45686 matches found
WordPress SureForms plugin <= 2.2.0 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by Tiến Dũng Nguyễn in WordPress Plugin SureForms versions <= 2.2.0...
WordPress BM Content Builder plugin <= 3.16.2.1 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via ux_cb_page_options_save vulnerability
Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via ux_cb_page_options_save vulnerability discovered by István Márton - Wordfence in WordPress Plugin BM Content Builder versions <= 3.16.2.1...
WordPress Ads Pro plugin <= 4.95 - Unauthenticated SQL Injection via site_id vulnerability
Unauthenticated SQL Injection via site_id vulnerability discovered by Trương Hữu Phúc truonghuuphuc in WordPress Plugin Ads Pro versions <= 4.95...
WordPress Royal Elementor Addons and Templates plugin <= 1.7.1012 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by stealthcopter in WordPress Plugin Royal Elementor Addons versions <= 1.7.1012...
WordPress Image License and Protection plugin <= 1.0 - Supply Chain Compromise vulnerability
Supply Chain Compromise vulnerability discovered by Mike Gozdiskowski in WordPress Plugin Image License and Protection versions <= 1.0...
WordPress Pixter Right Click Protect Images for WordPress plugin <= 1.2 - Supply Chain Compromise vulnerability
Supply Chain Compromise vulnerability discovered by Mike Gozdiskowski in WordPress Plugin Pixter Right Click Protect Images for WordPress versions <= 1.2...
WordPress Product Import Export for WooCommerce plugin <= 2.5.0 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function vulnerability
Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function vulnerability discovered by HayMiz in WordPress Plugin Product Import Export for WooCommerce versions <= 2.5.0...
WordPress Service Finder Bookings plugin < 6.1 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover vulnerability
Authenticated (Subscriber+) Privilege Escalation via Account Takeover vulnerability discovered by Thái An in WordPress Plugin Service Finder Booking versions < 6.1...
WordPress Ultimate Blocks plugin <= 3.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via content Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via content Parameter vulnerability discovered by Peter Thaleikis in WordPress Plugin Ultimate Blocks versions <= 3.2.7...
WordPress eMagicOne Store Manager for WooCommerce plugin <= 1.2.5 - Unauthenticated Arbitrary File Upload via set_image() vulnerability
Unauthenticated Arbitrary File Upload via set_image() vulnerability discovered by Ryan Kozak in WordPress Plugin eMagicOne Store Manager versions <= 1.2.5...
WordPress Xpro Addons For Elementor plugin <= 1.4.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'Site Title' widget vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'Site Title' widget vulnerability discovered by Prissy - Developer in WordPress Plugin Xpro Elementor Addons versions <= 1.4.7.1...
WordPress WP Video Lightbox plugin <= 1.9.11 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via prettyPhoto JavaScript Library vulnerability
Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via prettyPhoto JavaScript Library vulnerability discovered by Webbernaut in WordPress Plugin WP Video Lightbox versions <= 1.9.11...
WordPress Auto Thickbox plugin <= 3.5 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via ThickBox JavaScript Library vulnerability
Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via ThickBox JavaScript Library vulnerability discovered by Webbernaut in WordPress Plugin Auto Thickbox versions <= 3.5...
WordPress NextGEN Gallery plugin <= 3.59.11 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via ThickBox JavaScript Library vulnerability
Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via ThickBox JavaScript Library vulnerability discovered by Webbernaut in WordPress Plugin NextGEN Gallery versions <= 3.59.11...
WordPress YouTube Embed, Playlist and Popup by WpDevArt plugin <= 2.6.7 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via ThickBox JavaScript Library vulnerability
Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via ThickBox JavaScript Library vulnerability discovered by Webbernaut in WordPress Plugin YouTube Embed, Playlist and Popup by WpDevArt versions <= 2.6.7...
WordPress Easy Image Gallery plugin <= 1.5.2 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via prettyPhoto JavaScript Library vulnerability
Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via prettyPhoto JavaScript Library vulnerability discovered by Webbernaut in WordPress Plugin Easy Image Gallery versions <= 1.5.2...
WordPress Easy 3D Viewer plugin <= 1.8.6.6 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via prettyPhoto JavaScript Library vulnerability
Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via prettyPhoto JavaScript Library vulnerability discovered by Webbernaut in WordPress Plugin Easy 3D Viewer versions <= 1.8.6.6...
WordPress Search Exclude plugin <= 2.4.9 - Missing Authorization to Unauthenticated Plugin Settings Modification vulnerability
Missing Authorization to Unauthenticated Plugin Settings Modification vulnerability discovered by Noah Stead TurtleBurg in WordPress Plugin Search Exclude versions <= 2.4.9...
WordPress MelaPress Login Security Premium plugin 2.1.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion vulnerability
Missing Authorization to Unauthenticated Arbitrary User Deletion vulnerability discovered by Michelle Porter - Wordfence in WordPress Plugin MelaPress Login Security Premium versions 2.1.0...
WordPress MelaPress Login Security plugin 2.1.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion vulnerability
Missing Authorization to Unauthenticated Arbitrary User Deletion vulnerability discovered by Michelle Porter - Wordfence in WordPress Plugin MelaPress Login Security versions 2.1.0...
WordPress Ultimate Blocks plugin <= 3.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets vulnerability discovered by Nguyen Ngoc Quang Bach maysbachs in WordPress Plugin Ultimate Blocks versions <= 3.3.3...
WordPress Elementor Pro plugin <= 3.29.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Tonn in WordPress Plugin Elementor Pro versions <= 3.29.0...
WordPress LA-Studio Element Kit for Elementor plugin <= 1.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Table of Contents Widget vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Table of Contents Widget vulnerability discovered by Webbernaut in WordPress Plugin LA-Studio Element Kit for Elementor versions <= 1.4.9...
WordPress 3DPrint Lite plugin <= 2.1.3.6 - Authenticated (Admin+) SQL Injection via 'material_text' vulnerability
Authenticated (Admin+) SQL Injection via 'material_text' vulnerability discovered by WordFence in WordPress Plugin 3DPrint Lite versions <= 2.1.3.6...
WordPress 3DPrint Lite plugin <= 2.1.3.6 - Authenticated (Admin+) SQL Injection via 'infill_text' vulnerability
Authenticated (Admin+) SQL Injection via 'infill_text' vulnerability discovered by WordFence in WordPress Plugin 3DPrint Lite versions <= 2.1.3.6...
WordPress Service Finder Bookings plugin <= 6.0 - Authenticated (Subscriber+) Privilege Escalation via change_candidate_password vulnerability
Authenticated (Subscriber+) Privilege Escalation via change_candidate_password vulnerability discovered by Foxyyy in WordPress Plugin Service Finder Booking versions <= 6.0...
WordPress 3DPrint Lite plugin <= 2.1.3.6 - Authenticated (Admin+) SQL Injection via 'coating_text' vulnerability
Authenticated (Admin+) SQL Injection via 'coating_text' vulnerability discovered by WordFence in WordPress Plugin 3DPrint Lite versions <= 2.1.3.6...
WordPress Ocean Extra plugin <= 2.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'ocean_gallery_id' vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'ocean_gallery_id' vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Ocean Extra versions <= 2.4.6...
WordPress Bold Page Builder plugin <= 5.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-text' Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-text' Parameter vulnerability discovered by Webbernaut in WordPress Plugin Bold Page Builder versions <= 5.3.5...
WordPress ElementsKit Elementor Addons and Templates plugin <= 3.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Widget vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Widget vulnerability discovered by Hardik Raval in WordPress Plugin ElementsKit Elementor addons Lite versions <= 3.5.2...
WordPress WordPress Simple PayPal Shopping Cart plugin <= 5.1.3 - Insecure Direct Object Reference via 'quantity' vulnerability
Insecure Direct Object Reference via 'quantity' vulnerability discovered by Jack Taylor in WordPress Plugin Simple Shopping Cart versions <= 5.1.3...
WordPress MultiVendorX plugin <= 4.2.22 - Incorrect Authorization to Authenticated (Contributor+) Arbitrary Post Deletion vulnerability
Incorrect Authorization to Authenticated (Contributor+) Arbitrary Post Deletion vulnerability discovered by Brian Sans-Souci liardom in WordPress Plugin MultiVendorX versions <= 4.2.22...
WordPress Beaver Builder Plugin (Starter Version) plugin <= 2.9.1 - Authenticated (Administrator+) Arbitrary File Upload vulnerability
Authenticated (Administrator+) Arbitrary File Upload vulnerability discovered by Tom Broucke - Otomaties in WordPress Plugin Beaver Builder Plugin Starter Version versions <= 2.9.1...
WordPress Database for Contact Form 7, WPforms, Elementor forms plugin <= 1.4.3 - Unauthenticated PHP Object Injection to Arbitrary File Deletion vulnerability
Unauthenticated PHP Object Injection to Arbitrary File Deletion vulnerability discovered by mikemyers in WordPress Plugin Contact Form Entries versions <= 1.4.3...
WordPress WP-DownloadManager plugin <= 1.68.10 - Authenticated (Administrator+) Arbitrary File Deletion vulnerability
Authenticated (Administrator+) Arbitrary File Deletion vulnerability discovered by Jamshed Yergashvoyev CVE Guy - Turan Security in WordPress Plugin WP-DownloadManager versions <= 1.68.10...
WordPress IRM Newsroom plugin <= 1.2.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'irmeventlist' Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'irmeventlist' Shortcode vulnerability discovered by Chuck - None in WordPress Plugin IRM Newsroom versions <= 1.2.19...
WordPress Downloable by American Osteopathic Association plugin <= 0.1.0 - Unauthenticated Arbitrary File Download vulnerability
Unauthenticated Arbitrary File Download vulnerability discovered by Aly Khaled in WordPress Plugin Aoa Downloadable versions <= 0.1.0...
WordPress IRM Newsroom plugin <= 1.2.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'irmcalendarview' Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'irmcalendarview' Shortcode vulnerability discovered by Chuck - None in WordPress Plugin IRM Newsroom versions <= 1.2.19...
WordPress Form Maker by 10Web plugin < 1.15.31 - Admin+ Stored XSS vulnerability
Admin+ Stored XSS vulnerability discovered by Dmitrii Ignatyev in WordPress Plugin Form Maker by 10Web versions < 1.15.31...
WordPress AHAthat Plugin plugin <= 1.6 - Admin+ SQL Injection vulnerability
Admin+ SQL Injection vulnerability discovered by Régis SENET in WordPress Plugin AHAthat versions <= 1.6...
WordPress WP Online Users Stats plugin <= 1.0.0 - Authenticated (Editor+) SQL Injection via table_name Parameter vulnerability
Authenticated (Editor+) SQL Injection via table_name Parameter vulnerability discovered by rajanhoyr in WordPress Plugin WP Online Users Stats versions <= 1.0.0...
WordPress TableOn plugin <= 1.0.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via tableon_popup_iframe_button Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via tableon_popup_iframe_button Shortcode vulnerability discovered by Peter Thaleikis in WordPress Plugin TableOn versions <= 1.0.4.1...
WordPress WP VR plugin <= 8.5.32 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin WP VR versions <= 8.5.32...
WordPress Dynamic AJAX Product Filters for WooCommerce plugin <= 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter vulnerability discovered by Peter Thaleikis in WordPress Plugin Dynamic AJAX Product Filters for WooCommerce versions <= 1.3.7...
WordPress FooBox plugin <= 2.7.34 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability
Authenticated (Author+) Stored Cross-Site Scripting vulnerability discovered by Robert DeVore in WordPress Plugin FooBox Image Lightbox versions <= 2.7.34...
WordPress 3D FlipBook - Lite Edition plugin <= 1.16.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via style and mode Parameters vulnerability
WordPress 3D FlipBook - Lite Edition plugin <= 1.16.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via style and mode Parameters vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin 3D FlipBook – PDF Flipbook Viewer, Flipbook Image Gallery versions <= 1.16.15...
WordPress EZ SQL Reports Shortcode Widget and DB Backup plugin <= 5.25.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via SQLREPORT Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via SQLREPORT Shortcode vulnerability discovered by Gilang - DJ in WordPress Plugin EZ SQL Reports Shortcode Widget and DB Backup versions <= 5.25.11...
WordPress Magic Buttons for Elementor plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via magic-button Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via magic-button Shortcode vulnerability discovered by Gilang - DJ in WordPress Plugin Magic Buttons for Elementor versions <= 1.0...
WordPress Email Subscribers plugin < 5.7.45 - Admin+ Stored XSS vulnerability
Admin+ Stored XSS vulnerability discovered by Dmitrii Ignatyev in WordPress Plugin Email Subscribers & Newsletters versions < 5.7.45...
WordPress WP Customer Area plugin < 8.2.5 - Bulk Delete via CSRF vulnerability
Bulk Delete via CSRF vulnerability discovered by Bob Matyas in WordPress Plugin WP Customer Area versions < 8.2.5...