WordPress LA-Studio Element Kit for Elementor plugin <= 1.5.6.3 - Unauthenticated Privilege Escalation via Backdoor to Administrative User Creation via lakit_bkrole parameter vulnerability

Unauthenticated Privilege Escalation via Backdoor to Administrative User Creation via lakitbkrole parameter vulnerability discovered by WordFence in WordPress Plugin LA-Studio Element Kit for Elementor versions = 1.5.6.3...

WordPress WP Docs plugin <= 2.2.8 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by hhhai in WordPress Plugin WP Docs versions = 2.2.8...

WordPress B Accordion plugin <= 2.0.1 - Sensitive Data Exposure vulnerability

Sensitive Data Exposure vulnerability discovered by theviper17 in WordPress Plugin B Accordion versions = 2.0.1...

WordPress iNET Webkit plugin <= 1.2.4 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by theviper17 in WordPress Plugin iNET Webkit versions = 1.2.4...

WordPress Anything Order by Terms plugin <= 1.4.0 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin Anything Order by Terms versions = 1.4.0...

WordPress WP Travel plugin <= 11.1.0 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin WP Travel versions = 11.1.0...

WordPress Real Homes CRM plugin <= 1.0.0 - Arbitrary File Upload vulnerability

Arbitrary File Upload vulnerability discovered by wackydawg in WordPress Plugin Real Homes CRM versions = 1.0.0...

WordPress Lawyer Directory plugin <= 1.3.3 - Privilege Escalation vulnerability

Privilege Escalation vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Lawyer Directory versions = 1.3.3...

WordPress Beaver Builder plugin <= 2.9.4.1 - Arbitrary Code Execution vulnerability

Arbitrary Code Execution vulnerability discovered by mcdruid in WordPress Plugin Beaver Builder versions = 2.9.4.1...

WordPress Media Library File Size plugin <= 1.6.7 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin Media Library File Size versions = 1.6.7...

WordPress Edwiser Bridge plugin <= 4.3.2 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin Edwiser Bridge versions = 4.3.2...

WordPress BOX NOW Delivery plugin <= 3.0.2 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin BOX NOW Delivery versions = 3.0.2...

WordPress Photo Gallery by 10Web plugin <= 1.8.36 - Missing Authorization to Unauthenticated Arbitrary Comment Deletion vulnerability

Missing Authorization to Unauthenticated Arbitrary Comment Deletion vulnerability discovered by Moose Love - Nagasaki Prefectural University in WordPress Plugin Photo Gallery by 10Web versions = 1.8.36...

WordPress JobWP plugin <= 2.4.5 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by daroo in WordPress Plugin JobWP versions = 2.4.5...

WordPress Ultra Portfolio plugin <= 6.7 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Ultra Portfolio versions = 6.7...

WordPress Movie Booking plugin <= 1.1.5 - Arbitrary File Deletion vulnerability

Arbitrary File Deletion vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Movie Booking versions = 1.1.5...

WordPress WPO365 plugin <= 40.0 - Server Side Request Forgery (SSRF) vulnerability

Server Side Request Forgery SSRF vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin WPO365 versions = 40.0...

WordPress WP BackItUp plugin <= 2.1.0 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin WP BackItUp versions = 2.1.0...

WordPress WorkScout-Core plugin <= 1.7.06 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin WorkScout-Core versions = 1.7.06...

WordPress WorkScout theme <= 4.1.07 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme WorkScout versions = 4.1.07...

WordPress TaxCloud for WooCommerce plugin <= 8.3.8 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin TaxCloud for WooCommerce versions = 8.3.8...

WordPress User Registration plugin <= 4.4.6 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Mdr in WordPress Plugin User Registration versions = 4.4.6...

WordPress Tabby Checkout plugin <= 5.8.4 - Sensitive Data Exposure vulnerability

Sensitive Data Exposure vulnerability discovered by benzdeus in WordPress Plugin Tabby Checkout versions = 5.8.4...

WordPress Hydra Booking plugin <= 1.1.32 - Privilege Escalation vulnerability

Privilege Escalation vulnerability discovered by daroo in WordPress Plugin Hydra Booking versions = 1.1.32...

WordPress Extend Link plugin <= 2.0.0 - Server Side Request Forgery (SSRF) vulnerability

Server Side Request Forgery SSRF vulnerability discovered by theviper17 in WordPress Plugin Extend Link versions = 2.0.0...

WordPress EcoBlue theme <= 1.15 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Bonds in WordPress Theme EcoBlue versions = 1.15...

WordPress Listivo Core plugin <= 2.3.77 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Listivo Core versions = 2.3.77...

WordPress MyHome Core plugin <= 4.1.0 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin MyHome Core versions = 4.1.0...

WordPress Salon booking system plugin <= 10.30.3 - Sensitive Data Exposure vulnerability

Sensitive Data Exposure vulnerability discovered by daroo in WordPress Plugin Salon booking system versions = 10.30.3...

WordPress Paid Downloads plugin <= 3.15 - SQL Injection vulnerability

SQL Injection vulnerability discovered by 0xVenus in WordPress Plugin Paid Downloads versions = 3.15...

WordPress Nelio Content plugin <= 4.2.0 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Doan Dinh Van in WordPress Plugin Nelio Content versions = 4.2.0...

WordPress Dinatur plugin <= 1.18 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Jarno Vos jrn5151 in WordPress Plugin Dinatur versions = 1.18...

WordPress NotificationX plugin <= 3.2.0 - Unauthenticated DOM-Based Cross-Site Scripting via 'nx-preview' vulnerability

Unauthenticated DOM-Based Cross-Site Scripting via 'nx-preview' vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin NotificationX versions = 3.2.0...

WordPress Nexter Extension - Site Enhancements Toolkit plugin <= 4.4.6 - Unauthenticated PHP Object Injection via 'nxt_unserialize_replace' vulnerability

WordPress Nexter Extension - Site Enhancements Toolkit plugin = 4.4.6 - Unauthenticated PHP Object Injection via 'nxtunserializereplace' vulnerability discovered by Webbernaut in WordPress Plugin Nexter Extension versions = 4.4.6...

WordPress Academy LMS plugin <= 3.5.0 - Privilege Escalation vulnerability

Privilege Escalation vulnerability discovered by vgo0 in WordPress Plugin Academy LMS versions = 3.5.0...

WordPress WishList Member X plugin <= 3.29.0 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by 0xd4rk5id3 in WordPress Plugin WishList Member X versions = 3.29.0...

WordPress Bookingor plugin <= 1.0.12 - Subscriber+ Category Deletion vulnerability

Subscriber+ Category Deletion vulnerability discovered by Khaled Alenazi Nxploited in WordPress Plugin Bookingor versions = 1.0.12...

WordPress FlatPM - Ad Manager, AdSense and Custom Code plugin <= 3.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Post Meta vulnerability

WordPress FlatPM - Ad Manager, AdSense and Custom Code plugin = 3.2.2 - Authenticated Contributor+ Stored Cross-Site Scripting via Custom Post Meta vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin FlatPM versions = 3.2.2...

WordPress Head Meta Data plugin <= 20251118 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Post Meta vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Head Meta Data versions = 20251118...

WordPress NotificationX plugin <= 3.1.11 - Missing Authorization to Authenticated (Contributor+) Analytics Reset vulnerability

Missing Authorization to Authenticated Contributor+ Analytics Reset vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin NotificationX versions = 3.1.11...

WordPress Creator LMS - The LMS for Creators, Coaches, and Trainers plugin <= 1.1.12 - Missing Authorization to Authenticated (Contributor+) Arbitrary Options Update vulnerability

WordPress Creator LMS - The LMS for Creators, Coaches, and Trainers plugin = 1.1.12 - Missing Authorization to Authenticated Contributor+ Arbitrary Options Update vulnerability discovered by Sarawut Poolkhet MisterHelloz in WordPress Plugin Creator LMS versions = 1.1.12...

WordPress The Events Calendar plugin <= 6.15.13 - Missing Authorization to Authenticated (Subscriber+) Data Migration Control vulnerability

Missing Authorization to Authenticated Subscriber+ Data Migration Control vulnerability discovered by type5afe in WordPress Plugin The Events Calendar versions = 6.15.13...

WordPress Tutor LMS - eLearning and online course solution plugin <= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion vulnerability

WordPress Tutor LMS - eLearning and online course solution plugin = 3.9.4 - Missing Authorization to Authenticated Subscriber+ Limited Attachment Deletion vulnerability discovered by type5afe in WordPress Plugin Tutor LMS versions = 3.9.4...

WordPress UX Flat plugin <= 5.4.0 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by theviper17 in WordPress Plugin UX Flat versions = 5.4.0...

WordPress Pie Register plugin <= 3.8.4.8 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Mdr in WordPress Plugin Pie Register versions = 3.8.4.8...

WordPress Admin login URL Change plugin <= 1.1.5 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Mohamad Fattyr in WordPress Plugin Admin login URL Change versions = 1.1.5...

WordPress Booking Activities plugin <= 1.16.44 - Privilege Escalation vulnerability

Privilege Escalation vulnerability discovered by daroo in WordPress Plugin Booking Activities versions = 1.16.44...

WordPress Frontis Blocks plugin <= 1.1.5 - Server Side Request Forgery (SSRF) vulnerability

Server Side Request Forgery SSRF vulnerability discovered by 0xd4rk5id3 in WordPress Plugin Frontis Blocks versions = 1.1.5...

WordPress Craft | Coffee Shop Cafe Restaurant WordPress theme <= 2.3.6 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting XSS vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Craft versions = 2.3.6...

WordPress Grand Tour theme < 5.6.2 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Grand Tour versions 5.6.2...