45948 matches found
WordPress Poll, Survey, Form & Quiz Maker by OpinionStage plugin < 19.6.25 - Unauthenticated Cross-Site Scripting (XSS) vulnerability
Unauthenticated Cross-Site Scripting (XSS) vulnerability discovered by WPscan in WordPress Plugin Poll, Survey & Quiz Maker Plugin by Opinion Stage versions < 19.6.25...
WordPress Demo Importer Plus plugin <= 2.0.9 - Authenticated (Author+) Blind XML External Entity Injection via SVG File Upload vulnerability
Authenticated (Author+) Blind XML External Entity Injection via SVG File Upload vulnerability discovered by bosz in WordPress Plugin Demo Importer Plus versions <= 2.0.9...
WordPress Gutenberg Thim Blocks plugin <= 1.0.1 - Authenticated (Contributor+) Arbitrary File Read via 'iconSVG' Parameter vulnerability
Authenticated (Contributor+) Arbitrary File Read via 'iconSVG' Parameter vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Thim Blocks versions <= 1.0.1...
WordPress Wallet System for WooCommerce plugin <= 2.7.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Wallet Balance Manipulation vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary Wallet Balance Manipulation vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Wallet System for WooCommerce versions <= 2.7.2...
WordPress Advanced iFrame plugin <= 2025.10 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by johska in WordPress Plugin Advanced iFrame versions <= 2025.10...
WordPress Quick Contact Form plugin <= 8.2.6 - Unauthenticated Open Mail Relay vulnerability
Unauthenticated Open Mail Relay vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Quick Contact Form versions <= 8.2.6...
WordPress Feeds for YouTube Pro plugin <= 2.6.0 - Unauthenticated Arbitrary File Read via Path Traversal vulnerability
Unauthenticated Arbitrary File Read via Path Traversal vulnerability discovered by LionTree in WordPress Plugin YouTube Feed Pro versions <= 2.6.0...
WordPress RegistrationMagic plugin <= 6.0.7.1 - Privilege Escalation via admin_order vulnerability
Privilege Escalation via admin_order vulnerability discovered by Os in WordPress Plugin RegistrationMagic versions <= 6.0.7.1...
WordPress SumUp Payment Gateway For WooCommerce plugin <= 2.7.9 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin SumUp Payment Gateway For WooCommerce versions <= 2.7.9...
WordPress WP Forms Signature Contract Add-On plugin <= 1.8.2 - Broken Access Control to Notice Dismissal vulnerability
Broken Access Control to Notice Dismissal vulnerability discovered by Nabil Irawan in WordPress Plugin WP Forms Signature Contract Add-On versions <= 1.8.2...
WordPress Tutor LMS BunnyNet Integration plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nabil Irawan in WordPress Plugin Tutor LMS BunnyNet Integration versions <= 1.0.0...
WordPress XStore Core plugin < 5.7 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin XStore Core versions < 5.7...
WordPress Visual Link Preview plugin <= 2.2.9 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by theviper17 in WordPress Plugin Visual Link Preview versions <= 2.2.9...
WordPress Hyyan WooCommerce Polylang Integration plugin <= 1.5.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by theviper17 in WordPress Plugin Hyyan WooCommerce Polylang Integration versions <= 1.5.0...
WordPress XStore theme <= 9.6.4 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme XStore versions <= 9.6.4...
WordPress Sober theme <= 3.5.12 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Rafie Muhammad Patchstack in WordPress Theme Sober versions <= 3.5.12...
WordPress AJAX Hits Counter + Popular Posts Widget plugin <= 0.10.210305 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin AJAX Hits Counter + Popular Posts Widget versions <= 0.10.210305...
WordPress Ninja Tables plugin <= 5.2.5 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by theviper17 in WordPress Plugin Ninja Tables versions <= 5.2.5...
WordPress Smart Product Viewer plugin <= 1.5.4 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Smart Product Viewer versions <= 1.5.4...
WordPress XStore theme <= 9.6.4 - Arbitrary Shortcode Execution vulnerability
Arbitrary Shortcode Execution vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme XStore versions <= 9.6.4...
WordPress Houzez Theme - Functionality plugin <= 4.2.6 - Cross Site Scripting (XSS) vulnerability
WordPress Houzez Theme - Functionality plugin <= 4.2.6 - Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Houzez Theme - Functionality versions <= 4.2.6...
WordPress Cargus plugin <= 1.5.8 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by Legion Hunter in WordPress Plugin Cargus versions <= 1.5.8...
WordPress Wpresidence Core plugin <= 5.4.0 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Ananda Dhakal Patchstack in WordPress Plugin Wpresidence Core versions <= 5.4.0...
WordPress Premium Addons for Elementor plugin <= 4.11.63 - Settings Change vulnerability
Settings Change vulnerability discovered by Phat RiO in WordPress Plugin Premium Addons for Elementor versions <= 4.11.63...
WordPress Spectra plugin <= 2.19.17 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Bao - BlueRock in WordPress Plugin Spectra versions <= 2.19.17...
WordPress PAYGENT for WooCommerce plugin <= 2.4.6 - Missing Authorization to Unauthenticated Payment Callback Manipulation vulnerability
Missing Authorization to Unauthenticated Payment Callback Manipulation vulnerability discovered by WordFence in WordPress Plugin PAYGENT for WooCommerce versions <= 2.4.6...
WordPress Integrate Dynamics 365 CRM plugin <= 1.1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Field Mapping Configuration vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via Field Mapping Configuration vulnerability discovered by Teerachai Somprasong in WordPress Plugin Integrate Dynamics 365 CRM versions <= 1.1.1...
WordPress Advanced Ads - Ad Manager & AdSense plugin <= 2.0.15 - Authenticated (Admin+) SQL Injection vulnerability
WordPress Advanced Ads - Ad Manager & AdSense plugin <= 2.0.15 - Authenticated (Admin+) SQL Injection vulnerability discovered by Supakiad S. m3ez - E-CQURITY Thailand in WordPress Plugin Advanced Ads versions <= 2.0.15...
WordPress Spin Wheel plugin <= 2.1.0 - Unauthenticated Client-Side Prize Manipulation via 'prize_index' Parameter vulnerability
Unauthenticated Client-Side Prize Manipulation via 'prize_index' Parameter vulnerability discovered by jsonc in WordPress Plugin Spin Wheel versions <= 2.1.0...
WordPress CM E-Mail Blacklist plugin <= 1.6.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'black_email' Parameter vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via 'black_email' Parameter vulnerability discovered by Phap Nguyen Anh - FIS in WordPress Plugin CM Email Registration Blacklist and Whitelist versions <= 1.6.2...
WordPress Team Section Block plugin <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Social Network Link vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Social Network Link vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Team Section Block versions <= 2.0.0...
WordPress Phrase TMS Integration for WordPress plugin <= 4.7.5 - Missing Authorization to Authenticated (Subscriber+) Log Deletion vulnerability
Missing Authorization to Authenticated (Subscriber+) Log Deletion vulnerability discovered by Legion Hunter in WordPress Plugin Phrase TMS Integration for WordPress versions <= 4.7.5...
WordPress Community Events plugin <= 1.5.6 - Missing Authorization to Unauthenticated Arbitrary Event Approval via 'eventlist' Parameter vulnerability
Missing Authorization to Unauthenticated Arbitrary Event Approval via 'eventlist' Parameter vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin Community Events versions <= 1.5.6...
WordPress User Registration Using Contact Form 7 plugin <= 2.5 - Authenticated (Subscriber+) Information Exposure vulnerability
Authenticated (Subscriber+) Information Exposure vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin User Registration Using Contact Form 7 versions <= 2.5...
WordPress Church Admin plugin <= 5.0.28 - Authenticated (Administrator+) Blind Server-Side Request Forgery via 'audio_url' Parameter vulnerability
Authenticated (Administrator+) Blind Server-Side Request Forgery via 'audio_url' Parameter vulnerability discovered by Phap Nguyen Anh - FIS in WordPress Plugin Church Admin versions <= 5.0.28...
WordPress RepairBuddy plugin <= 4.1116 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Signature Upload to Orders vulnerability
Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Signature Upload to Orders vulnerability discovered by Teerachai Somprasong in WordPress Plugin RepairBuddy versions <= 4.1116...
WordPress Filr - Secure document library plugin <= 1.2.11 - Authenticated (Administrator+) Stored Cross-Site Scripting via HTML Upload vulnerability
WordPress Filr - Secure document library plugin <= 1.2.11 - Authenticated (Administrator+) Stored Cross-Site Scripting via HTML Upload vulnerability discovered by Phap Nguyen Anh - FIS in WordPress Plugin Filr versions <= 1.2.11...
WordPress Modular DS plugin <= 2.5.2 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by Dave Jong Patchstack in WordPress Plugin Modular DS versions 2.5.2...
WordPress Frontend File Manager plugin <= 23.5 - Insecure Direct Object References (IDOR) vulnerability
Insecure Direct Object References (IDOR) vulnerability discovered by Mdr in WordPress Plugin Frontend File Manager versions <= 23.5...
WordPress CM Business Directory plugin <= 1.5.3 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Arif Shaikh in WordPress Plugin CM Business Directory versions <= 1.5.3...
WordPress Element Pack Elementor Addons plugin <= 8.3.13 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by Arif Shaikh in WordPress Plugin Element Pack Elementor Addons versions <= 8.3.13...
WordPress Peach Payments Gateway plugin <= 3.3.6 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Peach Payments Gateway versions <= 3.3.6...
WordPress The Aisle theme < 2.9.1 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme The Aisle versions < 2.9.1...
WordPress Powerlift theme < 3.2.1 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Powerlift versions < 3.2.1...
WordPress bidorbuy Store Integrator plugin <= 2.12.0 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Skalucy in WordPress Plugin bidorbuy Store Integrator versions <= 2.12.0...
WordPress WP Mail plugin <= 1.3 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Skalucy in WordPress Plugin WP Mail versions <= 1.3...
WordPress Dooodl plugin <= 2.3.0 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Skalucy in WordPress Plugin Dooodl versions <= 2.3.0...
WordPress Syntax Highlighter Compress plugin <= 3.0.83.3 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by 0xVenus in WordPress Plugin Syntax Highlighter Compress versions <= 3.0.83.3...
WordPress Quote Master plugin <= 7.1.1 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by 0xVenus in WordPress Plugin Quote Master versions <= 7.1.1...
WordPress Antideo Email Validator plugin <= 1.0.10 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Jarno Vos jrn5151 in WordPress Plugin Antideo Email Validator versions <= 1.0.10...