PHP
Monthly
DOM-based cross-site scripting (XSS) in Designinvento DirectoryPress WordPress plugin through version 3.6.25 allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers when they view affected pages. The vulnerability requires user interaction (clicking a malicious link) and can affect website visitors across the entire site, potentially leading to session hijacking, credential theft, or malware distribution. EPSS score of 0.02% indicates low exploitation probability despite the publicly available vulnerability details.
Broken access control in RealMag777 MDTF (WordPress Meta Data Filter and Taxonomy Filter) plugin versions up to 1.3.6 allows low-privileged authenticated users to bypass authorization controls and access or modify sensitive metadata and taxonomy filter configurations. While rated CVSS 8.1 (High), real-world exploitation risk remains moderate with EPSS at 0.03% (9th percentile) and no confirmed active exploitation or public exploit code identified at time of analysis. This authentication bypass vulnerability was disclosed by Patchstack's security audit team.
Remote code execution in the VideoWhisper Paid Videochat Turnkey Site WordPress plugin (versions up to 7.3.23) allows authenticated administrators to inject and execute arbitrary code through code injection vulnerabilities. The CVSS 9.1 severity reflects scope change and high impact across confidentiality, integrity, and availability. EPSS exploitation probability is low at 0.04% (13th percentile), and no public exploit identified at time of analysis, suggesting this remains a theoretical high-severity issue requiring privileged access rather than an imminent mass-exploitation threat.
Broken access control in Revive Old Posts (tweet-old-post) WordPress plugin through version 9.3.3 allows authenticated attackers with low-level privileges to escalate permissions and execute high-impact operations including data exfiltration, modification, and service disruption. EPSS score of 0.05% (15th percentile) indicates low probability of mass exploitation, though the 8.8 CVSS score reflects significant potential damage once low-privilege access is obtained. No public exploit identified at time of analysis, and no CISA KEV listing exists.
Broken access control in Welcart e-Commerce WordPress plugin through version 2.11.24 allows authenticated users to bypass authorization checks and perform unauthorized actions with elevated privileges. This authentication bypass vulnerability (CWE-862) enables low-privileged authenticated attackers to access, modify, or delete data beyond their permission level, potentially compromising store operations, customer data, and site integrity. EPSS score of 0.05% (15th percentile) suggests low immediate exploitation probability, though no public exploit has been identified at time of analysis.
Missing authorization controls in the Open Close WooCommerce Store plugin (versions ≤4.9.9) allow authenticated low-privileged users to bypass access restrictions and perform unauthorized high-impact operations, potentially modifying store configuration or accessing sensitive data. With CVSS 8.1 (High severity) but only 0.03% EPSS (9th percentile), this represents a significant vulnerability for affected WordPress/WooCommerce sites, though no public exploit or active exploitation (CISA KEV) has been identified at time of analysis. The authentication requirement (PR:L) substantially limits attack surface compared to unauthenticated vulnerabilities.
WordPress Table Block by RioVizual plugin versions through 3.0.0 contains a broken access control vulnerability allowing authenticated attackers with low privileges to bypass authorization checks and perform high-impact actions including data theft, modification, and service disruption. The CVSS score of 8.8 reflects network-accessible exploitation with low complexity requiring only minimal authentication. EPSS score of 0.05% (15th percentile) suggests low immediate exploitation probability, with no public exploit identified at time of analysis.
DOM-based cross-site scripting (XSS) in RomanCode MapSVG WordPress plugin versions up to 8.7.22 allows remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability requires user interaction (UI:R) and affects the confidentiality and integrity of web sessions. Although the CVSS score is 6.1 (medium), the EPSS exploitation probability is very low at 0.02%, and no public exploit code or active exploitation has been identified; this suggests the practical attack likelihood is minimal despite the moderate CVSS rating.
Broken access control in Conversios.io WooCommerce analytics plugin (versions ≤7.2.13) allows authenticated low-privilege users to access or modify high-sensitivity data without proper authorization checks. The vulnerability enables privilege escalation where any authenticated user can bypass intended access restrictions to read confidential information or alter plugin settings/data. EPSS score of 0.03% (9th percentile) indicates low predicted exploitation probability; no public exploit identified at time of analysis.
DOM-based cross-site scripting (XSS) in Marquee Addons for Elementor WordPress plugin versions through 3.8.2 allows remote attackers to inject malicious scripts through improper input neutralization during web page generation. The vulnerability requires user interaction (UI:R) and affects the confidentiality and integrity of affected websites. While CVSS scores 6.1 (medium), the 0.02% EPSS percentile indicates low real-world exploitation probability despite public awareness.
Unauthenticated remote attackers can bypass authorization controls in TS Demo Importer plugin for WordPress (versions ≤0.1.3), enabling high-impact integrity and availability compromise through misconfigured access control. EPSS scoring at 7th percentile (0.07%) suggests low observed exploitation probability. No CISA KEV listing indicates no confirmed active exploitation at time of analysis, though the authentication bypass tag and critical CVSS 9.1 rating warrant immediate attention for exposed WordPress installations.
Broken access control in IgnitionDeck WordPress plugin (versions ≤2.0.15) enables authenticated users to bypass authorization checks and perform unauthorized actions with elevated privileges. The vulnerability requires low-privilege authentication but has low attack complexity (CVSS 8.8, AV:N/AC:L/PR:L), allowing compromise of confidentiality, integrity, and availability. EPSS probability is low (0.05%, 15th percentile), and no public exploit is identified at time of analysis, suggesting limited active targeting despite the high severity rating.
Broken access control in WP Flights & Hotels Booking WP Plugin (adiaha-hotel) versions ≤3.1 allows authenticated users with low privileges to bypass authorization checks and gain unauthorized access to high-impact functionality. Attackers can achieve complete compromise of confidentiality, integrity, and availability within the plugin's scope. EPSS score of 0.05% (15th percentile) indicates low observed exploitation probability, and no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Stored cross-site scripting (XSS) in WPClever WPC Smart Messages for WooCommerce plugin versions up to 4.2.8 allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability requires user interaction (UI:R) and affects confidentiality and integrity through script injection, with a CVSS score of 5.4 reflecting moderate risk; however, the 0.02% EPSS score indicates minimal real-world exploitation probability at time of analysis, and no public exploit code or active exploitation has been confirmed.
Sensitive system information disclosure in ThemeHunk WP Popup Builder plugin for WordPress (versions ≤1.3.8) allows unauthenticated remote attackers to retrieve embedded sensitive data without authentication. The vulnerability presents a CVSS 7.5 HIGH severity with confirmed network-based exploitation requiring no user interaction. EPSS score of 0.03% (10th percentile) indicates minimal observed exploitation activity, and no public exploit identified at time of analysis. The flaw stems from improper exposure of sensitive information to unauthorized control spheres (CWE-497).
Improper neutralization of HTML script tags in WP Recipe Maker through version 10.0.x enables reflected cross-site scripting (XSS) attacks against users. The vulnerability affects the Brecht WP Recipe Maker WordPress plugin and requires user interaction (clicking a malicious link) to exploit. An attacker can inject arbitrary JavaScript into the page context, achieving code execution in the victim's browser with potential to steal session tokens or perform actions on behalf of authenticated users. The vulnerability has low real-world exploitation probability (EPSS 0.02%) and does not appear to be actively exploited in the wild.
Sensitive data exposure in Atarim Visual Collaboration WordPress plugin (versions through 4.2.1) allows unauthenticated remote attackers to retrieve embedded confidential information via network-accessible endpoints. The vulnerability enables direct extraction of sensitive data with no authentication required and low attack complexity. EPSS score of 0.03% (10th percentile) indicates minimal current exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.
Broken access control in King Addons for Elementor (WordPress plugin) versions through 51.1.61 allows authenticated attackers with low privileges to bypass authorization checks and gain unauthorized access to high-privilege functionality. The CVSS 8.8 score reflects potential for full compromise (high confidentiality, integrity, and availability impact), though the EPSS score of 0.05% (15th percentile) indicates minimal real-world exploitation observed. No public exploit code or CISA KEV listing identified at time of analysis. The vulnerability stems from improperly configured access control security levels (CWE-862: Missing Authorization), enabling privilege escalation by low-privileged users.
DOM-based cross-site scripting (XSS) in King Addons for Elementor plugin versions up to 51.1.61 allows authenticated users with low privileges to inject malicious scripts that execute in other users' browsers when they interact with affected pages. The vulnerability requires user interaction (clicking a link) and affects the confidentiality and integrity of website content, with an EPSS score of 0.02% indicating low real-world exploitation probability despite the moderate CVSS rating of 5.4.
Cross-Site Request Forgery (CSRF) vulnerability in wpdevart Pricing Table builder WordPress plugin (versions up to 1.5.3) enables stored Cross-Site Scripting (XSS) attacks through social engineering. Unauthenticated remote attackers can trick administrators into executing malicious actions that inject persistent JavaScript code into the WordPress site. EPSS score of 0.02% (4th percentile) indicates minimal observed exploitation activity, with no CISA KEV listing or public exploit identified at time of analysis. The CVSS score of 8.8 reflects the high impact potential when user interaction succeeds, though real-world risk depends heavily on social engineering effectiveness.
DOM-based cross-site scripting (XSS) in RexTheme WP VR WordPress plugin up to version 8.5.48 allows authenticated users with low privileges to inject malicious scripts that execute in other users' browsers with site-wide scope. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability equally. Exploitation requires valid WordPress account credentials but carries moderate real-world risk given the low EPSS score (0.02%) and authenticated requirement despite the CVSS 6.5 rating.
Missing authorization in RelyWP Coupon Affiliates plugin (versions up to 7.2.0) allows unauthenticated remote attackers to access restricted functionality and read sensitive data due to inadequate access control list (ACL) enforcement. The vulnerability requires no authentication and has low attack complexity, enabling attackers to bypass WordPress permission checks and retrieve coupon-related information not intended for public access.
Cross-Site Request Forgery in WordPress IndieAuth plugin (all versions ≤4.5.4) enables unauthenticated attackers to force authenticated users to authorize malicious OAuth applications, leading to account takeover with full administrative privileges (create, update, delete scopes). Missing nonce validation on login_form_indieauth() and the /wp-login.php?action=indieauth authorization endpoint allows attackers to steal authorization codes and exchange them for access tokens. CVSS 8.8 (High) with network attack vector and low complexity. EPSS data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis. Patch released in version 4.5.5.
Privilege escalation in FantasticPlugins SUMO Memberships for WooCommerce (versions ≤7.8.0) allows authenticated users with low-level privileges to elevate permissions and gain unauthorized high-level access to WordPress site functions. The vulnerability stems from incorrect privilege assignment (CWE-266), enabling attackers to bypass intended access controls. With CVSS 8.8 (High) severity, the flaw permits complete compromise of confidentiality, integrity, and availability. EPSS probability is low (0.06%, 17th percentile), and no public exploit identified at time of analysis, though Patchstack has published advisory details.
Remote code execution in Beplusthemes Alone WordPress theme through version 7.8.3 allows unauthenticated attackers to inject and execute arbitrary code via a code injection vulnerability. With a critical CVSS score of 10.0 and network-based exploitation requiring no privileges or user interaction, this vulnerability enables complete system compromise. EPSS exploitation probability is low (0.06%, 17th percentile), and no public exploit or CISA KEV listing identified at time of analysis.
Privilege escalation in N-Media Simple User Registration (WordPress plugin) through version 6.8 allows authenticated low-privilege users to elevate their access to administrator-level permissions via incorrect privilege assignment. With EPSS at 0.06% (17th percentile) and no public exploit identified at time of analysis, real-world exploitation risk remains low despite the high CVSS score. The vulnerability requires low-privilege authentication (PR:L) but has low attack complexity (AC:L) and no user interaction (UI:N), making it straightforward to exploit once an attacker has basic user credentials.
Unauthenticated attackers can bypass access controls in SUMO Memberships for WooCommerce versions below 7.8.0 to perform unauthorized actions including content modification and deletion through incorrectly configured membership level enforcement. The vulnerability requires user interaction (UI:R) but affects confidentiality, integrity, and availability of protected content. No public exploit code or active exploitation has been confirmed.
Code injection in WP Last Modified Info plugin versions ≤1.9.4 allows authenticated attackers with low-level privileges to execute arbitrary code remotely via vulnerable code generation controls. The CVSS 7.4 rating reflects network accessibility, low attack complexity, and scope change enabling cross-boundary impact. EPSS probability is minimal (0.05%, 15th percentile), no active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis, suggesting limited real-world exploitation activity despite the critical vulnerability class.
Reflected cross-site scripting (XSS) in the Contact Form by Supsystic WordPress plugin (versions through 1.7.36) allows unauthenticated remote attackers to execute malicious JavaScript in victims' browsers via crafted URLs. The vulnerability enables session hijacking, credential theft, and malicious actions performed in the context of the victim's authenticated session. EPSS probability indicates low exploitation likelihood (0.07%, 22nd percentile) with no public exploit identified at time of analysis.
Reflected Cross-Site Scripting (XSS) in WordPress plugin oik-privacy-policy versions ≤1.4.10 allows remote attackers to execute arbitrary JavaScript in victims' browsers. Exploitation requires user interaction (victim must click malicious link). EPSS probability is low (0.07%, 22nd percentile), and no active exploitation is confirmed. Reported by Patchstack security audit team, indicating professional vulnerability disclosure.
Reflected cross-site scripting (XSS) in XLPlugins NextMove Lite WordPress plugin versions up to 2.24.0 allows authenticated attackers to inject malicious scripts via unvalidated input during web page generation. An attacker with user credentials can craft a malicious link that, when clicked by another user, executes arbitrary JavaScript in their browser context. The vulnerability carries a moderate CVSS score of 6.5 but exhibits very low real-world exploitation probability (EPSS 0.03%, 8th percentile), indicating it has not been actively exploited in practice despite the presence of public vulnerability disclosure.
Reflected cross-site scripting in bbPress Notify plugin versions up to 2.19.5 allows unauthenticated remote attackers to execute malicious JavaScript in victim browsers through crafted URLs. The vulnerability stems from improper input sanitization during web page generation (CWE-79). With CVSS 7.1 and changed scope (S:C), successful exploitation enables session hijacking, credential theft, and malicious actions in the victim's context. EPSS score of 0.03% (8th percentile) indicates low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV), though Patchstack has publicly documented the vulnerability.
Reflected cross-site scripting in Robokassa Payment Gateway for WooCommerce plugin (versions ≤1.8.5) allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability enables changed-scope attacks where attackers can steal session tokens, perform unauthorized actions, or redirect victims to malicious sites through crafted URLs. No public exploit identified at time of analysis, with EPSS score of 0.03% indicating minimal observed exploitation activity.
Authorization bypass in Houzez WordPress theme versions up to 4.2.5 allows authenticated users to access or modify resources they should not have permission to reach through insecure direct object reference (IDOR) vulnerabilities. An authenticated attacker with low privileges can exploit inadequately configured access controls to view or modify data belonging to other users, achieving limited information disclosure and integrity compromise. The vulnerability is not confirmed as actively exploited, though the attack vector is network-based with low complexity.
Stored cross-site scripting (XSS) in Crocoblock JetElements For Elementor plugin through version 2.7.8 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of site visitors, potentially compromising site integrity and user sessions. The vulnerability requires user interaction (UI:R) and affects authenticated users (PR:L), limiting immediate blast radius but posing persistent risk to WordPress installations using this Elementor extension.
Stored XSS in Crocoblock JetEngine WordPress plugin versions 3.7.3 and earlier allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of other users, including administrators. The vulnerability requires user interaction (UI:R) to trigger and affects confidentiality, integrity, and availability with limited scope. With EPSS at 0.07% and no KEV status indicating active exploitation, this represents a low-probability but real risk requiring patching in multi-user WordPress environments.
Stored cross-site scripting (XSS) in Crocoblock JetBlocks For Elementor plugin versions up to 1.3.18 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability requires user interaction (UI:R) and affects confidentiality and integrity, with an EPSS score of 0.06% indicating very low real-world exploitation likelihood despite the moderate CVSS 5.4 rating.
Reflected cross-site scripting (XSS) in Crocoblock JetBlog WordPress plugin through version 2.4.4 allows authenticated users to inject malicious scripts that execute in other users' browsers when they interact with crafted links. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting but not eliminating real-world risk; EPSS score of 0.07% indicates low exploitation probability despite the moderate CVSS 6.5 rating.
Stored Cross-Site Scripting (XSS) in Crocoblock JetBlog WordPress plugin through version 2.4.4.1 allows authenticated users with low privileges to inject malicious scripts that persist in web pages and execute in the browsers of other site visitors, potentially compromising session tokens, stealing sensitive data, or performing unauthorized actions. EPSS score of 0.07% and lack of public exploit code indicate low real-world exploitation probability despite the moderate CVSS 6.5 score.
Blind SQL injection in Crocoblock JetSearch plugin (WordPress) versions up to 3.5.10 allows unauthenticated remote attackers to extract database contents via crafted search queries. The vulnerability carries a critical CVSS 9.3 score due to network-based exploitation requiring no authentication or user interaction, though EPSS exploitation probability remains low at 0.04% (12th percentile), and no public exploit identified at time of analysis. The flaw enables data exfiltration from WordPress databases hosting sites using the vulnerable search plugin.
Reflected cross-site scripting (XSS) in Crocoblock JetSearch WordPress plugin versions through 3.5.10 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via maliciously crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but carries a changed scope, meaning successful exploitation can impact resources beyond the vulnerable component. EPSS probability is low (0.07%, 22nd percentile), indicating minimal observed exploitation attempts, and no public exploit code or CISA KEV listing exists at time of analysis.
DOM-based cross-site scripting (XSS) in Crocoblock JetWooBuilder plugin through version 2.1.20 allows authenticated users with low privileges to inject malicious scripts that execute in other users' browsers when they interact with affected pages. The vulnerability requires user interaction (UI:R per CVSS) and affects the plugin's web page generation functions. No public exploit code or active exploitation has been confirmed, though the issue carries a moderate CVSS score of 6.5 and low EPSS probability (0.07%, 22nd percentile) suggesting limited real-world attack incentive despite the authentication requirement being relatively low-barrier for WordPress environments.
Stored XSS vulnerability in Crocoblock JetWooBuilder WordPress plugin versions up to 2.1.20.1 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other users viewing affected pages, potentially leading to session hijacking, credential theft, or defacement. The vulnerability requires user interaction (UI:R) from victims and affects the confidentiality, integrity, and availability of website content. No public exploit code or active exploitation has been confirmed at time of analysis.
Local file inclusion vulnerability in Crocoblock JetReviews WordPress plugin (versions ≤3.0.0) allows unauthenticated remote attackers to read arbitrary files from the server filesystem via improper filename control in PHP include/require statements. The vulnerability carries moderate real-world risk with EPSS exploitation probability of 0.13% (33rd percentile), indicating relatively low attacker interest despite the network-accessible attack vector requiring no privileges. No public exploit identified at time of analysis, and no active exploitation confirmed.
Drupal Protected Pages module fails to implement rate limiting on authentication attempts, enabling unauthenticated attackers to conduct brute force attacks against password-protected content. Affected versions include Protected Pages 0.0.0 through 1.7.x and 7.x-1.0 through 7.x-2.4. The vulnerability permits attackers to enumerate valid credentials and bypass access controls through repeated login submissions without detection or throttling mechanisms. No public exploit code or active exploitation has been confirmed; EPSS scoring of 0.05% (15th percentile) indicates low real-world exploitation likelihood despite the moderate CVSS score of 6.5.
The Trinity Audio - Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'range-date' parameter in all versions up to, and including, 5.20.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
The Trinity Audio - Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.20.2. This is due to missing or incorrect nonce validation in the '/admin/inc/post-management.php' file. This makes it possible for unauthenticated attackers to activate/deactivate posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Contest Gallery - Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple form field parameters in all versions up to, and including, 27.0.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with author-level access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Cryptographic signature bypass in OAuth SSO WordPress plugin. EPSS 0.65%.
The Majestic Before After Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before_label' and 'after_label' parameters in versions less than, or equal to, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
A security vulnerability in Widget Builder (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
The WP Photo Album Plus plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 9.0.11.006 due to insufficient input sanitization and output escaping in the wppa_user_upload function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in the photo album descriptions that execute in a victim's browser.
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `registerAssociateFormsWithCampaign` function in all versions up to, and including, 4.10.0. This makes it possible for unauthenticated attackers to associate any donation forms with any campaign.
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.10.0 via the 'registerGetForm', 'registerGetForms', 'registerGetCampaign' and 'registerGetCampaigns' functions due to a missing capability check. This makes it possible for unauthenticated attackers to extract data from private and draft donation forms, as well as archived campaigns.
The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.9. This is due to missing capability checks and nonce verification on functions hooked to 'init'. This makes it possible for unauthenticated attackers to deactivate the plugin, tamper with OAuth configuration, and trigger test connections that expose sensitive data via direct request to vulnerable endpoints granted they can craft malicious requests with specific parameters.
A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the image management module, specifically in the app\system\img\admin\img_admin.class.php component. The vulnerability allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed by users.
A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the column management module, specifically in the app\system\column\admin\index.class.php component. The vulnerability allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed by users.
A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the download management module, specifically in the app\system\download\admin\download_admin.class.php component. The vulnerability allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed by users.
A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists due to insufficient validation and sanitization of SVG file uploads in the app\system\include\module\uploadify.class.php component, specifically in the website settings module. This security flaw allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed.
A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists due to insufficient validation and sanitization of SVG file uploads in the app\system\include\module\editor\Uploader.class.php component. This security flaw allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed.
An information disclosure vulnerability has been discovered in SeaCMS 13.1. The vulnerability exists in the admin_safe.php component located in the /btcoan/ directory. This security flaw allows authenticated administrators to scan and download not only the application’s source code but also potentially any file accessible on the server’s root directory.
A stored Cross-Site Scripting (XSS) vulnerability has been discovered in Emlog Pro 2.5.19. The vulnerability exists due to insufficient validation of SVG file uploads in the /admin/media.php component, allowing attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed.
A stored Cross-Site Scripting (XSS) vulnerability has been discovered in Emlog Pro 2.5.19. The vulnerability exists in the email template configuration component located at /admin/setting.php?action=mail, which allows administrators to input HTML code that is not properly sanitized, leading to persistent JavaScript execution.
A stored Cross-Site Scripting (XSS) vulnerability has been discovered in XunRuiCMS version 4.7.1. The vulnerability exists due to insufficient validation of SVG file uploads in the dayrui/Fcms/Library/Upload.php component, allowing attackers to inject malicious JavaScript code that executes when the uploaded file is viewed.
The Optimize More! - CSS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the reset_plugin function. This makes it possible for unauthenticated attackers to reset the plugin's optimization settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The AP Background plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.2. This is due to missing or incorrect nonce validation on the advParallaxBackAdminSaveSlider function. This makes it possible for unauthenticated attackers to create or modify background sliders via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Notification Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the 'subscriber-list-empty.php' file. This makes it possible for unauthenticated attackers to empty the subscriber list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Restrict User Registration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the update() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The MPWizard - Create Mercado Pago Payment Links plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation in the '/includes/admin/class-mpwizard-table.php' file. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Mobile Site Redirect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Ird Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irdslider' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Event Tickets, RSVPs, Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ticket_spot' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Fintelligence Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fintelligence-calculator' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The A Simple Multilanguage Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'asmp-switcher' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The WP SinoType plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the sinotype_config function. This makes it possible for unauthenticated attackers to modify typography settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The AP Background plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization and insufficient file validation within the advParallaxBackAdminSaveSlider() handler in versions 3.8.1 to 3.8.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
The Ultimate Multi Design Video Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
The Smart Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
The Interactive Human Anatomy with Clickable Body Parts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
The TextBuilder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 1.0.0 to 1.1.1. This is due to missing or incorrect nonce validation on the 'handleToken' function. This makes it possible for unauthenticated attackers to update a user's authorization token via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Once the token is updated, an attacker can update the user's password and email address.
The WP Dispatcher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wp_dispatcher_process_upload() function in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The directory does have an .htaccess file which limits the ability to achieve remote code execution.
Auth bypass in RestroPress WordPress ordering plugin 3.0.0-3.1.9.2.
The Meks Easy Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title field in all version up to, and including, 2.1.4. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the map containing the malicious post.
The Blappsta Mobile App Plugin - Your native, mobile iPhone App and Android App plugin for WordPress is vulnerable to SQL Injection via the nh_ynaa_comments() function in all versions up to, and including, 0.8.8.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
The Woo superb slideshow transition gallery with random effect plugin for WordPress is vulnerable to SQL Injection via the 'woo-superb-slideshow' shortcode in all versions up to, and including, 9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
The Wp cycle text announcement plugin for WordPress is vulnerable to SQL Injection via the 'cycle-text' shortcode in all versions up to, and including, 8.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
A security vulnerability in all (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
The Flexi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin for WordPress's flexi-form-tag shortcode in all versions up to, and including, 4.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Epic Bootstrap Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘icol’ parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Schema Plugin For Divi, Gutenberg & Shortcodes plugin for WordPress is vulnerable to Object Instantiation in all versions up to, and including, 4.3.2 via deserialization of untrusted input via the wpt_schema_breadcrumbs shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
DOM-based cross-site scripting (XSS) in Designinvento DirectoryPress WordPress plugin through version 3.6.25 allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers when they view affected pages. The vulnerability requires user interaction (clicking a malicious link) and can affect website visitors across the entire site, potentially leading to session hijacking, credential theft, or malware distribution. EPSS score of 0.02% indicates low exploitation probability despite the publicly available vulnerability details.
Broken access control in RealMag777 MDTF (WordPress Meta Data Filter and Taxonomy Filter) plugin versions up to 1.3.6 allows low-privileged authenticated users to bypass authorization controls and access or modify sensitive metadata and taxonomy filter configurations. While rated CVSS 8.1 (High), real-world exploitation risk remains moderate with EPSS at 0.03% (9th percentile) and no confirmed active exploitation or public exploit code identified at time of analysis. This authentication bypass vulnerability was disclosed by Patchstack's security audit team.
Remote code execution in the VideoWhisper Paid Videochat Turnkey Site WordPress plugin (versions up to 7.3.23) allows authenticated administrators to inject and execute arbitrary code through code injection vulnerabilities. The CVSS 9.1 severity reflects scope change and high impact across confidentiality, integrity, and availability. EPSS exploitation probability is low at 0.04% (13th percentile), and no public exploit identified at time of analysis, suggesting this remains a theoretical high-severity issue requiring privileged access rather than an imminent mass-exploitation threat.
Broken access control in Revive Old Posts (tweet-old-post) WordPress plugin through version 9.3.3 allows authenticated attackers with low-level privileges to escalate permissions and execute high-impact operations including data exfiltration, modification, and service disruption. EPSS score of 0.05% (15th percentile) indicates low probability of mass exploitation, though the 8.8 CVSS score reflects significant potential damage once low-privilege access is obtained. No public exploit identified at time of analysis, and no CISA KEV listing exists.
Broken access control in Welcart e-Commerce WordPress plugin through version 2.11.24 allows authenticated users to bypass authorization checks and perform unauthorized actions with elevated privileges. This authentication bypass vulnerability (CWE-862) enables low-privileged authenticated attackers to access, modify, or delete data beyond their permission level, potentially compromising store operations, customer data, and site integrity. EPSS score of 0.05% (15th percentile) suggests low immediate exploitation probability, though no public exploit has been identified at time of analysis.
Missing authorization controls in the Open Close WooCommerce Store plugin (versions ≤4.9.9) allow authenticated low-privileged users to bypass access restrictions and perform unauthorized high-impact operations, potentially modifying store configuration or accessing sensitive data. With CVSS 8.1 (High severity) but only 0.03% EPSS (9th percentile), this represents a significant vulnerability for affected WordPress/WooCommerce sites, though no public exploit or active exploitation (CISA KEV) has been identified at time of analysis. The authentication requirement (PR:L) substantially limits attack surface compared to unauthenticated vulnerabilities.
WordPress Table Block by RioVizual plugin versions through 3.0.0 contains a broken access control vulnerability allowing authenticated attackers with low privileges to bypass authorization checks and perform high-impact actions including data theft, modification, and service disruption. The CVSS score of 8.8 reflects network-accessible exploitation with low complexity requiring only minimal authentication. EPSS score of 0.05% (15th percentile) suggests low immediate exploitation probability, with no public exploit identified at time of analysis.
DOM-based cross-site scripting (XSS) in RomanCode MapSVG WordPress plugin versions up to 8.7.22 allows remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability requires user interaction (UI:R) and affects the confidentiality and integrity of web sessions. Although the CVSS score is 6.1 (medium), the EPSS exploitation probability is very low at 0.02%, and no public exploit code or active exploitation has been identified; this suggests the practical attack likelihood is minimal despite the moderate CVSS rating.
Broken access control in Conversios.io WooCommerce analytics plugin (versions ≤7.2.13) allows authenticated low-privilege users to access or modify high-sensitivity data without proper authorization checks. The vulnerability enables privilege escalation where any authenticated user can bypass intended access restrictions to read confidential information or alter plugin settings/data. EPSS score of 0.03% (9th percentile) indicates low predicted exploitation probability; no public exploit identified at time of analysis.
DOM-based cross-site scripting (XSS) in Marquee Addons for Elementor WordPress plugin versions through 3.8.2 allows remote attackers to inject malicious scripts through improper input neutralization during web page generation. The vulnerability requires user interaction (UI:R) and affects the confidentiality and integrity of affected websites. While CVSS scores 6.1 (medium), the 0.02% EPSS percentile indicates low real-world exploitation probability despite public awareness.
Unauthenticated remote attackers can bypass authorization controls in TS Demo Importer plugin for WordPress (versions ≤0.1.3), enabling high-impact integrity and availability compromise through misconfigured access control. EPSS scoring at 7th percentile (0.07%) suggests low observed exploitation probability. No CISA KEV listing indicates no confirmed active exploitation at time of analysis, though the authentication bypass tag and critical CVSS 9.1 rating warrant immediate attention for exposed WordPress installations.
Broken access control in IgnitionDeck WordPress plugin (versions ≤2.0.15) enables authenticated users to bypass authorization checks and perform unauthorized actions with elevated privileges. The vulnerability requires low-privilege authentication but has low attack complexity (CVSS 8.8, AV:N/AC:L/PR:L), allowing compromise of confidentiality, integrity, and availability. EPSS probability is low (0.05%, 15th percentile), and no public exploit is identified at time of analysis, suggesting limited active targeting despite the high severity rating.
Broken access control in WP Flights & Hotels Booking WP Plugin (adiaha-hotel) versions ≤3.1 allows authenticated users with low privileges to bypass authorization checks and gain unauthorized access to high-impact functionality. Attackers can achieve complete compromise of confidentiality, integrity, and availability within the plugin's scope. EPSS score of 0.05% (15th percentile) indicates low observed exploitation probability, and no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Stored cross-site scripting (XSS) in WPClever WPC Smart Messages for WooCommerce plugin versions up to 4.2.8 allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability requires user interaction (UI:R) and affects confidentiality and integrity through script injection, with a CVSS score of 5.4 reflecting moderate risk; however, the 0.02% EPSS score indicates minimal real-world exploitation probability at time of analysis, and no public exploit code or active exploitation has been confirmed.
Sensitive system information disclosure in ThemeHunk WP Popup Builder plugin for WordPress (versions ≤1.3.8) allows unauthenticated remote attackers to retrieve embedded sensitive data without authentication. The vulnerability presents a CVSS 7.5 HIGH severity with confirmed network-based exploitation requiring no user interaction. EPSS score of 0.03% (10th percentile) indicates minimal observed exploitation activity, and no public exploit identified at time of analysis. The flaw stems from improper exposure of sensitive information to unauthorized control spheres (CWE-497).
Improper neutralization of HTML script tags in WP Recipe Maker through version 10.0.x enables reflected cross-site scripting (XSS) attacks against users. The vulnerability affects the Brecht WP Recipe Maker WordPress plugin and requires user interaction (clicking a malicious link) to exploit. An attacker can inject arbitrary JavaScript into the page context, achieving code execution in the victim's browser with potential to steal session tokens or perform actions on behalf of authenticated users. The vulnerability has low real-world exploitation probability (EPSS 0.02%) and does not appear to be actively exploited in the wild.
Sensitive data exposure in Atarim Visual Collaboration WordPress plugin (versions through 4.2.1) allows unauthenticated remote attackers to retrieve embedded confidential information via network-accessible endpoints. The vulnerability enables direct extraction of sensitive data with no authentication required and low attack complexity. EPSS score of 0.03% (10th percentile) indicates minimal current exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.
Broken access control in King Addons for Elementor (WordPress plugin) versions through 51.1.61 allows authenticated attackers with low privileges to bypass authorization checks and gain unauthorized access to high-privilege functionality. The CVSS 8.8 score reflects potential for full compromise (high confidentiality, integrity, and availability impact), though the EPSS score of 0.05% (15th percentile) indicates minimal real-world exploitation observed. No public exploit code or CISA KEV listing identified at time of analysis. The vulnerability stems from improperly configured access control security levels (CWE-862: Missing Authorization), enabling privilege escalation by low-privileged users.
DOM-based cross-site scripting (XSS) in King Addons for Elementor plugin versions up to 51.1.61 allows authenticated users with low privileges to inject malicious scripts that execute in other users' browsers when they interact with affected pages. The vulnerability requires user interaction (clicking a link) and affects the confidentiality and integrity of website content, with an EPSS score of 0.02% indicating low real-world exploitation probability despite the moderate CVSS rating of 5.4.
Cross-Site Request Forgery (CSRF) vulnerability in wpdevart Pricing Table builder WordPress plugin (versions up to 1.5.3) enables stored Cross-Site Scripting (XSS) attacks through social engineering. Unauthenticated remote attackers can trick administrators into executing malicious actions that inject persistent JavaScript code into the WordPress site. EPSS score of 0.02% (4th percentile) indicates minimal observed exploitation activity, with no CISA KEV listing or public exploit identified at time of analysis. The CVSS score of 8.8 reflects the high impact potential when user interaction succeeds, though real-world risk depends heavily on social engineering effectiveness.
DOM-based cross-site scripting (XSS) in RexTheme WP VR WordPress plugin up to version 8.5.48 allows authenticated users with low privileges to inject malicious scripts that execute in other users' browsers with site-wide scope. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability equally. Exploitation requires valid WordPress account credentials but carries moderate real-world risk given the low EPSS score (0.02%) and authenticated requirement despite the CVSS 6.5 rating.
Missing authorization in RelyWP Coupon Affiliates plugin (versions up to 7.2.0) allows unauthenticated remote attackers to access restricted functionality and read sensitive data due to inadequate access control list (ACL) enforcement. The vulnerability requires no authentication and has low attack complexity, enabling attackers to bypass WordPress permission checks and retrieve coupon-related information not intended for public access.
Cross-Site Request Forgery in WordPress IndieAuth plugin (all versions ≤4.5.4) enables unauthenticated attackers to force authenticated users to authorize malicious OAuth applications, leading to account takeover with full administrative privileges (create, update, delete scopes). Missing nonce validation on login_form_indieauth() and the /wp-login.php?action=indieauth authorization endpoint allows attackers to steal authorization codes and exchange them for access tokens. CVSS 8.8 (High) with network attack vector and low complexity. EPSS data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis. Patch released in version 4.5.5.
Privilege escalation in FantasticPlugins SUMO Memberships for WooCommerce (versions ≤7.8.0) allows authenticated users with low-level privileges to elevate permissions and gain unauthorized high-level access to WordPress site functions. The vulnerability stems from incorrect privilege assignment (CWE-266), enabling attackers to bypass intended access controls. With CVSS 8.8 (High) severity, the flaw permits complete compromise of confidentiality, integrity, and availability. EPSS probability is low (0.06%, 17th percentile), and no public exploit identified at time of analysis, though Patchstack has published advisory details.
Remote code execution in Beplusthemes Alone WordPress theme through version 7.8.3 allows unauthenticated attackers to inject and execute arbitrary code via a code injection vulnerability. With a critical CVSS score of 10.0 and network-based exploitation requiring no privileges or user interaction, this vulnerability enables complete system compromise. EPSS exploitation probability is low (0.06%, 17th percentile), and no public exploit or CISA KEV listing identified at time of analysis.
Privilege escalation in N-Media Simple User Registration (WordPress plugin) through version 6.8 allows authenticated low-privilege users to elevate their access to administrator-level permissions via incorrect privilege assignment. With EPSS at 0.06% (17th percentile) and no public exploit identified at time of analysis, real-world exploitation risk remains low despite the high CVSS score. The vulnerability requires low-privilege authentication (PR:L) but has low attack complexity (AC:L) and no user interaction (UI:N), making it straightforward to exploit once an attacker has basic user credentials.
Unauthenticated attackers can bypass access controls in SUMO Memberships for WooCommerce versions below 7.8.0 to perform unauthorized actions including content modification and deletion through incorrectly configured membership level enforcement. The vulnerability requires user interaction (UI:R) but affects confidentiality, integrity, and availability of protected content. No public exploit code or active exploitation has been confirmed.
Code injection in WP Last Modified Info plugin versions ≤1.9.4 allows authenticated attackers with low-level privileges to execute arbitrary code remotely via vulnerable code generation controls. The CVSS 7.4 rating reflects network accessibility, low attack complexity, and scope change enabling cross-boundary impact. EPSS probability is minimal (0.05%, 15th percentile), no active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis, suggesting limited real-world exploitation activity despite the critical vulnerability class.
Reflected cross-site scripting (XSS) in the Contact Form by Supsystic WordPress plugin (versions through 1.7.36) allows unauthenticated remote attackers to execute malicious JavaScript in victims' browsers via crafted URLs. The vulnerability enables session hijacking, credential theft, and malicious actions performed in the context of the victim's authenticated session. EPSS probability indicates low exploitation likelihood (0.07%, 22nd percentile) with no public exploit identified at time of analysis.
Reflected Cross-Site Scripting (XSS) in WordPress plugin oik-privacy-policy versions ≤1.4.10 allows remote attackers to execute arbitrary JavaScript in victims' browsers. Exploitation requires user interaction (victim must click malicious link). EPSS probability is low (0.07%, 22nd percentile), and no active exploitation is confirmed. Reported by Patchstack security audit team, indicating professional vulnerability disclosure.
Reflected cross-site scripting (XSS) in XLPlugins NextMove Lite WordPress plugin versions up to 2.24.0 allows authenticated attackers to inject malicious scripts via unvalidated input during web page generation. An attacker with user credentials can craft a malicious link that, when clicked by another user, executes arbitrary JavaScript in their browser context. The vulnerability carries a moderate CVSS score of 6.5 but exhibits very low real-world exploitation probability (EPSS 0.03%, 8th percentile), indicating it has not been actively exploited in practice despite the presence of public vulnerability disclosure.
Reflected cross-site scripting in bbPress Notify plugin versions up to 2.19.5 allows unauthenticated remote attackers to execute malicious JavaScript in victim browsers through crafted URLs. The vulnerability stems from improper input sanitization during web page generation (CWE-79). With CVSS 7.1 and changed scope (S:C), successful exploitation enables session hijacking, credential theft, and malicious actions in the victim's context. EPSS score of 0.03% (8th percentile) indicates low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV), though Patchstack has publicly documented the vulnerability.
Reflected cross-site scripting in Robokassa Payment Gateway for WooCommerce plugin (versions ≤1.8.5) allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability enables changed-scope attacks where attackers can steal session tokens, perform unauthorized actions, or redirect victims to malicious sites through crafted URLs. No public exploit identified at time of analysis, with EPSS score of 0.03% indicating minimal observed exploitation activity.
Authorization bypass in Houzez WordPress theme versions up to 4.2.5 allows authenticated users to access or modify resources they should not have permission to reach through insecure direct object reference (IDOR) vulnerabilities. An authenticated attacker with low privileges can exploit inadequately configured access controls to view or modify data belonging to other users, achieving limited information disclosure and integrity compromise. The vulnerability is not confirmed as actively exploited, though the attack vector is network-based with low complexity.
Stored cross-site scripting (XSS) in Crocoblock JetElements For Elementor plugin through version 2.7.8 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of site visitors, potentially compromising site integrity and user sessions. The vulnerability requires user interaction (UI:R) and affects authenticated users (PR:L), limiting immediate blast radius but posing persistent risk to WordPress installations using this Elementor extension.
Stored XSS in Crocoblock JetEngine WordPress plugin versions 3.7.3 and earlier allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of other users, including administrators. The vulnerability requires user interaction (UI:R) to trigger and affects confidentiality, integrity, and availability with limited scope. With EPSS at 0.07% and no KEV status indicating active exploitation, this represents a low-probability but real risk requiring patching in multi-user WordPress environments.
Stored cross-site scripting (XSS) in Crocoblock JetBlocks For Elementor plugin versions up to 1.3.18 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability requires user interaction (UI:R) and affects confidentiality and integrity, with an EPSS score of 0.06% indicating very low real-world exploitation likelihood despite the moderate CVSS 5.4 rating.
Reflected cross-site scripting (XSS) in Crocoblock JetBlog WordPress plugin through version 2.4.4 allows authenticated users to inject malicious scripts that execute in other users' browsers when they interact with crafted links. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting but not eliminating real-world risk; EPSS score of 0.07% indicates low exploitation probability despite the moderate CVSS 6.5 rating.
Stored Cross-Site Scripting (XSS) in Crocoblock JetBlog WordPress plugin through version 2.4.4.1 allows authenticated users with low privileges to inject malicious scripts that persist in web pages and execute in the browsers of other site visitors, potentially compromising session tokens, stealing sensitive data, or performing unauthorized actions. EPSS score of 0.07% and lack of public exploit code indicate low real-world exploitation probability despite the moderate CVSS 6.5 score.
Blind SQL injection in Crocoblock JetSearch plugin (WordPress) versions up to 3.5.10 allows unauthenticated remote attackers to extract database contents via crafted search queries. The vulnerability carries a critical CVSS 9.3 score due to network-based exploitation requiring no authentication or user interaction, though EPSS exploitation probability remains low at 0.04% (12th percentile), and no public exploit identified at time of analysis. The flaw enables data exfiltration from WordPress databases hosting sites using the vulnerable search plugin.
Reflected cross-site scripting (XSS) in Crocoblock JetSearch WordPress plugin versions through 3.5.10 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via maliciously crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but carries a changed scope, meaning successful exploitation can impact resources beyond the vulnerable component. EPSS probability is low (0.07%, 22nd percentile), indicating minimal observed exploitation attempts, and no public exploit code or CISA KEV listing exists at time of analysis.
DOM-based cross-site scripting (XSS) in Crocoblock JetWooBuilder plugin through version 2.1.20 allows authenticated users with low privileges to inject malicious scripts that execute in other users' browsers when they interact with affected pages. The vulnerability requires user interaction (UI:R per CVSS) and affects the plugin's web page generation functions. No public exploit code or active exploitation has been confirmed, though the issue carries a moderate CVSS score of 6.5 and low EPSS probability (0.07%, 22nd percentile) suggesting limited real-world attack incentive despite the authentication requirement being relatively low-barrier for WordPress environments.
Stored XSS vulnerability in Crocoblock JetWooBuilder WordPress plugin versions up to 2.1.20.1 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other users viewing affected pages, potentially leading to session hijacking, credential theft, or defacement. The vulnerability requires user interaction (UI:R) from victims and affects the confidentiality, integrity, and availability of website content. No public exploit code or active exploitation has been confirmed at time of analysis.
Local file inclusion vulnerability in Crocoblock JetReviews WordPress plugin (versions ≤3.0.0) allows unauthenticated remote attackers to read arbitrary files from the server filesystem via improper filename control in PHP include/require statements. The vulnerability carries moderate real-world risk with EPSS exploitation probability of 0.13% (33rd percentile), indicating relatively low attacker interest despite the network-accessible attack vector requiring no privileges. No public exploit identified at time of analysis, and no active exploitation confirmed.
Drupal Protected Pages module fails to implement rate limiting on authentication attempts, enabling unauthenticated attackers to conduct brute force attacks against password-protected content. Affected versions include Protected Pages 0.0.0 through 1.7.x and 7.x-1.0 through 7.x-2.4. The vulnerability permits attackers to enumerate valid credentials and bypass access controls through repeated login submissions without detection or throttling mechanisms. No public exploit code or active exploitation has been confirmed; EPSS scoring of 0.05% (15th percentile) indicates low real-world exploitation likelihood despite the moderate CVSS score of 6.5.
The Trinity Audio - Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'range-date' parameter in all versions up to, and including, 5.20.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
The Trinity Audio - Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.20.2. This is due to missing or incorrect nonce validation in the '/admin/inc/post-management.php' file. This makes it possible for unauthenticated attackers to activate/deactivate posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Contest Gallery - Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple form field parameters in all versions up to, and including, 27.0.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with author-level access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Cryptographic signature bypass in OAuth SSO WordPress plugin. EPSS 0.65%.
The Majestic Before After Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before_label' and 'after_label' parameters in versions less than, or equal to, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
A security vulnerability in Widget Builder (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
The WP Photo Album Plus plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 9.0.11.006 due to insufficient input sanitization and output escaping in the wppa_user_upload function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in the photo album descriptions that execute in a victim's browser.
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `registerAssociateFormsWithCampaign` function in all versions up to, and including, 4.10.0. This makes it possible for unauthenticated attackers to associate any donation forms with any campaign.
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.10.0 via the 'registerGetForm', 'registerGetForms', 'registerGetCampaign' and 'registerGetCampaigns' functions due to a missing capability check. This makes it possible for unauthenticated attackers to extract data from private and draft donation forms, as well as archived campaigns.
The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.9. This is due to missing capability checks and nonce verification on functions hooked to 'init'. This makes it possible for unauthenticated attackers to deactivate the plugin, tamper with OAuth configuration, and trigger test connections that expose sensitive data via direct request to vulnerable endpoints granted they can craft malicious requests with specific parameters.
A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the image management module, specifically in the app\system\img\admin\img_admin.class.php component. The vulnerability allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed by users.
A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the column management module, specifically in the app\system\column\admin\index.class.php component. The vulnerability allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed by users.
A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the download management module, specifically in the app\system\download\admin\download_admin.class.php component. The vulnerability allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed by users.
A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists due to insufficient validation and sanitization of SVG file uploads in the app\system\include\module\uploadify.class.php component, specifically in the website settings module. This security flaw allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed.
A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists due to insufficient validation and sanitization of SVG file uploads in the app\system\include\module\editor\Uploader.class.php component. This security flaw allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed.
An information disclosure vulnerability has been discovered in SeaCMS 13.1. The vulnerability exists in the admin_safe.php component located in the /btcoan/ directory. This security flaw allows authenticated administrators to scan and download not only the application’s source code but also potentially any file accessible on the server’s root directory.
A stored Cross-Site Scripting (XSS) vulnerability has been discovered in Emlog Pro 2.5.19. The vulnerability exists due to insufficient validation of SVG file uploads in the /admin/media.php component, allowing attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed.
A stored Cross-Site Scripting (XSS) vulnerability has been discovered in Emlog Pro 2.5.19. The vulnerability exists in the email template configuration component located at /admin/setting.php?action=mail, which allows administrators to input HTML code that is not properly sanitized, leading to persistent JavaScript execution.
A stored Cross-Site Scripting (XSS) vulnerability has been discovered in XunRuiCMS version 4.7.1. The vulnerability exists due to insufficient validation of SVG file uploads in the dayrui/Fcms/Library/Upload.php component, allowing attackers to inject malicious JavaScript code that executes when the uploaded file is viewed.
The Optimize More! - CSS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the reset_plugin function. This makes it possible for unauthenticated attackers to reset the plugin's optimization settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The AP Background plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.2. This is due to missing or incorrect nonce validation on the advParallaxBackAdminSaveSlider function. This makes it possible for unauthenticated attackers to create or modify background sliders via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Notification Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the 'subscriber-list-empty.php' file. This makes it possible for unauthenticated attackers to empty the subscriber list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Restrict User Registration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the update() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The MPWizard - Create Mercado Pago Payment Links plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation in the '/includes/admin/class-mpwizard-table.php' file. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Mobile Site Redirect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Ird Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irdslider' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Event Tickets, RSVPs, Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ticket_spot' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Fintelligence Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fintelligence-calculator' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The A Simple Multilanguage Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'asmp-switcher' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The WP SinoType plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the sinotype_config function. This makes it possible for unauthenticated attackers to modify typography settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The AP Background plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization and insufficient file validation within the advParallaxBackAdminSaveSlider() handler in versions 3.8.1 to 3.8.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
The Ultimate Multi Design Video Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
The Smart Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
The Interactive Human Anatomy with Clickable Body Parts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
The TextBuilder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 1.0.0 to 1.1.1. This is due to missing or incorrect nonce validation on the 'handleToken' function. This makes it possible for unauthenticated attackers to update a user's authorization token via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Once the token is updated, an attacker can update the user's password and email address.
The WP Dispatcher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wp_dispatcher_process_upload() function in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The directory does have an .htaccess file which limits the ability to achieve remote code execution.
Auth bypass in RestroPress WordPress ordering plugin 3.0.0-3.1.9.2.
The Meks Easy Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title field in all version up to, and including, 2.1.4. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the map containing the malicious post.
The Blappsta Mobile App Plugin - Your native, mobile iPhone App and Android App plugin for WordPress is vulnerable to SQL Injection via the nh_ynaa_comments() function in all versions up to, and including, 0.8.8.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
The Woo superb slideshow transition gallery with random effect plugin for WordPress is vulnerable to SQL Injection via the 'woo-superb-slideshow' shortcode in all versions up to, and including, 9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
The Wp cycle text announcement plugin for WordPress is vulnerable to SQL Injection via the 'cycle-text' shortcode in all versions up to, and including, 8.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
A security vulnerability in all (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
The Flexi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin for WordPress's flexi-form-tag shortcode in all versions up to, and including, 4.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Epic Bootstrap Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘icol’ parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Schema Plugin For Divi, Gutenberg & Shortcodes plugin for WordPress is vulnerable to Object Instantiation in all versions up to, and including, 4.3.2 via deserialization of untrusted input via the wpt_schema_breadcrumbs shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.