WordPress Avada (Fusion) Builder plugin <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value vulnerability
Unauthenticated Arbitrary File Deletion via Form Entry Value vulnerability discovered by daroo in WordPress Plugin Fusion Builder versions <= 3.15.3...
WordPress WP EasyPay plugin <= 4.4.0 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by Sajjad Haqi in WordPress Plugin WP EasyPay versions <= 4.4.0...
WordPress Media Library Assistant plugin <= 3.35 - SQL Injection vulnerability
SQL Injection vulnerability discovered by daroo in WordPress Plugin Media Library Assistant versions <= 3.35...
WordPress Ocean Product Sharing plugin <= 2.2.2 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Ananda Dhakal Patchstack in WordPress Plugin Ocean Product Sharing versions <= 2.2.2...
WordPress CF7 to Webhook plugin <= 5.0.0 - Unauthenticated Server-Side Request Forgery vulnerability
Unauthenticated Server-Side Request Forgery vulnerability discovered by Lucius-log in WordPress Plugin CF7 to Webhook versions <= 5.0.0...
WordPress SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager plugin <= 4.3.6 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by ? in WordPress Plugin Customize My Account for WooCommerce versions <= 4.3.6...
WordPress Offload, AI & Optimize with Cloudflare Images plugin <= 1.10.2 - Authenticated (Author+) Remote Code Execution vulnerability
Authenticated (Author+) Remote Code Execution vulnerability discovered by Yat in WordPress Plugin Offload, AI & Optimize with Cloudflare Images versions <= 1.10.2...
WordPress Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin <= 30.0.2 - Authenticated (Author+) Privilege Escalation vulnerability
Authenticated (Author+) Privilege Escalation vulnerability discovered by ? in WordPress Plugin Contest Gallery versions <= 30.0.2...
WordPress Slideshow Gallery LITE plugin <= 1.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Slideshow Gallery versions <= 1.8.5...
WordPress Fancy Testimonials plugin <= 1.0 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability
Authenticated (Author+) Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Fancy Testimonials versions <= 1.0...
WordPress Appointment Booking Calendar plugin <= 1.4.01 - Authenticated (Contributor+) Sensitive Information Exposure vulnerability
Authenticated (Contributor+) Sensitive Information Exposure vulnerability discovered by ? in WordPress Plugin Appointment Booking Calendar versions <= 1.4.01...
WordPress PowerPress Podcasting plugin by Blubrry plugin <= 11.16.8 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability
Authenticated (Author+) Stored Cross-Site Scripting vulnerability discovered by Mukhlis Amien in WordPress Plugin PowerPress Podcasting versions <= 11.16.8...
WordPress UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin <= 1.2.63 - Insecure Direct Object Reference to Authenticated (Editor+) Arbitrary User Avatar/Banner Reset vulnerability
Insecure Direct Object Reference to Authenticated (Editor+) Arbitrary User Avatar/Banner Reset vulnerability discovered by Pasindu Dilshan K4PXD - HACK KAP PVT LTD in WordPress Plugin UsersWP versions <= 1.2.63...
WordPress SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager plugin <= 4.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by ? in WordPress Plugin Customize My Account for WooCommerce versions <= 4.3.6...
WordPress Tutor LMS – eLearning and online course solution plugin <= 3.9.11 - Authenticated (Administrator+) SQL Injection vulnerability
Authenticated (Administrator+) SQL Injection vulnerability discovered by s1kr10s - Nayrox in WordPress Plugin Tutor LMS versions <= 3.9.11...
WordPress Simple Membership plugin <= 4.7.5 - Missing Authorization to Unauthenticated Arbitrary Member Account Deactivation vulnerability
Missing Authorization to Unauthenticated Arbitrary Member Account Deactivation vulnerability discovered by Nikita Fenko - self in WordPress Plugin Simple Membership versions <= 4.7.5...
WordPress Services Section Block – Showcase Service Details in Grid or Columns plugin <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Philipp Doblhofer - codeaware GmbH in WordPress Plugin Services Section block versions <= 1.4.4...
WordPress PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin plugin <= 2.3.0 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Modification vulnerability
Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Modification vulnerability discovered by Truong Tran in WordPress Plugin PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin versions <= 2.3.0...
WordPress Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin <= 3.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability discovered by Meher Sudhakar Abbireddi in WordPress Plugin Orbit Fox by ThemeIsle versions <= 3.0.6...
WordPress Advanced Order Export For WooCommerce plugin <= 4.0.10 - Authenticated (Shop Manager+) SQL Injection vulnerability
Authenticated (Shop Manager+) SQL Injection vulnerability discovered by Yaswanth Reddy Sunkara in WordPress Plugin Advanced Order Export For WooCommerce versions <= 4.0.10...
WordPress Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin <= 3.7.5 - Authenticated (Contributor+) Sensitive Information Exposure vulnerability
Authenticated (Contributor+) Sensitive Information Exposure vulnerability discovered by se1en in WordPress Plugin Gutenberg Blocks by Kadence Blocks versions <= 3.7.5...
WordPress Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin <= 1.15.43 - Authenticated (Administrator+) SQL Injection vulnerability
Authenticated (Administrator+) SQL Injection vulnerability discovered by Muhammad Arsalan Diponegoro tripoloski in WordPress Plugin Form Maker by 10Web versions <= 1.15.43...
WordPress Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin <= 1.15.43 - Authenticated (Administrator+) SQL Injection vulnerability
Authenticated (Administrator+) SQL Injection vulnerability discovered by Muhammad Arsalan Diponegoro tripoloski in WordPress Plugin Form Maker by 10Web versions <= 1.15.43...
WordPress Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets plugin <= 1.3.13.1 - Missing Authorization to Unauthenticated Sensitive Information Exposure vulnerability
Missing Authorization to Unauthenticated Sensitive Information Exposure vulnerability discovered by Umut Can Yurdayardım in WordPress Plugin Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets versions <= 1.3.13.1...
WordPress Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin <= 1.42.1 - Missing Authorization to Authenticated (Author+) Arbitrary Accessibility Issue Modification vulnerability
Missing Authorization to Authenticated (Author+) Arbitrary Accessibility Issue Modification vulnerability discovered by g0wthr in WordPress Plugin Accessibility Checker by Equalize Digital versions <= 1.42.1...
WordPress E2Pdf – Export Pdf Tool for WordPress plugin <= 1.32.26 - Missing Authorization to Authenticated (Custom+) Arbitrary Option Update / Privilege Escalation vulnerability
Missing Authorization to Authenticated (Custom+) Arbitrary Option Update / Privilege Escalation vulnerability discovered by endy in WordPress Plugin e2pdf versions <= 1.32.26...
WordPress Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin <= 5.0.3 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Order Modification vulnerability
Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Order Modification vulnerability discovered by Kirasec in WordPress Plugin Dokan versions <= 5.0.3...
WordPress Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin <= 4.2.6 - Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery vulnerability discovered by Alexandru Bucur in WordPress Plugin Optimole versions <= 4.2.6...
WordPress FireBox Popups – Increase Sales and Grow Your Email List plugin <= 3.1.7 - Unauthenticated Sensitive Information Exposure in 'form_id' Parameter vulnerability
Unauthenticated Sensitive Information Exposure in 'form_id' Parameter vulnerability discovered by Duc Manh in WordPress Plugin FireBox versions <= 3.1.7...
WordPress Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred plugin <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Romain Deperne ang3L in WordPress Plugin myCred versions <= 3.1...
WordPress Permalink Manager Lite plugin <= 2.5.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Ahmad Marzouk in WordPress Plugin Permalink Manager Lite versions <= 2.5.3.3...
WordPress WP eMember plugin < v10.9.4 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Plugin WP eMember versions < v10.9.4...
WordPress Registration Form for WooCommerce plugin <= 1.0.9 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by ParkHyunWoo in WordPress Plugin Registration Form for WooCommerce versions <= 1.0.9...
WordPress WP Activity Log plugin <= 5.6.3.1 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by daroo in WordPress Plugin WP Activity Log versions <= 5.6.3.1...
WordPress Falang multilanguage plugin <= 1.4.2 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by ParkHyunWoo in WordPress Plugin Falang multilanguage versions <= 1.4.2...
WordPress Melhor Envio plugin <= 2.16.3 - Broken Authentication vulnerability
Broken Authentication vulnerability discovered by HieuPenguinnn in WordPress Plugin Melhor Envio versions <= 2.16.3...
WordPress SMS Alert Order Notifications plugin <= 3.9.3 - Broken Authentication vulnerability
Broken Authentication vulnerability discovered by Jakub Herman in WordPress Plugin SMS Alert Order Notifications versions <= 3.9.3...
WordPress SMS Alert Order Notifications plugin <= 3.9.4 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by Peng Zhou in WordPress Plugin SMS Alert Order Notifications versions <= 3.9.4...
WordPress Fusion Builder plugin <= 3.15.4 - Arbitrary File Deletion vulnerability
Arbitrary File Deletion vulnerability discovered by daroo in WordPress Plugin Fusion Builder versions <= 3.15.4...
WordPress Clean Login plugin <= 1.15 - Insecure Direct Object References (IDOR) vulnerability
Insecure Direct Object References (IDOR) vulnerability discovered by Jakub Herman in WordPress Plugin Clean Login versions <= 1.15...
WordPress JetEngine plugin <= 3.8.10 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by VanTastic in WordPress Plugin JetEngine versions <= 3.8.10...
WordPress JetFormBuilder plugin <= 3.6.1 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by Baikuya in WordPress Plugin JetFormBuilder versions <= 3.6.1...
WordPress JetEngine plugin <= 3.8.10 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by VanTastic in WordPress Plugin JetEngine versions <= 3.8.10...
WordPress JobSearch plugin <= 3.2.9 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin JobSearch versions <= 3.2.9...
WordPress Cornerstone plugin < 7.8.8 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin Cornerstone versions < 7.8.8...
WordPress JetFormBuilder plugin <= 3.6.0.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by daroo in WordPress Plugin JetFormBuilder versions <= 3.6.0.1...
WordPress Popup box plugin <= 6.2.9 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Popup box versions <= 6.2.9...
WordPress WooCommerce Stripe Payment Gateway plugin <= 10.7.0 - Missing Authorization to Unauthenticated Order Status Manipulation vulnerability
Missing Authorization to Unauthenticated Order Status Manipulation vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin WooCommerce Stripe Payment Gateway versions <= 10.7.0...
WordPress Secure Client Portal and Private File Sharing Plugin – User Private Files plugin <= 2.1.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability
Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability discovered by pham quang huy Zibanana in WordPress Plugin User Private Files versions <= 2.1.6...
WordPress WP Review Slider Pro plugin <= 12.6.8 - Authenticated (Subscriber+) SQL Injection vulnerability
Authenticated (Subscriber+) SQL Injection vulnerability discovered by h0xilo in WordPress Plugin WP Review Slider Pro versions <= 12.6.8...