WordPress Anber Elementor Addon plugin <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Banner button link vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Banner button link vulnerability discovered by dayea song - Ahnlab in WordPress Plugin Anber Elementor Addon versions <= 1.0.1...
WordPress Stratum plugin <= 1.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Advanced Google Maps and Image Hotspot Widgets vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Advanced Google Maps and Image Hotspot Widgets vulnerability discovered by zer0gh0st in WordPress Plugin Stratum versions <= 1.6.0...
WordPress Sertifier Certificate & Badge Maker plugin <= 1.19 - Cross-Site Request Forgery to Settings Update vulnerability
Cross-Site Request Forgery to Settings Update vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin Sertifier Certificate & Badge Maker versions <= 1.19...
WordPress Email Subscribers plugin < 5.7.45 - Admin+ Stored XSS vulnerability
Admin+ Stored XSS vulnerability discovered by Dmitrii Ignatyev in WordPress Plugin Email Subscribers & Newsletters versions < 5.7.45...
WordPress Prisna GWT plugin < 1.4.14 - Admin+ Stored XSS vulnerability
Admin+ Stored XSS vulnerability discovered by Bob Matyas in WordPress Plugin Prisna GWT – Google Website Translator versions < 1.4.14...
WordPress Twitter Bootstrap Collapse aka Accordian Shortcode plugin <= 1.0 - Stored XSS via Shortcode vulnerability
Stored XSS via Shortcode vulnerability discovered by Bob Matyas in WordPress Plugin Twitter Bootstrap Collapse aka Accordian Shortcode versions <= 1.0...
WordPress Arielbrailovsky-Viralad plugin <= 1.0.8 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by siyuan shao in WordPress Plugin ArielBrailovsky-ViralAd versions <= 1.0.8...
WordPress Likes and Dislikes Plugin plugin <= 1.0.0 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by Khaled Alenazi Nxploited in WordPress Plugin Likes and Dislikes versions <= 1.0.0...
WordPress Ads Pro plugin <= 4.89 - Unauthenticated Time-Based SQL Injection via 'bsa_pro_id' vulnerability
Unauthenticated Time-Based SQL Injection via 'bsa_pro_id' vulnerability discovered by Trương Hữu Phúc truonghuuphuc in WordPress Plugin Ads Pro versions <= 4.89...
WordPress WoWPth plugin <= 2.0 - Reflected XSS vulnerability
Reflected XSS vulnerability discovered by Hassan Khan Yusufzai - Splint3r7 in WordPress Plugin WoWPth versions <= 2.0...
WordPress Ads Pro plugin <= 4.89 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by Trương Hữu Phúc truonghuuphuc in WordPress Plugin Ads Pro versions <= 4.89...
WordPress ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes plugin <= 1.4.9 - Authenticated (Subscriber+) SQL Injection vulnerability
Authenticated (Subscriber+) SQL Injection vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes versions <= 1.4.9...
WordPress Advanced Google reCAPTCHA plugin <= 1.29 - Authenticated (Subscriber+) Limited SQL Injection via 'sSearch' Parameter vulnerability
Authenticated (Subscriber+) Limited SQL Injection via 'sSearch' Parameter vulnerability discovered by Muhamad Visat in WordPress Plugin Advanced Google reCAPTCHA versions <= 1.29...
WordPress WPBookit plugin <= 1.0.2 - Insecure Direct Object Reference to Unauthenticated Privilege Escalation via Email Update vulnerability
Insecure Direct Object Reference to Unauthenticated Privilege Escalation via Email Update vulnerability discovered by kr0d in WordPress Plugin WPBookit versions <= 1.0.2...
WordPress Frontend Dashboard plugin 1.5.10 - 2.2.7 - Missing Authorization to Authenticated (Subscriber+) Account Takeover/Privilege Escalation via ajax_request Function vulnerability
WordPress Frontend Dashboard plugin 1.5.10 - 2.2.7 - Missing Authorization to Authenticated (Subscriber+) Account Takeover/Privilege Escalation via ajax_request Function vulnerability discovered by kr0d in WordPress Plugin Frontend Dashboard versions 1.5.10-2.2.7...
WordPress GoZen Forms plugin <= 1.1.5 - Unauthenticated SQL Injection via emdedSc() vulnerability
Unauthenticated SQL Injection via emdedSc() vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin GoZen Forms versions <= 1.1.5...
WordPress Feedback Modal for Website plugin <= 1.0.1 - Missing Authorization to Unauthenticated Arbitrary Feedback Data Exfiltration via 'export_data' Parameter vulnerability
Missing Authorization to Unauthenticated Arbitrary Feedback Data Exfiltration via 'export_data' Parameter vulnerability discovered by Legion Hunter in WordPress Plugin Feedback Modal for Website versions <= 1.0.1...
WordPress Image Photo Gallery Final Tiles Grid plugin <= 3.6.8 - Authenticated (Author+) Stored Cross-Site Scripting via 'Custom Scripts' Setting vulnerability
Authenticated (Author+) Stored Cross-Site Scripting via 'Custom Scripts' Setting vulnerability discovered by WordFence in WordPress Plugin Image Photo Gallery Final Tiles Grid versions <= 3.6.8...
WordPress Modula Image Gallery plugin <= 2.13.3 - Missing Authorization to Arbitrary Directory Listing vulnerability
Missing Authorization to Arbitrary Directory Listing vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Modula Image Gallery versions <= 2.13.3...
WordPress TaxoPress plugin <= 3.40.1 - Authenticated (Contributor+) SQL Injection via ORDER BY Clause vulnerability
Authenticated (Contributor+) SQL Injection via ORDER BY Clause vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin TaxoPress versions <= 3.40.1...
WordPress Bold Timeline Lite plugin <= 1.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Parameter in 'bold_timeline_group' Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Parameter in 'bold_timeline_group' Shortcode vulnerability discovered by zaim in WordPress Plugin Bold Timeline Lite versions <= 1.2.7...
WordPress Easy Jump Links Menus plugin <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by theviper17y in WordPress Plugin Easy Jump Links Menus versions <= 1.0.0...
WordPress WishSuite plugin <= 1.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button_text' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'button_text' Shortcode Attribute vulnerability discovered by zaim in WordPress Plugin WishSuite versions <= 1.5.1...
WordPress Tainacan plugin <= 1.0.1 - Missing Authorization to Unauthenticated Arbitrary Metadata Section Creation vulnerability
Missing Authorization to Unauthenticated Arbitrary Metadata Section Creation vulnerability discovered by Deadbee - NA in WordPress Plugin Tainacan versions <= 1.0.1...
WordPress WC Builder plugin <= 1.2.0 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via 'heading_color' Shortcode Attribute vulnerability
Authenticated (Shop Manager+) Stored Cross-Site Scripting via 'heading_color' Shortcode Attribute vulnerability discovered by zaim in WordPress Plugin WC Builder versions <= 1.2.0...
WordPress ProfileGrid plugin <= 5.9.4.4 - Missing Authorization to Authenticated (Subscriber+) Join Group Requests Management vulnerability
Missing Authorization to Authenticated (Subscriber+) Join Group Requests Management vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin ProfileGrid versions <= 5.9.4.4...
WordPress Advanced iFrame plugin <= 2024.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Host Header vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Host Header vulnerability discovered by omstaendlig in WordPress Plugin Advanced iFrame versions <= 2024.5...
WordPress Eyewear prescription form plugin <= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary WooCommerce Category Deletion vulnerability
Missing Authorization to Unauthenticated Arbitrary WooCommerce Category Deletion vulnerability discovered by WordFence in WordPress Plugin Eyewear prescription form versions <= 6.0.1...
WordPress Frontend Post Submission Manager Lite plugin <= 1.2.5 - Missing Authorization to Unauthenticated Arbitrary Post Modification vulnerability
Missing Authorization to Unauthenticated Arbitrary Post Modification vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Frontend Post Submission Manager Lite versions <= 1.2.5...
WordPress WPvivid Backup & Migration plugin <= 0.9.120 - Authenticated (Admin+) Arbitrary Directory Creation vulnerability
Authenticated (Admin+) Arbitrary Directory Creation vulnerability discovered by blue0x1 in WordPress Plugin WPvivid Backup and Migration versions <= 0.9.120...
WordPress g-FFL Cockpit plugin <= 1.7.1 - Missing Authorization to Unauthenticated Information Exposure vulnerability
Missing Authorization to Unauthenticated Information Exposure vulnerability discovered by Ryan Kozak in WordPress Plugin g-FFL Cockpit versions <= 1.7.1...
WordPress Shortcodes Ultimate plugin <= 7.4.5 - Authenticated (Administrator+) Server-Side Request Forgery vulnerability
Authenticated (Administrator+) Server-Side Request Forgery vulnerability discovered by apolo2 in WordPress Plugin Shortcodes Ultimate versions <= 7.4.5...
WordPress Premmerce Brands for WooCommerce plugin <= 1.2.13 - Missing Authorization To Authenticated (Subscriber+) Brand Permalink Settings Update vulnerability
Missing Authorization To Authenticated (Subscriber+) Brand Permalink Settings Update vulnerability discovered by WordFence in WordPress Plugin Premmerce Brands for WooCommerce versions <= 1.2.13...
WordPress Subscriptions & Memberships for PayPal plugin <= 1.1.7 - Unauthenticated Fake Payment Creation vulnerability
Unauthenticated Fake Payment Creation vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Subscriptions & Memberships for PayPal versions <= 1.1.7...
WordPress KiotViet Sync plugin <= 1.8.5 - Missing Authorization to Authenticated (Subscriber+) Settings Update vulnerability
Missing Authorization to Authenticated (Subscriber+) Settings Update vulnerability discovered by kr0d in WordPress Plugin KiotViet Sync versions <= 1.8.5...
WordPress FunnelKit plugin <= 3.13.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via wfop_phone Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via wfop_phone Shortcode vulnerability discovered by zaim in WordPress Plugin Funnel Builder by FunnelKit versions <= 3.13.1.2...
WordPress Booking Calendar plugin <= 10.14.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via bookingcalendar Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via bookingcalendar Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Booking Calendar versions <= 10.14.6...
WordPress ContentStudio plugin <= 1.3.7 - Cross-Site Request Forgery to Settings Update vulnerability
Cross-Site Request Forgery to Settings Update vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Contentstudio versions <= 1.3.7...
WordPress Ultimate Blocks plugin <= 3.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by zaim in WordPress Plugin Ultimate Blocks versions <= 3.2.7...
WordPress Survey Maker plugin <= 5.1.9.4 - Missing Authorization to Unauthenticated Limited Option Update vulnerability
Missing Authorization to Unauthenticated Limited Option Update vulnerability discovered by DityaRA in WordPress Plugin Survey Maker versions <= 5.1.9.4...
WordPress SurveyJS plugin <= 1.12.20 - Cross-Site Request Forgery to Survey Deletion vulnerability
Cross-Site Request Forgery to Survey Deletion vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin SurveyJS versions <= 1.12.20...
WordPress Ultimate Member plugin <= 2.11.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Ultimate Member versions <= 2.11.0...
WordPress Accessiy By CodeConfig Accessibility plugin <= 1.0.2 - Authenticated (Subscriber+) Missing Authorization to Modify Accessibility Settings vulnerability
Authenticated (Subscriber+) Missing Authorization to Modify Accessibility Settings vulnerability discovered by Peerapat Samatathanyakorn - Thai Team CVE in WordPress Plugin CodeConfig Accessibility versions <= 1.0.2...
WordPress CRM Memberships plugin <= 2.5 - Missing Authorization to Unauthenticated 'ntzcrm_add_new_tag' AJAX Action vulnerability
Missing Authorization to Unauthenticated 'ntzcrm_add_new_tag' AJAX Action vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin CRM Memberships versions <= 2.5...
WordPress Quantic Social Image Hover plugin <= 1.0.8 - Cross-Site Request Forgery to Settings Update vulnerability
Cross-Site Request Forgery to Settings Update vulnerability discovered by dayea song - Ahnlab in WordPress Plugin Quantic Social Image Hover versions <= 1.0.8...
WordPress Norby AI plugin <= 1.0.3 - Cross-Site Request Forgery to Settings Update vulnerability
Cross-Site Request Forgery to Settings Update vulnerability discovered by dayea song - Ahnlab in WordPress Plugin Norby AI versions <= 1.0.3...
WordPress SSP Debug plugin <= 1.0.0 - Unauthenticated Sensitive Information Exposure vulnerability
Unauthenticated Sensitive Information Exposure vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin SSP Debug versions <= 1.0.0...
WordPress Web to SugarCRM Lead plugin <= 1.0.0 - Cross-Site Request Forgery to Custom Field Deletion vulnerability
Cross-Site Request Forgery to Custom Field Deletion vulnerability discovered by dayea song - Ahnlab in WordPress Plugin Web to SugarCRM Lead versions <= 1.0.0...
WordPress Premmerce Wishlist for WooCommerce plugin <= 1.1.10 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Wishlist Deletion vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary Wishlist Deletion vulnerability discovered by Legion Hunter in WordPress Plugin Premmerce Wishlist for WooCommerce versions <= 1.1.10...