WordPress
Monthly
Stored cross-site scripting in the WP DSGVO Tools WordPress plugin through version 3.1.36 allows authenticated contributors and higher-privileged users to inject malicious scripts into pages via the 'lw_content_block' shortcode due to improper input sanitization. When visitors access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. No patch is currently available for this vulnerability.
Melapress Role Editor (WordPress plugin) versions up to 1.1.1 are affected by incorrect authorization (CVSS 8.8).
The BuddyPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 14.3.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. [CVSS 7.3 HIGH]
Unauthenticated attackers can upload arbitrary files through the KiviCare plugin for WordPress versions up to 3.6.15 due to missing authorization checks in the file upload function. This allows adversaries to host malicious content, phishing pages, or other attack payloads on vulnerable sites without authentication. No patch is currently available for this medium-severity vulnerability.
The RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-rss-aggregator' shortcode in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saswp_custom_schema_field' profile field in all versions up to, and including, 1.54 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Uncanny Automator - Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and output escaping on the verified_message parameter. [CVSS 6.4 MEDIUM]
WebPros WordPress Toolkit versions up to 6.9.1 are affected by path traversal via WordPress directory names (CVSS 8.8).
Arul Prasad J WP Quick Post Duplicator wp-quick-post-duplicator is affected by missing authorization (CVSS 4.3).
WP Job Portal has an authorization bypass through user-controlled keys allowing attackers to access other users' job applications and employer data.
YITHEMES YITH WooCommerce Request A Quote yith-woocommerce-request-a-quote is affected by missing authorization (CVSS 5.3).
storeapps Stock Manager for WooCommerce woocommerce-stock-manager is affected by cross-site request forgery (csrf) (CVSS 5.4).
Inadequate access control in WP Recipe Maker versions 10.2.4 and earlier allows authenticated users to bypass authorization checks and perform unauthorized actions. An attacker with low-level WordPress credentials could exploit this vulnerability to gain elevated privileges and modify sensitive recipe data without proper permissions.
WP MapIt plugin for WordPress through version 3.0.3 contains an authorization bypass that allows authenticated users to modify content they should not have access to. An attacker with user-level privileges can exploit misconfigured access controls to perform unauthorized actions, though the impact is limited to integrity violations without affecting confidentiality or availability.
WebAppick CTX Feed webappick-product-feed-for-woocommerce is affected by missing authorization (CVSS 5.3).
Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends is affected by cross-site request forgery (csrf) (CVSS 5.4).
AA-Team Wordpress Movies Bulk Importer movies importer is affected by cross-site request forgery (csrf) (CVSS 4.3).
SmartDataSoft Electrician - Electrical Service WordPress electrician is affected by server-side request forgery (ssrf) (CVSS 5.4).
Incorrect Privilege Assignment vulnerability in e-plugins WP Membership wp-membership allows Privilege Escalation. This issue affects WP Membership: from n/a through <= 1.6.4. [CVSS 8.8 HIGH]
Missing Authorization vulnerability in e-plugins WP Membership wp-membership allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Membership: from n/a through <= 1.6.4. [CVSS 7.3 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Boopathi Rajan WP Test Email wp-test-email allows Reflected XSS. This issue affects WP Test Email: from n/a through <= 1.1.7. [CVSS 7.1 HIGH]
FmeAddons Registration & Login with Mobile Phone Number for WooCommerce has a missing authorization vulnerability allowing unauthenticated access to protected functionality.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FooEvents FooEvents for WooCommerce fooevents allows SQL Injection. This issue affects FooEvents for WooCommerce: from n/a through <= 1.20.4. [CVSS 8.5 HIGH]
XpeedStudio Bajaar - Highly Customizable WooCommerce WordPress Theme bajaar is affected by php remote file inclusion (CVSS 8.1).
Miion WordPress theme by zozothemes has an unrestricted file upload vulnerability allowing unauthenticated web shell deployment and server compromise.
Blogzee WordPress theme by blazethemes has an unrestricted file upload vulnerability — the fourth blazethemes product affected by the same shared vulnerable upload component.
Blogistic WordPress theme by blazethemes has an unrestricted file upload vulnerability enabling attackers to deploy web shells for persistent server access.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arevico WP Simple Redirect wp-simple-redirect allows Reflected XSS. This issue affects WP Simple Redirect: from n/a through <= 1.1. [CVSS 7.1 HIGH]
codisto Omnichannel for WooCommerce codistoconnect is affected by cross-site scripting (xss) (CVSS 7.1).
Order Listener for WooCommerce has a missing authorization vulnerability enabling unauthenticated access to order data and administrative functions.
Onepay Sri Lanka onepay Payment Gateway For WooCommerce onepay-payment-gateway-for-woocommerce is affected by missing authorization (CVSS 6.5).
cardpaysolutions Payment Gateway Authorize.Net CIM for WooCommerce authnet-cim-for-woo is affected by missing authorization (CVSS 6.5).
GLS GLS Shipping for WooCommerce gls-shipping-for-woocommerce is affected by cross-site scripting (xss) (CVSS 7.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 WP Mail wp-mail allows Reflected XSS. This issue affects WP Mail: from n/a through <= 1.3. [CVSS 7.1 HIGH]
Real Homes CRM WordPress plugin has an unrestricted file upload allowing web shell deployment for persistent remote code execution.
Missing Authorization vulnerability in Taxcloud TaxCloud for WooCommerce simple-sales-tax allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TaxCloud for WooCommerce: from n/a through <= 8.3.8. [CVSS 6.5 MEDIUM]
MailerLite WordPress plugin has a SQL injection vulnerability enabling attackers to extract sensitive data from the WordPress database.
Cross-Site Request Forgery (CSRF) vulnerability in Angel Costa WP SEO Search wp-seo-search allows Cross Site Request Forgery. This issue affects WP SEO Search: from n/a through <= 1.1. [CVSS 4.3 MEDIUM]
Missing Authorization vulnerability in Mario Peshev WP-CRM System wp-crm-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP-CRM System: from n/a through <= 3.4.5. [CVSS 8.8 HIGH]
News Event WordPress theme by blazethemes has an unrestricted file upload allowing web shell deployment and remote code execution.
Blogmatic WordPress theme by blazethemes has an unrestricted file upload vulnerability allowing attackers to upload web shells for persistent server access.
adamlabs WordPress Photo Gallery photo-gallery-portfolio is affected by cross-site scripting (xss) (CVSS 6.1).
WP Learn SQL Injection allows unauthenticated attackers to execute arbitrary SQL queries against the WordPress database, exposing all stored data.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages wp-lead-capture allows Blind SQL Injection. This issue affects WP Lead Capturing Pages: from n/a through <= 2.5. [CVSS 8.8 HIGH]
LambertGroup Magic Responsive Slider and Carousel WordPress magic_carousel is affected by cross-site scripting (xss) (CVSS 6.1).
LA-Studio Element Kit for Elementor WordPress plugin allows unauthenticated admin user creation, enabling complete WordPress site takeover.
The Photo Gallery by 10Web plugin for WordPress versions up to 1.8.36 lacks proper authentication checks on its comment deletion function, allowing unauthenticated attackers to delete arbitrary image comments from the Pro version. This integrity vulnerability (CVSS 5.3) requires no user interaction and can be exploited remotely; no patch is currently available. The impact is limited to comment data manipulation, but it affects all unpatched installations of the plugin.
GuardTourService contains a vulnerability that allows attackers to potentially execute code with elevated system privileges (CVSS 7.8).
Academy LMS WordPress plugin has a privilege escalation vulnerability allowing unauthenticated users to bypass access controls and gain elevated privileges on WordPress sites.
PHP object injection in the Nexter Extension plugin for WordPress (versions up to 4.4.6) allows unauthenticated remote attackers to deserialize untrusted data, potentially enabling arbitrary code execution, file deletion, or data theft if a compatible POP chain exists in other installed plugins or themes. The vulnerability has a high CVSS score of 8.1 but currently lacks a public exploit chain in the vulnerable software itself. No patch is currently available.
Stored cross-site scripting in FlatPM - Ad Manager plugin for WordPress up to version 3.2.2 allows authenticated contributors and higher-privileged users to inject malicious scripts through the rank_math_description field due to inadequate input sanitization. The injected scripts execute in the browsers of users viewing affected pages, potentially enabling credential theft, session hijacking, or other client-side attacks. No patch is currently available for this vulnerability.
Stored XSS in WordPress Head Meta Data plugin (versions up to 20251118) allows authenticated contributors and above to inject malicious scripts into post metadata that execute when users visit affected pages, due to inadequate input sanitization. An attacker with contributor-level access can exploit insufficient output escaping to persistently compromise page content across all site visitors. No patch is currently available for this vulnerability.
NotificationX plugin for WordPress versions up to 3.1.11 lacks proper authorization checks on REST API endpoints, allowing authenticated users with Contributor-level permissions to reset analytics data for any campaign regardless of ownership. This capability bypass enables low-privileged attackers to tamper with campaign analytics across the WordPress installation. The vulnerability affects WordPress deployments using the affected plugin versions, with no patch currently available.
Tutor LMS plugin for WordPress through version 3.9.4 fails to validate user permissions on the delete_existing_user_photo function, allowing authenticated subscribers and higher-privileged users to delete arbitrary attachments. This integrity and availability vulnerability requires an active WordPress account but no elevated privileges, making it exploitable by low-level users to disrupt site content.
The NotificationX - FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. [CVSS 7.2 HIGH]
The Creator LMS - The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and including, 1.1.12. [CVSS 8.8 HIGH]
The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'start_migration', 'cancel_migration', and 'revert_migration' functions in all versions up to, and including, 6.15.13. [CVSS 5.4 MEDIUM]
Advanced Custom Fields: Extended plugin for WordPress has a privilege escalation vulnerability allowing unauthenticated users to gain admin access in all versions up to the latest.
Stored XSS in the Viet contact WordPress plugin versions up to 1.3.2 allows authenticated administrators to inject malicious scripts into admin settings due to inadequate input sanitization and output escaping. The injected scripts execute when other users access affected pages, impacting multi-site WordPress installations and sites with unfiltered_html disabled. Exploitation requires administrator-level access and no patch is currently available.
Stored XSS in WP Hello Bar plugin up to version 1.02 allows authenticated administrators to inject malicious scripts through the 'digit_one' and 'digit_two' parameters due to inadequate input validation. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. No patch is currently available.
The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor plugin data. [CVSS 6.5 MEDIUM]
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution - Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key. [CVSS 8.1 HIGH]
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. [CVSS 5.3 MEDIUM]
The LearnPress - WordPress LMS Plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.3.2.4 via the get_item_permissions_check function. [CVSS 5.3 MEDIUM]
The Custom Fonts - Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. [CVSS 5.3 MEDIUM]
The Newsletter WordPress plugin through version 9.1.0 contains a cross-site request forgery vulnerability in the hook_newsletter_action() function due to insufficient nonce validation, allowing unauthenticated attackers to unsubscribe legitimate users if they can trick a logged-in administrator into clicking a malicious link. This attack requires user interaction but poses a direct integrity risk to newsletter subscriber lists. No patch is currently available.
The PeachPay - Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including, 1.119.8. [CVSS 5.3 MEDIUM]
Image Photo Gallery Final Tiles Grid (WordPress plugin) versions up to 3.6.9 are affected by missing authorization (CVSS 5.4).
SQL injection in Koko Analytics for WordPress prior to version 2.1.3 allows unauthenticated attackers to inject malicious SQL through the public tracking endpoint, which gets stored unescaped and executed when administrators export and reimport analytics data. Public exploit code exists for this vulnerability, enabling attackers to execute arbitrary SQL commands including database manipulation and potential data destruction. The vulnerability affects WordPress installations using vulnerable versions of the Koko Analytics plugin and requires administrator interaction with a malicious export file to fully exploit.
Stored XSS in the Integrate Dynamics 365 CRM WordPress plugin through version 1.1.1 allows authenticated administrators to inject malicious scripts into plugin settings due to inadequate input sanitization. An attacker with admin privileges can execute arbitrary JavaScript that runs whenever users access affected pages. No patch is currently available.
The CubeWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cubewp_shortcode_taxonomy shortcode in all versions up to, and including, 1.1.26 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The PAYGENT for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygent_check_webhook function combined with the paygent_permission_callback function unconditionally returning true on line 199. This makes it possible for unauthenticated attackers to manipulate payment callbacks and modify order statuses by sending forged payment notifications via the `/wp-json/paygent/v1/che...
The WooCommerce mobile phone registration plugin has an authentication bypass vulnerability allowing unauthenticated attackers to log in as any user, including administrators, with EPSS 0.42%.
Demo Importer Plus (WordPress plugin) is affected by improper restriction of xml external entity reference (CVSS 7.5).
All-in-One Dynamic Content Framework versions up to 1.1.27 are affected by information exposure (CVSS 5.3).
Stored cross-site scripting in the Team Section Block plugin for WordPress through version 2.0.0 allows authenticated contributors and above to inject malicious scripts into pages by manipulating social network link URLs due to improper input sanitization and output escaping. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising site security and user data. An unpatched WordPress installation with this plugin poses a persistent attack vector for authenticated users with lower privilege levels.
The Spin Wheel WordPress plugin through version 2.1.0 fails to validate prize selection on the server side, allowing unauthenticated attackers to manipulate the 'prize_index' parameter and arbitrarily select high-value prizes. This input validation flaw enables attackers to bypass the intended randomization mechanism and consistently win premium rewards. No patch is currently available for affected installations.
The CM E-Mail Blacklist plugin for WordPress through version 1.6.2 contains a stored XSS vulnerability in the 'black_email' parameter due to inadequate input sanitization and output escaping. Authenticated administrators can inject arbitrary JavaScript that executes for all users accessing affected pages, though exploitation is limited to multi-site installations or those with unfiltered_html disabled. No patch is currently available.
The Advanced Ads - Ad Manager & AdSense plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 2.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 4.9 MEDIUM]
The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_admin_event_approval() function in all versions up to, and including, 1.5.6. [CVSS 5.3 MEDIUM]
User Registration Using Contact Form 7 (WordPress plugin) is affected by missing authorization (CVSS 5.3).
Phrase TMS Integration for WordPress (WordPress plugin) is affected by missing authorization (CVSS 4.3).
Authenticated attackers with Subscriber-level privileges can upload malicious signatures to arbitrary orders in the RepairBuddy WordPress plugin (versions up to 4.1116) due to missing capability checks, allowing them to modify order metadata and trigger unauthorized status changes. The vulnerability stems from insufficient access controls on the signature upload handler and requires only basic user authentication to exploit. No patch is currently available for this integrity-impacting vulnerability.
The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. [CVSS 2.2 LOW]
The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint (`wppaypalcheckout_ajax_process_order`) that processes checkout results without any authentication or server-side verification of the PayPal transaction. This makes it possible for unauthenticated attackers to create arbitrary orders on the site with any chosen transaction ID, payment status, p...
The Gutenberg Thim Blocks - Page Builder, Gutenberg Blocks for the Block Editor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 1.0.1. This is due to insufficient path validation in the server-side rendering of the thim-blocks/icon block. [CVSS 6.5 MEDIUM]
The RegistrationMagic WordPress plugin up to version 6.0 allows unauthenticated privilege escalation, enabling attackers to create admin accounts and take over WordPress sites.
The Filr - Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via unrestricted file upload in all versions up to, and including, 1.2.11 due to insufficient file type restrictions in the FILR_Uploader class. [CVSS 4.4 MEDIUM]
The Wallet System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'change_wallet_fund_request_status_callback' function in all versions up to, and including, 2.7.2. [CVSS 6.5 MEDIUM]
The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks, relying only on a nonce for protection. This makes it possible for unauthenticated attackers to retrieve sensitive customer information including full names, addresses, phone numbers, and email addresses by providing...
NotificationX plugin for WordPress versions up to 3.1.11 lacks proper authorization checks on REST API endpoints, allowing authenticated users with Contributor-level permissions to reset analytics data for any campaign regardless of ownership. This capability bypass enables low-privileged attackers to tamper with campaign analytics across the WordPress installation. The vulnerability affects WordPress deployments using the affected plugin versions, with no patch currently available.
Tutor LMS plugin for WordPress through version 3.9.4 fails to validate user permissions on the delete_existing_user_photo function, allowing authenticated subscribers and higher-privileged users to delete arbitrary attachments. This integrity and availability vulnerability requires an active WordPress account but no elevated privileges, making it exploitable by low-level users to disrupt site content.
The NotificationX - FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. [CVSS 7.2 HIGH]
The Creator LMS - The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and including, 1.1.12. [CVSS 8.8 HIGH]
The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'start_migration', 'cancel_migration', and 'revert_migration' functions in all versions up to, and including, 6.15.13. [CVSS 5.4 MEDIUM]
Advanced Custom Fields: Extended plugin for WordPress has a privilege escalation vulnerability allowing unauthenticated users to gain admin access in all versions up to the latest.
Stored XSS in the Viet contact WordPress plugin versions up to 1.3.2 allows authenticated administrators to inject malicious scripts into admin settings due to inadequate input sanitization and output escaping. The injected scripts execute when other users access affected pages, impacting multi-site WordPress installations and sites with unfiltered_html disabled. Exploitation requires administrator-level access and no patch is currently available.
Stored XSS in WP Hello Bar plugin up to version 1.02 allows authenticated administrators to inject malicious scripts through the 'digit_one' and 'digit_two' parameters due to inadequate input validation. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. No patch is currently available.
The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor data. [CVSS 6.5 MEDIUM]
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution - Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key. [CVSS 8.1 HIGH]
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. [CVSS 5.3 MEDIUM]
The LearnPress - WordPress LMS Plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.3.2.4 via the get_item_permissions_check function. [CVSS 5.3 MEDIUM]
The Custom Fonts - Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. [CVSS 5.3 MEDIUM]
The Newsletter WordPress plugin through version 9.1.0 contains a cross-site request forgery vulnerability in the hook_newsletter_action() function due to insufficient nonce validation, allowing unauthenticated attackers to unsubscribe legitimate users if they can trick a logged-in administrator into clicking a malicious link. This attack requires user interaction but poses a direct integrity risk to newsletter subscriber lists. No patch is currently available.
The PeachPay - Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including, 1.119.8. [CVSS 5.3 MEDIUM]
Image Photo Gallery Final Tiles Grid (WordPress plugin) versions up to 3.6.9 are affected by missing authorization (CVSS 5.4).
SQL injection in Koko Analytics for WordPress prior to version 2.1.3 allows unauthenticated attackers to inject malicious SQL through the public tracking endpoint, which gets stored unescaped and executed when administrators export and reimport analytics data. Public exploit code exists for this vulnerability, enabling attackers to execute arbitrary SQL commands including database manipulation and potential data destruction. The vulnerability affects WordPress installations using vulnerable versions of the Koko Analytics plugin and requires administrator interaction with a malicious export file to fully exploit.
Stored XSS in the Integrate Dynamics 365 CRM WordPress plugin through version 1.1.1 allows authenticated administrators to inject malicious scripts into plugin settings due to inadequate input sanitization. An attacker with admin privileges can execute arbitrary JavaScript that runs whenever users access affected pages. No patch is currently available.
The CubeWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cubewp_shortcode_taxonomy shortcode in all versions up to, and including, 1.1.26 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The PAYGENT for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygent_check_webhook function combined with the paygent_permission_callback function unconditionally returning true on line 199. This makes it possible for unauthenticated attackers to manipulate payment callbacks and modify order statuses by sending forged payment notifications via the `/wp-json/paygent/v1/che...
The WooCommerce mobile phone registration plugin has an authentication bypass vulnerability allowing unauthenticated attackers to log in as any user, including administrators, with EPSS 0.42%.
Demo Importer Plus (WordPress plugin) is affected by improper restriction of xml external entity reference (CVSS 7.5).
All-in-One Dynamic Content Framework versions up to 1.1.27 are affected by information exposure (CVSS 5.3).
Stored cross-site scripting in the Team Section Block plugin for WordPress through version 2.0.0 allows authenticated contributors and above to inject malicious scripts into pages by manipulating social network link URLs due to improper input sanitization and output escaping. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising site security and user data. An unpatched WordPress installation with this plugin poses a persistent attack vector for authenticated users with lower privilege levels.
The Spin Wheel WordPress plugin through version 2.1.0 fails to validate prize selection on the server side, allowing unauthenticated attackers to manipulate the 'prize_index' parameter and arbitrarily select high-value prizes. This input validation flaw enables attackers to bypass the intended randomization mechanism and consistently win premium rewards. No patch is currently available for affected installations.
The CM E-Mail Blacklist plugin for WordPress through version 1.6.2 contains a stored XSS vulnerability in the 'black_email' parameter due to inadequate input sanitization and output escaping. Authenticated administrators can inject arbitrary JavaScript that executes for all users accessing affected pages, though exploitation is limited to multi-site installations or those with unfiltered_html disabled. No patch is currently available.
The Advanced Ads - Ad Manager & AdSense plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 2.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 4.9 MEDIUM]
The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_admin_event_approval() function in all versions up to, and including, 1.5.6. [CVSS 5.3 MEDIUM]
User Registration Using Contact Form 7 (WordPress plugin) is affected by missing authorization (CVSS 5.3).
Phrase TMS Integration for WordPress (WordPress plugin) is affected by missing authorization (CVSS 4.3).
Authenticated attackers with Subscriber-level privileges can upload malicious signatures to arbitrary orders in the RepairBuddy WordPress plugin (versions up to 4.1116) due to missing capability checks, allowing them to modify order metadata and trigger unauthorized status changes. The vulnerability stems from insufficient access controls on the signature upload handler and requires only basic user authentication to exploit. Patch availability is not currently provided for this integrity-impacting vulnerability.
The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. [CVSS 2.2 LOW]
The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint (`wppaypalcheckout_ajax_process_order`) that processes checkout results without any authentication or server-side verification of the PayPal transaction. This makes it possible for unauthenticated attackers to create arbitrary orders on the site with any chosen transaction ID, payment status, p...
The Gutenberg Thim Blocks - Page Builder, Gutenberg Blocks for the Block Editor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 1.0.1. This is due to insufficient path validation in the server-side rendering of the thim-blocks/icon block. [CVSS 6.5 MEDIUM]
The RegistrationMagic WordPress plugin up to version 6.0 allows unauthenticated privilege escalation, enabling attackers to create admin accounts and take over WordPress sites.
The Filr - Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via unrestricted file upload in all versions up to, and including, 1.2.11 due to insufficient file type restrictions in the FILR_Uploader class. [CVSS 4.4 MEDIUM]
The Wallet System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'change_wallet_fund_request_status_callback' function in all versions up to, and including, 2.7.2. [CVSS 6.5 MEDIUM]
The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks, relying only on a nonce for protection. This makes it possible for unauthenticated attackers to retrieve sensitive customer information including full names, addresses, phone numbers, and email addresses by providing...