Missing Authorization to Authenticated Subscriber+ Template Name Update vulnerability discovered by Tieu Pham Trong Nhan - TechlabCorp in WordPress Plugin Ultimate Coming Soon & Maintenance versions <= 1.0.9...
WordPress Element Pack Elementor Addons plugin <= 5.10.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Open Map Widget vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Open Map Widget vulnerability discovered by zer0gh0st in WordPress Plugin Element Pack Elementor Addons versions <= 5.10.2...
WordPress CubeWP plugin <= 1.1.27 - Unauthenticated Information Exposure vulnerability
Unauthenticated Information Exposure vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin CubeWP versions <= 1.1.27...
WordPress Shortcodes and extra features for Phlox theme plugin <= 2.17.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Modern Heading Widget vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Modern Heading Widget vulnerability discovered by Abu Hurayra HurayraIIT in WordPress Plugin Shortcodes and extra features for Phlox theme versions <= 2.17.13...
WordPress SurveyJS plugin <= 1.12.20 - Cross-Site Request Forgery to Survey Creation vulnerability
Cross-Site Request Forgery to Survey Creation vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin SurveyJS versions <= 1.12.20...
WordPress SurveyJS plugin <= 1.12.20 - Cross-Site Request Forgery to Survey Renaming vulnerability
Cross-Site Request Forgery to Survey Renaming vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin SurveyJS versions <= 1.12.20...
WordPress SurveyJS plugin <= 1.12.20 - Cross-Site Request Forgery to Survey Cloning vulnerability
Cross-Site Request Forgery to Survey Cloning vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin SurveyJS versions <= 1.12.20...
WordPress Shortcodes and extra features for Phlox theme plugin <= 2.17.13 - Unauthenticated Draft Posts Information Exposure vulnerability
Unauthenticated Draft Posts Information Exposure vulnerability discovered by Nguyen C in WordPress Plugin Shortcodes and extra features for Phlox theme versions <= 2.17.13...
WordPress Featured Image from URL (FIFU) plugin <= 5.3.1 - Authenticated (Contributor+) Server-Side Request Forgery via 'fifu_input_url' vulnerability
Authenticated Contributor+ Server-Side Request Forgery via 'fifu_input_url' vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Featured Image from URL versions <= 5.3.1...
WordPress Himer theme < 2.1.1 - Arbitrary Group Joining via CSRF vulnerability
Arbitrary Group Joining via CSRF vulnerability discovered by Sushmita Poudel in WordPress Theme Himer versions < 2.1.1...
WordPress Himer theme < 2.1.1 - Subscriber+ Private Group Joining via IDOR vulnerability
Subscriber+ Private Group Joining via IDOR vulnerability discovered by Sushmita Poudel in WordPress Theme Himer versions < 2.1.1...
WordPress Gyan Elements plugin <= 2.2.1 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Gyan Elements versions <= 2.2.1...
WordPress KiviCare plugin <= 3.6.16 - SQL Injection vulnerability
SQL Injection vulnerability discovered by alakinnn in WordPress Plugin KiviCare versions <= 3.6.16...