WordPress
Monthly
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bt_bb_tabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_raw_content shortcode in all versions up to, and including, 5.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
Authenticated contributors and above can inject malicious scripts into WordPress pages through the Yoast SEO plugin (versions up to 26.8) by exploiting inadequate sanitization of the yoast-schema block attribute. When site visitors access affected pages, the injected scripts execute in their browsers, potentially compromising user data or session security. No patch is currently available for this stored cross-site scripting vulnerability.
The Code Snippets WordPress plugin through version 3.9.4 lacks nonce validation on cloud snippet operations, allowing unauthenticated attackers to conduct cross-site request forgery attacks against logged-in administrators. By tricking an admin into visiting a malicious page, attackers can force unauthorized downloads or updates of cloud snippets. No patch is currently available for this vulnerability.
WP Duplicate WordPress plugin has a missing authorization vulnerability leading to arbitrary file deletion that can destroy the WordPress installation.
Stored XSS in the Events Listing Widget plugin for WordPress (versions ≤1.3.4) allows authenticated users with Author privileges or higher to inject malicious scripts through the Event URL parameter due to inadequate input validation. An attacker exploiting this vulnerability can execute arbitrary JavaScript in pages viewed by other users. No patch is currently available for this medium-severity vulnerability.
The Employee Directory plugin for WordPress through version 1.2.1 contains a stored cross-site scripting vulnerability in the search_employee_directory shortcode due to inadequate input validation on the form_title parameter. Authenticated users with Contributor privileges or higher can inject malicious scripts that persist in pages and execute in browsers of any user viewing the affected content. No patch is currently available.
Stored XSS in WaveSurfer-WP plugin through improper sanitization of the audio shortcode 'src' attribute allows authenticated users with Contributor access or higher to inject malicious scripts into WordPress pages. When site visitors access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. No patch is currently available for versions up to 2.8.3.
Authenticated WordPress users with Contributor access or higher can inject persistent malicious scripts into pages through the Docus - YouTube Video Playlist plugin (versions up to 1.0.6) via improper handling of shortcode attributes. These injected scripts execute in the browsers of any visitor to the affected pages, potentially compromising user sessions and data. No patch is currently available for this stored XSS vulnerability.
Stored cross-site scripting in the Orange Confort+ accessibility toolbar WordPress plugin through version 0.7 allows authenticated contributors and higher-privileged users to inject malicious scripts via the ocplus_button shortcode's style parameter due to inadequate input sanitization. When other users visit pages containing the injected content, the arbitrary scripts execute in their browsers, potentially compromising sessions or stealing sensitive data.
Stored XSS in WordPress Tune Library plugin versions up to 1.6.3 allows authenticated users with Subscriber access to inject malicious scripts via CSV import due to inadequate input sanitization and output escaping. Attackers can execute arbitrary JavaScript in the context of any user viewing affected pages through the [tune-library] shortcode. No patch is currently available and exploitation requires valid WordPress credentials.
The OAuth Single Sign On - SSO (OAuth Client) plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 6.26.14. [CVSS 5.3 MEDIUM]
plugin versions up to 1.3.3 are affected by authorization bypass through user-controlled key (CVSS 4.3).
The Greenshift animation and page builder plugin for WordPress (up to version 12.6) fails to properly validate user capabilities on the greenshift_app_pass_validation() function, allowing authenticated subscribers and above to extract sensitive plugin configuration including stored AI API keys and inject malicious scripts through the custom_css setting. This combination of information disclosure and stored cross-site scripting (XSS) requires only valid WordPress user credentials to exploit, with a partial patch available in version 12.6.
Peter's Date Countdown plugin for WordPress through version 2.0.0 contains a reflected cross-site scripting vulnerability in the PHP_SELF parameter that allows unauthenticated attackers to inject malicious scripts. Exploitation requires social engineering to trick users into clicking a malicious link, but successful attacks can compromise user sessions and steal sensitive data. No patch is currently available.
All In One Image Viewer Block (WordPress plugin) is affected by server-side request forgery (ssrf) (CVSS 7.2).
Authenticated users can modify arbitrary user profile and cover images in WordPress ProfileGrid plugin versions up to 5.9.7.2 due to missing authorization checks in the image upload AJAX handlers. Attackers with Subscriber-level access can exploit this to deface administrator accounts and other users' profiles. No patch is currently available for this integrity vulnerability.
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.5. [CVSS 5.3 MEDIUM]
Stored cross-site scripting in Robin Image Optimizer plugin versions up to 2.0.2 allows authenticated WordPress users with Author-level or higher privileges to inject malicious scripts through the Media Library image Alternative Text field. The injected scripts execute in the browsers of any user viewing affected pages, potentially compromising site visitors. No patch is currently available.
The ProfileGrid - User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized user suspension due to a missing capability check on the pm_deactivate_user_from_group() function in all versions up to, and including, 5.9.7.2. [CVSS 4.3 MEDIUM]
Stored cross-site scripting in the Dynamic Widget Content plugin for WordPress (versions up to 1.3.6) allows authenticated users with Contributor privileges or higher to inject malicious scripts through the Gutenberg editor widget content field due to inadequate input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, potentially compromising account security and enabling credential theft or unauthorized actions.
Arbitrary file read in ShortPixel Image Optimizer plugin for WordPress through path traversal in the loadLogFile AJAX action allows authenticated users with Editor-level privileges or higher to access sensitive server files including database credentials. The vulnerability exists in versions up to 6.4.2 due to insufficient path validation on the loadFile parameter, and no patch is currently available.
Stored cross-site scripting in Essential Widgets for WordPress through version 3.0 allows authenticated contributors and above to inject malicious scripts into pages via insufficiently sanitized shortcode attributes. When other users visit affected pages, the injected scripts execute in their browsers, potentially compromising sessions or stealing sensitive data. A patch is not currently available for this vulnerability.
The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to generic SQL Injection via multiple REST API endpoints in all versions up to, and including, 2.2.0 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 8.2 HIGH]
The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via the shortcodes' 'template_name' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be...
SQL injection in the SIBS WooCommerce payment gateway plugin for WordPress (versions up to 2.2.0) allows authenticated administrators to extract sensitive database information through the unescaped 'referencedId' parameter. An attacker with administrator-level access can inject arbitrary SQL queries due to insufficient input sanitization and query preparation. No patch is currently available for this vulnerability.
The All push notification for WP plugin through version 1.5.3 contains a time-based SQL injection flaw in the 'delete_id' parameter that allows authenticated administrators to execute arbitrary SQL queries and extract sensitive database information. The vulnerability stems from insufficient input escaping and improper query preparation, requiring high-privilege access to exploit. No patch is currently available.
Stored XSS in WordPress WP Content Permission plugin through the 'ohmem-message' parameter allows authenticated administrators to inject malicious scripts that execute for all users viewing affected pages. The vulnerability exists in versions up to 1.2 due to inadequate input sanitization and output escaping. Exploitation requires administrator-level privileges and no patch is currently available.
Stored cross-site scripting in the Smart Appointment & Booking WordPress plugin through version 1.0.7 allows authenticated subscribers and higher-privileged users to inject malicious scripts into pages via the saab_save_form_data AJAX action due to inadequate input sanitization. Attackers can exploit this vulnerability to execute arbitrary JavaScript that persists and runs for any user viewing the compromised pages. No patch is currently available for this medium-severity flaw.
Extended Random Number Generator (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).
Unauthenticated attackers can manipulate WooCommerce order statuses through an authorization bypass in the Fortis for WooCommerce plugin (versions up to 1.2.0), allowing them to fraudulently mark orders as paid without receiving payment. The vulnerability stems from an inverted nonce validation check in the payment notification handler that fails to properly authenticate requests. This affects all WordPress sites running the vulnerable plugin and has no available patch.
Unauthenticated attackers can modify WordPress plugin settings in WebPurify Profanity Filter up to version 4.0.2 due to missing authorization checks on the options-saving function. This allows unauthorized configuration changes without requiring user authentication or interaction. No patch is currently available for this vulnerability.
Magic Import Document Extractor (WordPress plugin) versions up to 1.0.4 are affected by information exposure (CVSS 5.3).
The Magic Import Document Extractor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_sync_usage() function in all versions up to, and including, 1.0.4. [CVSS 5.3 MEDIUM]
The Code Explorer plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.6 via the 'file' parameter. [CVSS 4.9 MEDIUM]
Chapa Payment Gateway Plugin for WooCommerce (WordPress plugin) versions up to 1.0.3 are affected by information exposure (CVSS 5.3).
The SEO Flow by LupsOnline plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the checkBlogAuthentication() and checkCategoryAuthentication() functions in all versions up to, and including, 2.2.1. [CVSS 7.5 HIGH]
The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2.14.46. [CVSS 7.5 HIGH]
Loyalty Points and Rewards for WooCommerce versions up to 5.6.0 are affected by missing authorization (CVSS 6.5).
The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint (`wc_xendit_callback`) that processes payment callbacks without any authentication or cryptographic verification that the requests originate from Xendit's payment gateway. This makes it possible for unauthenticated attackers to mark any WooCommerce order as paid by...
WP FOFT Loader (WordPress plugin) is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Stored cross-site scripting in WordPress Menu Icons by ThemeIsle plugin (versions up to 0.13.20) allows authenticated users with Author-level permissions or higher to inject malicious scripts through the attachment image alt meta field due to improper input sanitization. The injected scripts execute in the browsers of visitors accessing the affected pages, enabling session hijacking, credential theft, or malware distribution.
The Passster WordPress plugin through version 4.2.25 contains an authorization bypass that allows authenticated users to access content protection mechanisms without proper permission validation. An attacker with low-privilege WordPress credentials can circumvent access controls to view protected content that should be restricted. No patch is currently available for this vulnerability.
WP Sync for Notion plugin through version 1.7.0 contains improper access control that allows authenticated users to modify data without proper authorization checks. An attacker with WordPress user privileges could exploit this vulnerability to alter synchronized content between WordPress and Notion. The vulnerability requires user interaction and network access but poses a medium risk to WordPress installations using affected versions.
WP Bannerize Pro versions up to 1.11.0 contain a missing authorization vulnerability that allows unauthenticated attackers to bypass access control restrictions and gain unauthorized information disclosure. The improperly configured security levels enable remote exploitation without user interaction, potentially exposing sensitive banner configuration data. WordPress site administrators using affected versions should update to a patched release when available.
WP Custom Admin Interface (wp-custom-admin-interface) by Northern Beaches Websites is affected by missing authorization (CVSS 4.3).
Hustle (wordpress-popup) by WPMU DEV - Your All-in-One WordPress Platform contains a security vulnerability (CVSS 5.3).
Advanced WooCommerce Product Sales Reporting (webd-woocommerce-advanced-reporting-statistics) by WPFactory contains a security vulnerability (CVSS 5.3).
Improper access control in WP Docs plugin version 2.2.8 and earlier for WordPress allows authenticated users to modify or delete content they should not have permission to access. An attacker with user-level credentials can exploit misconfigured security settings to alter website data or cause service disruption.
Simple Membership WP user Import (simple-membership-wp-user-import) by wp.insider is affected by cross-site request forgery (csrf) (CVSS 5.4).
WP Forms Signature Contract Add-On (wp-forms-signature-contract-add-on) by approveme is affected by missing authorization (CVSS 4.3).
Unauthorized information disclosure in WordPress Strong Testimonials plugin version 3.2.20 and earlier stems from improper access control validation, allowing authenticated users to access sensitive data they should not have permission to view. An attacker with low-privilege WordPress account credentials can exploit this vulnerability to read confidential information without requiring user interaction. Currently, no patch is available for this vulnerability.
Modula Image Gallery (modula-best-grid-gallery) by WP Chill is affected by missing authorization (CVSS 4.3).
OS DataHub Maps (WordPress plugin) is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Authenticated instructors in Tutor LMS plugin for WordPress versions up to 3.9.5 can modify or delete courses owned by other users due to missing authorization checks in bulk action functions. An attacker with instructor-level access can manipulate course IDs in bulk requests to compromise arbitrary courses without proper permission validation. No patch is currently available.
The Tutor LMS plugin for WordPress fails to enforce capability checks in its coupon details AJAX function, allowing authenticated subscribers to disclose sensitive coupon data including codes, discount amounts, and usage metrics through nonce validation bypass. This information exposure affects all versions up to 3.9.5 and requires only valid user authentication to exploit. No patch is currently available.
Unauthenticated attackers can forge requests to create or modify contact notes in WordPress Mail Mint plugin versions up to 1.19.2 by exploiting missing CSRF protections, requiring only that a site administrator clicks a malicious link. The lack of input validation on these operations enables stored XSS attacks that could compromise administrator accounts and site integrity. No patch is currently available.
Authenticated contributors and above can inject malicious scripts into WordPress pages through the Happy Addons for Elementor plugin (versions up to 3.20.7) via improper sanitization of the '_elementor_data' meta field, resulting in stored XSS that executes for all users viewing affected pages. An attacker with contributor-level permissions can leverage this to steal credentials, perform actions on behalf of administrators, or deface website content. No patch is currently available.
Unauthenticated attackers can upload malicious SVG files through the Form Maker by 10Web WordPress plugin (versions up to 1.15.35) due to insufficient file type validation, enabling stored cross-site scripting attacks against administrators and site visitors. The plugin's default allowlist includes SVG files and relies on weak substring-based extension checking, allowing JavaScript execution when the uploaded files are viewed. No patch is currently available.
Stored XSS in WordPress Form Maker plugin (versions up to 1.15.35) allows unauthenticated attackers to inject malicious scripts through hidden form field values that execute when administrators view the submissions list. The vulnerability stems from improper output escaping after HTML entity decoding of user-supplied input. Website administrators using this plugin are at risk of account compromise and unauthorized actions performed within their WordPress dashboard.
Stored XSS in LatePoint WordPress plugin versions up to 5.2.5 allows unauthenticated attackers to inject malicious scripts into customer profile fields that execute when administrators review activity history. The vulnerability stems from inadequate input sanitization and output escaping, potentially enabling credential theft or administrative account compromise. No patch is currently available.
Spectra Gutenberg Blocks plugin for WordPress fails to properly check password protection before displaying post excerpts, allowing unauthenticated attackers to read excerpts from password-protected posts through Post Grid, Post Masonry, Post Carousel, and Post Timeline blocks. The vulnerability affects all versions up to 2.19.17 and requires no authentication or user interaction to exploit. Currently, no patch is available.
Unlimited Elements for Elementor (WordPress plugin) versions up to 2.0.1 are affected by cross-site scripting (xss) (CVSS 5.4).
WP ULike (WordPress plugin) versions up to 4.8.3.1 are affected by authorization bypass through user-controlled key (CVSS 5.3).
Five Star Restaurant Reservations (WordPress plugin) versions up to 2.7.9 are affected by cross-site request forgery (csrf) (CVSS 4.3).
The Library Viewer WordPress plugin before 3.2.0 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. [CVSS 7.1 HIGH]
Improper password reset process in User Profile Builder WordPress plugin before 3.15.2 allows unauthenticated attackers to reset any user's password with minimal requests.
Stripe Green Downloads WordPress Plugin 2.03 contains a persistent cross-site scripting vulnerability allowing remote attackers to inject malicious scripts in button label fields. [CVSS 6.4 MEDIUM]
The Popup Box WordPress plugin through version 6.1.1 contains a Cross-Site Request Forgery vulnerability where the nonce validation mechanism accepts internally-generated tokens instead of user-submitted ones, allowing unauthenticated attackers to alter popup publish status through social engineering attacks targeting site administrators. An attacker can trick an admin into clicking a malicious link to toggle popups on or off without their knowledge or consent. No patch is currently available for this vulnerability.
Sell BTC - Cryptocurrency Selling Calculator (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).
Authenticated attackers with subscriber-level access or higher can exploit an insecure direct object reference in the SupportCandy plugin for WordPress (versions up to 3.4.4) to steal file attachments uploaded by other users by manipulating attachment IDs in ticket replies. This allows unauthorized users to reassociate others' files to their own tickets while removing the original owners' access. No patch is currently available.
Unauthenticated SQL injection in the SupportCandy WordPress plugin versions up to 3.4.4 allows subscribers and above to extract sensitive database information through inadequately sanitized custom field filters. An authenticated attacker can manipulate the equals operator parameter to inject malicious SQL queries and bypass existing protections, exposing confidential data stored in the WordPress database.
The Booking Calendar WordPress plugin through version 10.14.13 fails to validate user permissions in the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function, allowing unauthenticated attackers to retrieve sensitive booking data including customer names, phone numbers, and email addresses. This network-accessible vulnerability requires no user interaction and affects all installations of the affected plugin versions. No patch is currently available.
The Ajax Load More - Infinite Scroll, Load More, & Lazy Load plugin for WordPress is vulnerable to unauthorized access of data due to incorrect authorization on the parse_custom_args() function in all versions up to, and including, 7.8.1. [CVSS 5.3 MEDIUM]
The NEX-Forms - Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and including, 9.1.8. [CVSS 5.3 MEDIUM]
Custom Login Page Customizer (WordPress plugin) versions up to 2.5.4 are affected by improper privilege management (CVSS 8.1).
WP Adminify (WordPress plugin) versions up to 4.0.7.7 are affected by information exposure (CVSS 5.3).
Stop Spammers Classic (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
Snow Monkey Forms WordPress plugin has an arbitrary file deletion vulnerability through insufficient path validation, enabling attackers to delete critical WordPress files.
The Passster - Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'content_protector' shortcode in all versions up to, and including, 4.2.24. [CVSS 6.4 MEDIUM]
Stored XSS in WP Google Ad Manager Plugin up to version 1.1.0 allows administrators to inject malicious scripts into WordPress pages through insufficiently sanitized admin settings, affecting multi-site installations and configurations with disabled unfiltered_html. Authenticated attackers with administrator privileges can exploit this to execute arbitrary JavaScript that persists and runs for all users visiting affected pages. No patch is currently available.
The Change WP URL plugin for WordPress through version 1.0 lacks proper nonce validation, allowing unauthenticated attackers to modify the WordPress login URL through cross-site request forgery if they can socially engineer a site administrator into clicking a malicious link. This vulnerability affects all WordPress installations using the vulnerable plugin and enables attackers to redirect administrator access to attacker-controlled pages. No patch is currently available.
The Vzaar Media Management WordPress plugin through version 1.2 contains a reflected cross-site scripting vulnerability in the PHP_SELF variable that lacks proper input sanitization, allowing unauthenticated attackers to inject malicious scripts. An attacker can exploit this by crafting a malicious link and tricking users into clicking it, leading to arbitrary script execution in their browsers. No patch is currently available for this vulnerability.
Bitcoin Donate Button (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
Unauthenticated attackers can modify WordPress imwptip plugin settings through cross-site request forgery attacks by exploiting missing nonce validation in versions up to 1.1. An attacker can trick site administrators into clicking a malicious link to alter plugin configurations without authentication. No patch is currently available for this vulnerability.
The Frontend File Manager Plugin for WordPress through version 23.5 lacks proper authorization checks on a file sharing AJAX endpoint, allowing unauthenticated attackers to enumerate and exfiltrate sensitive uploaded files via sequential ID manipulation. By exploiting this flaw, an attacker can email arbitrary files to themselves or others, potentially exposing restricted administrative data. No patch is currently available for this high-severity vulnerability.
Simple User Registration (WordPress plugin) versions up to 6.7 are affected by improper access control (CVSS 8.8).
The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. [CVSS 5.3 MEDIUM]
The Recooty - Job Widget (Old Dashboard) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recooty_save_maybe() function. [CVSS 4.3 MEDIUM]
The Search Atlas SEO - Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the 'generate_sso_url' and 'validate_sso_token' functions in versions 2.4.4 to 2.5.12. [CVSS 8.8 HIGH]
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bt_bb_tabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_raw_content shortcode in all versions up to, and including, 5.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
Authenticated contributors and above can inject malicious scripts into WordPress pages through the Yoast SEO plugin (versions up to 26.8) by exploiting inadequate sanitization of the yoast-schema block attribute. When site visitors access affected pages, the injected scripts execute in their browsers, potentially compromising user data or session security. No patch is currently available for this stored cross-site scripting vulnerability.
The Code Snippets WordPress plugin through version 3.9.4 lacks nonce validation on cloud snippet operations, allowing unauthenticated attackers to conduct cross-site request forgery attacks against logged-in administrators. By tricking an admin into visiting a malicious page, attackers can force unauthorized downloads or updates of cloud snippets. No patch is currently available for this vulnerability.
WP Duplicate WordPress plugin has a missing authorization vulnerability leading to arbitrary file deletion that can destroy the WordPress installation.
Stored XSS in the Events Listing Widget plugin for WordPress (versions ≤1.3.4) allows authenticated users with Author privileges or higher to inject malicious scripts through the Event URL parameter due to inadequate input validation. An attacker exploiting this vulnerability can execute arbitrary JavaScript in pages viewed by other users. No patch is currently available for this medium-severity vulnerability.
The Employee Directory plugin for WordPress through version 1.2.1 contains a stored cross-site scripting vulnerability in the search_employee_directory shortcode due to inadequate input validation on the form_title parameter. Authenticated users with Contributor privileges or higher can inject malicious scripts that persist in pages and execute in browsers of any user viewing the affected content. No patch is currently available.
Stored XSS in WaveSurfer-WP plugin through improper sanitization of the audio shortcode 'src' attribute allows authenticated users with Contributor access or higher to inject malicious scripts into WordPress pages. When site visitors access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. No patch is currently available for versions up to 2.8.3.
Authenticated WordPress users with Contributor access or higher can inject persistent malicious scripts into pages through the Docus - YouTube Video Playlist plugin (versions up to 1.0.6) via improper handling of shortcode attributes. These injected scripts execute in the browsers of any visitor to the affected pages, potentially compromising user sessions and data. No patch is currently available for this stored XSS vulnerability.
Stored cross-site scripting in the Orange Confort+ accessibility toolbar WordPress plugin through version 0.7 allows authenticated contributors and higher-privileged users to inject malicious scripts via the ocplus_button shortcode's style parameter due to inadequate input sanitization. When other users visit pages containing the injected content, the arbitrary scripts execute in their browsers, potentially compromising sessions or stealing sensitive data.
Stored XSS in WordPress Tune Library plugin versions up to 1.6.3 allows authenticated users with Subscriber access to inject malicious scripts via CSV import due to inadequate input sanitization and output escaping. Attackers can execute arbitrary JavaScript in the context of any user viewing affected pages through the [tune-library] shortcode. No patch is currently available and exploitation requires valid WordPress credentials.
The OAuth Single Sign On - SSO (OAuth Client) plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 6.26.14. [CVSS 5.3 MEDIUM]
plugin versions up to 1.3.3 is affected by authorization bypass through user-controlled key (CVSS 4.3).
The Greenshift animation and page builder plugin for WordPress (up to version 12.6) fails to properly validate user capabilities on the greenshift_app_pass_validation() function, allowing authenticated subscribers and above to extract sensitive plugin configuration including stored AI API keys and inject malicious scripts through the custom_css setting. This combination of information disclosure and stored cross-site scripting (XSS) requires only valid WordPress user credentials to exploit, with a partial patch available in version 12.6.
Peter's Date Countdown plugin for WordPress through version 2.0.0 contains a reflected cross-site scripting vulnerability in the PHP_SELF parameter that allows unauthenticated attackers to inject malicious scripts. Exploitation requires social engineering to trick users into clicking a malicious link, but successful attacks can compromise user sessions and steal sensitive data. No patch is currently available.
All In One Image Viewer Block (WordPress plugin) is affected by server-side request forgery (SSRF) (CVSS 7.2).
Authenticated users can modify arbitrary user profile and cover images in WordPress ProfileGrid plugin versions up to 5.9.7.2 due to missing authorization checks in the image upload AJAX handlers. Attackers with Subscriber-level access can exploit this to deface administrator accounts and other users' profiles. No patch is currently available for this integrity vulnerability.
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.5. [CVSS 5.3 MEDIUM]
Stored cross-site scripting in Robin Image Optimizer plugin versions up to 2.0.2 allows authenticated WordPress users with Author-level or higher privileges to inject malicious scripts through the Media Library image Alternative Text field. The injected scripts execute in the browsers of any user viewing affected pages, potentially compromising site visitors. No patch is currently available.
The ProfileGrid - User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized user suspension due to a missing capability check on the pm_deactivate_user_from_group() function in all versions up to, and including, 5.9.7.2. [CVSS 4.3 MEDIUM]
Stored cross-site scripting in the Dynamic Widget Content plugin for WordPress (versions up to 1.3.6) allows authenticated users with Contributor privileges or higher to inject malicious scripts through the Gutenberg editor widget content field due to inadequate input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, potentially compromising account security and enabling credential theft or unauthorized actions.
Arbitrary file read in ShortPixel Image Optimizer plugin for WordPress through path traversal in the loadLogFile AJAX action allows authenticated users with Editor-level privileges or higher to access sensitive server files including database credentials. The vulnerability exists in versions up to 6.4.2 due to insufficient path validation on the loadFile parameter, and no patch is currently available.
Stored cross-site scripting in Essential Widgets for WordPress through version 3.0 allows authenticated contributors and above to inject malicious scripts into pages via insufficiently sanitized shortcode attributes. When other users visit affected pages, the injected scripts execute in their browsers, potentially compromising sessions or stealing sensitive data. A patch is not currently available for this vulnerability.
The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to generic SQL Injection via multiple REST API endpoints in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 8.2 HIGH]
The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via the shortcodes' 'template_name' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be...
SQL injection in the SIBS WooCommerce payment gateway plugin for WordPress (versions up to 2.2.0) allows authenticated administrators to extract sensitive database information through the unescaped 'referencedId' parameter. An attacker with administrator-level access can inject arbitrary SQL queries due to insufficient input sanitization and query preparation. No patch is currently available for this vulnerability.
The All push notification for WP plugin through version 1.5.3 contains a time-based SQL injection flaw in the 'delete_id' parameter that allows authenticated administrators to execute arbitrary SQL queries and extract sensitive database information. The vulnerability stems from insufficient input escaping and improper query preparation, requiring high-privilege access to exploit. No patch is currently available.
Stored XSS in WordPress WP Content Permission plugin through the 'ohmem-message' parameter allows authenticated administrators to inject malicious scripts that execute for all users viewing affected pages. The vulnerability exists in versions up to 1.2 due to inadequate input sanitization and output escaping. Exploitation requires administrator-level privileges and no patch is currently available.
Stored cross-site scripting in the Smart Appointment & Booking WordPress plugin through version 1.0.7 allows authenticated subscribers and higher-privileged users to inject malicious scripts into pages via the saab_save_form_data AJAX action due to inadequate input sanitization. Attackers can exploit this vulnerability to execute arbitrary JavaScript that persists and runs for any user viewing the compromised pages. No patch is currently available for this medium-severity flaw.
Extended Random Number Generator (WordPress plugin) is affected by cross-site scripting (XSS) (CVSS 4.4).
Unauthenticated attackers can manipulate WooCommerce order statuses through an authorization bypass in the Fortis for WooCommerce plugin (versions up to 1.2.0), allowing them to fraudulently mark orders as paid without receiving payment. The vulnerability stems from an inverted nonce validation check in the payment notification handler that fails to properly authenticate requests. This affects all WordPress sites running the vulnerable plugin and has no available patch.
Unauthenticated attackers can modify WordPress plugin settings in WebPurify Profanity Filter up to version 4.0.2 due to missing authorization checks on the options-saving function. This allows unauthorized configuration changes without requiring user authentication or interaction. No patch is currently available for this vulnerability.
Magic Import Document Extractor (WordPress plugin) versions up to 1.0.4 are affected by information exposure (CVSS 5.3).
The Magic Import Document Extractor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_sync_usage() function in all versions up to, and including, 1.0.4. [CVSS 5.3 MEDIUM]
The Code Explorer plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.6 via the 'file' parameter. [CVSS 4.9 MEDIUM]
Chapa Payment Gateway Plugin for WooCommerce (WordPress plugin) versions up to 1.0.3 are affected by information exposure (CVSS 5.3).
The SEO Flow by LupsOnline plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the checkBlogAuthentication() and checkCategoryAuthentication() functions in all versions up to, and including, 2.2.1. [CVSS 7.5 HIGH]
The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2.14.46. [CVSS 7.5 HIGH]
Loyalty Points and Rewards for WooCommerce versions up to 5.6.0 are affected by missing authorization (CVSS 6.5).
The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint (`wc_xendit_callback`) that processes payment callbacks without any authentication or cryptographic verification that the requests originate from Xendit's payment gateway. This makes it possible for unauthenticated attackers to mark any WooCommerce order as paid by...
WP FOFT Loader (WordPress plugin) is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Stored cross-site scripting in WordPress Menu Icons by ThemeIsle plugin (versions up to 0.13.20) allows authenticated users with Author-level permissions or higher to inject malicious scripts through the attachment image alt meta field due to improper input sanitization. The injected scripts execute in the browsers of visitors accessing the affected pages, enabling session hijacking, credential theft, or malware distribution.
The Passster WordPress plugin through version 4.2.25 contains an authorization bypass that allows authenticated users to access content protection mechanisms without proper permission validation. An attacker with low-privilege WordPress credentials can circumvent access controls to view protected content that should be restricted. No patch is currently available for this vulnerability.
WP Sync for Notion plugin through version 1.7.0 contains improper access control that allows authenticated users to modify data without proper authorization checks. An attacker with WordPress user privileges could exploit this vulnerability to alter synchronized content between WordPress and Notion. The vulnerability requires user interaction and network access but poses a medium risk to WordPress installations using affected versions.
WP Bannerize Pro versions up to 1.11.0 contain a missing authorization vulnerability that allows unauthenticated attackers to bypass access control restrictions and gain unauthorized information disclosure. The improperly configured security levels enable remote exploitation without user interaction, potentially exposing sensitive banner configuration data. WordPress site administrators using affected versions should update to a patched release when available.
WP Custom Admin Interface by Northern Beaches Websites (WordPress plugin slug wp-custom-admin-interface) is affected by missing authorization (CVSS 4.3).
Hustle by WPMU DEV - Your All-in-One WordPress Platform (WordPress plugin slug wordpress-popup) contains a security vulnerability (CVSS 5.3).
Advanced WooCommerce Product Sales Reporting by WPFactory (WordPress plugin slug webd-woocommerce-advanced-reporting-statistics) contains a security vulnerability (CVSS 5.3).
Improper access control in WP Docs plugin version 2.2.8 and earlier for WordPress allows authenticated users to modify or delete content they should not have permission to access. An attacker with user-level credentials can exploit misconfigured security settings to alter website data or cause service disruption.
Simple Membership WP user Import by wp.insider (WordPress plugin slug simple-membership-wp-user-import) is affected by cross-site request forgery (CSRF) (CVSS 5.4).
WP Forms Signature Contract Add-On by approveme (WordPress plugin slug wp-forms-signature-contract-add-on) is affected by missing authorization (CVSS 4.3).
Unauthorized information disclosure in WordPress Strong Testimonials plugin version 3.2.20 and earlier stems from improper access control validation, allowing authenticated users to access sensitive data they should not have permission to view. An attacker with low-privilege WordPress account credentials can exploit this vulnerability to read confidential information without requiring user interaction. Currently, no patch is available for this vulnerability.
Modula Image Gallery by WP Chill (WordPress plugin slug modula-best-grid-gallery) is affected by missing authorization (CVSS 4.3).
OS DataHub Maps (WordPress plugin) is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Authenticated instructors in Tutor LMS plugin for WordPress versions up to 3.9.5 can modify or delete courses owned by other users due to missing authorization checks in bulk action functions. An attacker with instructor-level access can manipulate course IDs in bulk requests to compromise arbitrary courses without proper permission validation. No patch is currently available.
The Tutor LMS plugin for WordPress fails to enforce capability checks in its coupon details AJAX function, allowing authenticated subscribers to disclose sensitive coupon data including codes, discount amounts, and usage metrics through nonce validation bypass. This information exposure affects all versions up to 3.9.5 and requires only valid user authentication to exploit. No patch is currently available.
Unauthenticated attackers can forge requests to create or modify contact notes in WordPress Mail Mint plugin versions up to 1.19.2 by exploiting missing CSRF protections, requiring only that a site administrator clicks a malicious link. The lack of input validation on these operations enables stored XSS attacks that could compromise administrator accounts and site integrity. No patch is currently available.
Authenticated contributors and above can inject malicious scripts into WordPress pages through the Happy Addons for Elementor plugin (versions up to 3.20.7) via improper sanitization of the '_elementor_data' meta field, resulting in stored XSS that executes for all users viewing affected pages. An attacker with contributor-level permissions can leverage this to steal credentials, perform actions on behalf of administrators, or deface website content. No patch is currently available.
Unauthenticated attackers can upload malicious SVG files through the Form Maker by 10Web WordPress plugin (versions up to 1.15.35) due to insufficient file type validation, enabling stored cross-site scripting attacks against administrators and site visitors. The plugin's default allowlist includes SVG files and relies on weak substring-based extension checking, allowing JavaScript execution when the uploaded files are viewed. No patch is currently available.
Stored XSS in WordPress Form Maker plugin (versions up to 1.15.35) allows unauthenticated attackers to inject malicious scripts through hidden form field values that execute when administrators view the submissions list. The vulnerability stems from improper output escaping after HTML entity decoding of user-supplied input. Website administrators using this plugin are at risk of account compromise and unauthorized actions performed within their WordPress dashboard.
Stored XSS in LatePoint WordPress plugin versions up to 5.2.5 allows unauthenticated attackers to inject malicious scripts into customer profile fields that execute when administrators review activity history. The vulnerability stems from inadequate input sanitization and output escaping, potentially enabling credential theft or administrative account compromise. No patch is currently available.
Spectra Gutenberg Blocks plugin for WordPress fails to properly check password protection before displaying post excerpts, allowing unauthenticated attackers to read excerpts from password-protected posts through Post Grid, Post Masonry, Post Carousel, and Post Timeline blocks. The vulnerability affects all versions up to 2.19.17 and requires no authentication or user interaction to exploit. Currently, no patch is available.
Unlimited Elements for Elementor (WordPress plugin) versions up to 2.0.1 are affected by cross-site scripting (XSS) (CVSS 5.4).
WP ULike (WordPress plugin) versions up to 4.8.3.1 are affected by authorization bypass through user-controlled key (CVSS 5.3).
Five Star Restaurant Reservations (WordPress plugin) versions up to 2.7.9 are affected by cross-site request forgery (CSRF) (CVSS 4.3).
The Library Viewer WordPress plugin before 3.2.0 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. [CVSS 7.1 HIGH]
Improper password reset process in User Profile Builder WordPress plugin before 3.15.2 allows unauthenticated attackers to reset any user's password with minimal requests.
Stripe Green Downloads WordPress Plugin 2.03 contains a persistent cross-site scripting vulnerability allowing remote attackers to inject malicious scripts in button label fields. [CVSS 6.4 MEDIUM]
The Popup Box WordPress plugin through version 6.1.1 contains a Cross-Site Request Forgery vulnerability where the nonce validation mechanism accepts internally-generated tokens instead of user-submitted ones, allowing unauthenticated attackers to alter popup publish status through social engineering attacks targeting site administrators. An attacker can trick an admin into clicking a malicious link to toggle popups on or off without their knowledge or consent. No patch is currently available for this vulnerability.
Sell BTC - Cryptocurrency Selling Calculator (WordPress plugin) is affected by cross-site scripting (XSS) (CVSS 7.2).
Authenticated attackers with subscriber-level access or higher can exploit an insecure direct object reference in the SupportCandy plugin for WordPress (versions up to 3.4.4) to steal file attachments uploaded by other users by manipulating attachment IDs in ticket replies. This allows unauthorized users to reassociate others' files to their own tickets while removing the original owners' access. No patch is currently available.
SQL injection in the SupportCandy WordPress plugin versions up to 3.4.4 allows authenticated subscribers and above to extract sensitive database information through inadequately sanitized custom field filters. An authenticated attacker can manipulate the equals operator parameter to inject malicious SQL queries and bypass existing protections, exposing confidential data stored in the WordPress database.
The Booking Calendar WordPress plugin through version 10.14.13 fails to validate user permissions in the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function, allowing unauthenticated attackers to retrieve sensitive booking data including customer names, phone numbers, and email addresses. This network-accessible vulnerability requires no user interaction and affects all installations of the affected plugin versions. No patch is currently available.
The Ajax Load More - Infinite Scroll, Load More, & Lazy Load plugin for WordPress is vulnerable to unauthorized access of data due to incorrect authorization on the parse_custom_args() function in all versions up to, and including, 7.8.1. [CVSS 5.3 MEDIUM]
The NEX-Forms - Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and including, 9.1.8. [CVSS 5.3 MEDIUM]
Custom Login Page Customizer (WordPress plugin) versions up to 2.5.4 are affected by improper privilege management (CVSS 8.1).
WP Adminify (WordPress plugin) versions up to 4.0.7.7 are affected by information exposure (CVSS 5.3).
Stop Spammers Classic (WordPress plugin) is affected by cross-site request forgery (CSRF) (CVSS 4.3).
Snow Monkey Forms WordPress plugin has an arbitrary file deletion vulnerability through insufficient path validation, enabling attackers to delete critical WordPress files.
The Passster - Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'content_protector' shortcode in all versions up to, and including, 4.2.24. [CVSS 6.4 MEDIUM]
Stored XSS in WP Google Ad Manager Plugin up to version 1.1.0 allows administrators to inject malicious scripts into WordPress pages through insufficiently sanitized admin settings, affecting multi-site installations and configurations with disabled unfiltered_html. Authenticated attackers with administrator privileges can exploit this to execute arbitrary JavaScript that persists and runs for all users visiting affected pages. No patch is currently available.
The Change WP URL plugin for WordPress through version 1.0 lacks proper nonce validation, allowing unauthenticated attackers to modify the WordPress login URL through cross-site request forgery if they can socially engineer a site administrator into clicking a malicious link. This vulnerability affects all WordPress installations using the vulnerable plugin and enables attackers to redirect administrator access to attacker-controlled pages. No patch is currently available.
The Vzaar Media Management WordPress plugin through version 1.2 contains a reflected cross-site scripting vulnerability in the PHP_SELF variable that lacks proper input sanitization, allowing unauthenticated attackers to inject malicious scripts. An attacker can exploit this by crafting a malicious link and tricking users into clicking it, leading to arbitrary script execution in their browsers. No patch is currently available for this vulnerability.
Bitcoin Donate Button (WordPress plugin) is affected by cross-site request forgery (CSRF) (CVSS 4.3).
Unauthenticated attackers can modify WordPress imwptip plugin settings through cross-site request forgery attacks by exploiting missing nonce validation in versions up to 1.1. An attacker can trick site administrators into clicking a malicious link to alter plugin configurations without authentication. No patch is currently available for this vulnerability.
The Frontend File Manager Plugin for WordPress through version 23.5 lacks proper authorization checks on a file sharing AJAX endpoint, allowing unauthenticated attackers to enumerate and exfiltrate sensitive uploaded files via sequential ID manipulation. By exploiting this flaw, an attacker can email arbitrary files to themselves or others, potentially exposing restricted administrative data. No patch is currently available for this high-severity vulnerability.
Simple User Registration (WordPress plugin) versions up to 6.7 are affected by improper access control (CVSS 8.8).
The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. [CVSS 5.3 MEDIUM]
The Recooty - Job Widget (Old Dashboard) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recooty_save_maybe() function. [CVSS 4.3 MEDIUM]
The Search Atlas SEO - Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the 'generate_sso_url' and 'validate_sso_token' functions in versions 2.4.4 to 2.5.12. [CVSS 8.8 HIGH]