WordPress Divi theme <= 4.27.1 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability

Authenticated Contributor+ Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability discovered by Webbernaut in WordPress Theme Divi versions = 4.27.1...

WordPress Happy Addons for Elementor plugin <= 3.12.2 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability

Authenticated Contributor+ Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability discovered by Webbernaut in WordPress Plugin Happy Addons for Elementor versions = 3.12.2...

WordPress Bold Page Builder plugin <= 5.1.2 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability

Authenticated Contributor+ Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability discovered by Webbernaut in WordPress Plugin Bold Page Builder versions = 5.1.2...

WordPress Carousel Slider plugin <= 2.2.14 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability

Authenticated Contributor+ Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability discovered by Webbernaut in WordPress Plugin Carousel Slider versions = 2.2.14...

WordPress BlossomThemes Social Feed plugin <= 2.0.5 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability

Authenticated Contributor+ Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library vulnerability discovered by Webbernaut in WordPress Plugin BlossomThemes Social Feed versions = 2.0.5...

WordPress Master Slider - Responsive Touch Slider plugin <= 3.10.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via ms_layer Shortcode vulnerability

WordPress Master Slider - Responsive Touch Slider plugin = 3.10.6 - Authenticated Contributor+ Stored Cross-Site Scripting via mslayer Shortcode vulnerability discovered by Krzysztof Zając - CERT PL in WordPress Plugin Master Slider versions = 3.10.6...

WordPress Motors - Car Dealer, Classifieds & Listing plugin <= 1.4.57 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion and Listing Template Creation vulnerability

WordPress Motors - Car Dealer, Classifieds & Listing plugin = 1.4.57 - Missing Authorization to Authenticated Subscriber+ Arbitrary Post Deletion and Listing Template Creation vulnerability discovered by Thanh Nam Tran in WordPress Plugin Motors versions = 1.4.57...

WordPress GamiPress plugin <= 7.2.1 - Unauthenticated Arbitrary Shortcode Execution via gamipress_do_shortcode() Function vulnerability

Unauthenticated Arbitrary Shortcode Execution via gamipressdoshortcode Function vulnerability discovered by abrahack in WordPress Plugin GamiPress versions = 7.2.1...

WordPress Kona Gallery Block plugin <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Nishiv - Developer in WordPress Plugin Kona Gallery Block versions = 1.7...

WordPress Autoship Cloud for WooCommerce Subscription Products plugin <= 2.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Autoship Cloud for WooCommerce Subscription Products versions = 2.8.0...

WordPress WP Job Portal plugin <= 2.2.6 - Insecure Direct Object Reference to Authenticated (Employer+) Arbitrary Job Deletion vulnerability

Insecure Direct Object Reference to Authenticated Employer+ Arbitrary Job Deletion vulnerability discovered by thevietronin - GalaxyOne in WordPress Plugin WP Job Portal versions = 2.2.6...

WordPress Post Grid, Slider & Carousel Ultimate plugin <= 1.6.10 - Authenticated (Contributor+) Local File Inclusion vulnerability

Authenticated Contributor+ Local File Inclusion vulnerability discovered by zaim in WordPress Plugin Post Grid, Slider & Carousel Ultimate versions = 1.6.10...

WordPress ABC Notation plugin <= 6.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin ABC Notation versions = 6.1.3...

WordPress Zigaform plugin <= 7.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Peter Thaleikis in WordPress Plugin Zigaform versions = 7.4.7...

WordPress Piotnet Addons For Elementor plugin <= 2.4.36 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zer0gh0st in WordPress Plugin Piotnet Addons For Elementor versions = 2.4.36...

WordPress Zigaform plugin <= 7.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Peter Thaleikis in WordPress Plugin Zigaform – Price Calculator & Cost Estimation Form Builder Lite versions = 7.4.7...

WordPress Simplebooklet PDF Viewer and Embedder plugin <= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Simplebooklet PDF Viewer and Embedder versions = 1.1.2...

WordPress RapidLoad plugin <= 2.4.4 - Missing Authorization to Authenticated (Subscriber+) Limited Setting Reset vulnerability

Missing Authorization to Authenticated Subscriber+ Limited Setting Reset vulnerability discovered by Tieu Pham Trong Nhan - TechlabCorp in WordPress Plugin RapidLoad versions = 2.4.4...

WordPress SlingBlocks plugin <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Nishiv - Developer in WordPress Plugin SlingBlocks versions = 1.5.0...

WordPress Jobify theme <= 4.2.7 - Missing Authorization to Unauthenticated Server-Side Request Forgery, Arbitrary Image Upload, and Image Generation vulnerability

Missing Authorization to Unauthenticated Server-Side Request Forgery, Arbitrary Image Upload, and Image Generation vulnerability discovered by Lucio Sá in WordPress Theme Jobify versions = 4.2.7...

WordPress Survey & Poll plugin <= 1.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin WordPress Survey & Poll versions = 1.7.5...

WordPress Linear plugin <= 2.7.12 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zaim in WordPress Plugin Linear versions = 2.7.12...

WordPress Unlimited Elements For Elementor plugin <= 1.5.135 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Multiple Widgets vulnerability discovered by Webbernaut in WordPress Plugin Unlimited Elements For Elementor Free Widgets, Addons, Templates versions = 1.5.135...

WordPress Webcraftic Clearfy plugin <= 2.3.1 - Cross-Site Request Forgery to Clear Cache vulnerability

Cross-Site Request Forgery to Clear Cache vulnerability discovered by Whit Taylor in WordPress Plugin Clearfy Cache versions = 2.3.1...

WordPress DeBounce Email Validator plugin <= 5.8.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability

Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by SOPROBRO in WordPress Plugin DeBounce Email Validator versions = 5.8.0...

WordPress CoSign Single Signon plugin <= 0.3.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] vulnerability

Reflected Cross-Site Scripting via $SERVER'PHPSELF' vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin CoSign Single Signon versions = 0.3.1...

WordPress Live Composer plugin <= 2.0.2 - Authenticated (Contributor+) PHP Object Injection via dslc_module_posts_output Shortcode vulnerability

Authenticated Contributor+ PHP Object Injection via dslcmodulepostsoutput Shortcode vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Page Builder: Live Composer versions = 2.0.2...

WordPress Simple AL Slider plugin <= 1.2.10 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] vulnerability

Reflected Cross-Site Scripting via $SERVER'PHPSELF' vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin Simple AL Slider versions = 1.2.10...

WordPress Image Magnify plugin <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Image Magnify versions = 1.1...

WordPress Popup - MailChimp, GetResponse and ActiveCampaign Intergrations plugin <= 3.2.6 - Unauthenticated SQL Injection vulnerability

WordPress Popup - MailChimp, GetResponse and ActiveCampaign Intergrations plugin = 3.2.6 - Unauthenticated SQL Injection vulnerability discovered by Lucio Sá in WordPress Plugin Popup – MailChimp, GetResponse and ActiveCampaign Intergrations versions = 3.2.6...

WordPress NitroPack plugin <= 1.17.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Transient Update vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Transient Update vulnerability discovered by Sean Murphy in WordPress Plugin NitroPack versions = 1.17.0...

WordPress Contact Form and Calls To Action by vcita plugin <= 2.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Contact Form and Calls To Action by vcita versions = 2.7.1...

WordPress Pinpoint Booking System plugin <= 2.9.9.5.4 - Authenticated (Subscriber+) SQL Injection vulnerability

Authenticated Subscriber+ SQL Injection vulnerability discovered by Trương Hữu Phúc truonghuuphuc in WordPress Plugin Pinpoint Booking System versions = 2.9.9.5.4...

WordPress Post Saint plugin <= 1.3.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary File Upload vulnerability discovered by Lucio Sá in WordPress Plugin Post Saint versions = 1.3.1...

WordPress GiveWP plugin <= 3.19.2 - Unauthenticated PHP Object Injection vulnerability

Unauthenticated PHP Object Injection vulnerability discovered by PetrusViet in WordPress Plugin GiveWP versions = 3.19.2...

WordPress Online Payments - Get Paid with PayPal, Square & Stripe plugin <= 3.20.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

WordPress Online Payments - Get Paid with PayPal, Square & Stripe plugin = 3.20.0 - Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Online Payments – Get Paid with PayPal, Square & Stripe versions = 3.20.0...

WordPress Activity Plus Reloaded for BuddyPress plugin <= 1.1.1 - Authenticated (Subscriber+) Blind Server-Side Request Forgery vulnerability

Authenticated Subscriber+ Blind Server-Side Request Forgery vulnerability discovered by Francesco Carlucci in WordPress Plugin Activity Plus Reloaded for BuddyPress versions = 1.1.1...

WordPress Royal Elementor Addons and Templates plugin <= 1.7.1017 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zer0gh0st in WordPress Plugin Royal Elementor Addons versions = 1.7.1017...

WordPress WP Directorybox Manager plugin <= 2.5 - Authentication Bypass vulnerability

Authentication Bypass vulnerability discovered by Foxyyy in WordPress Plugin WP Directorybox Manager versions = 2.5...

WordPress Pearl plugin <= 1.3.8 - Cross-Site Request Forgery to Header Deletion vulnerability

Cross-Site Request Forgery to Header Deletion vulnerability discovered by Noah Stead TurtleBurg in WordPress Plugin Pearl versions = 1.3.8...

WordPress Marketplace Items plugin <= 1.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'marketplace' Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'marketplace' Shortcode vulnerability discovered by zakaria in WordPress Plugin Marketplace Items versions = 1.5.5...

WordPress Uptodown APK Download Widget plugin <= 0.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zaim in WordPress Plugin Uptodown APK Download Widget versions = 0.1.10...

WordPress Demo Importer Plus plugin <= 2.0.6 - Authenticated (Author+) Arbitrary File Upload via WXR Upload Bypass vulnerability

Authenticated Author+ Arbitrary File Upload via WXR Upload Bypass vulnerability discovered by mikemyers in WordPress Plugin Demo Importer Plus versions = 2.0.6...

WordPress ClickWhale - Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages plugin <= 2.4.1 - Reflected Cross-Site Scripting vulnerability

WordPress ClickWhale - Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages plugin = 2.4.1 - Reflected Cross-Site Scripting vulnerability discovered by vgo0 in WordPress Plugin ClickWhale versions = 2.4.1...

WordPress RomethemeKit For Elementor plugin <= 1.5.2 - Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates vulnerability

Authenticated Contributor+ Sensitive Information Exposure via Elementor Templates vulnerability discovered by Ankit Patel in WordPress Plugin RTMKit versions = 1.5.2...

WordPress BuddyBoss Platform plugin <= 2.8.50 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'bp_nouveau_ajax_media_save' function vulnerability

Authenticated Subscriber+ Stored Cross-Site Scripting via 'bpnouveauajaxmediasave' function vulnerability discovered by Kaique Peres in WordPress Plugin Buddyboss Platform versions = 2.8.50...

WordPress BuddyBoss Platform plugin <= 2.8.50 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'bbp_topic_title' vulnerability

Authenticated Subscriber+ Stored Cross-Site Scripting via 'bbptopictitle' vulnerability discovered by Kaique Peres in WordPress Plugin Buddyboss Platform versions = 2.8.50...

WordPress Qyrr plugin <= 2.0.7 - Authenticated (Contributor+) Arbitrary File Upload vulnerability

Authenticated Contributor+ Arbitrary File Upload vulnerability discovered by CVEhunter in WordPress Plugin Qyrr versions = 2.0.7...

WordPress Link Whisper Free plugin <= 0.8.8 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by Nicolai Hellesnes nico in WordPress Plugin Link Whisper Free versions = 0.8.8...

WordPress Starter Templates by FancyWP plugin <= 2.0.0 - Unauthenticated Blind Server-Side Request Forgery vulnerability

Unauthenticated Blind Server-Side Request Forgery vulnerability discovered by Francesco Carlucci in WordPress Plugin Starter Templates by FancyWP versions = 2.0.0...