45686 matches found
WordPress Five Star Restaurant Reservations plugin <= 2.7.5 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by zer0gh0st in WordPress Plugin Five Star Restaurant Reservations versions <= 2.7.5...
WordPress ContentStudio plugin <= 1.3.7 - Authenticated (Author+) Arbitrary File Upload vulnerability
Authenticated (Author+) Arbitrary File Upload vulnerability discovered by kr0d in WordPress Plugin Contentstudio versions <= 1.3.7...
WordPress URL Image Importer plugin <= 1.0.6 - Authenticated (Author+) Arbitrary File Upload vulnerability
Authenticated (Author+) Arbitrary File Upload vulnerability discovered by kr0d in WordPress Plugin URL Image Importer versions 1.0-1.0.6...
WordPress Featured Image via URL plugin <= 0.1 - Authenticated (Contributor+) Arbitrary File Upload vulnerability
Authenticated (Contributor+) Arbitrary File Upload vulnerability discovered by kr0d in WordPress Plugin Featured Image via URL versions <= 0.1...
WordPress Auto Thumbnailer plugin <= 1.0 - Authenticated (Contributor+) Arbitrary File Upload vulnerability
Authenticated (Contributor+) Arbitrary File Upload vulnerability discovered by kr0d in WordPress Plugin Auto Thumbnailer versions <= 1.0...
WordPress RESTful Content Syndication plugin 1.1.0 - 1.5.0 - Authenticated (Author+) Arbitrary File Upload vulnerability
WordPress RESTful Content Syndication plugin 1.1.0 - 1.5.0 - Authenticated (Author+) Arbitrary File Upload vulnerability discovered by kr0d in WordPress Plugin RESTful Content Syndication versions 1.1.0-1.5.0...
WordPress PDF Catalog for WooCommerce plugin <= 1.1.18 - Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability
Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability discovered by kr0d in WordPress Plugin PDF Catalog for WooCommerce versions <= 1.1.18...
WordPress HandL UTM Grabber / Tracker plugin < 2.8.1 - Reflected XSS via utm_source vulnerability
Reflected XSS via utm_source vulnerability discovered by Alex Tselevich nos3curity in WordPress Plugin HandL UTM Grabber versions < 2.8.1...
WordPress Product Table for WooCommerce plugin <= 5.0.8 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Product Table for WooCommerce versions <= 5.0.8...
WordPress WP JobHunt plugin <= 7.1 - Unauthenticated Privilege Escalation via Email Update/Account Takeover vulnerability
Unauthenticated Privilege Escalation via Email Update/Account Takeover vulnerability discovered by Tonn in WordPress Plugin WP JobHunt versions <= 7.1...
WordPress WordPress Webinar Plugin - WebinarPress plugin <= 1.33.24 - Missing Authorization to Authenticated (Subscriber+) Webinar Updates vulnerability
WordPress WordPress Webinar Plugin - WebinarPress plugin <= 1.33.24 - Missing Authorization to Authenticated (Subscriber+) Webinar Updates vulnerability discovered by Lucio Sá in WordPress Plugin WebinarPress versions <= 1.33.24...
WordPress Booking Calendar and Notification plugin <= 4.0.3 - Missing Authorization via wpcb_all_bookings, wpcb_update_booking_post, and wpcb_delete_posts Functions vulnerability
Missing Authorization via wpcb_all_bookings, wpcb_update_booking_post, and wpcb_delete_posts Functions vulnerability discovered by WordFence in WordPress Plugin Booking Calendar and Notification versions <= 4.0.3...
WordPress Estatik Mortgage Calculator plugin <= 2.0.11 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by vgo0 in WordPress Plugin Mortgage Calculator Estatik versions <= 2.0.11...
WordPress Ultimate Member Widgets for Elementor plugin <= 2.3 - Missing Authorization to Unauthenticated Information Exposure vulnerability
Missing Authorization to Unauthenticated Information Exposure vulnerability discovered by Powpy in WordPress Plugin Ultimate Member Widgets for Elementor versions <= 2.3...
WordPress Featured Image plugin <= 2.1 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Authenticated (Admin+) Stored Cross-Site Scripting vulnerability discovered by ZAST.AI - ZAST.AI in WordPress Plugin Featured Image versions <= 2.1...
WordPress eRoom - Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams plugin <= 1.5.6 - Unauthenticated Sensitive Information Exposure vulnerability
WordPress eRoom - Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams plugin <= 1.5.6 - Unauthenticated Sensitive Information Exposure vulnerability discovered by Rafshanzani Suhada in WordPress Plugin eRoom versions <= 1.5.6...
WordPress WhyDonate - FREE Donate button - Crowdfunding - Fundraising plugin <= 4.0.15 - Missing Authorization to Unauthenticated wp_wdplugin_style Rww Deletion vulnerability
WordPress WhyDonate - FREE Donate button - Crowdfunding - Fundraising plugin <= 4.0.15 - Missing Authorization to Unauthenticated wp_wdplugin_style Rww Deletion vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Whydonate versions <= 4.0.15...
WordPress IDonate - Blood Donation, Request And Donor Management System plugin <= 2.1.15 - Missing Authorization to Unauthenticated Arbitrary Post Deletion vulnerability
WordPress IDonate - Blood Donation, Request And Donor Management System plugin <= 2.1.15 - Missing Authorization to Unauthenticated Arbitrary Post Deletion vulnerability discovered by Varakorn Chanthasri iCreaM in WordPress Plugin IDonate versions <= 2.1.14...
WordPress Construction Light theme < 1.6.8 - Subscriber+ Arbitrary Plugin Activation vulnerability
Subscriber+ Arbitrary Plugin Activation vulnerability discovered by Khaled Alenazi Nxploited in WordPress Theme Construction Light versions < 1.6.8...
WordPress Cool Tag Cloud plugin <= 2.29 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Cool Tag Cloud versions <= 2.29...
WordPress Premium Addons for Elementor plugin <= 4.11.53 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'get_template_content' vulnerability
Missing Authorization to Unauthenticated Sensitive Information Exposure via 'get_template_content' vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Premium Addons for Elementor versions <= 4.11.53...
WordPress GDPR Cookie Compliance plugin <= 4.15.6 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability
Authenticated (Admin+) Stored Cross-Site Scripting vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin GDPR Cookie Compliance versions <= 4.15.6...
WordPress Fluent Booking - The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution plugin <= 1.9.11 - Authenticated (Subscriber+) Missing Authorization to Calendar Import and Management vulnerability
WordPress Fluent Booking - The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution plugin <= 1.9.11 - Authenticated (Subscriber+) Missing Authorization to Calendar Import and Management vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPre...
WordPress Elementor plugin <= 3.29.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Tonn in WordPress Plugin Elementor Website Builder versions <= 3.29.0...
WordPress Profiler - What Slowing Down Your WP plugin <= 1.0.0 - Missing Authentication to Unauthenticated Arbitrary Plugin Reactivation via State Restoration vulnerability
WordPress Profiler - What Slowing Down Your WP plugin <= 1.0.0 - Missing Authentication to Unauthenticated Arbitrary Plugin Reactivation via State Restoration vulnerability discovered by ch4r0n - FPT Software in WordPress Plugin Profiler - What Slowing Down Your WP versions <= 1.0.0...
WordPress Depicter plugin <= 4.0.4 - Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Depicter Slider versions <= 4.0.4...
WordPress Zoho Flow plugin <= 2.14.1 - Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery vulnerability discovered by wesley wcraft in WordPress Plugin Zoho Flow versions <= 2.14.1...
WordPress Gosign - Posts Slider Block plugin <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
WordPress Gosign - Posts Slider Block plugin <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Nishiv - Developer in WordPress Plugin Gosign – Posts Slider Block versions <= 1.1.0...
WordPress Post Grid, Slider & Carousel Ultimate - with Shortcode, Gutenberg Block & Elementor Widget plugin <= 1.6.10 - Authenticated (Contributor+) Local File Inclusion via post_type_ajax_handler() vulnerability
WordPress Post Grid, Slider & Carousel Ultimate - with Shortcode, Gutenberg Block & Elementor Widget plugin <= 1.6.10 - Authenticated (Contributor+) Local File Inclusion via post_type_ajax_handler() vulnerability discovered by Hiroho Shimada in WordPress Plugin Post Grid, Slider & Carousel Ultimate...
WordPress Ketchup Shortcodes plugin <= 0.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Ketchup Shortcodes versions <= 0.1.2...
WordPress Front End Users plugin <= 3.2.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via forgot-password Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via forgot-password Shortcode vulnerability discovered by zaim in WordPress Plugin Front End Users versions <= 3.2.30...
WordPress Simple Map No Api plugin <= 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter vulnerability discovered by zaim in WordPress Plugin Simple Map No Api versions <= 1.9...
WordPress DethemeKit For Elementor plugin <= 2.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via De Gallery Widget vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via De Gallery Widget vulnerability discovered by zer0gh0st in WordPress Plugin DethemeKit For Elementor versions <= 2.1.8...
WordPress Listamester plugin <= 2.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Peter Thaleikis in WordPress Plugin Listamester versions <= 2.3.4...
WordPress Form Builder CP plugin <= 1.2.41 - Authenticated (Contributor+) SQL Injection vulnerability
Authenticated (Contributor+) SQL Injection vulnerability discovered by Peter Thaleikis in WordPress Plugin Form Builder CP versions <= 1.2.41...
WordPress SKT Blocks - Gutenberg based Page Builder plugin <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
WordPress SKT Blocks - Gutenberg based Page Builder plugin <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by zaim in WordPress Plugin SKT Blocks versions <= 1.7...
WordPress WordPress Auction plugin <= 3.7 - Editor+ SQL Injection vulnerability
Editor+ SQL Injection vulnerability discovered by Thanh Kieu in WordPress Plugin WordPress Auction Plugin versions <= 3.7...
WordPress Maps for WP plugin <= 1.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Maps for WP versions <= 1.2.4...
WordPress SecuPress Free - WordPress Security plugin <= 2.2.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via secupress_check_ban_ips_form Shortcode vulnerability
WordPress SecuPress Free - WordPress Security plugin <= 2.2.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via secupress_check_ban_ips_form Shortcode vulnerability discovered by Brian Sans-Souci liardom in WordPress Plugin SecuPress Free versions <= 2.2.5.3...
WordPress Structured Content (JSON-LD) #wpsc plugin <= 1.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via sc_fs_local_business Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via sc_fs_local_business Shortcode vulnerability discovered by shaman0x01 - Shaman Red Team in WordPress Plugin Structured Content versions <= 1.6.3...
WordPress WP Enabled SVG plugin <= 0.2 - Author+ Stored XSS via SVG vulnerability
Author+ Stored XSS via SVG vulnerability discovered by Pierre Rudloff in WordPress Plugin WP Enabled SVG versions <= 0.2...
WordPress Visual Website Collaboration, Feedback & Project Management - Atarim plugin <= 4.0.9 - Missing Authorization to Authenticated (Subscriber+) Project Page/File Deletion vulnerability
WordPress Visual Website Collaboration, Feedback & Project Management - Atarim plugin <= 4.0.9 - Missing Authorization to Authenticated (Subscriber+) Project Page/File Deletion vulnerability discovered by WordFence in WordPress Plugin Atarim versions <= 4.0.9...
WordPress WP jQuery DataTable plugin <= 4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin WP jQuery DataTable versions <= 4.0.1...
WordPress Wishlist plugin <= 1.0.43 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by SOPROBRO in WordPress Plugin Wishlist versions <= 1.0.43...
WordPress Music Sheet Viewer plugin <= 4.1 - Unauthenticated Arbitrary File Read vulnerability
Unauthenticated Arbitrary File Read vulnerability discovered by Peter Thaleikis in WordPress Plugin Music Sheet Viewer versions <= 4.1...
WordPress CiyaShop - Multipurpose WooCommerce Theme plugin <= 4.19.0 - Unauthenticated PHP Object Injection vulnerability
WordPress CiyaShop - Multipurpose WooCommerce Theme plugin <= 4.19.0 - Unauthenticated PHP Object Injection vulnerability discovered by Lucio Sá in WordPress Theme CiyaShop versions <= 4.19.0...
WordPress Age Restriction plugin <= 3.0.2 - Subscriber+ Privilege Escalation vulnerability
Subscriber+ Privilege Escalation vulnerability discovered by Khaled Alenazi Nxploited in WordPress Plugin Premium Age Verification / Restriction for WordPress versions <= 3.0.2...
WordPress Small Package Quotes - Worldwide Express Edition plugin <= 5.2.18 - Unauthenticated SQL Injection vulnerability
WordPress Small Package Quotes - Worldwide Express Edition plugin <= 5.2.18 - Unauthenticated SQL Injection vulnerability discovered by Colin Xu in WordPress Plugin Small Package Quotes – Worldwide Express Edition versions <= 5.2.18...
WordPress ZoomSounds - WordPress Wave Audio Player with Playlist plugin <= 6.91 - Unauthenticated PHP Object Injection vulnerability
WordPress ZoomSounds - WordPress Wave Audio Player with Playlist plugin <= 6.91 - Unauthenticated PHP Object Injection vulnerability discovered by Lucio Sá in WordPress Plugin ZoomSounds versions <= 6.91...
WordPress Directory Listings WordPress plugin - uListing plugin <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update and PHP Object Injection vulnerability
WordPress Directory Listings WordPress plugin - uListing plugin <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update and PHP Object Injection vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin uListing versions <= 2.2.0...