46031 matches found
WordPress Slideshow Gallery LITE plugin <= 1.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Slideshow Gallery versions <= 1.8.5...
WordPress Fancy Testimonials plugin <= 1.0 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability
Authenticated Author+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Fancy Testimonials versions <= 1.0...
WordPress Appointment Booking Calendar plugin <= 1.4.01 - Authenticated (Contributor+) Sensitive Information Exposure vulnerability
Authenticated Contributor+ Sensitive Information Exposure vulnerability discovered by ? in WordPress Plugin Appointment Booking Calendar versions <= 1.4.01...
WordPress PowerPress Podcasting plugin by Blubrry plugin <= 11.16.8 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability
Authenticated Author+ Stored Cross-Site Scripting vulnerability discovered by Mukhlis Amien in WordPress Plugin PowerPress Podcasting versions <= 11.16.8...
WordPress UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin <= 1.2.63 - Insecure Direct Object Reference to Authenticated (Editor+) Arbitrary User Avatar/Banner Reset vulnerability
Insecure Direct Object Reference to Authenticated Editor+ Arbitrary User Avatar/Banner Reset vulnerability discovered by Pasindu Dilshan K4PXD - HACK KAP PVT LTD in WordPress Plugin UsersWP versions <= 1.2.63...
WordPress SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager plugin <= 4.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by ? in WordPress Plugin Customize My Account for WooCommerce versions <= 4.3.6...
WordPress Tutor LMS – eLearning and online course solution plugin <= 3.9.11 - Authenticated (Administrator+) SQL Injection vulnerability
Authenticated Administrator+ SQL Injection vulnerability discovered by s1kr10s - Nayrox in WordPress Plugin Tutor LMS versions <= 3.9.11...
WordPress Simple Membership plugin <= 4.7.5 - Missing Authorization to Unauthenticated Arbitrary Member Account Deactivation vulnerability
Missing Authorization to Unauthenticated Arbitrary Member Account Deactivation vulnerability discovered by Nikita Fenko - self in WordPress Plugin Simple Membership versions <= 4.7.5...
WordPress Services Section Block – Showcase Service Details in Grid or Columns plugin <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Philipp Doblhofer - codeaware GmbH in WordPress Plugin Services Section block versions <= 1.4.4...
WordPress PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin plugin <= 2.3.0 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Modification vulnerability
Insecure Direct Object Reference to Authenticated Custom+ Arbitrary Modification vulnerability discovered by Truong Tran in WordPress Plugin PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin versions <= 2.3.0...
WordPress Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin <= 3.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Authenticated Administrator+ Stored Cross-Site Scripting vulnerability discovered by Meher Sudhakar Abbireddi in WordPress Plugin Orbit Fox by ThemeIsle versions <= 3.0.6...
WordPress Advanced Order Export For WooCommerce plugin <= 4.0.10 - Authenticated (Shop Manager+) SQL Injection vulnerability
Authenticated Shop Manager+ SQL Injection vulnerability discovered by Yaswanth Reddy Sunkara in WordPress Plugin Advanced Order Export For WooCommerce versions <= 4.0.10...
WordPress Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin <= 3.7.5 - Authenticated (Contributor+) Sensitive Information Exposure vulnerability
Authenticated Contributor+ Sensitive Information Exposure vulnerability discovered by se1en in WordPress Plugin Gutenberg Blocks by Kadence Blocks versions <= 3.7.5...
WordPress Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin <= 1.15.43 - Authenticated (Administrator+) SQL Injection vulnerability
Authenticated Administrator+ SQL Injection vulnerability discovered by Muhammad Arsalan Diponegoro tripoloski in WordPress Plugin Form Maker by 10Web versions <= 1.15.43...
WordPress Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin <= 1.15.43 - Authenticated (Administrator+) SQL Injection vulnerability
Authenticated Administrator+ SQL Injection vulnerability discovered by Muhammad Arsalan Diponegoro tripoloski in WordPress Plugin Form Maker by 10Web versions <= 1.15.43...
WordPress Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets plugin <= 1.3.13.1 - Missing Authorization to Unauthenticated Sensitive Information Exposure vulnerability
Missing Authorization to Unauthenticated Sensitive Information Exposure vulnerability discovered by Umut Can Yurdayardım in WordPress Plugin Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets versions <= 1.3.13.1...
WordPress Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin <= 1.42.1 - Missing Authorization to Authenticated (Author+) Arbitrary Accessibility Issue Modification vulnerability
Missing Authorization to Authenticated Author+ Arbitrary Accessibility Issue Modification vulnerability discovered by g0wthr in WordPress Plugin Accessibility Checker by Equalize Digital versions <= 1.42.1...
WordPress E2Pdf – Export Pdf Tool for WordPress plugin <= 1.32.26 - Missing Authorization to Authenticated (Custom+) Arbitrary Option Update / Privilege Escalation vulnerability
Missing Authorization to Authenticated Custom+ Arbitrary Option Update / Privilege Escalation vulnerability discovered by endy in WordPress Plugin e2pdf versions <= 1.32.26...
WordPress Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin <= 5.0.3 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Order Modification vulnerability
Insecure Direct Object Reference to Authenticated Custom+ Arbitrary Order Modification vulnerability discovered by Kirasec in WordPress Plugin Dokan versions <= 5.0.3...
WordPress Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin <= 4.2.6 - Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery vulnerability discovered by Alexandru Bucur in WordPress Plugin Optimole versions <= 4.2.6...
WordPress FireBox Popups – Increase Sales and Grow Your Email List plugin <= 3.1.7 - Unauthenticated Sensitive Information Exposure in 'form_id' Parameter vulnerability
Unauthenticated Sensitive Information Exposure in 'form_id' Parameter vulnerability discovered by Duc Manh in WordPress Plugin FireBox versions <= 3.1.7...
WordPress Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred plugin <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Romain Deperne ang3L in WordPress Plugin myCred versions <= 3.1...
WordPress Permalink Manager Lite plugin <= 2.5.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Ahmad Marzouk in WordPress Plugin Permalink Manager Lite versions <= 2.5.3.3...
WordPress WooCommerce Stripe Payment Gateway plugin <= 10.7.0 - Missing Authorization to Unauthenticated Order Status Manipulation vulnerability
Missing Authorization to Unauthenticated Order Status Manipulation vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin WooCommerce Stripe Payment Gateway versions <= 10.7.0...
WordPress Secure Client Portal and Private File Sharing Plugin – User Private Files plugin <= 2.1.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability
Authenticated Subscriber+ Stored Cross-Site Scripting vulnerability discovered by pham quang huy Zibanana in WordPress Plugin User Private Files versions <= 2.1.6...
WordPress WP Review Slider Pro plugin <= 12.6.8 - Authenticated (Subscriber+) SQL Injection vulnerability
Authenticated Subscriber+ SQL Injection vulnerability discovered by h0xilo in WordPress Plugin WP Review Slider Pro versions <= 12.6.8...
WordPress WP Review Slider Pro plugin <= 12.6.8 - Authenticated (Subscriber+) SQL Injection vulnerability
Authenticated Subscriber+ SQL Injection vulnerability discovered by h0xilo in WordPress Plugin WP Review Slider Pro versions <= 12.6.8...
WordPress WP Review Slider Pro plugin <= 12.6.8 - Authenticated (Subscriber+) Arbitrary File Deletion vulnerability
Authenticated Subscriber+ Arbitrary File Deletion vulnerability discovered by h0xilo in WordPress Plugin WP Review Slider Pro versions <= 12.6.8...
WordPress Premmerce Dev Tools plugin <= 2.0 - Missing Authorization to Authenticated (Subscriber+) Remote Code Execution vulnerability
Missing Authorization to Authenticated Subscriber+ Remote Code Execution vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin Premmerce Dev Tools versions <= 2.0...
WordPress Counter Box – Add Countdowns, Timers & Dynamic Counters to WordPress plugin <= 2.0.13 - Authenticated (Administrator+) PHP Object Injection vulnerability
Authenticated Administrator+ PHP Object Injection vulnerability discovered by Duc Long in WordPress Plugin Counter Box versions <= 2.0.13...
WordPress RTMKit plugin <= 2.0.7 - Authenticated (Contributor+) Missing Authorization to Arbitrary Form Submission Access vulnerability
Authenticated Contributor+ Missing Authorization to Arbitrary Form Submission Access vulnerability discovered by wesley wcraft in WordPress Plugin RTMKit versions <= 2.0.7...
WordPress Static Block plugin <= 2.2 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure vulnerability
Insecure Direct Object Reference to Authenticated Contributor+ Sensitive Information Disclosure vulnerability discovered by dyingman in WordPress Plugin Static Block versions <= 2.2...
WordPress Abandoned Contact Form 7 plugin <= 2.2 - Missing Authorization to Unauthenticated Arbitrary Post Deletion vulnerability
Missing Authorization to Unauthenticated Arbitrary Post Deletion vulnerability discovered by g0wthr in WordPress Plugin Abandoned Contact Form 7 versions <= 2.2...
WordPress Video Conferencing with Zoom plugin <= 4.6.7 - Missing Authorization to Unauthenticated Zoom SDK Credential Exposure vulnerability
Missing Authorization to Unauthenticated Zoom SDK Credential Exposure vulnerability discovered by aetta in WordPress Plugin Video Conferencing with Zoom versions <= 4.6.7...
WordPress Pods plugin <= 3.3.8 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by Bonds in WordPress Plugin Pods versions <= 3.3.8...
WordPress Media Library Assistant plugin <= 3.35 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting XSS vulnerability discovered by Bonds in WordPress Plugin Media Library Assistant versions <= 3.35...
WordPress JetEngine plugin <= 3.8.10.1 - SQL Injection vulnerability
SQL Injection vulnerability discovered by VanTastic in WordPress Plugin JetEngine versions <= 3.8.10.1...
WordPress Envira Photo Gallery plugin <= 1.12.5 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Tiago Ventura @perses in WordPress Plugin Envira Photo Gallery versions <= 1.12.5...
WordPress GetGenie plugin <= 4.4.1 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by hhhai in WordPress Plugin GetGenie versions <= 4.4.1...
WordPress GEO my WordPress plugin <= 4.5.5 - SQL Injection vulnerability
SQL Injection vulnerability discovered by alvarodh5 in WordPress Plugin GEO my WordPress versions <= 4.5.5...
WordPress SEO Plugin by Squirrly SEO plugin <= 12.4.16 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin SEO Plugin by Squirrly SEO versions <= 12.4.16...
WordPress WooCommerce POS plugin <= 1.8.14 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin WooCommerce POS versions <= 1.8.14...
WordPress Attendance Manager plugin <= 0.6.2 - SQL Injection vulnerability
SQL Injection vulnerability discovered by daroo in WordPress Plugin Attendance Manager versions <= 0.6.2...
WordPress Elite Elementor Addons and Widgets plugin <= 1.2.2 - Other vulnerability Type vulnerability
Other vulnerability Type vulnerability discovered by mcdruid in WordPress Plugin Elite Elementor Addons and Widgets versions <= 1.2.2...
WordPress WP Event Solution plugin <= 4.1.12 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by l3m3s in WordPress Plugin WP Event Solution versions <= 4.1.12...
WordPress Arabesque theme <= 1.6 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds in WordPress Theme Arabesque versions <= 1.6...
WordPress ShiftUp theme <= 1.2.1 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds in WordPress Theme ShiftUp versions <= 1.2.1...
WordPress Avada theme <= 3.15.3 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by daroo in WordPress Theme Avada versions <= 3.15.3...
WordPress Fusion Builder plugin <= 3.15.4 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by daroo in WordPress Plugin Fusion Builder versions <= 3.15.4...
WordPress WorkScout-Core plugin <= 1.7.11 - Arbitrary File Deletion vulnerability
Arbitrary File Deletion vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin WorkScout-Core versions <= 1.7.11...