45686 matches found
WordPress Double the Donation plugin <= 3.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Authenticated Admin+ Stored Cross-Site Scripting vulnerability discovered by WordFence in WordPress Plugin Double the Donation versions <= 3.0.0...
WordPress Memberlite Shortcodes plugin <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Gilang - DJ in WordPress Plugin Memberlite Shortcodes versions <= 1.4...
WordPress Cookie Notice & Compliance for GDPR / CCPA plugin <= 2.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Cookie Notice & Compliance for GDPR / CCPA versions <= 2.5.8...
WordPress JetFormBuilder plugin <= 3.5.3 - Missing Authorization to Unauthenticated Form Generation vulnerability
Missing Authorization to Unauthenticated Form Generation vulnerability discovered by Tri Firdyanto Firdy - ZeroByte in WordPress Plugin JetFormBuilder versions <= 3.5.3...
WordPress VK All in One Expansion Unit plugin <= 9.112.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Rafshanzani Suhada in WordPress Plugin VK All in One Expansion Unit versions <= 9.112.1...
WordPress Featured Image from URL (FIFU) plugin <= 5.2.7 - Authenticated (Admin+) SQL Injection vulnerability
Authenticated Admin+ SQL Injection vulnerability discovered by ifoundbug in WordPress Plugin Featured Image from URL versions <= 5.2.7...
WordPress Course Booking System plugin <= 6.1.5 - Missing Authorization to Unauthenticated Booking Data Export vulnerability
Missing Authorization to Unauthenticated Booking Data Export vulnerability discovered by Powpy in WordPress Plugin Course Booking System versions <= 6.1.5...
WordPress ELEX WordPress HelpDesk & Customer Ticketing System plugin <= 3.3.1 - Missing Authorization to Authenticated (Subscriber+) Trash Restore vulnerability
Missing Authorization to Authenticated Subscriber+ Trash Restore vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin ELEX WordPress HelpDesk & Customer Ticketing System versions <= 3.3.1...
WordPress ELEX WordPress HelpDesk & Customer Ticketing System plugin <= 3.3.1 - Missing Authorization to Authenticated (Subscriber+) Ticket Restore vulnerability
Missing Authorization to Authenticated Subscriber+ Ticket Restore vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin ELEX WordPress HelpDesk & Customer Ticketing System versions <= 3.3.1...
WordPress ELEX WordPress HelpDesk & Customer Ticketing System plugin <= 3.3.1 - Missing Authorization to Authenticated (Subscriber+) Trash Empty vulnerability
Missing Authorization to Authenticated Subscriber+ Trash Empty vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin ELEX WordPress HelpDesk & Customer Ticketing System versions <= 3.3.1...
WordPress Return Refund and Exchange For WooCommerce plugin <= 4.5.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Refund Request Cancellation vulnerability
Insecure Direct Object Reference to Authenticated Subscriber+ Refund Request Cancellation vulnerability discovered by Powpy in WordPress Plugin Return Refund and Exchange For WooCommerce versions <= 4.5.5...
WordPress Omnipress plugin <= 1.6.5 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability
Authenticated Author+ Stored Cross-Site Scripting vulnerability discovered by Kai Aizen in WordPress Plugin Omnipress versions <= 1.6.5...
WordPress EPROLO Dropshipping plugin <= 2.3.1 - Missing Authorization to Authenticated (Subscriber+) Tracking Data Modification vulnerability
Missing Authorization to Authenticated Subscriber+ Tracking Data Modification vulnerability discovered by Legion Hunter in WordPress Plugin EPROLO Dropshipping versions <= 2.3.1...
WordPress XCloner plugin <= 4.8.2 - Cross-Site Request Forgery in Xcloner_Remote_Storage:save() vulnerability
Cross-Site Request Forgery in Xcloner_Remote_Storage:save() vulnerability discovered by Rafshanzani Suhada in WordPress Plugin XCloner versions <= 4.8.2...
WordPress Webcake plugin <= 1.1 - Missing Authorization to Authenticated (Subscriber+) Settings Update vulnerability
Missing Authorization to Authenticated Subscriber+ Settings Update vulnerability discovered by Legion Hunter in WordPress Plugin Webcake versions <= 1.1...
WordPress Hide Categories Or Products On Shop Page plugin <= 1.0.7 - Cross-Site Request Forgery to Settings Update vulnerability
Cross-Site Request Forgery to Settings Update vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Hide Categories Or Products On Shop Page versions <= 1.0.7...
WordPress Bread & Butter plugin <= 7.11.1374 - Cross-Site Request Forgery to Arbitrary File Upload vulnerability
Cross-Site Request Forgery to Arbitrary File Upload vulnerability discovered by Ryan Kozak in WordPress Plugin Bread & Butter versions <= 7.11.1374...
WordPress Sermon Manager plugin <= 2.30.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zaim in WordPress Plugin Sermon Manager versions <= 2.30.0...
WordPress Image Optimizer by wps.sk plugin <= 1.2.0 - Cross-Site Request Forgery to Bulk Image Optimization vulnerability
Cross-Site Request Forgery to Bulk Image Optimization vulnerability discovered by Sarawut Poolkhet MisterHelloz in WordPress Plugin Image Optimizer by wps.sk versions <= 1.2.0...
WordPress Private Google Calendars plugin <= 20250811 - Missing Authorization to Authenticated (Subscriber+) Settings Reset vulnerability
Missing Authorization to Authenticated Subscriber+ Settings Reset vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Private Google Calendars versions <= 20250811...
WordPress Takeads plugin <= 1.0.13 - Missing Authorization to Plugin Settings Deletion vulnerability
Missing Authorization to Plugin Settings Deletion vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin Takeads versions <= 1.0.13...
WordPress Community Events plugin <= 1.5.1 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by ifoundbug in WordPress Plugin Community Events versions <= 1.5.1...
WordPress ProfileGrid plugin <= 5.9.4.5 - Authenticated (Subscriber+) PHP Object Injection vulnerability
Authenticated Subscriber+ PHP Object Injection vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin ProfileGrid versions <= 5.9.4.5...
WordPress Outdoor plugin <= 1.3.2 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by John Lee in WordPress Theme Outdoor versions <= 1.3.2...
WordPress GiveWP - Donation plugin and Fundraising Platform plugin <= 4.6.0 - Unauthenticated Donor Data Exposure vulnerability
WordPress GiveWP - Donation plugin and Fundraising Platform plugin <= 4.6.0 - Unauthenticated Donor Data Exposure vulnerability discovered by WordFence in WordPress Plugin GiveWP versions <= 4.6.0...
WordPress Qubely plugin <= 1.8.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'align' and 'UniqueID' vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'align' and 'UniqueID' vulnerability discovered by Nishiv - Developer in WordPress Plugin Qubely versions <= 1.8.12...
WordPress Essential Addons for Elementor plugin <= 6.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Event Calendar Widget vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Event Calendar Widget vulnerability discovered by zer0gh0st in WordPress Plugin Essential Addons for Elementor versions <= 6.1.12...
WordPress AI Power: Complete AI Pack plugin <= 1.8.96 - Authenticated (Admin+) PHP Object Injection via wpaicg_export_prompts vulnerability
Authenticated Admin+ PHP Object Injection via wpaicg_export_prompts vulnerability discovered by Tran Anh Duc in WordPress Plugin GPT3 AI Content Writer versions <= 1.8.96...
WordPress CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts plugin <= 4.2 - Cross-Site Request Forgery to Settings Update vulnerability
Cross-Site Request Forgery to Settings Update vulnerability discovered by luckybuddy in WordPress Plugin cits-support-svg-webp-media-upload versions <= 4.2...
WordPress CRM Memberships plugin <= 2.5 - Missing Authorization to Privilege Escalation via Unauthenticated Password Reset in 'ntzcrm_changepassword' AJAX Endpoint vulnerability
Missing Authorization to Privilege Escalation via Unauthenticated Password Reset in 'ntzcrm_changepassword' AJAX Endpoint vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin CRM Memberships versions <= 2.5...
WordPress LazyTasks plugin <= 1.2.29 - Missing Authorization to Unauthenticated Privilege Escalation vulnerability
Missing Authorization to Unauthenticated Privilege Escalation vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin LazyTasks versions <= 1.2.29...
WordPress WP Featherlight plugin <= 1.3.4 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Featherlight.js JavaScript Library vulnerability
Authenticated Contributor+ Stored DOM-Based Cross-Site Scripting via Featherlight.js JavaScript Library vulnerability discovered by Webbernaut in WordPress Plugin WP Featherlight versions <= 1.3.4...
WordPress Responsive Lightbox & Gallery plugin <= 2.4.7 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Featherlight.js JavaScript Library vulnerability
Authenticated Contributor+ Stored DOM-Based Cross-Site Scripting via Featherlight.js JavaScript Library vulnerability discovered by Webbernaut in WordPress Plugin Responsive Lightbox versions <= 2.4.7...
WordPress Feedify - Web Push Notifications plugin < 2.4.6 - Reflected XSS vulnerability
WordPress Feedify - Web Push Notifications plugin < 2.4.6 - Reflected XSS vulnerability discovered by Hassan Khan Yusufzai - Splint3r7 in WordPress Plugin Feedify – Web Push Notifications versions < 2.4.6...
Travel Tour < 5.2.4 - Reflected XSS vulnerability
Reflected XSS vulnerability discovered by Amine SAJID in WordPress Theme Travel Tour versions < 5.2.4...
WordPress Dyn Business Panel plugin <= 1.0.0 - Reflected XSS vulnerability
Reflected XSS vulnerability discovered by Bob Matyas in WordPress Plugin Dyn Business Panel versions <= 1.0.0...
WordPress Total Contest Lite plugin < 2.9.0 - Reflected XSS vulnerability
Reflected XSS vulnerability discovered by Hassan Khan Yusufzai - Splint3r7 in WordPress Plugin TotalContest Lite versions < 2.9.0...
WordPress Downloable by American Osteopathic Association plugin <= 0.1.0 - Unauthenticated SSRF vulnerability
Unauthenticated SSRF vulnerability discovered by Aly Khaled in WordPress Plugin Aoa Downloadable versions <= 0.1.0...
WordPress Solidres plugin <= 0.9.4 - Reflected XSS vulnerability
Reflected XSS vulnerability discovered by Hassan Khan Yusufzai - Splint3r7 in WordPress Plugin Solidres – Hotel booking plugin versions <= 0.9.4...
WordPress Widget4call plugin <= 1.0.7 - Reflected XSS vulnerability
Reflected XSS vulnerability discovered by Hassan Khan Yusufzai - Splint3r7 in WordPress Plugin Widget4Call versions <= 1.0.7...
WordPress Binary MLM Plan plugin <= 3.0 - Unauthenticated Limited Privilege Escalation vulnerability
Unauthenticated Limited Privilege Escalation vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Binary MLM Plan versions <= 3.0...
WordPress Content Blocks (Custom Post Widget) plugin <= 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via content Parameter vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via content Parameter vulnerability discovered by lowol in WordPress Plugin Content Blocks Custom Post Widget versions <= 3.3.5...
WordPress Essential Addons for Elementor plugin <= 6.0.4 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability
Authenticated Contributor+ Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability discovered by Webbernaut in WordPress Plugin Essential Addons for Elementor versions <= 6.0.4...
WordPress Shortcodes Ultimate plugin <= 7.4.2 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability
Authenticated Contributor+ Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability discovered by Webbernaut in WordPress Plugin Shortcodes Ultimate versions <= 7.4.2...
WordPress Divi Builder plugin <= 4.27.1 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability
Authenticated Contributor+ Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability discovered by Webbernaut in WordPress Plugin Divi Builder versions <= 4.27.1...
WordPress OceanWP theme <= 3.6.0 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability
Authenticated Contributor+ Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability discovered by Webbernaut in WordPress Theme OceanWP versions <= 3.6.0...
WordPress Robo Gallery plugin <= 3.2.22 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability
Authenticated Contributor+ Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability discovered by Webbernaut in WordPress Plugin Robo Gallery versions <= 3.2.22...
WordPress DiviTorque plugin <= 4.0.5 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability
Authenticated Contributor+ Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability discovered by Webbernaut in WordPress Plugin DiviTorque – Divi Theme, Divi Builder and Extra Theme versions <= 4.0.5...
WordPress Gutentor plugin <= 3.4.9 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability
Authenticated Contributor+ Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability discovered by Webbernaut in WordPress Plugin Gutentor versions <= 3.4.9...
WordPress Supreme Modules Lite plugin <= 2.5.52 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability
Authenticated Contributor+ Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability discovered by Webbernaut in WordPress Plugin Supreme Modules Lite versions <= 2.5.52...