WordPress WPMasterToolKit plugin <= 2.14.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin WPMasterToolKit versions <= 2.14.0...
WordPress NotificationX plugin <= 3.2.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by PPzzAArr in WordPress Plugin NotificationX versions <= 3.2.1...
WordPress NextMove Lite plugin <= 2.23.0 - Insecure Direct Object References (IDOR) vulnerability
Insecure Direct Object References (IDOR) vulnerability discovered by PPzzAArr in WordPress Plugin NextMove Lite versions <= 2.23.0...
WordPress Drag and Drop Multiple File Upload for Contact Form 7 plugin <= 1.3.9.2 - Missing Authorization to Unauthenticated File Deletion vulnerability
Missing Authorization to Unauthenticated File Deletion vulnerability discovered by shark3y in WordPress Plugin Drag and Drop Multiple File Upload – Contact Form 7 versions <= 1.3.9.2...
WordPress Penci Review plugin <= 3.5 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Penci Review versions <= 3.5...
WordPress Penci Pay Writer plugin <= 1.5 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Penci Pay Writer versions <= 1.5...
WordPress Alma plugin <= 5.16.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan in WordPress Plugin Alma versions <= 5.16.1...
WordPress List Site Contributors plugin <= 1.1.8 - Reflected Cross-Site Scripting via alpha vulnerability
Reflected Cross-Site Scripting via alpha vulnerability discovered by 0x34rth in WordPress Plugin List Site Contributors versions <= 1.1.8...
WordPress AJS Footnotes plugin <= 1.0 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by 0x34rth in WordPress Plugin AJS Footnotes versions <= 1.0...
WordPress Name Directory plugin <= 1.30.3 - Unauthenticated Stored Cross-Site Scripting via Multiple Parameters vulnerability
Unauthenticated Stored Cross-Site Scripting via Multiple Parameters vulnerability discovered by zer0gh0st in WordPress Plugin Name Directory versions <= 1.30.3...
WordPress GeekyBot plugin <= 1.1.8 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by zer0gh0st in WordPress Plugin GeekyBot versions <= 1.1.8...
WordPress Gotham Block Extra Light plugin <= 1.5.0 - Authenticated (Contributor+) Arbitrary File Read via 'ghostban' Shortcode vulnerability
Authenticated (Contributor+) Arbitrary File Read via 'ghostban' Shortcode vulnerability discovered by 0x34rth in WordPress Plugin Gotham Block Extra Light versions <= 1.5.0...
WordPress Shipping Rate By Cities plugin <= 2.0.0 - Unauthenticated SQL Injection via 'city' Parameter vulnerability
Unauthenticated SQL Injection via 'city' Parameter vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Shipping Rate By Cities versions <= 2.0.0...
WordPress News and Blog Designer Bundle plugin <= 1.1 - Unauthenticated Local File Inclusion vulnerability
Unauthenticated Local File Inclusion vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin News and Blog Designer Bundle versions <= 1.1...
WordPress Dreamer Blog theme <= 1.2 - Subscriber+ Arbitrary Plugin Installation vulnerability
Subscriber+ Arbitrary Plugin Installation vulnerability discovered by Khaled Alenazi Nxploited in WordPress Theme Dreamer Blog versions <= 1.2...
WordPress Integration Opvius AI for WooCommerce plugin <= 1.3.0 - Unauthenticated Arbitrary File Deletion/Read via Path Traversal vulnerability
Unauthenticated Arbitrary File Deletion/Read via Path Traversal vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Integration Opvius AI for WooCommerce versions <= 1.3.0...
WordPress Raptive Ads plugin <= 3.10.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Raptive Ads versions <= 3.10.0...
WordPress Universal Google Adsense and Ads manager plugin <= 1.1.8 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Universal Google Adsense and Ads manager versions <= 1.1.8...
WordPress Modular DS plugin <= 2.5.1 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by Teemu Saarentaus in WordPress Plugin Modular DS versions <= 2.5.1...
WordPress Simple GDPR Cookie Compliance plugin <= 2.0.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Simple GDPR Cookie Compliance versions <= 2.0.0...
WordPress X Addons for Elementor plugin <= 1.0.23 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Abu Hurayra in WordPress Plugin X Addons for Elementor versions <= 1.0.23...
WordPress DASHBOARD BUILDER plugin <= 1.5.7 - Cross-Site Request Forgery to SQL Injection vulnerability
Cross-Site Request Forgery to SQL Injection vulnerability discovered by omer yeshayahu in WordPress Plugin DASHBOARD BUILDER versions <= 1.5.7...
WordPress WMF Mobile Redirector plugin <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings Parameters vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via Settings Parameters vulnerability discovered by 0x34rth in WordPress Plugin WMF Mobile Redirector versions <= 1.2...
WordPress Short Link plugin <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Administration Settings Page vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via Administration Settings Page vulnerability discovered by 0x34rth in WordPress Plugin Short Link versions <= 1.0...
WordPress Aplazo Payment Gateway plugin <= 1.4.2 - Missing Authorization to Unauthenticated Order Status Manipulation vulnerability
Missing Authorization to Unauthenticated Order Status Manipulation vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Aplazo Payment Gateway versions <= 1.4.2...
WordPress PayHere Payment Gateway plugin for WooCommerce plugin <= 2.3.9 - Missing Authorization to Unauthenticated Order Status Modification vulnerability
Missing Authorization to Unauthenticated Order Status Modification vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin PayHere Payment Gateway Plugin for WooCommerce versions <= 2.3.9...
WordPress Float Payment Gateway plugin <= 1.1.9 - Improper Authorization to Unauthenticated Order Status Manipulation vulnerability
Improper Authorization to Unauthenticated Order Status Manipulation vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Float Payment Gateway versions <= 1.1.9...
WordPress WP Allowed Hosts plugin <= 1.0.8 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'allowed-hosts' Parameter vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via 'allowed-hosts' Parameter vulnerability discovered by 0x34rth in WordPress Plugin WP Allowed Hosts versions <= 1.0.8...
WordPress LinkedIn SC plugin <= 1.1.9 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings Page vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via Settings Page vulnerability discovered by 0x34rth in WordPress Plugin LinkedIn SC versions <= 1.1.9...
WordPress Stopwords for comments plugin <= 1.1 - Missing Authorization to Cross-Site Request Forgery vulnerability
Missing Authorization to Cross-Site Request Forgery vulnerability discovered by dayea song - Ahnlab in WordPress Plugin Stopwords for comments versions <= 1.1...
WordPress SocialChamp with WordPress plugin <= 1.3.3 - Cross-Site Request Forgery to Plugin Settings Update vulnerability
Cross-Site Request Forgery to Plugin Settings Update vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin SocialChamp with WordPress versions <= 1.3.3...
WordPress Electric Studio Download Counter plugin <= 2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings Parameters vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via Settings Parameters vulnerability discovered by 0x34rth in WordPress Plugin Electric Studio Download Counter versions <= 2.4...
WordPress Perfit WooCommerce plugin <= 1.0.1 - Missing Authorization to Unauthenticated Arbitrary Plugin Settings Deletion vulnerability
Missing Authorization to Unauthenticated Arbitrary Plugin Settings Deletion vulnerability discovered by Legion Hunter in WordPress Plugin Perfit WooCommerce versions <= 1.0.1...
WordPress Sosh Share Buttons plugin <= 1.1.0 - Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery vulnerability discovered by dayea song - Ahnlab in WordPress Plugin Sosh Share Buttons versions <= 1.1.0...
WordPress GetContentFromURL plugin <= 1.0 - Authenticated (Contributor+) Server-Side Request Forgery via 'url' Shortcode Attribute vulnerability
Authenticated (Contributor+) Server-Side Request Forgery via 'url' Shortcode Attribute vulnerability discovered by Ivan Cese in WordPress Plugin GetContentFromURL versions <= 1.0...
WordPress Gotham Block Extra Light plugin <= 1.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin Settings vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via plugin Settings vulnerability discovered by 0x34rth in WordPress Plugin Gotham Block Extra Light versions <= 1.5.0...
WordPress Netcash WooCommerce Payment Gateway plugin <= 4.1.3 - Missing Authorization to Unauthenticated Order Status Modification vulnerability
Missing Authorization to Unauthenticated Order Status Modification vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Netcash WooCommerce Payment Gateway versions <= 4.1.3...
WordPress WPBlogSyn plugin <= 1.0 - Cross-Site Request Forgery to Arbitrary Remote Sync Configuration Update vulnerability
Cross-Site Request Forgery to Arbitrary Remote Sync Configuration Update vulnerability discovered by dayea song - Ahnlab in WordPress Plugin WPBlogSyn versions <= 1.0...
WordPress Shipping Rates by City for WooCommerce plugin <= 1.0.3 - Authenticated (Shop Manager+) SQL Injection via 'cities' Parameter vulnerability
Authenticated (Shop Manager+) SQL Injection via 'cities' Parameter vulnerability discovered by Nguyen Truong Roll - FPT IS in WordPress Plugin Shipping Rates by City for WooCommerce versions <= 1.0.3...
WordPress SpiceForms Form Builder plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin SpiceForms Form Builder versions <= 1.0...
WordPress Crush.pics Image Optimizer plugin <= 1.8.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update vulnerability
Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update vulnerability discovered by ChamlaVic in WordPress Plugin Crush.pics Image Optimizer versions <= 1.8.7...
WordPress Real Post Slider Lite plugin <= 2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via Settings vulnerability discovered by 0x34rth in WordPress Plugin Real Post Slider Lite versions <= 2.4...
WordPress Makesweat plugin <= 0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'makesweat_clubid' Setting vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via 'makesweat_clubid' Setting vulnerability discovered by ChamlaVic in WordPress Plugin Makesweat versions <= 0.1...
WordPress PDF Resume Parser plugin <= 1.0 - Unauthenticated Sensitive Information Disclosure in SMTP Credentials vulnerability
Unauthenticated Sensitive Information Disclosure in SMTP Credentials vulnerability discovered by Ivan Cese in WordPress Plugin PDF Resume Parser versions <= 1.0...
WordPress Testimonials Creator plugin 1.6 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Authenticated (Admin+) Stored Cross-Site Scripting vulnerability discovered by Jochem Boender in WordPress Plugin Testimonials Creator versions 1.6...
WordPress Responsive Accordion Slider plugin <= 1.2.2 - Missing Authorization to Authenticated (Contributor+) Slider Update via 'resp_accordion_silder_save_images' vulnerability
Missing Authorization to Authenticated (Contributor+) Slider Update via 'resp_accordion_silder_save_images' vulnerability discovered by Kazuma Matsumoto - GMO Cybersecurity by IERAE, Inc. in WordPress Plugin Responsive Accordion Slider versions <= 1.2.2...
WordPress SearchWiz plugin <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title vulnerability discovered by WordFence in WordPress Plugin SearchWiz versions <= 1.0.0...
WordPress Kunze Law plugin <= 2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability discovered by ZAST.AI - ZAST.AI in WordPress Plugin Kunze Law versions <= 2.1...
WordPress CP Image Store with Slideshow plugin <= 1.1.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Product Import vulnerability
Missing Authorization to Authenticated (Contributor+) Arbitrary Product Import vulnerability discovered by Kazuma Matsumoto - GMO Cybersecurity by IERAE, Inc. in WordPress Plugin CP Image Store with Slideshow versions <= 1.1.9...
WordPress WP Duplicate Page plugin <= 1.8 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Duplication vulnerability
Missing Authorization to Authenticated (Contributor+) Arbitrary Post Duplication vulnerability discovered by Sarawut Poolkhet MisterHelloz in WordPress Plugin WP Duplicate Page versions <= 1.8...