WordPress Turn Yoast SEO FAQ Block to Accordion plugin <= 1.0.6 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Nabil Irawan in WordPress Plugin Turn Yoast SEO FAQ Block to Accordion versions = 1.0.6...

WordPress Tickera plugin <= 3.5.6.2 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by daroo in WordPress Plugin Tickera versions = 3.5.6.2...

WordPress Eli's WordCents adSense Widget with Analytics plugin <= 1.3.03.27 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting XSS vulnerability discovered by Skalucy in WordPress Plugin Elis WordCents adSense Widget with Analytics versions = 1.3.03.27...

WordPress onepay Payment Gateway For WooCommerce plugin <= 1.1.2 - Other Vulnerability Type vulnerability

Other Vulnerability Type vulnerability discovered by NumeX in WordPress Plugin onepay Payment Gateway For WooCommerce versions = 1.1.2...

WordPress Element Invader – Template Kits for Elementor plugin <= 1.2.4 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin Element Invader Template Kits for Elementor versions = 1.2.4...

WordPress RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin <= 5.0.10 - Reflected Cross-Site Scripting via className vulnerability

WordPress RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin = 5.0.10 - Reflected Cross-Site Scripting via className vulnerability discovered by Deadbee - NA in WordPress Plugin WP RSS Aggregator versions = 5.0.10...

WordPress Client Portal plugin <= 1.2.1 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin Client Portal versions = 1.2.1...

WordPress Awesome Support - WordPress HelpDesk & Support Plugin plugin <= 6.3.6 - Missing Authorization to Unauthenticated Role Demotion vulnerability

WordPress Awesome Support - WordPress HelpDesk & Support Plugin plugin = 6.3.6 - Missing Authorization to Unauthenticated Role Demotion vulnerability discovered by shark3y in WordPress Plugin Awesome Support versions = 6.3.6...

WordPress Supreme Modules Lite plugin <= 2.5.62 - Authenticated (Author+) Arbitrary File Upload via JSON Upload Bypass vulnerability

Authenticated Author+ Arbitrary File Upload via JSON Upload Bypass vulnerability discovered by mikemyers in WordPress Plugin Supreme Modules Lite versions = 2.5.62...

WordPress AffiliateX plugin 1.0.0-1.3.9.3 - Authenticated (Subscriber+) Missing Authorization to Stored Cross-Site Scripting

Authenticated Subscriber+ Missing Authorization to Stored Cross-Site Scripting vulnerability discovered by kr0d in WordPress Plugin AffiliateX versions 1.0.0-1.3.9.3...

WordPress Membership Plugin - Restrict Content plugin <= 3.2.16 - Missing Authentication to Insecure Direct Object Reference and Sensitive Information Exposure vulnerability

WordPress Membership Plugin - Restrict Content plugin = 3.2.16 - Missing Authentication to Insecure Direct Object Reference and Sensitive Information Exposure vulnerability discovered by andrea bocchetti in WordPress Plugin Restrict Content versions = 3.2.16...

WordPress AWP Classifieds plugin <= 4.4.3 - Sensitive Data Exposure vulnerability

Sensitive Data Exposure vulnerability discovered by Phat RiO in WordPress Plugin AWP Classifieds versions = 4.4.3...

WordPress Cost Calculator Builder plugin <= 3.6.9 - Missing Authorization to Unauthenticated Payment Status Bypass vulnerability

Missing Authorization to Unauthenticated Payment Status Bypass vulnerability discovered by andrea bocchetti in WordPress Plugin Cost Calculator Builder versions = 3.6.9...

WordPress User Submitted Posts plugin <= 20260110 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'usp_access' Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'uspaccess' Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin User Submitted Posts versions = 20260110...

WordPress LEAV Last Email Address Validator plugin <= 1.7.1 - Cross-Site Request Forgery to Plugin Settings Update vulnerability

Cross-Site Request Forgery to Plugin Settings Update vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin LEAV Last Email Address Validator versions = 1.7.1...

WordPress Related Posts by Taxonomy plugin <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'related_posts_by_tax' Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'relatedpostsbytax' Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Related Posts by Taxonomy versions = 2.7.6...

WordPress DK PDF - WordPress PDF Generator plugin <= 2.3.0 - Authenticated (Author+) Server-Side Request Forgery vulnerability

WordPress DK PDF - WordPress PDF Generator plugin = 2.3.0 - Authenticated Author+ Server-Side Request Forgery vulnerability discovered by WordFence in WordPress Plugin DK PDF – WordPress PDF Generator versions = 2.3.0...

WordPress Rede Itaú for WooCommerce - Payment PIX, Credit Card and Debit plugin <= 5.1.2 - Unauthenticated Order Status Manipulation vulnerability

WordPress Rede Itaú for WooCommerce - Payment PIX, Credit Card and Debit plugin = 5.1.2 - Unauthenticated Order Status Manipulation vulnerability discovered by Os in WordPress Plugin Rede Itaú for WooCommerce versions = 5.1.2...

WordPress Rede Itaú for WooCommerce plugin <= 5.1.5 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Os in WordPress Plugin Rede Itaú for WooCommerce versions = 5.1.5...

WordPress All in One SEO - Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin <= 4.9.2 - Missing Authorization to Authenticated (Contributor+) AI Access Token and Credit Disclosure vulnerability

WordPress All in One SEO - Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin = 4.9.2 - Missing Authorization to Authenticated Contributor+ AI Access Token and Credit Disclosure vulnerability discovered by NosleeP++ in WordPress Plugin All In One SEO Pack versions = 4.9.2...

WordPress Booking Calendar plugin <= 10.14.11 - Missing Authorization to Sensitive Information Exposure vulnerability

Missing Authorization to Sensitive Information Exposure vulnerability discovered by shark3y in WordPress Plugin Booking Calendar versions = 10.14.11...

WordPress Shield Security plugin <= 21.0.9 - Authenticated (Subscriber+) Insecure Direct Object Reference to Disable Google Authenticator vulnerability

Authenticated Subscriber+ Insecure Direct Object Reference to Disable Google Authenticator vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Shield Security versions = 21.0.9...

WordPress Kalium plugin <= 3.29 - Missing Authorization to Unauthenticated Mail Relay via kalium_vc_contact_form_request vulnerability

Missing Authorization to Unauthenticated Mail Relay via kaliumvccontactformrequest vulnerability discovered by Ahmed Rayen Ayari in WordPress Theme Kalium versions = 3.29...

WordPress Livemesh Addons for WPBakery Page Builder plugin <= 3.9.4 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by ZadWon in WordPress Plugin Livemesh Addons for WPBakery Page Builder versions = 3.9.4...

WordPress Fusion Builder plugin <= 3.14.1 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Fusion Builder versions = 3.14.1...

WordPress Zoho CRM Lead Magnet plugin <= 1.8.1.9 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin Zoho CRM Lead Magnet versions = 1.8.1.9...

WordPress Related Posts Thumbnails Plugin for WordPress plugin <= 4.3.2 - Cross Site Request Forgery (CSRF) vulnerability

Cross Site Request Forgery CSRF vulnerability discovered by Carlos Ferreira in WordPress Plugin Related Posts Thumbnails Plugin for WordPress versions = 4.3.2...

WordPress WZone plugin <= 14.0.31 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin WZone versions = 14.0.31...

WordPress Event Tickets with Ticket Scanner plugin <= 2.8.5 - Remote Code Execution (RCE) vulnerability

Remote Code Execution RCE vulnerability discovered by daroo in WordPress Plugin Event Tickets with Ticket Scanner versions = 2.8.5...

WordPress LearnPress – Course Review plugin <= 4.1.9 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Arif Shaikh in WordPress Plugin LearnPress Course Review versions = 4.1.9...

WordPress Event Espresso 4 Decaf plugin <= 5.0.37.decaf - Settings Change vulnerability

Settings Change vulnerability discovered by Legion Hunter in WordPress Plugin Event Espresso 4 Decaf versions = 5.0.37.decaf...

WordPress Biagiotti theme < 3.5.2 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Biagiotti versions 3.5.2...

WordPress WDV One Page Docs plugin <= 1.2.4 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Muhammad Nur Ibnu Hubab in WordPress Plugin WDV One Page Docs versions = 1.2.4...

WordPress Shown Connector plugin <= 1.2.10 - Settings Change vulnerability

Settings Change vulnerability discovered by Legion Hunter in WordPress Plugin Shown Connector versions = 1.2.10...

WordPress WP Simple Redirect plugin <= 1.1 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting XSS vulnerability discovered by Skalucy in WordPress Plugin WP Simple Redirect versions = 1.1...

WordPress Synergy Project Manager plugin <= 1.5 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by mcdruid in WordPress Plugin Synergy Project Manager versions = 1.5...

WordPress Infility Global plugin <= 2.14.51 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by mcdruid in WordPress Plugin Infility Global versions = 2.14.51...

WordPress Omnichannel for WooCommerce plugin <= 1.3.65 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by guardimo in WordPress Plugin Omnichannel for WooCommerce versions = 1.3.65...

WordPress WP Test Email plugin <= 1.1.7 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting XSS vulnerability discovered by Ryan Novotny in WordPress Plugin WP Test Email versions = 1.1.7...

WordPress CleverReach® WP plugin <= 1.5.21 - SQL Injection vulnerability

SQL Injection vulnerability discovered by 0xd4rk5id3 in WordPress Plugin CleverReach® WP versions = 1.5.21...

WordPress g-FFL Checkout plugin <= 2.1.0 - Arbitrary File Upload vulnerability

Arbitrary File Upload vulnerability discovered by Denver Jackson in WordPress Plugin g-FFL Checkout versions = 2.1.0...

WordPress WooCommerce Frontend Manager – Ultimate plugin < 6.7.7 - SQL Injection vulnerability

SQL Injection vulnerability discovered by 0xd4rk5id3 in WordPress Plugin WooCommerce Frontend Manager – Ultimate versions 6.7.7...

WordPress Workreap Core plugin <= 3.4.1 - Broken Authentication vulnerability

Broken Authentication vulnerability discovered by NAWardRox in WordPress Plugin Workreap Core versions = 3.4.1...

WordPress North theme <= 5.7.5 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme North versions = 5.7.5...

WordPress North theme <= 5.7.5 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme North versions = 5.7.5...

WordPress Woocommerce Book Price plugin <= 1.3 - Arbitrary File Download vulnerability

Arbitrary File Download vulnerability discovered by 0xd4rk5id3 in WordPress Plugin Woocommerce Book Price versions = 1.3...

WordPress WP-Members Membership plugin plugin <= 3.5.4.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Multiple Checkbox and Multiple Select User Profile Fields vulnerability

Authenticated Subscriber+ Stored Cross-Site Scripting via Multiple Checkbox and Multiple Select User Profile Fields vulnerability discovered by shark3y in WordPress Plugin WP-Members versions = 3.5.4.3...

WordPress Simply Schedule Appointments plugin <= 1.6.9.9 - Unauthenticated SQL Injection via `order` and `append_where_sql` Parameters vulnerability

Unauthenticated SQL Injection via order and appendwheresql Parameters vulnerability discovered by shark3y in WordPress Plugin Simply Schedule Appointments versions = 1.6.9.9...

WordPress Wheel of Life plugin <= 1.2.0 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin Wheel of Life versions = 1.2.0...

WordPress Multilanguage by BestWebSoft plugin <= 1.5.2 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin Multilanguage by BestWebSoft versions = 1.5.2...