Stored cross-site scripting (XSS) in Crocoblock JetElements For Elementor plugin through version 2.7.8 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of site visitors, potentially compromising site integrity and user sessions. The vulnerability requires user interaction (UI:R) and affects authenticated users (PR:L), limiting immediate blast radius but posing persistent risk to WordPress installations using this Elementor extension.
Stored XSS in Crocoblock JetEngine WordPress plugin versions 3.7.3 and earlier allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of other users, including administrators. The vulnerability requires user interaction (UI:R) to trigger and affects confidentiality, integrity, and availability with limited scope. With EPSS at 0.07% and no KEV status indicating active exploitation, this represents a low-probability but real risk requiring patching in multi-user WordPress environments.
Reflected cross-site scripting (XSS) in Crocoblock JetBlog WordPress plugin through version 2.4.4 allows authenticated users to inject malicious scripts that execute in other users' browsers when they interact with crafted links. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting but not eliminating real-world risk; EPSS score of 0.07% indicates low exploitation probability despite the moderate CVSS 6.5 rating.
Stored Cross-Site Scripting (XSS) in Crocoblock JetBlog WordPress plugin through version 2.4.4.1 allows authenticated users with low privileges to inject malicious scripts that persist in web pages and execute in the browsers of other site visitors, potentially compromising session tokens, stealing sensitive data, or performing unauthorized actions. EPSS score of 0.07% and lack of public exploit code indicate low real-world exploitation probability despite the moderate CVSS 6.5 score.
DOM-based cross-site scripting (XSS) in Crocoblock JetWooBuilder plugin through version 2.1.20 allows authenticated users with low privileges to inject malicious scripts that execute in other users' browsers when they interact with affected pages. The vulnerability requires user interaction (UI:R per CVSS) and affects the plugin's web page generation functions. No public exploit code or active exploitation has been confirmed, though the issue carries a moderate CVSS score of 6.5 and low EPSS probability (0.07%, 22nd percentile) suggesting limited real-world attack incentive despite the authentication requirement being relatively low-barrier for WordPress environments.
Stored XSS vulnerability in Crocoblock JetWooBuilder WordPress plugin versions up to 2.1.20.1 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other users viewing affected pages, potentially leading to session hijacking, credential theft, or defacement. The vulnerability requires user interaction (UI:R) from victims and affects the confidentiality, integrity, and availability of website content. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting (XSS) in Crocoblock JetBlocks For Elementor plugin versions up to 1.3.18 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability requires user interaction (UI:R) and affects confidentiality and integrity, with an EPSS score of 0.06% indicating very low real-world exploitation likelihood despite the moderate CVSS 5.4 rating.
Authorization bypass in Houzez WordPress theme versions up to 4.2.5 allows authenticated users to access or modify resources they should not have permission to reach through insecure direct object reference (IDOR) vulnerabilities. An authenticated attacker with low privileges can exploit inadequately configured access controls to view or modify data belonging to other users, achieving limited information disclosure and integrity compromise. The vulnerability is not confirmed as actively exploited, though the attack vector is network-based with low complexity.
Missing Authorization vulnerability in PickPlugins Accordion accordions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accordion: from n/a through <= 2.3.14.
Missing Authorization vulnerability in Breeze Team Breeze Checkout breeze-checkout allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Breeze Checkout: from n/a through <= 1.4.0.
Missing Authorization vulnerability in vanquish WooCommerce Orders & Customers Exporter woocommerce-orders-ei allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Orders & Customers Exporter: from n/a through <= 5.4.
Missing Authorization vulnerability in Wikimedia Foundation Wikipedia Preview wikipedia-preview allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wikipedia Preview: from n/a through <= 1.15.0.
Missing Authorization vulnerability in FRESHFACE Custom CSS custom-css-editor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Custom CSS: from n/a through <= 1.4.0.
Unauthenticated attackers can bypass access controls in SUMO Memberships for WooCommerce versions below 7.8.0 to perform unauthorized actions including content modification and deletion through incorrectly configured membership level enforcement. The vulnerability requires user interaction (UI:R) but affects confidentiality, integrity, and availability of protected content. No public exploit code or active exploitation has been confirmed.
Stored cross-site scripting in Cinza Grid WordPress plugin versions up to 1.2.1 allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'cgrid_skin_content' post meta field, which executes when other users view the affected pages. The vulnerability stems from missing input sanitization and output escaping in backend processing functions. CVSS 6.4 reflects moderate impact with network-accessible attack surface, though exploitation requires valid WordPress contributor-level credentials.
Stored Cross-Site Scripting in WP-Force Images Download WordPress plugin versions up to 1.8 allows authenticated contributors and above to inject arbitrary JavaScript via the 'class' attribute of the 'wpfid' shortcode due to insufficient input sanitization and output escaping. The vulnerability executes malicious scripts in the browser of any user viewing an affected page, potentially enabling account compromise, malware distribution, or defacement with CVSS 6.4 (medium severity). No public exploit code or confirmed active exploitation has been identified at time of analysis.
Missing Authorization vulnerability in Themefic Hydra Booking hydra-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hydra Booking: from n/a through <= 1.1.9.
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in AmentoTech Doctreat doctreat allows Code Injection.This issue affects Doctreat: from n/a through <= 1.6.7.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoefff Werk aan de Muur werk-aan-de-muur allows Stored XSS.This issue affects Werk aan de Muur: from n/a through <= 1.5.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Extend Themes Colibri Page Builder colibri-page-builder allows Stored XSS.This issue affects Colibri Page Builder: from n/a through < 1.0.334.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows DOM-Based XSS.This issue affects Seriously Simple Podcasting: from n/a through <= 3.11.1.
Insertion of Sensitive Information Into Sent Data vulnerability in ThemeRuby Easy Post Submission easy-post-submission allows Retrieve Embedded Sensitive Data.This issue affects Easy Post Submission: from n/a through <= 1.7.0.
Server-Side Request Forgery (SSRF) vulnerability in captcha.eu Captcha.eu captcha-eu allows Server Side Request Forgery.This issue affects Captcha.eu: from n/a through <= 1.0.61.
Missing Authorization vulnerability in WPMU DEV - Your All-in-One WordPress Platform SmartCrawl smartcrawl-seo.This issue affects SmartCrawl: from n/a through <= 3.14.3.
Missing Authorization vulnerability in VeronaLabs WP SMS wp-sms.This issue affects WP SMS: from n/a through <= 7.0.1.
Missing Authorization vulnerability in accessiBe Web Accessibility By accessiBe accessibe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Web Accessibility By accessiBe: from n/a through <= 2.10.
FreeBSD kernel fails to properly validate socket connection state when adding sockets to SO_REUSEPORT_LB load-balancing groups, allowing connected sockets to receive packets from arbitrary hosts instead of only from their connected peer. This breaks the fundamental contract of the connect(2) system call and sendto(2), creating a spoofing vulnerability where applications believe they are receiving authenticated peer traffic but may actually receive unsolicited packets from any host. The vulnerability affects remote attackers with user-level privileges on systems running vulnerable FreeBSD versions.
Missing Authorization vulnerability in templazee Templazee templazee allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Templazee: from n/a through <= 1.0.2.
Missing Authorization vulnerability in DELUCKS DELUCKS SEO delucks-seo allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects DELUCKS SEO: from n/a through <= 2.5.9.
Missing Authorization vulnerability in CoSchedule CoSchedule coschedule-by-todaymade allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CoSchedule: from n/a through <= 3.4.0.
Missing Authorization vulnerability in StellarWP WPComplete wpcomplete allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WPComplete: from n/a through <= 2.9.5.3.
Missing Authorization vulnerability in bdthemes ZoloBlocks zoloblocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ZoloBlocks: from n/a through <= 2.3.11.
Missing Authorization vulnerability in jjlemstra Whydonate wp-whydonate allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Whydonate: from n/a through <= 4.0.15.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Retrieve Embedded Sensitive Data.This issue affects MasterStudy LMS: from n/a through <= 3.6.20.
SQL injection in Email Tracker plugin for WordPress (versions up to 5.3.15) allows authenticated administrators to extract sensitive database information via the 'orderby' parameter due to insufficient escaping and query preparation. CVSS 4.9 reflects high confidentiality impact but requires high-privilege authenticated access; no public exploit code or active exploitation confirmed at analysis time.
Missing Authorization vulnerability in etruel WPeMatico RSS Feed Fetcher wpematico allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPeMatico RSS Feed Fetcher: from n/a through <= 2.8.3.
Missing Authorization vulnerability in Sovlix MeetingHub meetinghub.This issue affects MeetingHub: from n/a through <= 1.23.9.
Missing Authorization vulnerability in Rustaurius Front End Users front-end-only-users.This issue affects Front End Users: from n/a through <= 3.2.33.
Missing Authorization vulnerability in Repuso Social proof testimonials and reviews by Repuso social-testimonials-and-reviews-widget.This issue affects Social proof testimonials and reviews by Repuso: from n/a through <= 5.29.
Missing Authorization vulnerability in WPXPO WowRevenue revenue.This issue affects WowRevenue: from n/a through <= 1.2.13.
Missing Authorization vulnerability in Horea Radu One Page Express Companion one-page-express-companion.This issue affects One Page Express Companion: from n/a through <= 1.6.43.
Missing Authorization vulnerability in Made Neat Acknowledgify acknowledgify.This issue affects Acknowledgify: from n/a through <= 1.1.3.
Missing Authorization vulnerability in POSIMYTH UiChemy uichemy.This issue affects UiChemy: from n/a through <= 4.0.0.
Missing Authorization vulnerability in Syed Balkhi Smash Balloon Social Post Feed custom-facebook-feed allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Smash Balloon Social Post Feed: from n/a through <= 4.3.2.
Missing Authorization vulnerability in RealMag777 MDTF wp-meta-data-filter-and-taxonomy-filter allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MDTF: from n/a through <= 1.3.3.9.
Cross-Site Request Forgery (CSRF) vulnerability in John James Jacoby WP Media Categories wp-media-categories allows Cross Site Request Forgery.This issue affects WP Media Categories: from n/a through <= 2.1.0.
Cross-Site Request Forgery (CSRF) vulnerability in impleCode Product Catalog Simple post-type-x.This issue affects Product Catalog Simple: from n/a through <= 1.8.4.
Cross-Site Request Forgery (CSRF) vulnerability in Dmitry V. (CEO of "UKR Solution") UPC/EAN/GTIN Code Generator upc-ean-barcode-generator allows Cross Site Request Forgery.This issue affects UPC/EAN/GTIN Code Generator: from n/a through <= 2.0.2.
Cross-Site Request Forgery (CSRF) vulnerability in Evergreen Content Poster Evergreen Content Poster evergreen-content-poster allows Cross Site Request Forgery.This issue affects Evergreen Content Poster: from n/a through <= 1.4.5.