SQL Injection in the Groundhogg WordPress CRM plugin (all versions through 4.5.5) allows authenticated attackers holding Sales Representative-level access or above to extract arbitrary data from the underlying WordPress database via the `query[select]` REST API parameter. The vulnerability is exploitable through a deliberate sanitization bypass: submitting an invalid filter type in `query[filters]` triggers a FilterException that silently redirects execution from the protected `Contact_Query` path to the unprotected `Legacy_Contact_Query` path. No CISA KEV listing or confirmed public exploit code exists at time of analysis, though Wordfence's advisory directly references vulnerable source lines at plugin version 4.5.5, materially lowering the barrier to independent PoC development.
SQL injection in the Groundhogg CRM, Newsletters, and Marketing Automation WordPress plugin exposes the underlying WordPress database to authenticated attackers holding marketer-level access or higher. The 'search' parameter is insufficiently escaped across at least five distinct code paths - spanning db/db.php, db/steps.php, and api/v4/base-object-api.php - allowing appended SQL payloads to exfiltrate sensitive data including contact records, campaign data, and potentially WordPress user credentials. No public exploit code or CISA KEV listing has been identified at the time of analysis, but the vulnerability is straightforward to exploit with valid credentials given the low complexity rating.
Unauthorized data modification in the Frisbii Pay WordPress plugin (versions up to and including 1.8.9) allows authenticated attackers at Subscriber level or above to overwrite WooCommerce payment tokens, postmeta, and order meta records via unprotected AJAX endpoints. The root cause is CWE-862 (Missing Authorization) - the plugin's `upload_csv` and `process_batch` functions in the `MigrationMobilepayToVipps` class perform no WordPress capability checks before processing caller-supplied CSV data. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low privilege barrier (Subscriber) makes it meaningful in multi-tenant or open-registration WordPress environments.
Capsicum sandbox escape in FreeBSD allows a compromised capability-mode process to send arbitrary signals - including SIGKILL and SIGSTOP - to processes outside its sandbox, undermining Capsicum's core isolation guarantee. Affected are FreeBSD 14.3-RELEASE through 15.0-RELEASE in versions prior to their respective patch levels; the root cause is a 2011-era omission in kern_sigqueue that never enforced a PID self-restriction when a process operates in capability mode. EPSS is 0.14% (4th percentile), SSVC marks exploitation as none and non-automatable, and no public exploit has been identified at time of analysis.
Stored Cross-Site Scripting in the Page Builder by SiteOrigin WordPress plugin (all versions through 2.34.3) allows authenticated contributors to persist arbitrary JavaScript into post meta and execute it in any visitor's browser. The vulnerability bypasses WordPress's native content-filtering mechanisms because panels_data is stored as raw post meta rather than post content, placing it outside the scope of the unfiltered_html capability carve-out and the wp_kses fallback that would otherwise sanitize WP_Widget_Custom_HTML widget content. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (Contributor level) makes this a realistic threat on any multi-author or open-registration WordPress installation.
Stored Cross-Site Scripting in the Dokan WooCommerce Multivendor Marketplace plugin for WordPress (all versions through 5.0.4) allows any authenticated vendor-level user to permanently inject arbitrary JavaScript into product SKU fields, which then executes in the browsers of all site visitors - including unauthenticated users - via the store search widget's AJAX response path. The scope change (S:C in CVSS) is critical: the attacker plants the payload once as a vendor, but impact is borne by an unbounded population of end users who trigger the search widget. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; however, the attack surface is wide on marketplaces with open vendor registration.
Stored Cross-Site Scripting in the CodePeople Post Map for Google Maps WordPress plugin (versions through 1.2.6) permits authenticated Contributor-level users to persist malicious JavaScript payloads via the 'cpm_point' post meta field. The CVSS S:C (Scope Changed) flag confirms the injected scripts execute in victim browser sessions beyond the plugin's own context, enabling session hijacking, credential theft, or unauthorized admin actions against any user who visits an injected page. No confirmed active exploitation appears in CISA KEV, and no public exploit code has been identified at time of analysis.
Stored Cross-Site Scripting in the Surbma | Infusionsoft Shortcode WordPress plugin (versions ≤ 2.0.1) allows authenticated contributors to inject persistent malicious scripts that execute in any visitor's browser. The flaw originates in the surbma_infusionsoft_shortcode_shortcode() function, where the 'account' and 'id' shortcode attributes are concatenated without sanitization directly into a <script> tag's src attribute - a particularly dangerous injection point because it bypasses many output-escaping checks that target HTML attribute or element contexts. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present.
Reflected Cross-Site Scripting in the MaxButtons - Create buttons WordPress plugin (versions up to and including 9.8.5) allows unauthenticated attackers to inject arbitrary JavaScript via the unsanitized 'view' parameter, executing in the victim's browser context when a crafted URL is clicked. The flaw is traced to insufficient input sanitization in listController.php and maxbuttons-list.php, as confirmed by Wordfence and source-level references in the WordPress plugin repository. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low attack complexity and zero-privilege requirement make social-engineering-based exploitation straightforward.
Sensitive application data exposure in HCL Traveler for Microsoft Outlook (HTMO) allows a local low-privileged attacker to read sensitive information - likely credentials, tokens, or session data written to application log files (CWE-532) - potentially enabling follow-on attacks against connected systems. The CVSS vector confirms local access with low privileges is sufficient to achieve high confidentiality impact, with no integrity or availability consequences. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Payment record manipulation in the WP Full Stripe Free WordPress plugin (versions ≤ 8.4.3) allows unauthenticated remote attackers to overwrite payment status in the site database. The vulnerability stems from the wpfs_update_failed_payment_status AJAX handler being registered under both wp_ajax_ and wp_ajax_nopriv_ hooks with zero authorization controls - no capability check, no nonce, no session validation - enabling any caller to invoke it. An attacker who has legitimately initiated a checkout on the target site (and thereby obtained a Stripe Payment Intent ID from the browser-visible Stripe.js flow) can send a crafted POST request to mark a previously successful payment as failed, potentially blocking order fulfillment, triggering disputes, or corrupting financial records. No public exploit code has been identified at the time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Unauthenticated form submission data exfiltration in NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) exposes sensitive PII and payment details to any remote attacker. Missing authorization checks on report download endpoints allow sequential enumeration of report IDs without any credentials, enabling mass harvesting of names, email addresses, phone numbers, postal addresses, payment details, and file paths from every saved form report on the site. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the low attack complexity and zero authentication requirement make opportunistic exploitation straightforward.
Authentication bypass in the RegistrationMagic WordPress plugin (all versions through 6.0.8.6) permits an unauthenticated attacker with a prior legitimate payment transaction on the target site to obtain real WordPress session cookies for any user account, including administrators. The flaw exploits a fatally inverted processing order in the PayPal IPN callback handler: attacker-controlled POST data including the target user_id is written to the payment log database before PayPal IPN validation is performed, and the database poisoning persists even after validation subsequently rejects the forged notification. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the account-takeover impact makes this a critical priority for any site running the plugin with active PayPal payment integration.
The Shariff for WordPress Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() function, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Stored cross-site scripting in Ivory Search - WordPress Search Plugin (all versions through 5.5.15) allows authenticated WordPress administrators to implant persistent JavaScript payloads via the `menu_title` and `menu_magnifier_color` settings fields, which execute in the browsers of any site visitor loading a page that renders the affected search widget. The root cause is insufficient input sanitization and output escaping in both the admin settings handler (class-is-settings-fields.php:249) and public-facing output routines (class-is-public.php:222, 263, 1199), confirmed via plugin source references on WordPress Trac. No public exploit code has been identified at time of analysis, CISA KEV does not list this CVE, and the CVSS score of 4.4 reflects the high privilege prerequisite rather than the cross-site impact scope.
Stored Cross-Site Scripting in the Gutenverse WordPress Blocks, Page Builder & Site Editor plugin (all versions through 3.8.0) enables authenticated editor-level users to persist arbitrary JavaScript into pages served to any site visitor. The vulnerability is constrained to WordPress multi-site installations or single-site deployments where unfiltered_html has been explicitly disabled. No public exploit has been identified at time of analysis, and a upstream fix commit (changeset 3578328) has been published to the WordPress plugin repository.
Authorization bypass in the Quiz and Survey Master (QSM) WordPress plugin (all versions through 11.1.4) allows authenticated contributors to create, modify, and delete quiz output templates in the mlw_quiz_output_templates database table without proper capability checks. Because template content is stored without sanitization, this grants contributor-level users the practical ability to inject arbitrary script tags into templates viewable by higher-privileged users such as administrators. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, but the low privilege requirement makes this accessible to any registered contributor on affected WordPress installations.
Insecure Direct Object Reference in Dokan WooCommerce Multivendor Marketplace plugin (all versions through 5.0.4) enables horizontal privilege escalation across vendor accounts via the REST API 'id' parameter. Authenticated attackers holding any vendor-level or subscriber-level account can retrieve full product records belonging to competing vendors, including unpublished draft and pending-review listings that expose product names, prices, SKUs, and descriptions. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.
Unauthorized taxonomy manipulation in the Product Specifications for WooCommerce WordPress plugin (versions up to and including 0.8.9) exposes AJAX endpoints that any authenticated subscriber can invoke without authorization checks or CSRF protection, enabling arbitrary creation, modification, and deletion of product specification groups and attributes. The affected AJAX actions 'dwps_modify_groups' and 'dwps_modify_attributes' - bound to the __invoke() methods of AttributeGroupController and AttributeController - operate on 'spec-group' and attribute taxonomy terms, meaning successful exploitation directly corrupts WooCommerce store business data and breaks frontend product display. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.
Unauthorized plugin activation in the Spexo WordPress theme (all versions through 2.0.11) is possible due to a missing capability check on the theme's activate_plugin function, exposing sites to integrity compromise by low-privileged authenticated users. Attackers holding Subscriber-level accounts or higher can trigger plugin activation outside of WordPress's native authorization controls, bypassing the intended administrator-only restriction. No public exploit code or active exploitation has been identified at time of analysis, and no EPSS data was provided.
Cross-Site Request Forgery in the HD Quiz WordPress plugin versions 2.2.0 and 2.2.1 enables unauthenticated attackers to manipulate quiz content and plugin settings by tricking a logged-in administrator into clicking a crafted link. The flaw originates in the `hdq_validate_nonce` function (`includes/functions.php:39`), which fails to properly validate WordPress nonces across at least six distinct AJAX action handlers in `includes/actions-ajax.php`. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though Wordfence has published a detailed advisory with source code references for both affected versions.
Authorization bypass in the Masteriyo LMS WordPress plugin (all versions through 2.2.1) allows authenticated users with student-level access to overwrite the post content of course announcements created by instructors or administrators. The flaw is rooted in missing authorization checks (CWE-862) inside the CourseAnnouncementController addon, meaning any enrolled student can tamper with official communications - exam instructions, policy notices, deadlines - without being detected by the LMS. No public exploit code or active exploitation has been identified at time of analysis; CVSS rates this 4.3 (Medium) reflecting limited integrity-only impact with no confidentiality or availability consequence.