WordPress
Monthly
The Recooty - Job Widget (Old Dashboard) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recooty_save_maybe() function. [CVSS 4.3 MEDIUM]
The Search Atlas SEO - Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the 'generate_sso_url' and 'validate_sso_token' functions in versions 2.4.4 to 2.5.12. [CVSS 8.8 HIGH]
The BlockArt Blocks - Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the BlockArt Counter in all versions up to, and including, 2.2.14 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The SEO Links Interlinking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'google_error' parameter in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]
Arbitrary file upload in AI Engine WordPress plugin versions up to 3.3.2 allows authenticated Editor-level users to bypass file type validation and execute remote code by uploading files through the `update_media_metadata` REST endpoint. An attacker can upload a benign image file and then rename it to PHP, placing executable code in the web-accessible uploads directory. The vulnerability affects WordPress installations with the plugin installed and requires Editor or higher privileges to exploit.
Order Minimum/Maximum Amount Limits for WooCommerce (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).
Stored XSS in Ivory Search WordPress plugin up to version 5.5.13 allows administrators to inject malicious scripts into admin settings due to inadequate input sanitization, affecting multi-site installations and those with unfiltered_html disabled. Attackers with admin privileges can execute arbitrary JavaScript that persists and runs for all users accessing affected pages. A patch is not currently available.
Unauthenticated attackers can exploit time-based SQL injection in the VidShop plugin for WordPress (versions up to 1.1.4) through the unescaped 'fields' parameter to extract sensitive database information. The vulnerability stems from insufficient input validation and improper query preparation, allowing attackers to inject malicious SQL commands without authentication. No patch is currently available for this high-severity flaw affecting WooCommerce installations.
Authenticated attackers with Author-level permissions can read, modify, and delete document library entries belonging to other users in the Document Embedder plugin for WordPress through improper access control checks in multiple AJAX handlers. The vulnerability affects all versions up to 2.0.4 and requires no additional user interaction, allowing privilege escalation within the plugin's document management system. No patch is currently available.
RegistrationMagic (WordPress plugin) versions up to 6.0.7.4 is affected by missing authorization (CVSS 5.3).
Unauthenticated attackers can delete arbitrary calendar entries in the Simple Calendar for Elementor WordPress plugin through version 1.6.6 due to missing authorization checks on an AJAX function that accepts both authenticated and unauthenticated requests. An attacker only needs a valid nonce and the target calendar entry ID to perform the deletion. No patch is currently available for this vulnerability.
The Buy Now Plus plugin for WordPress versions up to 1.0.2 allows authenticated users with Contributor access or higher to execute arbitrary JavaScript in pages through improper sanitization of the 'buynowplus' shortcode attributes. This stored cross-site scripting vulnerability enables attackers to inject malicious scripts that execute whenever visitors view affected pages. No patch is currently available for this vulnerability.
Stored cross-site scripting in Forms Bridge - Infinite integrations plugin for WordPress versions up to 4.2.5 allows authenticated contributors and higher-privilege users to inject malicious scripts through the 'id' shortcode parameter. The vulnerability stems from insufficient input sanitization and output escaping, enabling attackers to execute arbitrary JavaScript in pages viewed by other users. No patch is currently available for this vulnerability.
New User Approve (WordPress plugin) versions up to 3.2.2 is affected by missing authorization (CVSS 7.3).
Unauthenticated attackers can bypass authorization checks in the "Database for Contact Form 7, WPforms, Elementor forms" plugin for WordPress through version 1.4.5 to download CSV exports of all form submissions containing sensitive personally identifiable information. The vulnerability exists because the CSV export endpoint lacks proper capability verification and exports complete datasets regardless of user permissions, while the export key it relies on is exposed in publicly accessible page source. This allows attackers to retrieve sensitive data without authentication or proper authorization.
The WPBITS Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widget parameters in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping when dynamic content is enabled. [CVSS 6.4 MEDIUM]
The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_simple_folio_item_client_name' and '_simple_folio_item_link' meta fields in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Interactions - Create Interactive Experiences in the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event selectors in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Easy Replace Image plugin for WordPress up to version 3.5.2 lacks proper authorization checks on its AJAX image replacement function, allowing authenticated users with Contributor-level privileges to replace arbitrary image attachments with external URLs. This enables attackers to deface sites, conduct phishing attacks, or manipulate content without administrative oversight. No patch is currently available for this medium-severity vulnerability.
The Appointment Hour Booking plugin for WordPress through version 1.5.60 allows administrators to inject persistent JavaScript into the form builder interface through inadequately sanitized field configuration parameters. Exploitation requires high-level authenticated access and affects only multisite installations or those with unfiltered_html disabled. Injected scripts execute in the context of other users accessing the form builder, enabling credential theft or unauthorized actions.
The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘placeholder_img’ parameter in all versions up to, and including, 3.8.8 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
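Most of the stored-XSS entries on this page (the Buy Now Plus, Forms Bridge, Simple Folio, WPBITS and Target Video entries among them) share the same root cause: a shortcode or widget attribute is dropped into markup without escaping for its context. The following is an added example written for this page, not any of those plugins' code; the attribute names (`link`, `fx`, `before`) and payloads are constructed. It also shows the caveat the link-type fields (such as `_simple_folio_item_link`) raise: HTML escaping alone does not neutralise a `javascript:` URL, so the scheme must be allowlisted as well.

```python
"""Shortcode-attribute rendering: the unescaped form beside a context-aware one.
Added example; attribute names and payloads are constructed, not any plugin's code."""
import html
from urllib.parse import urlsplit

SAFE_URL_SCHEMES = {"http", "https", "mailto"}   # assumption: what this shortcode needs


def render_vulnerable(atts: dict) -> str:
    """Attribute values written straight into markup, the pattern in the entries above."""
    link, fx, before = atts.get("link", ""), atts.get("fx", ""), atts.get("before", "")
    return f'<a href="{link}" class="{fx}">{before}</a>'


def safe_url(value: str) -> str:
    """Allowlist the scheme. Control characters are removed first because browsers
    ignore them inside a scheme, so 'java\\tscript:' would otherwise slip past."""
    value = "".join(ch for ch in (value or "") if ord(ch) > 0x1F).strip()
    if not value:
        return ""
    scheme = urlsplit(value).scheme.lower()
    if scheme and scheme not in SAFE_URL_SCHEMES:
        return ""                                  # javascript:, data:, vbscript: ...
    return value


def render_fixed(atts: dict) -> str:
    """Escape for the context each value lands in: URL attribute, plain attribute, text."""
    link = html.escape(safe_url(atts.get("link", "")), quote=True)
    fx = html.escape(atts.get("fx", ""), quote=True)     # quote=True closes the '" onmouseover' trick
    before = html.escape(atts.get("before", ""))         # text node: angle brackets are enough
    return f'<a href="{link}" class="{fx}">{before}</a>'


if __name__ == "__main__":
    payload = {
        "link": "javascript:alert(1)",
        "fx": '" onmouseover="alert(1)',
        "before": "<img src=x onerror=alert(1)>",
    }
    print(render_vulnerable(payload))
    print(render_fixed(payload))
```

Escaping at output time, per context, is the part these entries describe as missing; sanitising on save is a useful second layer but does not replace it, because the same stored value may later be rendered into a different context.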
The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.6. This is due to the plugin not restricting which URLs can be fetched when importing CSV data from a URL in the Data Table widget. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations, including localhost and internal network services, and read sensitive files such as wp-config....
The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable User Registration when it has been turned off) [CVSS 5.3 MEDIUM]
The AI Engine plugin for WordPress versions up to 3.3.2 contains a server-side request forgery vulnerability in the 'get_audio' function that allows authenticated subscribers and higher-privileged users to make arbitrary web requests from the server. When the Public API setting is enabled and allow_url_fopen is active, attackers can query and modify data on internal services accessible to the web application. No patch is currently available for this vulnerability.
Link Invoice Payment for WooCommerce (WordPress plugin) versions up to 2.8.0 is affected by missing authorization (CVSS 5.3).
The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks. [CVSS 6.8 MEDIUM]
The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin [CVSS 7.1 HIGH]
All-in-One Dynamic Content Framework versions up to 1.1.27 is affected by information exposure (CVSS 4.3).
WP Go Maps plugin for WordPress through version 10.0.04 lacks proper capability validation in the processBackgroundAction() function, allowing authenticated Subscriber-level users to modify global map engine settings. This insufficient access control enables low-privileged attackers to alter critical plugin configurations without proper authorization. No patch is currently available for this vulnerability.
Save as PDF Plugin by PDFCrowd (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.1).
Arbitrary file uploads in the Hustle WordPress plugin (versions up to 7.8.9.2) allow authenticated low-privileged users with granted module permissions to bypass file type validation and upload malicious files, potentially enabling remote code execution. An attacker with Subscriber-level access or higher can exploit improper validation in the action_import_module() function if an administrator grants them Hustle module editing capabilities. No patch is currently available, leaving affected WordPress installations vulnerable until an update is released.
WP Directory Kit (WordPress plugin) versions up to 1.4.9 is affected by information exposure (CVSS 5.3).
Stored XSS in Meta-box GalleryMeta plugin through WordPress admin settings allows authenticated editors and higher-privileged users to inject malicious scripts that execute for site visitors, affecting only multisite installations or those with unfiltered_html disabled. The vulnerability stems from inadequate input sanitization and output escaping in plugin versions up to 3.0.1, with no patch currently available.
Stored XSS in the WordPress Responsive Header plugin through version 1.0 allows authenticated administrators to inject malicious scripts into plugin settings that execute for all users viewing affected pages. This impacts multi-site WordPress installations or those with unfiltered_html disabled, requiring high privilege access and manual user interaction to trigger exploitation. No patch is currently available.
Stored XSS in WordPress Postalicious plugin through version 3.0.1 allows authenticated administrators to inject malicious scripts into admin settings that execute for all users viewing affected pages. The vulnerability requires high privileges and only impacts multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.
Friendly Functions for Welcart (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
Stored cross-site scripting in the JavaScript Notifier WordPress plugin through version 1.2.8 allows administrators to inject malicious scripts into website pages due to improper input sanitization in plugin settings. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. This requires administrator-level access to exploit but affects all website visitors who view the compromised pages.
Stored XSS in WordPress LeadBI Plugin versions through 1.7 allows authenticated contributors and above to inject malicious scripts through the 'form_id' shortcode parameter due to missing input sanitization, enabling attackers to execute arbitrary code in pages viewed by other users. The vulnerability requires user authentication and currently lacks a vendor patch.
Reflected XSS in WordPress Timeline Event History plugin (versions up to 3.2) allows unauthenticated attackers to inject arbitrary JavaScript through the unvalidated `id` parameter. An attacker can craft a malicious link to execute scripts in a victim's browser if they click it, potentially leading to session hijacking or credential theft. No patch is currently available.
Stored cross-site scripting in CM CSS Columns plugin for WordPress through version 1.2.1 allows authenticated contributors and higher-privileged users to inject malicious scripts via improperly sanitized shortcode attributes. When other users view pages containing the injected content, the malicious scripts execute in their browsers, potentially compromising their accounts or stealing sensitive information. No patch is currently available.
Stored cross-site scripting in the User Submitted Posts WordPress plugin through version 20251210 allows unauthenticated attackers to inject malicious scripts via custom fields due to inadequate input sanitization. The injected scripts execute in the browsers of any user viewing affected pages, potentially compromising user sessions and data. No patch is currently available.
The Meta Box GalleryMeta WordPress plugin through version 3.0.1 fails to enforce proper capability checks on the 'mb_gallery' custom post type, allowing authenticated users with Author-level or higher privileges to create and publish galleries without authorization. This insufficient access control could enable low-privileged attackers to modify gallery content and bypass intended editorial workflows.
The MetForm - Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.1.0. This is due to the use of a forgeable cookie value derived only from the entry ID and current user ID without a server-side secret. This makes it possible for unauthenticated attackers to access form submission entry data via MetForm shortcodes for entries created within the transient TTL (default is 15 minu...
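The MetForm entry above describes a token derived only from the entry ID and the current user ID. The following is an added example written for this page, not MetForm's code, with a constructed secret and constructed entry data; it shows why such a value is forgeable and what a keyed, expiring construction looks like. The attacker-side function assumes what the entry states: the visitor is unauthenticated, which in WordPress means user ID 0, and entry IDs are guessable.

```python
"""Entry-access token: the forgeable construction beside an HMAC one with expiry.
Added example; secret, TTL and entry data are constructed."""
import hashlib
import hmac

SERVER_SECRET = b"constructed-per-site-secret"   # assumption: in WordPress this would come from wp_salt()
TOKEN_TTL = 15 * 60                              # mirrors the 15-minute transient in the entry above


def weak_token(entry_id: int, user_id: int) -> str:
    """Derived only from public inputs: anyone can recompute it."""
    return hashlib.md5(f"{entry_id}-{user_id}".encode()).hexdigest()


def forge_weak_token(entry_id: int) -> str:
    """Attacker's view: unauthenticated visitors are user 0 and entry IDs are sequential."""
    return weak_token(entry_id, 0)


def issue_token(entry_id: int, user_id: int, now: int) -> str:
    """Bind entry, user and expiry under a server-side secret."""
    expires = int(now) + TOKEN_TTL
    payload = f"{entry_id}:{user_id}:{expires}"
    mac = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def check_token(token: str, entry_id: int, user_id: int, now: int) -> bool:
    """Verify the MAC before trusting any field, then check binding and expiry."""
    try:
        e, u, exp, mac = token.split(":")
        e, u, exp = int(e), int(u), int(exp)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(SERVER_SECRET, f"{e}:{u}:{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False
    return e == entry_id and u == user_id and int(now) <= exp


if __name__ == "__main__":
    now = 1_700_000_000
    print("forged weak token matches:", forge_weak_token(42) == weak_token(42, 0))   # True
    t = issue_token(42, 0, now)
    print("issued token valid:", check_token(t, 42, 0, now))                         # True
    print("after TTL:", check_token(t, 42, 0, now + TOKEN_TTL + 1))                 # False
```

Note that binding the token to the user ID does nothing for anonymous submitters, since submitter and attacker are both user 0; the secret is what keeps the attacker from minting a token for someone else's entry, and the cookie carrying it should still be HttpOnly and SameSite so a script on another origin cannot read or replay it.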
The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. [CVSS 4.3 MEDIUM]
Moderate Selected Posts (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
The AdminQuickbar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.3. This is due to missing or incorrect nonce validation on the 'saveSettings' and 'renamePost' AJAX actions. [CVSS 4.3 MEDIUM]
The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. [CVSS 4.3 MEDIUM]
The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. [CVSS 4.3 MEDIUM]
The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. [CVSS 4.3 MEDIUM]
The Administrative Shortcodes plugin for WordPress through version 0.3.4 allows authenticated contributors and above to execute arbitrary PHP code via insufficient path validation in the get_template shortcode's slug parameter. An attacker with contributor-level permissions can exploit this local file inclusion vulnerability to include malicious files, bypass access controls, and achieve remote code execution on the affected server. A patch is not currently available for this vulnerability.
AIKTP plugin for WordPress versions up to 5.0.04 allows authenticated subscribers to retrieve administrator access tokens through an insufficiently protected REST API endpoint, enabling attackers to create posts, upload files, and access private content with admin privileges. The vulnerability stems from missing authorization checks that only verify user login status rather than administrative capabilities. No patch is currently available.
Stored cross-site scripting in WordPress Administrative Shortcodes plugin through version 0.3.4 allows authenticated contributors and higher-privileged users to inject malicious scripts into pages via insufficiently sanitized shortcode attributes, executing arbitrary code when other users visit affected pages. The vulnerability requires user interaction and authenticated access but can impact site visitors through persistent payload injection. No patch is currently available.
Stored XSS in the ThemeRuby Multi Authors WordPress plugin through version 1.0.0 allows authenticated contributors and above to inject malicious scripts via unescaped shortcode attributes that execute in other users' browsers. The vulnerability stems from insufficient input sanitization on the 'before' and 'after' parameters, enabling attackers to compromise page content viewed by site visitors. No patch is currently available for this medium-severity vulnerability.
Stored XSS in the Canto Testimonials WordPress plugin through the 'fx' shortcode attribute allows authenticated users with Contributor access or higher to inject malicious scripts that persist in pages and execute for all visitors. The vulnerability stems from inadequate input sanitization and output escaping in versions up to 1.0, requiring an authenticated attacker but no user interaction. No patch is currently available.
WordPress Login Page Editor plugin through version 1.2 lacks CSRF protections on its AJAX settings handler, allowing attackers to modify login page configuration by tricking administrators into visiting malicious links. An unauthenticated attacker can exploit this to alter plugin settings without direct authorization, potentially affecting site security or functionality. No patch is currently available.
Cookie consent for developers (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).
Set Bulk Post Categories (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
The Star Review Manager WordPress plugin through version 1.2.2 lacks CSRF protections on its settings page, allowing unauthenticated attackers to modify CSS settings by tricking administrators into clicking a malicious link. Site administrators are at risk of unwanted plugin configuration changes that could alter site appearance or functionality. No patch is currently available for this vulnerability.
The ZT Captcha plugin for WordPress through version 1.0.4 contains a cross-site request forgery vulnerability due to insufficient nonce validation that can be bypassed with an empty token. An unauthenticated attacker can exploit this to modify plugin settings by tricking an administrator into clicking a malicious link. No patch is currently available.
The Alex User Counter WordPress plugin through version 6.0 contains a cross-site request forgery vulnerability in its settings function due to missing nonce validation, allowing unauthenticated attackers to modify plugin configuration if they can socially engineer site administrators into clicking a malicious link. The vulnerability has a low barrier to exploitation since it requires only network access and user interaction, though it cannot directly compromise confidentiality or availability. No patch is currently available for this issue.
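The CSRF entries on this page (Recooty, AdminQuickbar, SurveyJS, Login Page Editor, Star Review Manager, ZT Captcha and Alex User Counter) are all the same defect: a settings or AJAX action that a logged-in administrator's browser can be made to submit from another site because the handler never proves the request came from the plugin's own form. The following is an added example written for this page, not any of those plugins' code: a Python model of WordPress's tick-based nonce (the construction of `wp_create_nonce()` / `wp_verify_nonce()`, with a constructed salt standing in for the site's secret) and three versions of a settings handler, including the ZT Captcha pattern where a nonce is checked only if one is present.

```python
"""WordPress-style nonce check, modelled on wp_create_nonce()/wp_verify_nonce().
Added example: the salt, user, session token and requests below are constructed."""
import hashlib
import hmac

NONCE_SALT = b"constructed-salt-stands-in-for-NONCE_KEY"   # assumption: per-site secret
NONCE_LIFE = 86400                                          # WordPress default: two 12h ticks
SETTINGS = {"css": ""}                                      # stand-in for the plugin's option row


def nonce_tick(now: int) -> int:
    """WordPress: wp_nonce_tick() = ceil(time() / (NONCE_LIFE / 2))."""
    return -(-int(now) // (NONCE_LIFE // 2))


def _nonce_for_tick(tick: int, action: str, user_id: int, session_token: str) -> str:
    msg = f"{tick}|{action}|{user_id}|{session_token}".encode()
    return hmac.new(NONCE_SALT, msg, hashlib.md5).hexdigest()[-12:-2]   # WP keeps 10 chars


def create_nonce(action: str, user_id: int, session_token: str, now: int) -> str:
    return _nonce_for_tick(nonce_tick(now), action, user_id, session_token)


def verify_nonce(nonce, action: str, user_id: int, session_token: str, now: int) -> int:
    """1 = made this tick, 2 = previous tick, 0 = invalid (same contract as wp_verify_nonce)."""
    nonce = str(nonce or "")
    if not nonce:
        return 0
    tick = nonce_tick(now)
    if hmac.compare_digest(_nonce_for_tick(tick, action, user_id, session_token), nonce):
        return 1
    if hmac.compare_digest(_nonce_for_tick(tick - 1, action, user_id, session_token), nonce):
        return 2
    return 0


def save_settings_vulnerable(request: dict, user: dict, now: int) -> bool:
    """Missing nonce validation: a capability check alone cannot tell a cross-site form
    post apart from the admin's own form, since the browser attaches the cookies either way."""
    if not user["can_manage_options"]:
        return False
    SETTINGS["css"] = request.get("css", "")
    return True


def save_settings_bypassable(request: dict, user: dict, now: int) -> bool:
    """Nonce checked only when present: the attacker's form simply omits the field."""
    nonce = request.get("_wpnonce", "")
    if nonce and not verify_nonce(nonce, "save_settings", user["id"], user["session"], now):
        return False
    if not user["can_manage_options"]:
        return False
    SETTINGS["css"] = request.get("css", "")
    return True


def save_settings_fixed(request: dict, user: dict, now: int) -> bool:
    """Always verify the nonce (as check_ajax_referer() does), then the capability."""
    if not verify_nonce(request.get("_wpnonce", ""), "save_settings", user["id"], user["session"], now):
        return False
    if not user["can_manage_options"]:
        return False
    SETTINGS["css"] = request.get("css", "")
    return True


if __name__ == "__main__":
    admin = {"id": 1, "session": "constructed-session-token", "can_manage_options": True}
    now = 1_700_000_000
    forged = {"css": "body{display:none}"}            # what a cross-site form posts: no nonce
    print("vulnerable:", save_settings_vulnerable(forged, admin, now))   # True
    print("bypassable:", save_settings_bypassable(forged, admin, now))   # True
    print("fixed:", save_settings_fixed(forged, admin, now))             # False
    good = dict(forged, _wpnonce=create_nonce("save_settings", 1, admin["session"], now))
    print("fixed with nonce:", save_settings_fixed(good, admin, now))    # True
```

The nonce is bound to the action, the user and the user's session token and is only valid for the current and previous tick, which is why a value scraped from one admin page cannot be replayed against another action or another account. The fix still needs both checks: the nonce proves intent, the capability check proves authority.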
Unauthenticated attackers can exploit a Server-Side Request Forgery vulnerability in the WordPress Frontis Blocks plugin (versions up to 1.1.6) through unvalidated URL parameters in the template proxy endpoints to perform arbitrary web requests from the affected server. This allows an attacker to scan internal networks, access local services, or exfiltrate sensitive data without authentication. No patch is currently available.
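The three SSRF entries on this page (TableMaster's CSV import, AI Engine's `get_audio` and the Frontis Blocks template proxy) describe the same missing step: the server fetches a user-supplied URL without checking where it leads. The following is an added example written for this page, not any of those plugins' code. It resolves the host and rejects any address that is loopback, private, link-local or otherwise non-public; the resolver table and host names are constructed so it runs offline, and in a real handler `resolve` would wrap `socket.getaddrinfo`.

```python
"""Destination check for server-side fetches, modelled on the SSRF entries on this page.
Added example; the resolver table and host names are constructed so it runs offline."""
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS view: each name maps to every address a resolver could return for it.
CONSTRUCTED_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "intranet.local": ["10.0.0.5"],
    "rebind.attacker.test": ["93.184.216.34", "127.0.0.1"],   # mixed records
}


def constructed_resolve(host: str):
    return CONSTRUCTED_DNS[host]            # KeyError models NXDOMAIN


def is_public_address(addr: str) -> bool:
    """True only for addresses that are routable on the public internet."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                  # ::ffff:127.0.0.1 is still loopback
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url: str, resolve=constructed_resolve):
    """Return (allowed, reason). `resolve(host)` must return every address the host maps to."""
    try:
        parts = urlsplit(url)
        port = parts.port                    # raises ValueError on a non-numeric port
    except ValueError:
        return False, "malformed url"
    if parts.scheme.lower() not in ("http", "https"):
        return False, "scheme not allowed"   # file:, gopher:, ftp: ...
    host = parts.hostname
    if not host:
        return False, "no host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    if port not in (None, 80, 443):
        return False, "port not allowed"     # keeps the fetcher off internal admin ports
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP: nothing to resolve
    except ValueError:
        try:
            addrs = list(resolve(host))
        except Exception:
            return False, "unresolvable host"
    if not addrs:
        return False, "unresolvable host"
    for a in addrs:                          # every record must be public, not just the first
        if not is_public_address(a):
            return False, f"resolves to non-public address {a}"
    return True, ",".join(addrs)


if __name__ == "__main__":
    for u in ("https://example.com/data.csv", "http://localhost/wp-config.php",
              "http://169.254.169.254/latest/meta-data/", "http://[::ffff:127.0.0.1]/",
              "http://rebind.attacker.test/", "file:///etc/passwd"):
        print(u, "->", validate_fetch_url(u))
```

Two points a practitioner will want beyond the check itself: connect to the address you validated rather than re-resolving the name (that is the rebinding window), and apply the same check to every redirect hop or disable redirects, since a public host can 302 to `http://127.0.0.1/`. Matching the hostname with a regex instead of resolving it is what lets `0x7f000001`, `127.1` and similar spellings through.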
SQL injection in the WP-ClanWars WordPress plugin through version 2.0.1 allows authenticated administrators to execute arbitrary SQL queries via an unescaped 'orderby' parameter, enabling extraction of sensitive database information. The vulnerability requires high-level administrative privileges and does not allow data modification or system availability impacts. No patch is currently available for this issue.
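The WP-ClanWars `orderby` entry above, and the VidShop `fields` and Recipe Card Blocks entries earlier on this page, inject through identifier positions (column lists and ORDER BY), where a prepared-statement placeholder is not an option because databases only bind values, not names. The following is an added example written for this page, not any of those plugins' code, run on an in-memory SQLite table with constructed rows. SQLite has no SLEEP(), so instead of the time-based probe VidShop describes it extracts a value directly through a subquery; the root cause is the same unquoted identifier.

```python
"""Identifier injection through fields / orderby, the common wrong fix, and the allowlist fix.
Added example on an in-memory SQLite table with constructed rows; not the plugins' code."""
import sqlite3

ALLOWED_COLUMNS = ("id", "title", "price")   # the only identifiers the endpoint may name


def seed_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, title TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO products VALUES (1, 'Widget', 9.99), (2, 'Gadget', 19.99);
        INSERT INTO users VALUES (1, 'admin', '$P$constructed-hash');
    """)
    return con


def list_products_vulnerable(con, fields: str, orderby: str):
    """Request parameters concatenated into the identifier positions of the query."""
    return con.execute(f"SELECT {fields} FROM products ORDER BY {orderby}").fetchall()


def list_products_placeholder(con, orderby: str):
    """Common wrong fix: a bound parameter in ORDER BY is a string constant, so every
    row sorts equal and the requested column is silently ignored. No error, no ordering."""
    return con.execute("SELECT id FROM products ORDER BY ?", (orderby,)).fetchall()


def list_products_fixed(con, fields: str, orderby: str, direction: str = "ASC", max_price=None):
    """Identifiers are allowlisted and quoted; values go through placeholders."""
    cols = [c.strip() for c in fields.split(",")]
    if any(c not in ALLOWED_COLUMNS for c in cols):
        raise ValueError("unknown column in fields")
    if orderby not in ALLOWED_COLUMNS:
        raise ValueError("unknown orderby column")
    direction = direction.upper()
    if direction not in ("ASC", "DESC"):
        raise ValueError("bad sort direction")
    sql = "SELECT " + ", ".join(f'"{c}"' for c in cols) + " FROM products"
    params = []
    if max_price is not None:
        sql += " WHERE price <= ?"           # a value: bind it
        params.append(float(max_price))
    sql += f' ORDER BY "{orderby}" {direction}'
    return con.execute(sql, params).fetchall()


if __name__ == "__main__":
    con = seed_db()
    payload = "id, (SELECT user_pass FROM users WHERE id = 1) AS leak"
    print("vulnerable:", list_products_vulnerable(con, payload, "id"))   # leaks the hash
    print("placeholder:", list_products_placeholder(con, "title"))      # not sorted by title
    print("fixed:", list_products_fixed(con, "id,title", "title"))        # [(2, 'Gadget'), (1, 'Widget')]
    try:
        list_products_fixed(con, payload, "id")
    except ValueError as e:
        print("fixed rejects:", e)
```

In WordPress terms this is the difference between `$wpdb->prepare()` (values) and an explicit `in_array()` check against a fixed list of column names (identifiers); the entries above are cases where the second was missing.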
The Alpha Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘alpha_block_css’ parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The GZSEO plugin for WordPress is vulnerable to authorization bypass leading to Stored Cross-Site Scripting in all versions up to, and including, 2.0.11. [CVSS 6.4 MEDIUM]
WP Youtube Video Gallery (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
Simple Crypto Shortcodes (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
Wizit Gateway for WooCommerce (WordPress plugin) versions up to 1.2.9 is affected by missing authorization (CVSS 5.3).
The Same Category Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget title placeholder functionality in all versions up to, and including, 1.1.19. [CVSS 5.4 MEDIUM]
The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. [CVSS 5.3 MEDIUM]
Wise Analytics (WordPress plugin) versions up to 1.1.9 is affected by missing authorization (CVSS 5.3).
The JustClick registration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on the `PHP_SELF` server variable. [CVSS 6.1 MEDIUM]
The Kalrav AI Agent plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the kalrav_upload_file AJAX action.
VK Google Job Posting Manager (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` functions in all versions up to, and including, 4.6.4. [CVSS 6.5 MEDIUM]
The Trusona WordPress plugin version 2.0.0 and earlier contains an authorization bypass that allows authenticated attackers to exploit misconfigured access controls and gain unauthorized information disclosure. An attacker with valid WordPress credentials could leverage this vulnerability to access sensitive data they should not have permission to view. No patch is currently available for this vulnerability.
File Uploads Addon for WooCommerce (woo-addon-uploads, by Imaginate Solutions; WordPress plugin) is affected by missing authorization (CVSS 5.3).
The Bayarcash WooCommerce plugin for WordPress (versions up to 4.3.11) contains an authorization bypass that allows unauthenticated attackers to exploit misconfigured access controls and gain unauthorized information disclosure. An attacker can leverage this missing authorization check over the network without authentication to access sensitive data. This vulnerability affects WordPress installations using the vulnerable plugin versions and has a CVSS score of 5.3.
Related Posts Thumbnails Plugin for WordPress (related-posts-thumbnails, by marynixie) is affected by cross-site request forgery (csrf) (CVSS 4.7).
AWP Classifieds (another-wordpress-classifieds-plugin, by Strategy11 Team; WordPress plugin) contains a security vulnerability (CVSS 5.3).
Hyyan WooCommerce Polylang Integration (woo-poly-integration, by Hyyan Abo Fakher; WordPress plugin) is affected by missing authorization (CVSS 6.5).
SumUp Payment Gateway For WooCommerce (sumup-payment-gateway-for-woocommerce, by sumup; WordPress plugin) is affected by missing authorization (CVSS 5.3).
Points and Rewards for WooCommerce (points-and-rewards-for-woocommerce, by WP Swings; WordPress plugin) is affected by missing authorization (CVSS 5.4).
Ai Image Alt Text Generator for WP (ai-image-alt-text-generator-for-wp, by WP Messiah; WordPress plugin) is affected by missing authorization (CVSS 4.3).
The Ryviu product reviews plugin for WordPress versions 3.1.26 and earlier contains an authorization bypass vulnerability that allows unauthenticated attackers to modify data due to improperly configured access controls. This could enable attackers to manipulate product reviews or other protected functionality without proper authentication. No patch is currently available for this vulnerability.
Fraud Prevention For Woocommerce (woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers, by Dotstore; WordPress plugin) contains a security vulnerability (CVSS 4.3).
WP Term Order (wp-term-order, by John James Jacoby; WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
The Email Inquiry & Cart Options for WooCommerce plugin through version 3.4.3 contains a DOM-based cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting improper input neutralization. An attacker with user-level access can craft requests that execute arbitrary JavaScript in victims' browsers, potentially compromising user sessions or stealing sensitive data. No patch is currently available for this vulnerability.
WP FullCalendar through version 1.6 exposes sensitive system information to unauthenticated remote attackers, allowing them to retrieve embedded data without authentication. The vulnerability affects WordPress installations using the vulnerable plugin and requires no user interaction to exploit. No patch is currently available.
Insufficient access control in MyThemeShop WP Subscribe plugin through version 1.2.16 allows authenticated attackers to bypass authorization checks and gain unauthorized access to sensitive information. An attacker with a user account can exploit misconfigured security levels to view data they should not have permission to access. No patch is currently available.
The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including, 2.1.16. [CVSS 4.3 MEDIUM]
The Recooty - Job Widget (Old Dashboard) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recooty_save_maybe() function. [CVSS 4.3 MEDIUM]
The Search Atlas SEO - Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the 'generate_sso_url' and 'validate_sso_token' functions in versions 2.4.4 to 2.5.12. [CVSS 8.8 HIGH]
The BlockArt Blocks - Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the BlockArt Counter in all versions up to, and including, 2.2.14 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The SEO Links Interlinking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'google_error' parameter in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]
Arbitrary file upload in AI Engine WordPress plugin versions up to 3.3.2 allows authenticated Editor-level users to bypass file type validation and execute remote code by uploading files through the `update_media_metadata` REST endpoint. An attacker can upload a benign image file and then rename it to PHP, placing executable code in the web-accessible uploads directory. The vulnerability affects WordPress installations with the plugin installed and requires Editor or higher privileges to exploit.
Order Minimum/Maximum Amount Limits for WooCommerce (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).
Stored XSS in Ivory Search WordPress plugin up to version 5.5.13 allows administrators to inject malicious scripts into admin settings due to inadequate input sanitization, affecting multi-site installations and those with unfiltered_html disabled. Attackers with admin privileges can execute arbitrary JavaScript that persists and runs for all users accessing affected pages. A patch is not currently available.
Unauthenticated attackers can exploit time-based SQL injection in the VidShop plugin for WordPress (versions up to 1.1.4) through the unescaped 'fields' parameter to extract sensitive database information. The vulnerability stems from insufficient input validation and improper query preparation, allowing attackers to inject malicious SQL commands without authentication. No patch is currently available for this high-severity flaw affecting WooCommerce installations.
Authenticated attackers with Author-level permissions can read, modify, and delete document library entries belonging to other users in the Document Embedder plugin for WordPress through improper access control checks in multiple AJAX handlers. The vulnerability affects all versions up to 2.0.4 and requires no additional user interaction, allowing privilege escalation within the plugin's document management system. No patch is currently available.
RegistrationMagic (WordPress plugin) versions up to 6.0.7.4. is affected by missing authorization (CVSS 5.3).
Unauthenticated attackers can delete arbitrary calendar entries in the Simple Calendar for Elementor WordPress plugin through versions 1.6.6 due to missing authorization checks on an AJAX function that accepts both authenticated and unauthenticated requests. An attacker only needs a valid nonce and the target calendar entry ID to perform the deletion. No patch is currently available for this vulnerability.
The Buy Now Plus plugin for WordPress versions up to 1.0.2 allows authenticated users with Contributor access or higher to execute arbitrary JavaScript in pages through improper sanitization of the 'buynowplus' shortcode attributes. This stored cross-site scripting vulnerability enables attackers to inject malicious scripts that execute whenever visitors view affected pages. No patch is currently available for this vulnerability.
Stored cross-site scripting in Forms Bridge - Infinite integrations plugin for WordPress versions up to 4.2.5 allows authenticated contributors and higher-privilege users to inject malicious scripts through the 'id' shortcode parameter. The vulnerability stems from insufficient input sanitization and output escaping, enabling attackers to execute arbitrary JavaScript in pages viewed by other users. No patch is currently available for this vulnerability.
New User Approve (WordPress plugin) versions up to 3.2.2. is affected by missing authorization (CVSS 7.3).
Unauthenticated attackers can bypass authorization checks in WordPress form plugins (Database for Contact Form 7, WPforms, Elementor forms) through version 1.4.5 to download CSV exports of all form submissions containing sensitive personally identifiable information. The vulnerability exists because the CSV export endpoint lacks proper capability verification and exports complete datasets regardless of user permissions, while an export key is exposed in publicly accessible page source code. This allows attackers to retrieve sensitive data without authentication or proper authorization.
The WPBITS Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widget parameters in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping when dynamic content is enabled. [CVSS 6.4 MEDIUM]
The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_simple_folio_item_client_name' and '_simple_folio_item_link' meta fields in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Interactions - Create Interactive Experiences in the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event selectors in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Easy Replace Image plugin for WordPress up to version 3.5.2 lacks proper authorization checks on its AJAX image replacement function, allowing authenticated users with Contributor-level privileges to replace arbitrary image attachments with external URLs. This enables attackers to deface sites, conduct phishing attacks, or manipulate content without administrative oversight. No patch is currently available for this medium-severity vulnerability.
The Appointment Hour Booking plugin for WordPress through version 1.5.60 allows administrators to inject persistent JavaScript into the form builder interface through inadequately sanitized field configuration parameters. Exploitation requires high-level authenticated access and affects only multisite installations or those with unfiltered HTML disabled. Injected scripts execute in the context of other users accessing the form builder, enabling credential theft or unauthorized actions.
The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'placeholder_img' parameter in all versions up to, and including, 3.8.8 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.6. This is due to the plugin not restricting which URLs can be fetched when importing CSV data from a URL in the Data Table widget. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations, including localhost and internal network services, and read sensitive files such as wp-config....
The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable User Registration when it has been turned off) [CVSS 5.3 MEDIUM]
The AI Engine plugin for WordPress versions up to 3.3.2 contains a server-side request forgery vulnerability in the 'get_audio' function that allows authenticated subscribers and higher-privileged users to make arbitrary web requests from the server. When the Public API setting is enabled and allow_url_fopen is active, attackers can query and modify data on internal services accessible to the web application. No patch is currently available for this vulnerability.
Link Invoice Payment for WooCommerce (WordPress plugin) versions up to 2.8.0 are affected by missing authorization (CVSS 5.3).
The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks. [CVSS 6.8 MEDIUM]
The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin [CVSS 7.1 HIGH]
All-in-One Dynamic Content Framework (WordPress plugin) versions up to 1.1.27 are affected by information exposure (CVSS 4.3).
WP Go Maps plugin for WordPress through version 10.0.04 lacks proper capability validation in the processBackgroundAction() function, allowing authenticated Subscriber-level users to modify global map engine settings. This insufficient access control enables low-privileged attackers to alter critical plugin configurations without proper authorization. No patch is currently available for this vulnerability.
Save as PDF Plugin by PDFCrowd (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.1).
Arbitrary file uploads in the Hustle WordPress plugin (versions up to 7.8.9.2) allow authenticated low-privileged users with granted module permissions to bypass file type validation and upload malicious files, potentially enabling remote code execution. An attacker with Subscriber-level access or higher can exploit improper validation in the action_import_module() function if an administrator grants them Hustle module editing capabilities. No patch is currently available, leaving affected WordPress installations vulnerable until an update is released.
WP Directory Kit (WordPress plugin) versions up to 1.4.9 are affected by information exposure (CVSS 5.3).
Stored XSS in Meta-box GalleryMeta plugin through WordPress admin settings allows authenticated editors and higher-privileged users to inject malicious scripts that execute for site visitors, affecting only multisite installations or those with unfiltered_html disabled. The vulnerability stems from inadequate input sanitization and output escaping in plugin versions up to 3.0.1, with no patch currently available.
Stored XSS in the WordPress Responsive Header plugin through version 1.0 allows authenticated administrators to inject malicious scripts into plugin settings that execute for all users viewing affected pages. This impacts multi-site WordPress installations or those with unfiltered_html disabled, requiring high privilege access and manual user interaction to trigger exploitation. No patch is currently available.
Stored XSS in WordPress Postalicious plugin through version 3.0.1 allows authenticated administrators to inject malicious scripts into admin settings that execute for all users viewing affected pages. The vulnerability requires high privileges and only impacts multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.
Friendly Functions for Welcart (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
Stored cross-site scripting in the JavaScript Notifier WordPress plugin through version 1.2.8 allows administrators to inject malicious scripts into website pages due to improper input sanitization in plugin settings. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. This requires administrator-level access to exploit but affects all website visitors who view the compromised pages.
Stored XSS in WordPress LeadBI Plugin versions through 1.7 allows authenticated contributors and above to inject malicious scripts through the 'form_id' shortcode parameter due to missing input sanitization, enabling attackers to execute arbitrary code in pages viewed by other users. The vulnerability requires user authentication and currently lacks a vendor patch.
Reflected XSS in WordPress Timeline Event History plugin (versions up to 3.2) allows unauthenticated attackers to inject arbitrary JavaScript through the unvalidated `id` parameter. An attacker can craft a malicious link to execute scripts in a victim's browser if they click it, potentially leading to session hijacking or credential theft. No patch is currently available.
Stored cross-site scripting in CM CSS Columns plugin for WordPress through version 1.2.1 allows authenticated contributors and higher-privileged users to inject malicious scripts via improperly sanitized shortcode attributes. When other users view pages containing the injected content, the malicious scripts execute in their browsers, potentially compromising their accounts or stealing sensitive information. No patch is currently available.
Stored cross-site scripting in the User Submitted Posts WordPress plugin through version 20251210 allows unauthenticated attackers to inject malicious scripts via custom fields due to inadequate input sanitization. The injected scripts execute in the browsers of any user viewing affected pages, potentially compromising user sessions and data. No patch is currently available.
The Meta Box GalleryMeta WordPress plugin through version 3.0.1 fails to enforce proper capability checks on the 'mb_gallery' custom post type, allowing authenticated users with Author-level or higher privileges to create and publish galleries without authorization. This insufficient access control could enable low-privileged attackers to modify gallery content and bypass intended editorial workflows.
The MetForm - Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.1.0. This is due to the use of a forgeable cookie value derived only from the entry ID and current user ID without a server-side secret. This makes it possible for unauthenticated attackers to access form submission entry data via MetForm shortcodes for entries created within the transient TTL (default is 15 minu...
The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. [CVSS 4.3 MEDIUM]
Moderate Selected Posts (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
The AdminQuickbar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.3. This is due to missing or incorrect nonce validation on the 'saveSettings' and 'renamePost' AJAX actions. [CVSS 4.3 MEDIUM]
The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. [CVSS 4.3 MEDIUM]
The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. [CVSS 4.3 MEDIUM]
The Administrative Shortcodes plugin for WordPress through version 0.3.4 allows authenticated contributors and above to execute arbitrary PHP code via insufficient path validation in the get_template shortcode's slug parameter. An attacker with contributor-level permissions can exploit this local file inclusion vulnerability to include malicious files, bypass access controls, and achieve remote code execution on the affected server. A patch is not currently available for this vulnerability.
AIKTP plugin for WordPress versions up to 5.0.04 allows authenticated subscribers to retrieve administrator access tokens through an insufficiently protected REST API endpoint, enabling attackers to create posts, upload files, and access private content with admin privileges. The vulnerability stems from missing authorization checks that only verify user login status rather than administrative capabilities. No patch is currently available.
Stored cross-site scripting in WordPress Administrative Shortcodes plugin through version 0.3.4 allows authenticated contributors and higher-privileged users to inject malicious scripts into pages via insufficiently sanitized shortcode attributes, executing arbitrary code when other users visit affected pages. The vulnerability requires user interaction and authenticated access but can impact site visitors through persistent payload injection. No patch is currently available.
Stored XSS in the ThemeRuby Multi Authors WordPress plugin through version 1.0.0 allows authenticated contributors and above to inject malicious scripts via unescaped shortcode attributes that execute in other users' browsers. The vulnerability stems from insufficient input sanitization on the 'before' and 'after' parameters, enabling attackers to compromise page content viewed by site visitors. No patch is currently available for this medium-severity vulnerability.
Stored XSS in the Canto Testimonials WordPress plugin through the 'fx' shortcode attribute allows authenticated users with Contributor access or higher to inject malicious scripts that persist in pages and execute for all visitors. The vulnerability stems from inadequate input sanitization and output escaping in versions up to 1.0, requiring an authenticated attacker but no user interaction. No patch is currently available.
WordPress Login Page Editor plugin through version 1.2 lacks CSRF protections on its AJAX settings handler, allowing attackers to modify login page configuration by tricking administrators into visiting malicious links. An unauthenticated attacker can exploit this to alter plugin settings without direct authorization, potentially affecting site security or functionality. No patch is currently available.
Cookie consent for developers (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).
Set Bulk Post Categories (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
The Star Review Manager WordPress plugin through version 1.2.2 lacks CSRF protections on its settings page, allowing unauthenticated attackers to modify CSS settings by tricking administrators into clicking a malicious link. Site administrators are at risk of unwanted plugin configuration changes that could alter site appearance or functionality. No patch is currently available for this vulnerability.
The ZT Captcha plugin for WordPress through version 1.0.4 contains a cross-site request forgery vulnerability due to insufficient nonce validation that can be bypassed with an empty token. An unauthenticated attacker can exploit this to modify plugin settings by tricking an administrator into clicking a malicious link. No patch is currently available.
The Alex User Counter WordPress plugin through version 6.0 contains a cross-site request forgery vulnerability in its settings function due to missing nonce validation, allowing unauthenticated attackers to modify plugin configuration if they can socially engineer site administrators into clicking a malicious link. The vulnerability has a low barrier to exploitation since it requires only network access and user interaction, though it cannot directly compromise confidentiality or availability. No patch is currently available for this issue.
Unauthenticated attackers can exploit a Server-Side Request Forgery vulnerability in the WordPress Frontis Blocks plugin (versions up to 1.1.6) through unvalidated URL parameters in the template proxy endpoints to perform arbitrary web requests from the affected server. This allows an attacker to scan internal networks, access local services, or exfiltrate sensitive data without authentication. No patch is currently available.
SQL injection in the WP-ClanWars WordPress plugin through version 2.0.1 allows authenticated administrators to execute arbitrary SQL queries via an unescaped 'orderby' parameter, enabling extraction of sensitive database information. The vulnerability requires high-level administrative privileges and does not allow data modification or system availability impacts. No patch is currently available for this issue.
The Alpha Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alpha_block_css' parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The GZSEO plugin for WordPress is vulnerable to authorization bypass leading to Stored Cross-Site Scripting in all versions up to, and including, 2.0.11. [CVSS 6.4 MEDIUM]
WP Youtube Video Gallery (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
Simple Crypto Shortcodes (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
Wizit Gateway for WooCommerce (WordPress plugin) versions up to 1.2.9 are affected by missing authorization (CVSS 5.3).
The Same Category Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget title placeholder functionality in all versions up to, and including, 1.1.19. [CVSS 5.4 MEDIUM]
The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. [CVSS 5.3 MEDIUM]
Wise Analytics (WordPress plugin) versions up to 1.1.9 are affected by missing authorization (CVSS 5.3).
The JustClick registration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on the `PHP_SELF` server variable. [CVSS 6.1 MEDIUM]
The Kalrav AI Agent plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the kalrav_upload_file AJAX action.
VK Google Job Posting Manager (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` functions in all versions up to, and including, 4.6.4. [CVSS 6.5 MEDIUM]
The Trusona WordPress plugin version 2.0.0 and earlier contains an authorization bypass that allows authenticated attackers to exploit misconfigured access controls and gain unauthorized information disclosure. An attacker with valid WordPress credentials could leverage this vulnerability to access sensitive data they should not have permission to view. No patch is currently available for this vulnerability.
File Uploads Addon for WooCommerce (WordPress plugin, slug woo-addon-uploads, by Imaginate Solutions) is affected by missing authorization (CVSS 5.3).
The Bayarcash WooCommerce plugin for WordPress (versions up to 4.3.11) contains an authorization bypass that allows unauthenticated attackers to exploit misconfigured access controls and gain unauthorized information disclosure. An attacker can leverage this missing authorization check over the network without authentication to access sensitive data. This vulnerability affects WordPress installations using the vulnerable plugin versions and has a CVSS score of 5.3.
Related Posts Thumbnails Plugin for WordPress (WordPress plugin, slug related-posts-thumbnails, by marynixie) is affected by cross-site request forgery (csrf) (CVSS 4.7).
AWP Classifieds (WordPress plugin, slug another-wordpress-classifieds-plugin, by Strategy11 Team) contains a security vulnerability (CVSS 5.3).
Hyyan WooCommerce Polylang Integration (WordPress plugin, slug woo-poly-integration, by Hyyan Abo Fakher) is affected by missing authorization (CVSS 6.5).
SumUp Payment Gateway For WooCommerce (WordPress plugin, slug sumup-payment-gateway-for-woocommerce, by sumup) is affected by missing authorization (CVSS 5.3).
Points and Rewards for WooCommerce (WordPress plugin, slug points-and-rewards-for-woocommerce, by WP Swings) is affected by missing authorization (CVSS 5.4).
Ai Image Alt Text Generator for WP (WordPress plugin, slug ai-image-alt-text-generator-for-wp, by WP Messiah) is affected by missing authorization (CVSS 4.3).
The Ryviu product reviews plugin for WordPress versions 3.1.26 and earlier contains an authorization bypass vulnerability that allows unauthenticated attackers to modify data due to improperly configured access controls. This could enable attackers to manipulate product reviews or other protected functionality without proper authentication. No patch is currently available for this vulnerability.
Fraud Prevention For Woocommerce (WordPress plugin, slug woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers, by Dotstore) contains a security vulnerability (CVSS 4.3).
WP Term Order (WordPress plugin, slug wp-term-order, by John James Jacoby) is affected by cross-site request forgery (csrf) (CVSS 4.3).
The Email Inquiry & Cart Options for WooCommerce plugin through version 3.4.3 contains a DOM-based cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting improper input neutralization. An attacker with user-level access can craft requests that execute arbitrary JavaScript in victims' browsers, potentially compromising user sessions or stealing sensitive data. No patch is currently available for this vulnerability.
WP FullCalendar through version 1.6 exposes sensitive system information to unauthenticated remote attackers, allowing them to retrieve embedded data without authentication. The vulnerability affects WordPress installations using the vulnerable plugin and requires no user interaction to exploit. No patch is currently available.
Insufficient access control in MyThemeShop WP Subscribe plugin through version 1.2.16 allows authenticated attackers to bypass authorization checks and gain unauthorized access to sensitive information. An attacker with a user account can exploit misconfigured security levels to view data they should not have permission to access. No patch is currently available.
The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including, 2.1.16. [CVSS 4.3 MEDIUM]