WordPress
Monthly
Various stored XSS vulnerabilities in the maps- and icon rendering logic in Phoca Maps component 5.0.0-6.0.2 have been discovered.
Arbitrary file deletion in wpForo Forum plugin for WordPress (≤3.0.2) allows authenticated attackers with subscriber-level access to delete critical server files including wp-config.php. A two-step logic flaw permits injection of attacker-controlled file paths via poisoned postmeta arrays (data[body][fileurl]), which are later passed unvalidated to wp_delete_file(). The vulnerability requires low-privilege authentication (PR:L) and enables denial-of-service against WordPress installations through deletion of configuration or core files. No public exploit identified at time of analysis.
Insecure Direct Object Reference in Tutor LMS WordPress plugin versions up to 3.9.7 allows authenticated Subscriber-level users to manipulate course content structure across any course by exploiting missing authorization checks in the save_course_content_order() method, enabling attackers to detach lessons from topics, reorder course content, and reassign lessons between courses without proper ownership verification.
Blind Server-Side Request Forgery in UsersWP WordPress plugin versions up to 1.2.58 allows authenticated subscribers and above to force the WordPress server to make arbitrary HTTP requests via the uwp_crop parameter in avatar/banner image crop operations. The vulnerability stems from insufficient URL origin validation in the process_image_crop() method, which accepts user-controlled URLs and passes them to PHP image processing functions that support URL wrappers, enabling internal network reconnaissance and potential access to sensitive services. No public exploit code or active exploitation has been confirmed, though the vulnerability requires only authenticated access and low attack complexity.
Privilege escalation in BuddyPress Groupblog (WordPress plugin) allows authenticated attackers with Subscriber-level access to grant Administrator privileges on any blog in a Multisite network, including the main site. Exploitation leverages missing authorization checks in group blog settings handlers, enabling attackers to inject arbitrary WordPress roles (including administrator) and associate groups with any blog ID. When users join the compromised group, they are silently added to the targeted blog with the injected role. Authenticated access required (PR:L). No public exploit identified at time of analysis.
Stored Cross-Site Scripting in BlockArt Blocks plugin for WordPress allows authenticated attackers with Author-level or higher permissions to inject arbitrary JavaScript into page content via the 'clientId' block attribute due to insufficient input sanitization and output escaping. An attacker can craft malicious block content that executes in the browsers of all users viewing the compromised page. The vulnerability affects all versions up to and including 2.2.15, with a fix available in version 2.3.0.
Stored cross-site scripting in GreenShift - Animation and Page Builder Blocks plugin for WordPress up to version 12.8.9 allows authenticated contributors to inject arbitrary JavaScript into pages via improper HTML string manipulation in the gspb_greenShift_block_script_assets() function. The vulnerability exploits a naive str_replace() operation that fails to parse HTML context, enabling attackers to break out of attribute boundaries and inject malicious event handlers like onfocus with JavaScript payloads that execute when users access affected pages. No public exploit code has been identified; however, the low attack complexity and straightforward injection vector make this a practical risk for sites with untrusted contributors.
Unauthenticated stored XSS in Optimole WordPress plugin (≤4.2.2) allows attackers to inject malicious scripts via the srcset descriptor parameter in the /wp-json/optimole/v1/optimizations REST endpoint. Despite HMAC signature validation, authentication tokens are exposed in frontend HTML, enabling exploitation. Injected payloads persist in WordPress options table via transients and execute when victim browsers render affected pages. No public exploit identified at time of analysis.
SQL injection in LifterLMS WordPress plugin versions up to 9.2.1 allows authenticated Instructor-level users with edit_post capability to extract sensitive database information via insufficiently escaped 'order' parameter in quiz reporting tables. The vulnerability requires authenticated access with specific WordPress role and post capabilities, limiting exposure to trusted users with elevated privileges; no public exploit code or active exploitation has been identified at time of analysis.
Reflected Cross-Site Scripting (XSS) in Optimole - Optimize Images in Real Time WordPress plugin versions up to 4.2.3 allows unauthenticated attackers to inject arbitrary JavaScript through malicious URL paths. The vulnerability stems from insufficient output escaping in the get_current_url() function, which are then inserted into JavaScript code via str_replace() without proper JavaScript context escaping in replace_content(). An attacker can craft a malicious link that, when clicked by a WordPress user, executes injected scripts in the context of the user's browser session with CVSS 6.1 (Medium) severity.
Tutor LMS plugin for WordPress up to version 3.9.7 allows authenticated subscribers to enroll in private courses due to missing post_status validation in enrollment functions, exposing private course metadata in user dashboards despite WordPress core preventing actual content access. The vulnerability requires subscriber-level authentication but affects confidentiality and integrity, with confirmed patches available in version 3.9.8.
Missing authorization in Gravity SMTP plugin for WordPress (versions ≤2.1.4) allows authenticated attackers with subscriber-level privileges to uninstall the plugin, deactivate functionality, and delete configuration options. Exploitable via direct API calls or CSRF attack vectors. Affects Gravity SMTP by Rocketgenius. Successful exploitation enables low-privileged users to disable critical SMTP mail delivery functionality and remove plugin settings without proper permission checks. No public exploit identified at time of analysis.
Unauthenticated attackers can rename arbitrary wishlists on WordPress sites running YITH WooCommerce Wishlist before version 4.13.0 due to insufficient ownership validation in the save_title() AJAX handler. The vulnerability exploits a publicly exposed nonce in the wishlist page source, allowing attackers to modify wishlist names for any user without authentication. While the CVSS score of 6.5 reflects moderate integrity and confidentiality impact, the EPSS score of 0.02% (percentile 6%) and low real-world exploitation probability suggest this is a niche risk affecting only sites using this specific plugin, though publicly available exploit code exists.
Remote code execution in YML for Yandex Market WordPress plugin versions before 5.0.26 allows unauthenticated remote attackers to execute arbitrary code through the feed generation process. The vulnerability has a CVSS score of 6.5 and publicly available exploit code exists. Exploitation requires only network access with no user interaction, making it relatively straightforward to weaponize despite the low EPSS score (0.09%), suggesting limited real-world exploitation activity at the time of analysis.
Stored cross-site scripting (XSS) in AddFunc Head & Footer Code plugin for WordPress versions up to 2.3 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via custom post meta fields that execute when administrators preview or view posts. The vulnerability exists because the plugin outputs user-supplied code from `aFhfc_head_code`, `aFhfc_body_code`, and `aFhfc_footer_code` meta values without sanitization or escaping, and fails to restrict meta key access via WordPress `register_meta()` authentication callbacks despite restricting its own admin interface. No public exploit code or active exploitation has been confirmed at time of analysis.
Reflected Cross-Site Scripting (XSS) in Royal WordPress Backup & Restore Plugin up to version 1.0.16 allows unauthenticated attackers to inject arbitrary JavaScript via the 'wpr_pending_template' parameter. An attacker can craft a malicious link and trick a WordPress administrator into clicking it, causing the injected script to execute in the admin's browser with their privileges. This affects all installations running the vulnerable plugin versions, and no active exploitation has been confirmed, though the low attack complexity and lack of authentication requirements make this a practical threat.
Improper access control in UsersWP plugin for WordPress versions up to 1.2.58 allows authenticated subscribers and above to manipulate restricted user metadata fields via the upload_file_remove() AJAX handler, bypassing field-level permissions intended to restrict modifications to administrator-only fields. The vulnerability stems from insufficient validation of the $htmlvar parameter against allowed fields or admin-use restrictions, enabling attackers to clear or reset sensitive usermeta columns on their own user records.
Cross-site request forgery in Aruba HiSpeed Cache WordPress plugin up to version 3.0.4 allows unauthenticated attackers to reset all plugin settings to defaults by tricking site administrators into clicking a malicious link, due to missing nonce verification on the ahsc_ajax_reset_options() function. The CVSS score of 4.3 reflects the low-impact integrity violation requiring user interaction, with no known public exploit code or confirmed active exploitation.
Authenticated arbitrary file overwrite in Perfmatters WordPress plugin ≤2.5.9 allows low-privileged attackers (Subscriber-level and above) to corrupt critical server files via path traversal. The PMCS::action_handler() method processes bulk activate/deactivate actions without authorization checks or nonce verification, passing unsanitized $_GET['snippets'][] values through Snippet::activate()/deactivate() to file_put_contents(). Attackers can overwrite files like .htaccess or index.php with fixed PHP docblock content, causing denial of service. Exploitation requires authenticated access with minimal privileges. No public exploit identified at time of analysis.
Stored Cross-Site Scripting (XSS) in the Webling WordPress plugin versions up to 3.9.0 allows authenticated attackers with Subscriber-level access to inject malicious scripts into forms and memberlists that execute when administrators view the admin interface. The vulnerability stems from insufficient input sanitization and output escaping in the 'webling_admin_save_form' and 'webling_admin_save_memberlist' functions, combined with missing capability checks. No public exploit code or active exploitation has been reported at time of analysis.
Authenticated attackers with Contributor-level or higher access to WordPress sites using the Download Manager plugin (versions up to 3.3.51) can strip protection metadata from any media file, including those they do not own, by exploiting a missing capability check in the makeMediaPublic() and makeMediaPrivate() functions. This allows unauthorized modification of access restrictions, passwords, and private flags on media files, exposing admin-protected content via direct URLs. The vulnerability is non-critical (CVSS 4.3) but represents a privilege escalation and data integrity issue requiring authenticated access.
Unauthenticated attackers can overwrite billing profile data (name, email, phone, address) for any WordPress user with an incomplete manual order in Tutor LMS plugin versions ≤3.9.7. The pay_incomplete_order() function accepts attacker-controlled order_id parameters without identity verification, writing billing fields directly to the order owner's profile. Exploitation is simplified by predictable Tutor nonce exposure on public pages, enabling targeted profile manipulation via crafted POST requests with enumerated order IDs. No public exploit or active exploitation confirmed at time of analysis.
WP-Optimize plugin for WordPress allows authenticated subscribers and higher to execute admin-only operations including log file access, backup image deletion, and bulk image processing due to missing capability checks in the Heartbeat handler function. The vulnerability affects all versions up to 4.5.0 and requires user authentication but no elevated privileges, enabling privilege escalation from subscriber-level accounts to perform administrative image optimization tasks that should be restricted to site administrators.
Unauthenticated attackers can bypass authentication in Customer Reviews for WooCommerce plugin versions up to 5.103.0 by submitting an empty string as the review permission key, allowing them to create, modify, and inject malicious product reviews via the REST API without any legitimate order association. The vulnerability exploits improper key validation using strict equality comparison without checking for empty values, combined with auto-approval of reviews by default, enabling widespread review injection across all products on affected WooCommerce installations.
Supply chain compromise in Smart Slider 3 Pro 3.5.1.35 for WordPress and Joomla delivers multi-stage remote access toolkit via compromised update mechanism. Unauthenticated attackers achieve pre-authentication remote code execution through malicious HTTP headers, deploy authenticated backdoors accepting arbitrary PHP/OS commands, create hidden administrator accounts, exfiltrate credentials and API keys, and establish persistence via must-use plugins and core file modifications. Vendor confirmed malicious build distributed through official update channel. No public exploit identified at time of analysis.
Price manipulation in Bookly WordPress plugin (versions up to 27.0) allows unauthenticated attackers to reduce appointment booking costs to zero by submitting negative values to the 'tips' parameter, exploiting insufficient server-side validation of user-supplied pricing input. No public exploit code or active exploitation has been confirmed, but the vulnerability carries moderate risk due to its ease of exploitation and direct financial impact on e-commerce transactions.
Stored cross-site scripting in List Category Posts plugin for WordPress (all versions up to 0.94.0) allows authenticated contributors and above to inject arbitrary JavaScript via insufficiently sanitized shortcode attributes, enabling persistent payload execution whenever affected pages are accessed. CVSS 6.4 reflects moderate confidentiality and integrity impact with network-level access; exploitation requires contributor-level WordPress account.
Stored Cross-Site Scripting in UsersWP WordPress plugin up to version 1.2.60 allows authenticated subscribers and above to inject arbitrary JavaScript into user profile badge widgets via insufficiently sanitized URL fields, executing malicious scripts for all site visitors viewing affected pages. The vulnerability affects the badge widget rendering component due to improper output escaping in the wp-ayecode-ui library integration. No public exploit code or active exploitation has been identified, though the low attack complexity and subscriber-level access requirement make this a realistic threat in multi-user WordPress environments.
Stored cross-site scripting in Ultimate FAQ Accordion plugin for WordPress (all versions up to 2.4.7) allows authenticated Author-level users to inject arbitrary web scripts into FAQ pages. The vulnerability exploits a double-encoding bypass: the plugin calls html_entity_decode() on FAQ content during rendering, converting entity-encoded payloads (e.g., <img src=x onerror=alert()>) back into executable HTML, which then bypasses WordPress output escaping in the faq-answer.php template. The ufaq custom post type is REST API-enabled with default post capabilities, allowing Authors to create and publish malicious FAQs via REST API. No public exploit code has been identified at time of analysis, but the vulnerability has a moderate CVSS 6.4 score reflecting its authenticated requirement and cross-site impact.
Remote code execution in Quick Playground plugin for WordPress (all versions through 1.3.1) allows unauthenticated attackers to execute arbitrary PHP code on the server. Vulnerability stems from insufficient authorization on REST API endpoints that expose a sync code and permit unrestricted file uploads. Attackers can retrieve the sync code via unsecured endpoints, upload malicious PHP files using path traversal techniques, and achieve full server compromise without authentication. CVSS 9.8 critical severity. No public exploit identified at time of analysis.
Authenticated subscribers and above in WordPress sites using MStore API plugin up to version 4.18.3 can modify arbitrary user meta fields on their own accounts, including legacy privilege escalation keys like wp_user_level and plugin-specific authorization flags, potentially leading to privilege escalation or stored XSS. The vulnerability stems from the update_user_profile() function accepting unsanitized, user-supplied meta_data JSON without allowlist or validation before passing it directly to update_user_meta(). No public exploit code or active exploitation has been identified at this time.
Stored Cross-Site Scripting in Experto Dashboard for WooCommerce plugin versions up to 1.0.4 allows authenticated administrators to inject arbitrary JavaScript into plugin settings fields (Navigation Font Size, Font Weight, Heading Font Size, Font Weight, Text Font Size, and Font Weight) due to missing input sanitization and output escaping. The injected scripts execute when any user accesses the settings page, affecting only multi-site WordPress installations or single-site installations with unfiltered_html disabled. No public exploit code identified at time of analysis.
Stored Cross-Site Scripting in OSM - OpenStreetMap WordPress plugin versions up to 6.1.15 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript through insufficiently sanitized 'marker_name' and 'file_color_list' shortcode attributes in [osm_map_v3], executing malicious scripts whenever users access affected pages. CVSS 6.4 reflects moderate severity with cross-site impact; exploitation requires valid WordPress user credentials but no user interaction beyond page access.
Stored cross-site scripting in Download Manager for WordPress up to version 3.3.52 allows authenticated contributors and above to inject arbitrary JavaScript through the 'sid' parameter of the 'wpdm_members' shortcode, which is stored in post metadata and executed when users access the affected page. The vulnerability stems from missing input sanitization in the members() function and absent output escaping (esc_attr()) when the 'sid' value is rendered directly into HTML id attributes. EPSS score indicates moderate-to-high exploitation probability; no active exploitation in CISA KEV has been confirmed at time of analysis.
Ziggeo plugin for WordPress up to version 3.1.1 allows authenticated attackers with Subscriber-level access or above to perform unauthorized administrative operations including modifying translations, creating or deleting event templates, changing SDK settings, and managing notifications through missing capability checks in AJAX handlers. While nonce validation is present, the absence of current_user_can() checks combined with nonce exposure to all logged-in users enables privilege escalation from basic subscribers to near-administrative functionality. CVSS 5.4 reflects moderate impact with low complexity exploitability.
Missing authorization bypass in Vertex Addons for Elementor (WordPress plugin, all versions ≤1.6.4) allows authenticated attackers with Subscriber-level privileges to install and activate arbitrary WordPress plugins. The activate_required_plugins() function checks current_user_can('install_plugins') capability but fails to halt execution on denial, permitting installation/activation to proceed before error response is sent. CVSS 8.8 (High) reflects authenticated (PR:L) network attack enabling high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis.
Stored Cross-Site Scripting in Post Blocks & Tools WordPress plugin versions up to 1.3.0 allows authenticated attackers with author-level access to inject arbitrary JavaScript through the 'sliderStyle' block attribute in the Posts Slider block, which executes in the browsers of all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping, enabling persistent payload injection that affects any site administrator or editor visiting a compromised post.
Arbitrary file manipulation in MW WP Form plugin (WordPress) versions ≤5.1.1 allows unauthenticated attackers to move sensitive server files into web-accessible directories, enabling remote code execution. The vulnerability stems from insufficient validation of upload field keys in generate_user_file_dirpath(), exploiting WordPress's path_join() behavior with absolute paths. Attackers inject malicious keys via mwf_upload_files[] POST parameter to relocate critical files like wp-config.php. Exploitation requires forms with enabled file upload fields and 'Saving inquiry data in database' option. No public exploit identified at time of analysis.
Stored Cross-Site Scripting in Extensions for Leaflet Map plugin for WordPress allows authenticated attackers with Contributor-level access to inject arbitrary web scripts via the 'elevation-track' shortcode due to insufficient input sanitization and output escaping, enabling arbitrary script execution whenever users access injected pages. The vulnerability affects all versions up to and including 4.14, with a CVSS score of 6.4 reflecting the moderate but significant impact across multiple users of the same WordPress installation.
Cross-Site Request Forgery in Advanced Contact Form 7 DB plugin for WordPress (versions up to 2.0.9) allows unauthenticated attackers to delete form entries by exploiting missing nonce validation in the 'vsz_cf7_save_setting_callback' function. An attacker must trick a site administrator into clicking a malicious link, but no public exploit code or active exploitation has been confirmed at the time of analysis.
Export sensitive Contact Form 7 submissions without proper authorization in Advanced Contact form 7 DB plugin for WordPress versions up to 2.0.9 allows authenticated attackers with Subscriber-level or higher permissions to export form data to Excel files due to a missing capability check on the 'vsz_cf7_export_to_excel' function. While the CVSS score of 4.3 reflects low severity and no public exploit code exists, the vulnerability enables unauthorized data access on any WordPress site using this plugin, affecting site administrators managing contact form submissions that may contain sensitive user information.
Unauthenticated arbitrary file upload in ProSolution WP Client plugin (≤1.9.9) enables attackers to upload executable files without validation via the 'proSol_fileUploadProcess' function, leading to remote code execution on WordPress servers. Critical severity (CVSS 9.8) with network-accessible attack vector requiring no authentication or user interaction. No public exploit identified at time of analysis.
Stored Cross-Site Scripting in Page Builder: Pagelayer WordPress plugin versions up to 2.0.8 allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript into page content via the Button widget's Custom Attributes field. The vulnerability bypasses an incomplete XSS filter that blocks common event handlers but fails to block all variants, enabling persistent script execution whenever affected pages are viewed. No public exploit code or active exploitation has been confirmed; however, the low attack complexity and broad applicability to WordPress sites using this popular page builder plugin present meaningful risk.
Time-based SQL injection in WCAPF (WooCommerce Ajax Product Filter) WordPress plugin versions up to 4.2.3 allows unauthenticated remote attackers to extract sensitive database information via the 'post-author' parameter. The vulnerability stems from inadequate input sanitization and SQL query preparation, enabling attackers to append malicious SQL commands to existing queries. EPSS data not provided, but the unauthenticated network-accessible attack vector and public disclosure via Wordfence Threat Intelligence create immediate exploitation risk for WordPress sites using this e-commerce filtering plugin. No active exploitation confirmed (not in CISA KEV), though publicly available proof-of-concept code exists in security advisories.
Cross-Site Request Forgery in BEAR - Bulk Editor and Products Manager Professional for WooCommerce (all versions up to 1.1.5) allows unauthenticated attackers to modify WooCommerce product data including prices, descriptions, and other fields by tricking administrators or shop managers into clicking a malicious link, due to missing nonce validation in the woobe_redraw_table_row() function. CVSS 6.5 reflects the high integrity impact; no public exploit code or active exploitation has been confirmed at analysis time.
Stored Cross-Site Scripting in Beaver Builder Page Builder plugin for WordPress up to version 2.10.1.1 allows authenticated attackers with author-level access or higher to inject arbitrary JavaScript through the 'settings[js]' parameter due to insufficient input sanitization and output escaping. When injected pages are accessed by other users, the malicious scripts execute in their browsers, potentially compromising site integrity and user accounts. No public exploit code or active CISA KEV status reported at analysis time.
Arbitrary file deletion in DanbiLabs Advanced Members for ACF plugin for WordPress (versions ≤1.2.5) allows authenticated attackers with Subscriber-level privileges to delete critical server files via path traversal, enabling remote code execution by removing wp-config.php or similar critical files. The vulnerability stems from insufficient path validation in the create_crop function and was only partially patched in version 1.2.5, leaving residual risk. CVSS 8.8 (High) reflects network accessibility with low attack complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, though the attack path is straightforward for authenticated users.
Cross-Site Request Forgery in BEAR - Bulk Editor and Products Manager Professional for WooCommerce (all versions up to 1.1.5) allows unauthenticated attackers to delete WooCommerce taxonomy terms via a malicious link that tricks site administrators or shop managers into performing an action. The vulnerability stems from missing nonce validation on the woobe_delete_tax_term() function, enabling integrity compromise with low CVSS impact (4.3) but requiring user interaction.
SQL Injection in User Registration & Membership plugin for WordPress (versions up to 5.1.2) allows authenticated Subscriber-level attackers to extract sensitive database information via unsanitized 'membership_ids[]' parameter. The vulnerability stems from insufficient escaping and lack of prepared statements in SQL query construction, enabling attackers to append arbitrary SQL commands to existing queries. No public exploit code or active exploitation has been identified at the time of analysis.
Stored cross-site scripting in Robo Gallery for WordPress up to version 5.1.3 allows authenticated Author-level users to inject arbitrary JavaScript via the Loading Label gallery setting. The vulnerability exploits a custom marker pattern (`|***...***|`) in the `fixJsFunction()` method that converts JSON-wrapped strings into raw JavaScript code; input validation with `sanitize_text_field()` fails to strip the markers, enabling script injection that executes whenever the gallery shortcode is rendered. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored Cross-Site Scripting in PrivateContent Free WordPress plugin versions up to 1.2.0 allows authenticated contributors and above to inject arbitrary JavaScript through the 'align' shortcode attribute in [pc-login-form], which executes when any user visits an affected page. The vulnerability stems from the 'align' parameter being concatenated directly into an HTML class attribute without proper escaping (esc_attr), enabling persistent XSS attacks. No public exploit code or active exploitation has been identified at the time of analysis.
Stored Cross-Site Scripting in WP Visitor Statistics plugin versions up to 8.4 allows authenticated contributors and higher-privileged users to inject arbitrary JavaScript through the 'wsm_showDayStatsGraph' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user accessing the affected page, potentially compromising site visitors and enabling account takeover or malware distribution. No public exploit code or active exploitation has been confirmed at this time.
Stored cross-site scripting (XSS) in the pdfl.io WordPress plugin allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'text' attribute of the 'pdflio' shortcode, which is executed in the browsers of all site visitors due to missing output escaping. All versions up to and including 1.0.5 are affected, and the vulnerability requires Contributor-level WordPress access but no user interaction beyond page access. No public exploit code or active exploitation has been confirmed; the attack relies on insufficient input sanitization in the output_shortcode() function.
Missing Authorization vulnerability in AnyTrack AnyTrack Affiliate Link Manager anytrack-affiliate-link-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AnyTrack Affiliate Link Manager: from n/a through <= 1.5.5.
Missing Authorization vulnerability in mailercloud Mailercloud – Integrate webforms and synchronize website contacts mailercloud-integrate-webforms-synchronize-contacts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mailercloud – Integrate webforms and synchronize website contacts: from n/a through <= 1.0.7.
Insertion of Sensitive Information Into Sent Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Retrieve Embedded Sensitive Data.This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5.
Insertion of Sensitive Information Into Sent Data vulnerability in thetechtribe The Tribal the-tech-tribe allows Retrieve Embedded Sensitive Data.This issue affects The Tribal: from n/a through <= 1.3.4.
Missing Authorization vulnerability in ZealousWeb Accept PayPal Payments using Contact Form 7 contact-form-7-paypal-extension allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accept PayPal Payments using Contact Form 7: from n/a through <= 4.0.4.
Missing Authorization vulnerability in Mulika Team MIPL WC Multisite Sync mipl-wc-multisite-sync allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MIPL WC Multisite Sync: from n/a through <= 1.4.4.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpbits WPBITS Addons For Elementor Page Builder wpbits-addons-for-elementor allows Stored XSS.This issue affects WPBITS Addons For Elementor Page Builder: from n/a through <= 1.8.1.
Missing Authorization vulnerability in Andrew ShopWP wpshopify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ShopWP: from n/a through <= 5.2.4.
Missing Authorization vulnerability in massiveshift AI Workflow Automation ai-workflow-automation-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Workflow Automation: from n/a through <= 1.4.2.
Missing Authorization vulnerability in HBSS Technologies MAIO – The new AI GEO / SEO tool maio-the-new-ai-geo-seo-tool allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MAIO – The new AI GEO / SEO tool: from n/a through <= 6.2.8.
Server-Side Request Forgery (SSRF) vulnerability in podigee Podigee podigee allows Server Side Request Forgery.This issue affects Podigee: from n/a through <= 1.4.0.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fesomia FSM Custom Featured Image Caption fsm-custom-featured-image-caption allows DOM-Based XSS.This issue affects FSM Custom Featured Image Caption: from n/a through <= 1.25.1.
Missing Authorization vulnerability in AdAstraCrypto Cryptocurrency Donation Box - Bitcoin & Crypto Donations cryptocurrency-donation-box allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cryptocurrency Donation Box - Bitcoin & Crypto Donations: from n/a through <= 2.2.13.
Missing Authorization vulnerability in eshipper eShipper Commerce eshipper-commerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects eShipper Commerce: from n/a through <= 2.16.12.
Missing Authorization vulnerability in Rapid Car Check Rapid Car Check Vehicle Data free-vehicle-data-uk allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rapid Car Check Vehicle Data: from n/a through <= 2.0.
Missing Authorization vulnerability in lvaudore The Moneytizer the-moneytizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Moneytizer: from n/a through <= 10.0.10.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chief Gnome Garden Gnome Package garden-gnome-package allows DOM-Based XSS.This issue affects Garden Gnome Package: from n/a through <= 2.4.1.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Homeo homeo allows PHP Local File Inclusion.This issue affects Homeo: from n/a through <= 1.2.59.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Freeio freeio allows PHP Local File Inclusion.This issue affects Freeio: from n/a through <= 1.3.21.
Missing Authorization vulnerability in webmuehle Court Reservation court-reservation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Court Reservation: from n/a through <= 1.10.11.
Cross-Site Request Forgery (CSRF) vulnerability in Dotstore Extra Fees Plugin for WooCommerce woo-conditional-product-fees-for-checkout allows Cross Site Request Forgery.This issue affects Extra Fees Plugin for WooCommerce: from n/a through <= 4.3.3.
Missing Authorization vulnerability in NitroPack NitroPack nitropack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NitroPack: from n/a through <= 1.19.3.
Book Previewer for WooCommerce plugin versions up to 1.0.6 fail to enforce authorization checks on sensitive functionality, allowing unauthenticated remote attackers to access restricted content with low-complexity exploitation. The vulnerability stems from missing access control validation, enabling attackers to bypass intended security boundaries without user interaction. While CVSS rates this as moderate (5.3), EPSS exploitation probability remains minimal at 0.02% percentile, and no public exploit code or active exploitation has been confirmed.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jongmyoung Kim Korea SNS korea-sns allows DOM-Based XSS.This issue affects Korea SNS: from n/a through <= 1.7.0.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vladimir Prelovac SEO Friendly Images seo-image allows DOM-Based XSS.This issue affects SEO Friendly Images: from n/a through <= 3.0.5.
Missing Authorization vulnerability in themetechmount TrueBooker truebooker-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TrueBooker: from n/a through <= 1.1.5.
Missing authorization in ProWCPlugins Product Price by Formula for WooCommerce plugin (versions up to 2.5.6) allows unauthenticated remote attackers to read sensitive configuration data through incorrectly configured access control. The vulnerability exposes limited information confidentiality without enabling modification or denial of service, and carries a low real-world exploitation probability (EPSS 0.02%) despite a moderate CVSS score.
Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Manager: from n/a through <= 2.4.1.
Missing Authorization vulnerability in Coding Panda Panda Pods Repeater Field panda-pods-repeater-field allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Panda Pods Repeater Field: from n/a through <= 1.5.12.
Missing Authorization vulnerability in Razorpay Razorpay for WooCommerce woo-razorpay allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Razorpay for WooCommerce: from n/a through <= 4.8.2.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ashish Ajani WP Simple HTML Sitemap wp-simple-html-sitemap allows DOM-Based XSS.This issue affects WP Simple HTML Sitemap: from n/a through <= 3.8.
Missing Authorization vulnerability in Deepen Bajracharya Video Conferencing with Zoom video-conferencing-with-zoom-api allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Video Conferencing with Zoom: from n/a through <= 4.6.6.
Missing Authorization vulnerability in TotalSuite Total Poll Lite totalpoll-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Total Poll Lite: from n/a through <= 4.12.0.
Missing Authorization vulnerability in themebeez Royale News royale-news allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Royale News: from n/a through <= 2.2.4.
Server-Side Request Forgery (SSRF) vulnerability in sonaar MP3 Audio Player for Music, Radio & Podcast by Sonaar mp3-music-player-by-sonaar allows Server Side Request Forgery.This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through <= 5.11.
Server-Side Request Forgery (SSRF) vulnerability in Global Payments GlobalPayments WooCommerce global-payments-woocommerce allows Server Side Request Forgery.This issue affects GlobalPayments WooCommerce: from n/a through <= 1.18.0.
Missing Authorization vulnerability in Payment Plugins Payment Plugins for PayPal WooCommerce pymntpl-paypal-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Payment Plugins for PayPal WooCommerce: from n/a through <= 2.0.13.
Various stored XSS vulnerabilities in the maps- and icon rendering logic in Phoca Maps component 5.0.0-6.0.2 have been discovered.
Arbitrary file deletion in wpForo Forum plugin for WordPress (≤3.0.2) allows authenticated attackers with subscriber-level access to delete critical server files including wp-config.php. A two-step logic flaw permits injection of attacker-controlled file paths via poisoned postmeta arrays (data[body][fileurl]), which are later passed unvalidated to wp_delete_file(). The vulnerability requires low-privilege authentication (PR:L) and enables denial-of-service against WordPress installations through deletion of configuration or core files. No public exploit identified at time of analysis.
Insecure Direct Object Reference in Tutor LMS WordPress plugin versions up to 3.9.7 allows authenticated Subscriber-level users to manipulate course content structure across any course by exploiting missing authorization checks in the save_course_content_order() method, enabling attackers to detach lessons from topics, reorder course content, and reassign lessons between courses without proper ownership verification.
Blind Server-Side Request Forgery in UsersWP WordPress plugin versions up to 1.2.58 allows authenticated subscribers and above to force the WordPress server to make arbitrary HTTP requests via the uwp_crop parameter in avatar/banner image crop operations. The vulnerability stems from insufficient URL origin validation in the process_image_crop() method, which accepts user-controlled URLs and passes them to PHP image processing functions that support URL wrappers, enabling internal network reconnaissance and potential access to sensitive services. No public exploit code or active exploitation has been confirmed, though the vulnerability requires only authenticated access and low attack complexity.
Privilege escalation in BuddyPress Groupblog (WordPress plugin) allows authenticated attackers with Subscriber-level access to grant Administrator privileges on any blog in a Multisite network, including the main site. Exploitation leverages missing authorization checks in group blog settings handlers, enabling attackers to inject arbitrary WordPress roles (including administrator) and associate groups with any blog ID. When users join the compromised group, they are silently added to the targeted blog with the injected role. Authenticated access required (PR:L). No public exploit identified at time of analysis.
Stored Cross-Site Scripting in BlockArt Blocks plugin for WordPress allows authenticated attackers with Author-level or higher permissions to inject arbitrary JavaScript into page content via the 'clientId' block attribute due to insufficient input sanitization and output escaping. An attacker can craft malicious block content that executes in the browsers of all users viewing the compromised page. The vulnerability affects all versions up to and including 2.2.15, with a fix available in version 2.3.0.
Stored cross-site scripting in GreenShift - Animation and Page Builder Blocks plugin for WordPress up to version 12.8.9 allows authenticated contributors to inject arbitrary JavaScript into pages via improper HTML string manipulation in the gspb_greenShift_block_script_assets() function. The vulnerability exploits a naive str_replace() operation that fails to parse HTML context, enabling attackers to break out of attribute boundaries and inject malicious event handlers like onfocus with JavaScript payloads that execute when users access affected pages. No public exploit code has been identified; however, the low attack complexity and straightforward injection vector make this a practical risk for sites with untrusted contributors.
Unauthenticated stored XSS in Optimole WordPress plugin (≤4.2.2) allows attackers to inject malicious scripts via the srcset descriptor parameter in the /wp-json/optimole/v1/optimizations REST endpoint. Despite HMAC signature validation, authentication tokens are exposed in frontend HTML, enabling exploitation. Injected payloads persist in WordPress options table via transients and execute when victim browsers render affected pages. No public exploit identified at time of analysis.
SQL injection in LifterLMS WordPress plugin versions up to 9.2.1 allows authenticated Instructor-level users with edit_post capability to extract sensitive database information via insufficiently escaped 'order' parameter in quiz reporting tables. The vulnerability requires authenticated access with specific WordPress role and post capabilities, limiting exposure to trusted users with elevated privileges; no public exploit code or active exploitation has been identified at time of analysis.
Reflected Cross-Site Scripting (XSS) in Optimole - Optimize Images in Real Time WordPress plugin versions up to 4.2.3 allows unauthenticated attackers to inject arbitrary JavaScript through malicious URL paths. The vulnerability stems from insufficient output escaping in the get_current_url() function, which are then inserted into JavaScript code via str_replace() without proper JavaScript context escaping in replace_content(). An attacker can craft a malicious link that, when clicked by a WordPress user, executes injected scripts in the context of the user's browser session with CVSS 6.1 (Medium) severity.
Tutor LMS plugin for WordPress up to version 3.9.7 allows authenticated subscribers to enroll in private courses due to missing post_status validation in enrollment functions, exposing private course metadata in user dashboards despite WordPress core preventing actual content access. The vulnerability requires subscriber-level authentication but affects confidentiality and integrity, with confirmed patches available in version 3.9.8.
Missing authorization in Gravity SMTP plugin for WordPress (versions ≤2.1.4) allows authenticated attackers with subscriber-level privileges to uninstall the plugin, deactivate functionality, and delete configuration options. Exploitable via direct API calls or CSRF attack vectors. Affects Gravity SMTP by Rocketgenius. Successful exploitation enables low-privileged users to disable critical SMTP mail delivery functionality and remove plugin settings without proper permission checks. No public exploit identified at time of analysis.
Unauthenticated attackers can rename arbitrary wishlists on WordPress sites running YITH WooCommerce Wishlist before version 4.13.0 due to insufficient ownership validation in the save_title() AJAX handler. The vulnerability exploits a publicly exposed nonce in the wishlist page source, allowing attackers to modify wishlist names for any user without authentication. While the CVSS score of 6.5 reflects moderate integrity and confidentiality impact, the EPSS score of 0.02% (percentile 6%) and low real-world exploitation probability suggest this is a niche risk affecting only sites using this specific plugin, though publicly available exploit code exists.
Remote code execution in YML for Yandex Market WordPress plugin versions before 5.0.26 allows unauthenticated remote attackers to execute arbitrary code through the feed generation process. The vulnerability has a CVSS score of 6.5 and publicly available exploit code exists. Exploitation requires only network access with no user interaction, making it relatively straightforward to weaponize despite the low EPSS score (0.09%), suggesting limited real-world exploitation activity at the time of analysis.
Stored cross-site scripting (XSS) in AddFunc Head & Footer Code plugin for WordPress versions up to 2.3 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via custom post meta fields that execute when administrators preview or view posts. The vulnerability exists because the plugin outputs user-supplied code from `aFhfc_head_code`, `aFhfc_body_code`, and `aFhfc_footer_code` meta values without sanitization or escaping, and fails to restrict meta key access via WordPress `register_meta()` authentication callbacks despite restricting its own admin interface. No public exploit code or active exploitation has been confirmed at time of analysis.
Reflected Cross-Site Scripting (XSS) in Royal WordPress Backup & Restore Plugin up to version 1.0.16 allows unauthenticated attackers to inject arbitrary JavaScript via the 'wpr_pending_template' parameter. An attacker can craft a malicious link and trick a WordPress administrator into clicking it, causing the injected script to execute in the admin's browser with their privileges. This affects all installations running the vulnerable plugin versions, and no active exploitation has been confirmed, though the low attack complexity and lack of authentication requirements make this a practical threat.
Improper access control in UsersWP plugin for WordPress versions up to 1.2.58 allows authenticated subscribers and above to manipulate restricted user metadata fields via the upload_file_remove() AJAX handler, bypassing field-level permissions intended to restrict modifications to administrator-only fields. The vulnerability stems from insufficient validation of the $htmlvar parameter against allowed fields or admin-use restrictions, enabling attackers to clear or reset sensitive usermeta columns on their own user records.
Cross-site request forgery in Aruba HiSpeed Cache WordPress plugin up to version 3.0.4 allows unauthenticated attackers to reset all plugin settings to defaults by tricking site administrators into clicking a malicious link, due to missing nonce verification on the ahsc_ajax_reset_options() function. The CVSS score of 4.3 reflects the low-impact integrity violation requiring user interaction, with no known public exploit code or confirmed active exploitation.
Authenticated arbitrary file overwrite in Perfmatters WordPress plugin ≤2.5.9 allows low-privileged attackers (Subscriber-level and above) to corrupt critical server files via path traversal. The PMCS::action_handler() method processes bulk activate/deactivate actions without authorization checks or nonce verification, passing unsanitized $_GET['snippets'][] values through Snippet::activate()/deactivate() to file_put_contents(). Attackers can overwrite files like .htaccess or index.php with fixed PHP docblock content, causing denial of service. Exploitation requires authenticated access with minimal privileges. No public exploit identified at time of analysis.
Stored Cross-Site Scripting (XSS) in the Webling WordPress plugin versions up to 3.9.0 allows authenticated attackers with Subscriber-level access to inject malicious scripts into forms and memberlists that execute when administrators view the admin interface. The vulnerability stems from insufficient input sanitization and output escaping in the 'webling_admin_save_form' and 'webling_admin_save_memberlist' functions, combined with missing capability checks. No public exploit code or active exploitation has been reported at time of analysis.
Authenticated attackers with Contributor-level or higher access to WordPress sites using the Download Manager plugin (versions up to 3.3.51) can strip protection metadata from any media file, including those they do not own, by exploiting a missing capability check in the makeMediaPublic() and makeMediaPrivate() functions. This allows unauthorized modification of access restrictions, passwords, and private flags on media files, exposing admin-protected content via direct URLs. The vulnerability is non-critical (CVSS 4.3) but represents a privilege escalation and data integrity issue requiring authenticated access.
Unauthenticated attackers can overwrite billing profile data (name, email, phone, address) for any WordPress user with an incomplete manual order in Tutor LMS plugin versions ≤3.9.7. The pay_incomplete_order() function accepts attacker-controlled order_id parameters without identity verification, writing billing fields directly to the order owner's profile. Exploitation is simplified by predictable Tutor nonce exposure on public pages, enabling targeted profile manipulation via crafted POST requests with enumerated order IDs. No public exploit or active exploitation confirmed at time of analysis.
WP-Optimize plugin for WordPress allows authenticated subscribers and higher to execute admin-only operations including log file access, backup image deletion, and bulk image processing due to missing capability checks in the Heartbeat handler function. The vulnerability affects all versions up to 4.5.0 and requires user authentication but no elevated privileges, enabling privilege escalation from subscriber-level accounts to perform administrative image optimization tasks that should be restricted to site administrators.
Unauthenticated attackers can bypass authentication in Customer Reviews for WooCommerce plugin versions up to 5.103.0 by submitting an empty string as the review permission key, allowing them to create, modify, and inject malicious product reviews via the REST API without any legitimate order association. The vulnerability exploits improper key validation using strict equality comparison without checking for empty values, combined with auto-approval of reviews by default, enabling widespread review injection across all products on affected WooCommerce installations.
Supply chain compromise in Smart Slider 3 Pro 3.5.1.35 for WordPress and Joomla delivers multi-stage remote access toolkit via compromised update mechanism. Unauthenticated attackers achieve pre-authentication remote code execution through malicious HTTP headers, deploy authenticated backdoors accepting arbitrary PHP/OS commands, create hidden administrator accounts, exfiltrate credentials and API keys, and establish persistence via must-use plugins and core file modifications. Vendor confirmed malicious build distributed through official update channel. No public exploit identified at time of analysis.
Price manipulation in Bookly WordPress plugin (versions up to 27.0) allows unauthenticated attackers to reduce appointment booking costs to zero by submitting negative values to the 'tips' parameter, exploiting insufficient server-side validation of user-supplied pricing input. No public exploit code or active exploitation has been confirmed, but the vulnerability carries moderate risk due to its ease of exploitation and direct financial impact on e-commerce transactions.
Stored cross-site scripting in List Category Posts plugin for WordPress (all versions up to 0.94.0) allows authenticated contributors and above to inject arbitrary JavaScript via insufficiently sanitized shortcode attributes, enabling persistent payload execution whenever affected pages are accessed. CVSS 6.4 reflects moderate confidentiality and integrity impact with network-level access; exploitation requires contributor-level WordPress account.
Stored Cross-Site Scripting in UsersWP WordPress plugin up to version 1.2.60 allows authenticated subscribers and above to inject arbitrary JavaScript into user profile badge widgets via insufficiently sanitized URL fields, executing malicious scripts for all site visitors viewing affected pages. The vulnerability affects the badge widget rendering component due to improper output escaping in the wp-ayecode-ui library integration. No public exploit code or active exploitation has been identified, though the low attack complexity and subscriber-level access requirement make this a realistic threat in multi-user WordPress environments.
Stored cross-site scripting in Ultimate FAQ Accordion plugin for WordPress (all versions up to 2.4.7) allows authenticated Author-level users to inject arbitrary web scripts into FAQ pages. The vulnerability exploits a double-encoding bypass: the plugin calls html_entity_decode() on FAQ content during rendering, converting entity-encoded payloads (e.g., <img src=x onerror=alert()>) back into executable HTML, which then bypasses WordPress output escaping in the faq-answer.php template. The ufaq custom post type is REST API-enabled with default post capabilities, allowing Authors to create and publish malicious FAQs via REST API. No public exploit code has been identified at time of analysis, but the vulnerability has a moderate CVSS 6.4 score reflecting its authenticated requirement and cross-site impact.
Remote code execution in Quick Playground plugin for WordPress (all versions through 1.3.1) allows unauthenticated attackers to execute arbitrary PHP code on the server. Vulnerability stems from insufficient authorization on REST API endpoints that expose a sync code and permit unrestricted file uploads. Attackers can retrieve the sync code via unsecured endpoints, upload malicious PHP files using path traversal techniques, and achieve full server compromise without authentication. CVSS 9.8 critical severity. No public exploit identified at time of analysis.
Authenticated subscribers and above in WordPress sites using MStore API plugin up to version 4.18.3 can modify arbitrary user meta fields on their own accounts, including legacy privilege escalation keys like wp_user_level and plugin-specific authorization flags, potentially leading to privilege escalation or stored XSS. The vulnerability stems from the update_user_profile() function accepting unsanitized, user-supplied meta_data JSON without allowlist or validation before passing it directly to update_user_meta(). No public exploit code or active exploitation has been identified at this time.
Stored Cross-Site Scripting in Experto Dashboard for WooCommerce plugin versions up to 1.0.4 allows authenticated administrators to inject arbitrary JavaScript into plugin settings fields (Navigation Font Size, Font Weight, Heading Font Size, Font Weight, Text Font Size, and Font Weight) due to missing input sanitization and output escaping. The injected scripts execute when any user accesses the settings page, affecting only multi-site WordPress installations or single-site installations with unfiltered_html disabled. No public exploit code identified at time of analysis.
Stored Cross-Site Scripting in OSM - OpenStreetMap WordPress plugin versions up to 6.1.15 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript through insufficiently sanitized 'marker_name' and 'file_color_list' shortcode attributes in [osm_map_v3], executing malicious scripts whenever users access affected pages. CVSS 6.4 reflects moderate severity with cross-site impact; exploitation requires valid WordPress user credentials but no user interaction beyond page access.
Stored cross-site scripting in Download Manager for WordPress up to version 3.3.52 allows authenticated contributors and above to inject arbitrary JavaScript through the 'sid' parameter of the 'wpdm_members' shortcode, which is stored in post metadata and executed when users access the affected page. The vulnerability stems from missing input sanitization in the members() function and absent output escaping (esc_attr()) when the 'sid' value is rendered directly into HTML id attributes. EPSS score indicates moderate-to-high exploitation probability; no active exploitation in CISA KEV has been confirmed at time of analysis.
Ziggeo plugin for WordPress up to version 3.1.1 allows authenticated attackers with Subscriber-level access or above to perform unauthorized administrative operations including modifying translations, creating or deleting event templates, changing SDK settings, and managing notifications through missing capability checks in AJAX handlers. While nonce validation is present, the absence of current_user_can() checks combined with nonce exposure to all logged-in users enables privilege escalation from basic subscribers to near-administrative functionality. CVSS 5.4 reflects moderate impact with low complexity exploitability.
Missing authorization bypass in Vertex Addons for Elementor (WordPress plugin, all versions ≤1.6.4) allows authenticated attackers with Subscriber-level privileges to install and activate arbitrary WordPress plugins. The activate_required_plugins() function checks current_user_can('install_plugins') capability but fails to halt execution on denial, permitting installation/activation to proceed before error response is sent. CVSS 8.8 (High) reflects authenticated (PR:L) network attack enabling high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis.
Stored Cross-Site Scripting in Post Blocks & Tools WordPress plugin versions up to 1.3.0 allows authenticated attackers with author-level access to inject arbitrary JavaScript through the 'sliderStyle' block attribute in the Posts Slider block, which executes in the browsers of all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping, enabling persistent payload injection that affects any site administrator or editor visiting a compromised post.
Arbitrary file manipulation in MW WP Form plugin (WordPress) versions ≤5.1.1 allows unauthenticated attackers to move sensitive server files into web-accessible directories, enabling remote code execution. The vulnerability stems from insufficient validation of upload field keys in generate_user_file_dirpath(), exploiting WordPress's path_join() behavior with absolute paths. Attackers inject malicious keys via mwf_upload_files[] POST parameter to relocate critical files like wp-config.php. Exploitation requires forms with enabled file upload fields and 'Saving inquiry data in database' option. No public exploit identified at time of analysis.
Stored Cross-Site Scripting in Extensions for Leaflet Map plugin for WordPress allows authenticated attackers with Contributor-level access to inject arbitrary web scripts via the 'elevation-track' shortcode due to insufficient input sanitization and output escaping, enabling arbitrary script execution whenever users access injected pages. The vulnerability affects all versions up to and including 4.14, with a CVSS score of 6.4 reflecting the moderate but significant impact across multiple users of the same WordPress installation.
Cross-Site Request Forgery in Advanced Contact Form 7 DB plugin for WordPress (versions up to 2.0.9) allows unauthenticated attackers to delete form entries by exploiting missing nonce validation in the 'vsz_cf7_save_setting_callback' function. An attacker must trick a site administrator into clicking a malicious link, but no public exploit code or active exploitation has been confirmed at the time of analysis.
Export sensitive Contact Form 7 submissions without proper authorization in Advanced Contact form 7 DB plugin for WordPress versions up to 2.0.9 allows authenticated attackers with Subscriber-level or higher permissions to export form data to Excel files due to a missing capability check on the 'vsz_cf7_export_to_excel' function. While the CVSS score of 4.3 reflects low severity and no public exploit code exists, the vulnerability enables unauthorized data access on any WordPress site using this plugin, affecting site administrators managing contact form submissions that may contain sensitive user information.
Unauthenticated arbitrary file upload in ProSolution WP Client plugin (≤1.9.9) enables attackers to upload executable files without validation via the 'proSol_fileUploadProcess' function, leading to remote code execution on WordPress servers. Critical severity (CVSS 9.8) with network-accessible attack vector requiring no authentication or user interaction. No public exploit identified at time of analysis.
Stored Cross-Site Scripting in Page Builder: Pagelayer WordPress plugin versions up to 2.0.8 allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript into page content via the Button widget's Custom Attributes field. The vulnerability bypasses an incomplete XSS filter that blocks common event handlers but fails to block all variants, enabling persistent script execution whenever affected pages are viewed. No public exploit code or active exploitation has been confirmed; however, the low attack complexity and broad applicability to WordPress sites using this popular page builder plugin present meaningful risk.
Time-based SQL injection in WCAPF (WooCommerce Ajax Product Filter) WordPress plugin versions up to 4.2.3 allows unauthenticated remote attackers to extract sensitive database information via the 'post-author' parameter. The vulnerability stems from inadequate input sanitization and SQL query preparation, enabling attackers to append malicious SQL commands to existing queries. EPSS data not provided, but the unauthenticated network-accessible attack vector and public disclosure via Wordfence Threat Intelligence create immediate exploitation risk for WordPress sites using this e-commerce filtering plugin. No active exploitation confirmed (not in CISA KEV), though publicly available proof-of-concept code exists in security advisories.
Cross-Site Request Forgery in BEAR - Bulk Editor and Products Manager Professional for WooCommerce (all versions up to 1.1.5) allows unauthenticated attackers to modify WooCommerce product data including prices, descriptions, and other fields by tricking administrators or shop managers into clicking a malicious link, due to missing nonce validation in the woobe_redraw_table_row() function. CVSS 6.5 reflects the high integrity impact; no public exploit code or active exploitation has been confirmed at analysis time.
Stored Cross-Site Scripting in Beaver Builder Page Builder plugin for WordPress up to version 2.10.1.1 allows authenticated attackers with author-level access or higher to inject arbitrary JavaScript through the 'settings[js]' parameter due to insufficient input sanitization and output escaping. When injected pages are accessed by other users, the malicious scripts execute in their browsers, potentially compromising site integrity and user accounts. No public exploit code or active CISA KEV status reported at analysis time.
Arbitrary file deletion in DanbiLabs Advanced Members for ACF plugin for WordPress (versions ≤1.2.5) allows authenticated attackers with Subscriber-level privileges to delete critical server files via path traversal, enabling remote code execution by removing wp-config.php or similar critical files. The vulnerability stems from insufficient path validation in the create_crop function and was only partially patched in version 1.2.5, leaving residual risk. CVSS 8.8 (High) reflects network accessibility with low attack complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, though the attack path is straightforward for authenticated users.
Cross-Site Request Forgery in BEAR - Bulk Editor and Products Manager Professional for WooCommerce (all versions up to 1.1.5) allows unauthenticated attackers to delete WooCommerce taxonomy terms via a malicious link that tricks site administrators or shop managers into performing an action. The vulnerability stems from missing nonce validation on the woobe_delete_tax_term() function, enabling integrity compromise with low CVSS impact (4.3) but requiring user interaction.
SQL Injection in User Registration & Membership plugin for WordPress (versions up to 5.1.2) allows authenticated Subscriber-level attackers to extract sensitive database information via unsanitized 'membership_ids[]' parameter. The vulnerability stems from insufficient escaping and lack of prepared statements in SQL query construction, enabling attackers to append arbitrary SQL commands to existing queries. No public exploit code or active exploitation has been identified at the time of analysis.
Stored cross-site scripting in Robo Gallery for WordPress up to version 5.1.3 allows authenticated Author-level users to inject arbitrary JavaScript via the Loading Label gallery setting. The vulnerability exploits a custom marker pattern (`|***...***|`) in the `fixJsFunction()` method that converts JSON-wrapped strings into raw JavaScript code; input validation with `sanitize_text_field()` fails to strip the markers, enabling script injection that executes whenever the gallery shortcode is rendered. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored Cross-Site Scripting in PrivateContent Free WordPress plugin versions up to 1.2.0 allows authenticated contributors and above to inject arbitrary JavaScript through the 'align' shortcode attribute in [pc-login-form], which executes when any user visits an affected page. The vulnerability stems from the 'align' parameter being concatenated directly into an HTML class attribute without proper escaping (esc_attr), enabling persistent XSS attacks. No public exploit code or active exploitation has been identified at the time of analysis.
Stored Cross-Site Scripting in WP Visitor Statistics plugin versions up to 8.4 allows authenticated contributors and higher-privileged users to inject arbitrary JavaScript through the 'wsm_showDayStatsGraph' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user accessing the affected page, potentially compromising site visitors and enabling account takeover or malware distribution. No public exploit code or active exploitation has been confirmed at this time.
Stored cross-site scripting (XSS) in the pdfl.io WordPress plugin allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'text' attribute of the 'pdflio' shortcode, which is executed in the browsers of all site visitors due to missing output escaping. All versions up to and including 1.0.5 are affected, and the vulnerability requires Contributor-level WordPress access but no user interaction beyond page access. No public exploit code or active exploitation has been confirmed; the attack relies on insufficient input sanitization in the output_shortcode() function.
Missing Authorization vulnerability in AnyTrack AnyTrack Affiliate Link Manager anytrack-affiliate-link-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AnyTrack Affiliate Link Manager: from n/a through <= 1.5.5.
Missing Authorization vulnerability in mailercloud Mailercloud – Integrate webforms and synchronize website contacts mailercloud-integrate-webforms-synchronize-contacts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mailercloud – Integrate webforms and synchronize website contacts: from n/a through <= 1.0.7.
Insertion of Sensitive Information Into Sent Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Retrieve Embedded Sensitive Data.This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5.
Insertion of Sensitive Information Into Sent Data vulnerability in thetechtribe The Tribal the-tech-tribe allows Retrieve Embedded Sensitive Data.This issue affects The Tribal: from n/a through <= 1.3.4.
Missing Authorization vulnerability in ZealousWeb Accept PayPal Payments using Contact Form 7 contact-form-7-paypal-extension allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accept PayPal Payments using Contact Form 7: from n/a through <= 4.0.4.
Missing Authorization vulnerability in Mulika Team MIPL WC Multisite Sync mipl-wc-multisite-sync allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MIPL WC Multisite Sync: from n/a through <= 1.4.4.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpbits WPBITS Addons For Elementor Page Builder wpbits-addons-for-elementor allows Stored XSS.This issue affects WPBITS Addons For Elementor Page Builder: from n/a through <= 1.8.1.
Missing Authorization vulnerability in Andrew ShopWP wpshopify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ShopWP: from n/a through <= 5.2.4.
Missing Authorization vulnerability in massiveshift AI Workflow Automation ai-workflow-automation-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Workflow Automation: from n/a through <= 1.4.2.
Missing Authorization vulnerability in HBSS Technologies MAIO – The new AI GEO / SEO tool maio-the-new-ai-geo-seo-tool allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MAIO – The new AI GEO / SEO tool: from n/a through <= 6.2.8.
Server-Side Request Forgery (SSRF) vulnerability in podigee Podigee podigee allows Server Side Request Forgery.This issue affects Podigee: from n/a through <= 1.4.0.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fesomia FSM Custom Featured Image Caption fsm-custom-featured-image-caption allows DOM-Based XSS.This issue affects FSM Custom Featured Image Caption: from n/a through <= 1.25.1.
Missing Authorization vulnerability in AdAstraCrypto Cryptocurrency Donation Box - Bitcoin & Crypto Donations cryptocurrency-donation-box allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cryptocurrency Donation Box - Bitcoin & Crypto Donations: from n/a through <= 2.2.13.
Missing Authorization vulnerability in eshipper eShipper Commerce eshipper-commerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects eShipper Commerce: from n/a through <= 2.16.12.
Missing Authorization vulnerability in Rapid Car Check Rapid Car Check Vehicle Data free-vehicle-data-uk allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rapid Car Check Vehicle Data: from n/a through <= 2.0.
Missing Authorization vulnerability in lvaudore The Moneytizer the-moneytizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Moneytizer: from n/a through <= 10.0.10.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chief Gnome Garden Gnome Package garden-gnome-package allows DOM-Based XSS.This issue affects Garden Gnome Package: from n/a through <= 2.4.1.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Homeo homeo allows PHP Local File Inclusion.This issue affects Homeo: from n/a through <= 1.2.59.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Freeio freeio allows PHP Local File Inclusion.This issue affects Freeio: from n/a through <= 1.3.21.
Missing Authorization vulnerability in webmuehle Court Reservation court-reservation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Court Reservation: from n/a through <= 1.10.11.
Cross-Site Request Forgery (CSRF) vulnerability in Dotstore Extra Fees Plugin for WooCommerce woo-conditional-product-fees-for-checkout allows Cross Site Request Forgery.This issue affects Extra Fees Plugin for WooCommerce: from n/a through <= 4.3.3.
Missing Authorization vulnerability in NitroPack NitroPack nitropack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NitroPack: from n/a through <= 1.19.3.
Book Previewer for WooCommerce plugin versions up to 1.0.6 fail to enforce authorization checks on sensitive functionality, allowing unauthenticated remote attackers to access restricted content with low-complexity exploitation. The vulnerability stems from missing access control validation, enabling attackers to bypass intended security boundaries without user interaction. While CVSS rates this as moderate (5.3), EPSS exploitation probability remains minimal at 0.02% percentile, and no public exploit code or active exploitation has been confirmed.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jongmyoung Kim Korea SNS korea-sns allows DOM-Based XSS.This issue affects Korea SNS: from n/a through <= 1.7.0.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vladimir Prelovac SEO Friendly Images seo-image allows DOM-Based XSS.This issue affects SEO Friendly Images: from n/a through <= 3.0.5.
Missing Authorization vulnerability in themetechmount TrueBooker truebooker-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TrueBooker: from n/a through <= 1.1.5.
Missing authorization in ProWCPlugins Product Price by Formula for WooCommerce plugin (versions up to 2.5.6) allows unauthenticated remote attackers to read sensitive configuration data through incorrectly configured access control. The vulnerability exposes limited information confidentiality without enabling modification or denial of service, and carries a low real-world exploitation probability (EPSS 0.02%) despite a moderate CVSS score.
Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Manager: from n/a through <= 2.4.1.
Missing Authorization vulnerability in Coding Panda Panda Pods Repeater Field panda-pods-repeater-field allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Panda Pods Repeater Field: from n/a through <= 1.5.12.
Missing Authorization vulnerability in Razorpay Razorpay for WooCommerce woo-razorpay allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Razorpay for WooCommerce: from n/a through <= 4.8.2.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ashish Ajani WP Simple HTML Sitemap wp-simple-html-sitemap allows DOM-Based XSS.This issue affects WP Simple HTML Sitemap: from n/a through <= 3.8.
Missing Authorization vulnerability in Deepen Bajracharya Video Conferencing with Zoom video-conferencing-with-zoom-api allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Video Conferencing with Zoom: from n/a through <= 4.6.6.
Missing Authorization vulnerability in TotalSuite Total Poll Lite totalpoll-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Total Poll Lite: from n/a through <= 4.12.0.
Missing Authorization vulnerability in themebeez Royale News royale-news allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Royale News: from n/a through <= 2.2.4.
Server-Side Request Forgery (SSRF) vulnerability in sonaar MP3 Audio Player for Music, Radio & Podcast by Sonaar mp3-music-player-by-sonaar allows Server Side Request Forgery.This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through <= 5.11.
Server-Side Request Forgery (SSRF) vulnerability in Global Payments GlobalPayments WooCommerce global-payments-woocommerce allows Server Side Request Forgery.This issue affects GlobalPayments WooCommerce: from n/a through <= 1.18.0.
Missing Authorization vulnerability in Payment Plugins Payment Plugins for PayPal WooCommerce pymntpl-paypal-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Payment Plugins for PayPal WooCommerce: from n/a through <= 2.0.13.