45926 matches found
WordPress SlimStat Analytics plugin <= 5.3.3 - Unauthenticated Stored Cross-Site Scripting via 'fh' Parameter vulnerability
Unauthenticated Stored Cross-Site Scripting via 'fh' Parameter vulnerability discovered by Supakiad S. m3ez - E-CQURITY Thailand in WordPress Plugin Slimstat Analytics versions <= 5.3.3...
WordPress SlimStat Analytics plugin <= 5.3.4 - Unauthenticated Stored Cross-Site Scripting via 'notes/resource' Parameters vulnerability
Unauthenticated Stored Cross-Site Scripting via 'notes/resource' Parameters vulnerability discovered by Supakiad S. m3ez - E-CQURITY Thailand in WordPress Plugin Slimstat Analytics versions <= 5.3.4...
WordPress Brevo for WooCommerce plugin <= 4.0.49 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by shark3y in WordPress Plugin Sendinblue for WooCommerce versions <= 4.0.49...
WordPress Frontend Admin by DynamiApps plugin <= 3.28.25 - Unauthenticated Privilege Escalation to Administrator via Role Form Field vulnerability
Unauthenticated Privilege Escalation to Administrator via Role Form Field vulnerability discovered by andrea bocchetti in WordPress Plugin Frontend Admin by DynamiApps versions <= 3.28.25...
WordPress Frontend Admin by DynamiApps plugin <= 3.28.25 - Missing Authorization to Unauthenticated Arbitrary Data Deletion via 'delete post' Form Element vulnerability
Missing Authorization to Unauthenticated Arbitrary Data Deletion via 'delete post' Form Element vulnerability discovered by andrea bocchetti in WordPress Plugin Frontend Admin by DynamiApps versions <= 3.28.25...
WordPress Proxy & VPN Blocker plugin <= 3.5.3 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Proxy & VPN Blocker versions <= 3.5.3...
WordPress The Events Calendar plugin <= 6.15.12.2 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin The Events Calendar versions <= 6.15.12.2...
WordPress WoodMart theme <= 8.3.7 - Arbitrary Shortcode Execution vulnerability
Arbitrary Shortcode Execution vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme WoodMart versions <= 8.3.7...
WordPress Client Testimonial Slider plugin <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'aft_testimonial_meta_name' Metabox Field vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'aft_testimonial_meta_name' Metabox Field vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Client Testimonial Slider versions <= 2.0...
WordPress Contact Form vCard Generator plugin <= 2.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'wp-gvc-cf-download-id' Parameter vulnerability
Missing Authorization to Unauthenticated Sensitive Information Exposure via 'wp-gvc-cf-download-id' Parameter vulnerability discovered by Sopon Tangpathum SoNaJaa - freelance in WordPress Plugin Contact Form vCard Generator versions <= 2.4...
WordPress Debt.com Business in a Box plugin <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by theviper17y in WordPress Plugin Debt.com Business in a Box versions <= 4.1.0...
WordPress Entry Views plugin <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Entry Views versions <= 1.0.0...
WordPress Menu Card plugin <= 0.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by theviper17y in WordPress Plugin Menu Card versions <= 0.8.0...
WordPress Curved Text plugin <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin Curved Text versions <= 0.1...
WordPress Header and Footer Scripts plugin <= 2.3.0 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Powpy in WordPress Plugin Header and Footer Scripts versions <= 2.3.0...
WordPress The Tooltip plugin <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin The Tooltip versions <= 1.0.2...
WordPress WP Popup Magic plugin <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Shortcode Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin WP Popup Magic versions <= 1.0.0...
WordPress Nearby Now Reviews plugin <= 5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Gilang - DJ in WordPress Plugin Nearby Now Reviews versions <= 5.2...
WordPress AMP for WP plugin <= 1.1.10 - Authenticated Stored Cross-Site Scripting via SVG File Upload vulnerability
Authenticated Stored Cross-Site Scripting via SVG File Upload vulnerability discovered by andrea bocchetti in WordPress Plugin AMP for WP versions <= 1.1.10...
WordPress Booking Calendar plugin <= 10.14.10 - Unauthenticated Sensitive Information Exposure vulnerability
Unauthenticated Sensitive Information Exposure vulnerability discovered by Filippo Decortes - Bitcube Security in WordPress Plugin Booking Calendar versions <= 10.14.10...
WordPress Tutor LMS - eLearning and online course solution plugin <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Coupon Modification vulnerability
WordPress Tutor LMS - eLearning and online course solution plugin <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Coupon Modification vulnerability discovered by Supakiad S. m3ez - E-CQURITY Thailand in WordPress Plugin Tutor LMS versions <= 3.9.3...
WordPress WP Table Builder plugin <= 2.0.19 - Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Table Creation vulnerability
Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Table Creation vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin WP Table Builder versions <= 2.0.19...
WordPress Tutor LMS - eLearning and online course solution plugin <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Course Enrollment Bypass vulnerability
WordPress Tutor LMS - eLearning and online course solution plugin <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Course Enrollment Bypass vulnerability discovered by Supakiad S. m3ez - E-CQURITY Thailand in WordPress Plugin Tutor LMS versions <= 3.9.3...
WordPress WP Google Street View (with 360° virtual tour) & Google maps + Local SEO plugin <= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpgsv_map' Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpgsv_map' Shortcode vulnerability discovered by Paolo Tresso - Wordfence in WordPress Plugin WP Google Street View versions <= 1.1.8...
WordPress BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce plugin <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
WordPress BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce plugin <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Bulk Auto Image Alt Text Alt tag, Alt attribute optimization image...
WordPress BetterDocs plugin <= 4.3.3 - Authenticated (Contributor+) Sensitive Information Exposure vulnerability
Authenticated (Contributor+) Sensitive Information Exposure vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin BetterDocs versions <= 4.3.3...
WordPress IndieWeb plugin <= 4.0.5 - Authenticated (Author+) Stored Cross-Site Scripting via 'Telephone' Parameter vulnerability
Authenticated (Author+) Stored Cross-Site Scripting via 'Telephone' Parameter vulnerability discovered by Tharadol Suksamran in WordPress Plugin IndieWeb versions <= 4.0.5...
WordPress Forminator Forms plugin <= 1.49.1 - Missing Authorization to Authenticated (Forminator User+) CSV Export vulnerability
Missing Authorization to Authenticated (Forminator User+) CSV Export vulnerability discovered by type5afe in WordPress Plugin Forminator versions <= 1.49.1...
WordPress Post Expirator plugin <= 4.9.3 - Missing Authorization to Authenticated (Contributor+) Workflow Manipulation vulnerability
Missing Authorization to Authenticated (Contributor+) Workflow Manipulation vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Post Expirator versions <= 4.9.3...
WordPress Clearfy plugin <= 2.4.0 - Cross-Site Request Forgery to Update Notification Tampering vulnerability
Cross-Site Request Forgery to Update Notification Tampering vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Clearfy Cache versions <= 2.4.0...
WordPress weDocs plugin <= 2.1.15 - Unauthenticated Sensitive Information Exposure vulnerability
Unauthenticated Sensitive Information Exposure vulnerability discovered by DityaRA in WordPress Plugin weDocs versions <= 2.1.15...
WordPress Japanized for WooCommerce plugin <= 2.7.17 - Missing Authorization to Unauthenticated Order Status Modification vulnerability
Missing Authorization to Unauthenticated Order Status Modification vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Japanized For WooCommerce versions <= 2.7.17...
WordPress tagDiv Composer plugin <= 5.4.2 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin tagDiv Composer versions <= 5.4.2...
WordPress BA Book Everything plugin <= 1.8.16 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin BA Book Everything versions <= 1.8.16...
WordPress User Registration plugin <= 4.4.9 - Arbitrary Shortcode Execution vulnerability
Arbitrary Shortcode Execution vulnerability discovered by Kishan Vyas in WordPress Plugin User Registration versions <= 4.4.9...
WordPress GiveWP plugin <= 4.13.1 - Arbitrary Shortcode Execution vulnerability
Arbitrary Shortcode Execution vulnerability discovered by Kishan Vyas in WordPress Plugin GiveWP versions <= 4.13.1...
WordPress Zorka theme <= 1.5.7 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Zorka versions <= 1.5.7...
WordPress WP Quick Post Duplicator plugin <= 2.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin WP Quick Post Duplicator versions <= 2.1...
WordPress NextGEN Download Gallery plugin <= 1.6.2 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by Nabil Irawan in WordPress Plugin NextGEN Download Gallery versions <= 1.6.2...
WordPress Kenta Companion plugin <= 1.3.3 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by Nabil Irawan in WordPress Plugin Kenta Companion versions <= 1.3.3...
WordPress Campaign Monitor for WordPress plugin <= 2.9.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin Campaign Monitor for WordPress versions <= 2.9.0...
WordPress WP Lead Capturing Pages plugin <= 2.5 - SQL Injection vulnerability
SQL Injection vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin WP Lead Capturing Pages versions <= 2.5...
WordPress Super Interactive Maps plugin <= 2.3 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Super Interactive Maps versions <= 2.3...
WordPress Magic Responsive Slider and Carousel WordPress plugin <= 1.6 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Magic Responsive Slider and Carousel WordPress versions <= 1.6...
WordPress Magic Slider plugin <= 2.2 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Magic Slider versions <= 2.2...
WordPress Image&Video FullScreen Background plugin <= 1.6.7 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Image&Video FullScreen Background versions <= 1.6.7...
WordPress Anarkali theme <= 1.0.9 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Anarkali versions <= 1.0.9...
WordPress Depot theme <= 1.16 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Depot versions <= 1.16...
WordPress Amuli theme <= 2.3.0 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Amuli versions <= 2.3.0...
WordPress Athens theme <= 1.1.6 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Athens versions <= 1.1.6...