WordPress
Monthly
The MonsterInsights - Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability checks on the get_ads_access_token() and reset_experience() functions in all versions up to, and including, 10.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve live Google OAuth access tokens and reset Plugins's Google Ads integration.
Blind SQL injection in APIExperts Square for WooCommerce (WooSquare) plugin versions up to 4.7.1 allows authenticated attackers with low-level privileges to extract sensitive database contents including customer data, order information, and potentially administrative credentials. The vulnerability enables scope escalation from the WordPress application context to the underlying database layer (S:C in CVSS vector), representing a significant data breach risk for WooCommerce stores. Reported by Patchstack, a WordPress vulnerability intelligence provider. No active exploitation confirmed in CISA KEV at time of analysis.
Stored cross-site scripting (XSS) in the Continually WordPress plugin versions up to 4.3.1 allows authenticated administrators to inject arbitrary web scripts into admin settings that execute whenever users access affected pages. The vulnerability requires high-privilege administrator access and is limited to multisite WordPress installations or sites with unfiltered_html disabled, resulting in low CVSS impact (4.4) despite network accessibility. No public exploit code or active exploitation has been identified at this time.
Stored Cross-Site Scripting in FastBots plugin for WordPress up to version 1.0.12 allows authenticated administrators to inject arbitrary JavaScript into admin settings that executes when any user accesses affected pages. The vulnerability requires high-privilege administrator access and affects only multi-site WordPress installations or single-site installations with the unfiltered_html capability disabled. No public exploit code or active exploitation has been identified at time of analysis.
Authenticated users with Subscriber-level access can bypass PayPal payment verification in the Motors - Car Dealership & Classified Listings WordPress plugin (versions up to 1.4.103) by directly modifying their stm_payment_status user meta field to 'completed', gaining access to paid Dealer membership features without completing any transaction. The vulnerability exists in the stm_save_user_extra_fields() function, which fails to validate permission for sensitive meta field modifications during profile updates. While CVSS 4.3 reflects low severity, the integrity impact is direct-payment systems are completely circumvented for any authenticated user.
Stored Cross-Site Scripting in BJ Lazy Load plugin for WordPress versions up to 1.0.9 allows authenticated attackers with Contributor-level access to inject arbitrary web scripts via regex-based HTML attribute manipulation in the `filter_images()` function. The vulnerability exploits improper handling of HTML attribute boundaries during `src` attribute replacement, enabling attackers to promote malicious content from class attribute values into executable DOM attributes. When victims access injected pages, the injected scripts execute in their browsers with the privileges of the compromised site.
Stored Cross-Site Scripting in Scratchblocks for WP plugin for WordPress allows authenticated contributors and above to inject arbitrary JavaScript through the 'element' attribute of the 'scratchblocks' shortcode due to insufficient input sanitization and output escaping. The vulnerability affects all versions up to 1.0.1 and enables malicious scripts to execute in the browsers of all users viewing affected pages, with cross-site scope impact.
Time-based blind SQL injection in the Eight Day Week Print Workflow WordPress plugin (versions up to 1.2.6) via the 'title' parameter in the pp-get-articles AJAX action allows authenticated attackers with Subscriber-level access to extract sensitive database information. The vulnerability stems from insufficient escaping and lack of prepared statement usage, enabling attackers to append arbitrary SQL queries to extract confidential data with high confidentiality impact.
Reflected Cross-Site Scripting (XSS) in WP Google Maps Integration plugin for WordPress versions up to 1.2 allows unauthenticated attackers to inject arbitrary web scripts via the `page` parameter due to insufficient input sanitization and output escaping. Exploitation requires tricking an administrator into clicking a malicious link, but successful attacks can hijack admin sessions, modify site content, or steal credentials with medium attack complexity and limited immediate confidentiality and integrity impact.
Cross-Site Request Forgery (CSRF) in the Skysa Text Ticker App plugin for WordPress affects all versions up to 1.4, allowing unauthenticated attackers to modify plugin settings including scrolling message text and URLs by tricking site administrators into clicking a malicious link. The vulnerability stems from missing nonce validation in the SkysaApps_Admin_AppPage function, enabling attackers to alter ticker content without authentication but requiring user interaction via social engineering.
Stored Cross-Site Scripting in Credits Shortcode WordPress plugin up to version 1.2 allows authenticated contributors and above to inject arbitrary JavaScript via the 'link' attribute of the credits shortcode, which executes when other users view affected pages. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied shortcode attributes. CVSS 6.4 reflects moderate risk with network vector and limited scope impact, though real-world risk depends on site contributor population and user awareness.
Cross-Site Request Forgery in WooCommerce Minimum Weight plugin for WordPress up to version 3.0.1 allows unauthenticated attackers to modify minimum order weight settings by tricking site administrators into clicking malicious links or visiting attacker-controlled pages. The vulnerability stems from missing nonce verification in the settings update handler, enabling forged POST requests to alter critical e-commerce configuration without admin consent. No public exploit code or active exploitation has been identified at time of analysis.
Unauthenticated attackers can cancel arbitrary bookings in the Smart Appointment & Booking WordPress plugin versions up to 1.0.8 due to a logic flaw in nonce validation that uses AND instead of OR, combined with a missing capability check in the saab_cancel_booking() function. By supplying any value for the security parameter and a predictable booking ID, attackers can modify or delete booking records without authentication or user interaction.
Unauthenticated attackers can modify critical payment gateway settings in the iPOSpays Gateways WC WordPress plugin through an exposed REST API endpoint lacking authorization checks, enabling them to overwrite live API keys, secret keys, and payment tokens. Affected versions up to 1.3.7 permit unrestricted access to the /wp-json/ipospays/v1/save_settings endpoint due to a permission_callback set to '__return_true' with no nonce verification, allowing complete compromise of payment processing credentials without authentication. This is a high-integrity attack vector against e-commerce sites using the plugin.
Authenticated attackers with Subscriber-level WordPress access can overwrite the Coinbase Commerce API key in versions up to 1.1.2 of the Coinbase Commerce for Contact Form 7 WordPress plugin due to missing capability checks and nonce verification in the save_settings() function. The vulnerability allows privilege escalation and potential compromise of payment processing by replacing the legitimate API key with an attacker-controlled value via a crafted POST request to /wp-admin/admin-post, affecting all WordPress sites running this plugin with that version or earlier.
Stored cross-site scripting in the Advanced Social Media Icons WordPress plugin through version 1.2 allows authenticated contributors and above to inject arbitrary JavaScript via insufficiently sanitized shortcode attributes, with execution occurring whenever any user views an affected page. The vulnerability affects all installations of the plugin up to and including version 1.2 and requires only Contributor-level WordPress access to exploit, making it a significant risk for multi-author sites.
Stored Cross-Site Scripting in Voyage Plus WordPress plugin versions up to 1.0.6 allows authenticated contributors and above to inject malicious scripts via the 'class' attribute of the 'post-content' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users viewing affected pages, enabling credential theft, session hijacking, or malware distribution. No public exploit code or active KEV listing identified at time of analysis, but the vulnerability requires only contributor-level access and no user interaction, making it practical for insider threats or compromised contributor accounts.
Stored Cross-Site Scripting in Next Date WordPress plugin (all versions up to 1.0) allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'default' shortcode attribute due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user viewing the affected page, potentially compromising site visitors and administrators. No public exploit code or active exploitation has been identified at time of analysis.
Cross-Site Request Forgery in the Zawgyi Embed WordPress plugin versions up to 2.1.1 allows unauthenticated attackers to modify the plugin's zawgyi_forceCSS setting by tricking a site administrator into clicking a malicious link. The vulnerability stems from missing nonce validation in the zawgyi_adminpage function, enabling attackers to submit forged POST requests to the plugin's settings page without the administrator's knowledge.
Cross-Site Request Forgery (CSRF) in Tm - WordPress Redirection plugin for WordPress versions up to 1.2 allows unauthenticated attackers to update plugin settings and inject malicious web scripts by tricking a site administrator into clicking a malicious link. The vulnerability stems from missing or incorrect nonce validation on sensitive functions, enabling attackers to forge requests that execute administrative actions without the admin's explicit consent. CVSS score is 6.1 with network attack vector and low complexity, though exploitation requires user interaction (tricking administrator). No public exploit code or active exploitation has been identified at the time of analysis.
Forms Rb plugin for WordPress versions up to 1.1.9 contains an authorization bypass vulnerability allowing authenticated contributors and above to read, modify, and delete form submission records and configuration belonging to forms they do not own. The vulnerability stems from insufficient authorization checks in API endpoints (CWE-862), affecting all installations with the plugin active. CVSS score of 4.3 reflects low attack complexity and network accessibility, though impact is limited to integrity and information disclosure within WordPress administrative contexts.
SQL injection in the AIWU AI Chatbot WordPress plugin (versions ≤1.4.17) allows remote unauthenticated attackers to extract sensitive database contents via the getListForTbl() function due to unsanitized user input in SQL queries. Partial mitigation exists in version 1.4.11+ through administrator-only nonce protection, but the underlying SQL injection vulnerability persists. CVSS 7.5 (High) reflects network-accessible unauthenticated exploitation with high confidentiality impact. Wordfence provides detailed vulnerable code references across multiple plugin files including controller.php, req.php, and model.php. No evidence of active exploitation (not in CISA KEV) at time of analysis.
SP Blog Designer plugin for WordPress versions up to 1.0.0 allows authenticated attackers with Contributor-level access to inject arbitrary web scripts via the 'design' attribute of the wpsbd_post_carousel shortcode, resulting in stored cross-site scripting (XSS) that executes for all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping in shortcode handling. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting in Quick Table plugin for WordPress allows authenticated contributors and above to inject malicious scripts via the 'style' attribute of the 'qtbl' shortcode, which execute when any user views the affected page. The vulnerability affects all versions up to 1.0.0 due to insufficient input sanitization and output escaping. No public exploit code or active exploitation has been identified at time of analysis.
Stored XSS in LifePress WordPress plugin allows unauthenticated remote attackers to inject malicious scripts that execute in administrator contexts when viewing the plugin's settings page. The vulnerability affects all versions through 2.2.2 and stems from a publicly-accessible AJAX endpoint (lp_update_mds) that lacks both nonce verification and capability checks, combined with improper input sanitization of the 'n' parameter. The CVSS score of 7.2 reflects network-based exploitation requiring no authentication or user interaction, with changed scope enabling cross-context attacks. EPSS and KEV data not available; exploitation probability depends on attacker knowledge of the specific AJAX action endpoint.
Unauthenticated remote code execution in GWD Connect WordPress plugin versions up to 2.9 allows attackers to execute arbitrary PHP code on unregistered installations via the update_agent action in standalone agent endpoints (gwd-backup.php and gwd-logs.php) when the API key is not configured. The vulnerability exploits a missing authorization check that occurs only when the authentication key has not been set up, affecting default installations. No public exploit code or active exploitation has been confirmed at this time.
Reflected Cross-Site Scripting in AzonPost WordPress plugin versions up to 1.3 allows unauthenticated attackers to inject arbitrary JavaScript via the `editpos_hidden` parameter, executing in the browsers of administrators who click malicious links. The vulnerability stems from insufficient input sanitization and output escaping, requiring user interaction but affecting all versions of the plugin without requiring authentication or special configuration.
Slek Gateway for WooCommerce plugin version 1.0 exposes merchant API credentials (slek_key and slek_secret) to unauthenticated attackers through client-side HTML forms and plaintext GET parameters. An attacker who places an order on an affected WooCommerce store can extract the merchant's secret credentials by inspecting the HTML source or using browser developer tools on the order-pay page before JavaScript auto-submission occurs, compromising the merchant's Slek payment processing account.
Stored Cross-Site Scripting (XSS) in WP SEO Structured Data Schema plugin for WordPress versions up to 2.8.1 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the `_kcseo_ative_tab` parameter, which executes in the browsers of users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping in the plugin's metadata handling. No public exploit code or active exploitation has been identified at time of analysis.
Stored cross-site scripting in the Bootstrap Shortcode plugin for WordPress allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into pages via the `box` shortcode, executing malicious scripts whenever users view affected pages. The vulnerability exists in all versions up to 1.0 due to insufficient input sanitization and output escaping. No public exploit code or active exploitation has been identified at this time.
Cross-Site Request Forgery in WP-Redirection plugin for WordPress versions up to 1.0.3 allows unauthenticated attackers to trick logged-in administrators into modifying redirection rules by clicking a crafted link, enabling unauthorized creation, modification, or deletion of URL redirects without consent. The vulnerability stems from missing nonce validation in the admin settings form handler, affecting all installations running vulnerable versions.
Stored Cross-Site Scripting in Fancy Image Show plugin for WordPress up to version 9.1 allows authenticated contributors and above to inject arbitrary JavaScript via the `fancy-img-show` shortcode due to insufficient input sanitization and output escaping. The injected scripts execute in the context of any user viewing the affected page, affecting site integrity and potentially compromising administrative accounts. No public exploit code or active exploitation has been confirmed at time of analysis.
Authenticated attackers with Subscriber-level access can modify arbitrary WordPress post content, metadata, author assignment, and post type through missing authorization checks in the Rate Star Review Vote AJAX handler, allowing full post content takeover via the 'rating_id' parameter when the 'form' parameter is set to 'update'. The vulnerability affects all versions up to 1.6.4 and requires only basic user authentication (not administrator privileges), making it exploitable by any registered site user.
Reflected Cross-Site Scripting in Pricing Tables for WP plugin allows unauthenticated attackers to inject arbitrary JavaScript via the 'page' parameter. The vulnerability affects all versions up to 1.1.0 due to insufficient input sanitization and output escaping. Exploitation requires social engineering (e.g., tricking an administrator into clicking a malicious link), but no public exploit code or active exploitation has been identified at time of analysis.
Stored cross-site scripting in Shortcodely WordPress plugin versions up to 1.0.1 allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'widget_area' parameter, with scripts executing whenever users access affected pages. The vulnerability stems from insufficient input sanitization and output escaping, affecting all installations with vulnerable plugin versions active. CVSS 6.4 reflects the cross-site scope and information disclosure potential, though exploitation requires authenticated contributor-level access.
Unauthenticated attackers can delete any classroom record in the HEL Online Classroom WordPress plugin (versions up to 1.0.3) via a REST API endpoint that bypasses all WordPress authentication checks through a permission_callback set to '__return_true', resulting in permanent data loss. The vulnerability affects the plugin's core functionality and requires only network access with no user interaction, though the CVSS score of 5.3 reflects limited confidentiality impact (integrity modification only, no information disclosure).
Remote code execution in the Custom css-js-php WordPress plugin versions up to 2.0.7 allows unauthenticated attackers to execute arbitrary PHP code on the server through SQL injection chained with PHP eval(). The plugin fails to sanitize user input before passing it to SQL queries, with query results subsequently executed via eval(). EPSS score of 0.02% (5th percentile) suggests low observed exploitation activity, and no public exploit code has been identified at time of analysis, though the technical barrier is low (CVSS AC:L/PR:N).
WordPress Picture Gallery 1.4.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Edit Content URL field in the Access. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Survey & Poll 1.5.7.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wp_sap. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Download From Files version 1.48 and earlier contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting the AJAX. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress MStore API 2.0.6 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the REST API endpoint. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin WP Symposium Pro 2021.10 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting insufficient sanitization. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin AAWP 3.16 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the tab parameter. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin IP2Location Country Blocker 2.26.7 contains a stored cross-site scripting vulnerability that allows authenticated users to inject arbitrary JavaScript code through the Frontend. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress International Sms For Contact Form 7 Integration version 1.2 contains a reflected cross-site scripting vulnerability in the page parameter of the admin settings interface. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Contact Form Builder 1.6.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting the form_id parameter. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Jetpack 9.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the post_id parameter. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin amministrazione-aperta 3.7.3 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in the. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Curtain 1.0.2 contains a cross-site request forgery vulnerability that allows attackers to activate or deactivate site maintenance mode by crafting malicious requests. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin cab-fare-calculator 1.0.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the controller parameter in. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Videos sync PDF 1.7.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting unsanitized nom, pdf, mp4,. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Testimonial Slider and Showcase 2.2.6 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Netroics Blog Posts Grid 1.0 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the post_title. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress 3dady real-time web stats plugin 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by exploiting unsanitized input. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Unauthenticated attackers can bypass REST API authentication in the Logtivity plugin (versions up to 3.3.6) via a logic flaw in the verifyAuthorization method, allowing direct access to the /wp-json/logtivity/v1/options endpoint and disclosure of sensitive configuration including the logtivity_site_api_key. This key can be leveraged to impersonate the affected WordPress site in API calls to the Logtivity service. CVSS 5.3 (low confidentiality impact) reflects information disclosure severity; no active exploitation in CISA KEV at time of analysis.
LatePoint plugin for WordPress versions up to 5.5.0 allows unauthenticated attackers to perform account takeover of non-super-admin WordPress users by exploiting a weak password recovery mechanism in the guest booking flow. The vulnerability chains two flaws: the plugin's save_connected_wordpress_user() function updates WordPress user emails via wp_update_user() without ownership verification, and the guest booking flow permits email overwrites through phone-based customer merging without authentication. Attackers can overwrite a target user's email address and then trigger WordPress's standard password reset to gain full account access. No public exploit code has been identified at time of analysis, but exploitation requires only that the plugin be configured with WordPress user integration enabled, phone-based contact merging enabled, and customer authentication disabled.
Stored cross-site scripting in Sky Addons plugin for WordPress (versions up to 3.3.2) allows authenticated attackers with Author-level access to inject arbitrary JavaScript via the REST API that persists in the `sky-custom-scripts` post type and executes on all frontend pages for every site visitor. The vulnerability stems from insufficient input sanitization on the `sky_script_content` meta field combined with lack of output escaping during frontend rendering. No public exploit code or active exploitation has been identified at time of analysis, but the attack requires only Author-level privileges and standard REST API access, making it a practical threat in multi-user WordPress environments.
Stored Cross-Site Scripting (XSS) in the NMR Strava Activities WordPress plugin through version 1.0.14 allows authenticated contributors and above to inject arbitrary JavaScript into pages via the `strava_nmr_connect` shortcode due to insufficient input sanitization and output escaping. The injected scripts execute in the context of any user viewing the affected page, compromising session security and enabling account takeover or malware distribution. A vendor patch addressing the vulnerability is available in version 1.0.15.
Stored Cross-Site Scripting in E2Pdf - Export Pdf Tool for WordPress plugin versions up to 1.32.17 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the 'id' attribute of the e2pdf-download shortcode, which executes when any user views the affected page. The vulnerability stems from insufficient input sanitization and output escaping on shortcode attributes, enabling persistent script injection with moderate confidentiality and integrity impact across site scopes.
Stored Cross-Site Scripting in Auto Affiliate Links for WordPress allows unauthenticated remote attackers to inject malicious JavaScript into administrator statistics pages through an unprotected AJAX endpoint. The vulnerability stems from missing input sanitization on the 'url' parameter in aal_url_stats_save_action() combined with direct output of stored values in aal_display_clicks() without escaping. Attackers can exploit a publicly exposed nonce and the wp_ajax_nopriv_ hook to store malicious payloads that execute when administrators view click statistics, potentially leading to session hijacking, privilege escalation, or site compromise. Wordfence reported this vulnerability affecting versions through 6.8.8, with a patch released in version 6.8.8.1.
PHP object injection in User Frontend plugin for WordPress versions up to 4.3.1 allows authenticated attackers with Subscriber-level access or above to achieve remote code execution via unsafe deserialization of the wpuf_files parameter during form submission. The vulnerability chains input validation failures during form processing with unconditional use of maybe_unserialize() when rendering post content, enabling attackers to inject malicious PHP objects that can execute arbitrary code, delete files, or trigger other attacks through available Property-Oriented Programming (POP) chains. Wordfence disclosed detailed code references showing the vulnerable data flow across multiple plugin files including wpuf-functions.php, FieldableTrait.php, and Frontend_Form_Ajax.php, with both trunk and version 4.2.10 code paths exhibiting the flaw.
Unauthenticated attackers can exploit SQL injection in OttoKit: All-in-One Automation Platform WordPress plugin versions before 1.1.23 due to improper input sanitization in SQL statement construction. The vulnerability allows remote attackers to extract sensitive data and modify database contents without authentication, though integrity impact is limited. Publicly available exploit code exists, and a patch has been released by the vendor.
Authorization bypass in YITH WooCommerce Wishlist through version 4.12.0 allows unauthenticated remote attackers to modify wishlist data via user-controlled object references, exploiting improper access control validation. The vulnerability enables integrity attacks against wishlist functionality without requiring authentication or user interaction, affecting all WordPress installations using the vulnerable plugin.
Arbitrary file deletion in WP-Optimize plugin versions ≤4.5.2 allows authenticated attackers with Author-level privileges to delete critical server files including wp-config.php, enabling remote code execution. The vulnerability exploits insufficient path validation in the unscheduled_original_file_deletion function combined with the non-protected 'original-file' meta key that Authors can manipulate via WordPress's Edit Media form or REST API. Wordfence discovered this CWE-22 path traversal flaw affecting the popular WordPress optimization plugin used on hundreds of thousands of sites.
Remote code execution in Slider Revolution for WordPress versions 7.0.0 through 7.0.10 allows authenticated attackers with subscriber-level privileges to upload executable files via insufficient file type validation in '_get_media_url' and '_check_file_path' functions. A partial patch in 7.0.10 was insufficient, requiring upgrade to 7.0.11 for complete remediation. With CVSS 8.8 (High) and low privilege requirements (subscriber accounts are commonly available or easily created), this represents significant risk for WordPress installations using affected versions, though no active exploitation has been confirmed via CISA KEV at time of analysis.
Unauthenticated SQL injection in BetterDocs Pro for WordPress allows remote attackers to extract sensitive database contents when the Encyclopedia feature is enabled. The vulnerability affects all versions up to 3.7.0 through unsanitized 'limit' parameters in two AJAX endpoints. With CVSS 7.5 (High severity) and network-based unauthenticated attack vector, this presents significant risk to sites using the Encyclopedia feature, though no active exploitation (KEV) or public POC has been identified at time of analysis. EPSS data not available for risk calibration.
Forminator Forms plugin for WordPress versions up to 1.53.0 allows authenticated subscribers to configure scheduled exports without authorization checks, enabling attackers to exfiltrate all form submissions by redirecting them to attacker-controlled email addresses. The vulnerability exists in the listen_for_saving_export_schedule() function which lacks the capability verification present in the parallel listen_for_csv_export() function, creating a direct authorization bypass for authenticated low-privilege users to access sensitive data collection and delivery mechanisms.
Appointment Booking Calendar plugin for WordPress up to version 1.6.10.6 allows unauthenticated attackers to view, delete, and modify arbitrary appointments due to missing authorization checks in REST API endpoints. The plugin exposes a site-wide public nonce through an unauthenticated endpoint (/wp-json/ssa/v1/embed-inner), and the appointment deletion and modification endpoints (/wp-json/ssa/v1/appointments/{id}/delete and /wp-json/ssa/v1/appointments/bulk) accept requests with this public nonce even when standard WordPress nonce validation fails, bypassing authorization entirely. Attackers can enumerate and delete appointment records, disclose sensitive booking data, and disrupt services without any authentication.
Missing authorization in Forminator Forms for WordPress (versions up to 1.51.1) allows authenticated users with subscriber-level access or restricted Forminator roles to perform sensitive module-management actions including export, delete, clone, and bulk status changes by bypassing capability checks. The vulnerability exists because the `processRequest()` method validates only a nonce without verifying the `manage_forminator_modules` capability, and fires during the `admin_menu` hook before WordPress enforces page-level permission checks. This enables attackers to export complete form configurations including credentials and conditional logic, delete submissions, or manipulate published modules.
SQL injection in Gravity Bookings Premium for WordPress (≤2.5.9) allows unauthenticated remote attackers to extract sensitive database information including user credentials, customer data, and booking records. The vulnerability requires no authentication (CVSS PR:N) and has low attack complexity, enabling widespread exploitation. Reported by Wordfence security research; no CISA KEV listing or public exploit code identified at time of analysis, but the trivial exploitation requirements (network accessible, no auth, no user interaction) make this a high-priority patching target for WordPress sites using this booking plugin.
Stored Cross-Site Scripting in LatePoint Calendar Booking Plugin for WordPress allows unauthenticated remote attackers to inject malicious JavaScript via the 'first_name' parameter in appointment booking forms, affecting all versions through 5.5.0. The injected scripts persist in the database and execute whenever administrators or other users view booking records, potentially enabling session hijacking, privilege escalation, or further attacks against site administrators. The CVSS vector indicates network-accessible exploitation with no authentication required and changed scope, enabling attacks beyond the vulnerable component. EPSS score not provided; no confirmation of active exploitation (not in CISA KEV) or public exploit code at time of analysis.
Stored cross-site scripting (XSS) in LatePoint WordPress booking plugin (versions ≤5.5.0) allows unauthenticated attackers to inject malicious scripts via the 'booking_form_page_url' parameter that execute when administrators view activity logs. The vulnerability exploits a design flaw where the latepoint_order_intent_created action hook writes unsanitized input to the database before Stripe Connect validation occurs, meaning no functional payment integration is required for exploitation. Wordfence reported this issue with source code references demonstrating the flawed input handling in activities_controller.php and activities_helper.php. CVSS 7.2 with scope change (S:C) reflects potential for attackers to pivot from stored XSS to administrative session hijacking.
Stored cross-site scripting in LatePoint calendar booking plugin for WordPress versions up to 5.5.0 allows authenticated customers to inject malicious scripts via unsanitized profile fields (first name, last name, phone, notes) that execute in administrators' browsers when notification templates are previewed. Exploitation requires customer-level access and admin interaction to preview a notification template, but achieves code execution in a high-privilege context (administrator or agent browser session) with scope change from single user to multiple users.
Stored Cross-Site Scripting in SliceWP Affiliates plugin for WordPress (versions up to 1.2.7) allows authenticated contributors and above to inject arbitrary JavaScript via unsanitized shortcode attributes in the 'slicewp_affiliate_url' shortcode. The injected scripts execute in the browsers of all users accessing the affected page, enabling account compromise, credential theft, or malware distribution. No public exploit code or active exploitation has been identified, but the vulnerability is straightforward to exploit given the low attack complexity and requires only contributor-level WordPress access.
Fluent Forms plugin for WordPress up to version 6.2.1 allows authenticated administrators to read arbitrary files readable by the web server through path traversal in the getAttachments() method of EmailNotificationActions. The vulnerability stems from insufficient validation of file-upload URLs in admin notification configurations, permitting attackers to supply traversal sequences like <upload_baseurl>/../../<target> to access sensitive files such as wp-config.php containing database credentials and authentication salts. While unauthenticated users can trigger email notifications, the exploit requires administrator-level access to configure the malicious notification attachment.
Authenticated subscribers can create arbitrary database tables in WordPress installations running Ninja Tables plugin version 5.2.6 and earlier via missing authorization checks on the createFluentCartTable function. This allows low-privileged users to pollute the database and cause resource exhaustion without requiring administrative access, affecting any site where subscribers have plugin interaction permissions.
Missing authorization in All-in-One WP Migration Unlimited Extension for WordPress versions up to 2.83 allows authenticated subscribers to create scheduled export jobs without capability verification, enabling attackers to exfiltrate full site backups by redirecting notifications to attacker-controlled email addresses and leveraging exposed backup filenames for download. This results in complete site data disclosure including sensitive information accessible to low-privilege authenticated users.
Unauthenticated attackers can retrieve PIX payment QR code images for arbitrary WooCommerce orders via the unprotected 'mp_pix_image' API endpoint in Mercado Pago payments for WooCommerce plugin versions up to 8.7.11, exposing sensitive merchant data including PIX keys, transaction amounts, merchant identity, and Mercado Pago transaction references. The vulnerability requires no authentication, user interaction, or special configuration, and exploits a missing capability check in the WordPress REST API handler. No public exploit code or active exploitation has been confirmed at the time of analysis.
SQL injection in WeePie Cookie Allow plugin for WordPress versions ≤3.4.11 allows remote unauthenticated attackers to extract sensitive database contents via the 'consent' parameter. The vulnerability stems from insufficient SQL query preparation and parameter escaping, enabling attackers to append malicious SQL queries to existing database operations. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation at time of analysis.
Remote code execution in Betheme WordPress theme versions up to 28.4 allows authenticated attackers with author-level privileges to upload malicious PHP files disguised as icon packs. The upload_icons() function extracts user-controlled ZIP files into public directories without validating extracted content, enabling arbitrary code execution. This vulnerability requires only author-level WordPress credentials (PR:L) and has network attack vector (AV:N) with low complexity (AC:L), making it readily exploitable by compromised or malicious site contributors. No public exploit code or CISA KEV listing identified at time of analysis.
Arbitrary file deletion via path traversal in Betheme WordPress theme version 28.4 and earlier allows authenticated contributors and above to delete arbitrary files on the server by manipulating the mfn-icon-upload parameter in the upload_icons() function. The vulnerability requires valid WordPress account credentials at contributor level or higher but exploits an unconstrained filesystem move operation to bypass upload directory restrictions. No public exploit code or active KEV listing identified at analysis time.
WordPress Plugin Backup Migration 1.2.8 contains an information disclosure vulnerability that allows unauthenticated attackers to download complete database backups by accessing predictable file. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The User Registration & Membership plugin for WordPress versions up to 5.1.4 allows authenticated attackers with Contributor-level access to append shortcode content to arbitrary pages without authorization due to a missing capability check in the embed_form_action() AJAX function. This enables privilege escalation where lower-privileged users can inject content into posts and pages owned by other users or administrators, potentially defacing sites or injecting malicious content.
Unauthenticated SQL injection in Form Maker by 10Web plugin allows remote attackers to extract sensitive database contents including user credentials, form submissions, and WordPress configuration data. The vulnerability affects all versions through 1.15.42 and requires no special configuration - any WordPress site running the plugin with default settings is exploitable. CVSS 7.5 (High) reflects network-based unauthenticated access with high confidentiality impact. EPSS data not provided; no CISA KEV listing identified, indicating no confirmed widespread exploitation at time of analysis. Patch available in version 1.15.43 per Trac changeset 3518461.
Path Traversal in Forminator Forms plugin allows unauthenticated remote attackers to read arbitrary files from WordPress servers, potentially exposing database credentials, configuration files, and sensitive user data. Exploitation requires a publicly accessible form with File Upload field and specific 'Save and Continue' behavior settings enabled. CVSS 7.5 (High) with network vector and no authentication required. No CISA KEV listing or public exploit identified at time of analysis, suggesting limited active exploitation despite high theoretical severity.
Forminator plugin for WordPress versions up to 1.52.0 allows unauthenticated attackers to bypass payment authorization by reusing previously succeeded Stripe PaymentIntent identifiers, enabling submission of high-value paid forms at no cost or reduced cost through payment bypass. The vulnerability affects the public payment processing flow where the plugin fails to verify that the attacker owns or is authorized to use a supplied PaymentIntent, making it possible to complete forms without proper payment validation.
GenerateBlocks plugin for WordPress up to version 2.2.0 fails to verify object-level authorization on the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint, allowing authenticated Contributor-level users to extract sensitive information from arbitrary posts including author email addresses and post meta values through crafted dynamic tag payloads. The vulnerability checks only for edit_posts capability but does not verify access to specific posts, exposing confidential data across the entire site to low-privilege authenticated users.
ElementsKit Elementor Addons plugin for WordPress versions up to 3.8.2 allows unauthenticated attackers to overwrite Elementor widget content via a missing capability check in the Live_Action::reset() function. By crafting a URL with specific GET parameters (post and action=elementor), attackers can permanently replace any elementskit_widget custom post type's design, text, and configurations with a blank template, causing data loss without requiring authentication or user interaction.
The MonsterInsights - Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability checks on the get_ads_access_token() and reset_experience() functions in all versions up to, and including, 10.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve live Google OAuth access tokens and reset Plugins's Google Ads integration.
Blind SQL injection in APIExperts Square for WooCommerce (WooSquare) plugin versions up to 4.7.1 allows authenticated attackers with low-level privileges to extract sensitive database contents including customer data, order information, and potentially administrative credentials. The vulnerability enables scope escalation from the WordPress application context to the underlying database layer (S:C in CVSS vector), representing a significant data breach risk for WooCommerce stores. Reported by Patchstack, a WordPress vulnerability intelligence provider. No active exploitation confirmed in CISA KEV at time of analysis.
Stored cross-site scripting (XSS) in the Continually WordPress plugin versions up to 4.3.1 allows authenticated administrators to inject arbitrary web scripts into admin settings that execute whenever users access affected pages. The vulnerability requires high-privilege administrator access and is limited to multisite WordPress installations or sites with unfiltered_html disabled, resulting in low CVSS impact (4.4) despite network accessibility. No public exploit code or active exploitation has been identified at this time.
Stored Cross-Site Scripting in FastBots plugin for WordPress up to version 1.0.12 allows authenticated administrators to inject arbitrary JavaScript into admin settings that executes when any user accesses affected pages. The vulnerability requires high-privilege administrator access and affects only multi-site WordPress installations or single-site installations with the unfiltered_html capability disabled. No public exploit code or active exploitation has been identified at time of analysis.
Authenticated users with Subscriber-level access can bypass PayPal payment verification in the Motors - Car Dealership & Classified Listings WordPress plugin (versions up to 1.4.103) by directly modifying their stm_payment_status user meta field to 'completed', gaining access to paid Dealer membership features without completing any transaction. The vulnerability exists in the stm_save_user_extra_fields() function, which fails to validate permission for sensitive meta field modifications during profile updates. While CVSS 4.3 reflects low severity, the integrity impact is direct-payment systems are completely circumvented for any authenticated user.
Stored Cross-Site Scripting in BJ Lazy Load plugin for WordPress versions up to 1.0.9 allows authenticated attackers with Contributor-level access to inject arbitrary web scripts via regex-based HTML attribute manipulation in the `filter_images()` function. The vulnerability exploits improper handling of HTML attribute boundaries during `src` attribute replacement, enabling attackers to promote malicious content from class attribute values into executable DOM attributes. When victims access injected pages, the injected scripts execute in their browsers with the privileges of the compromised site.
Stored Cross-Site Scripting in Scratchblocks for WP plugin for WordPress allows authenticated contributors and above to inject arbitrary JavaScript through the 'element' attribute of the 'scratchblocks' shortcode due to insufficient input sanitization and output escaping. The vulnerability affects all versions up to 1.0.1 and enables malicious scripts to execute in the browsers of all users viewing affected pages, with cross-site scope impact.
Time-based blind SQL injection in the Eight Day Week Print Workflow WordPress plugin (versions up to 1.2.6) via the 'title' parameter in the pp-get-articles AJAX action allows authenticated attackers with Subscriber-level access to extract sensitive database information. The vulnerability stems from insufficient escaping and lack of prepared statement usage, enabling attackers to append arbitrary SQL queries to extract confidential data with high confidentiality impact.
Reflected Cross-Site Scripting (XSS) in WP Google Maps Integration plugin for WordPress versions up to 1.2 allows unauthenticated attackers to inject arbitrary web scripts via the `page` parameter due to insufficient input sanitization and output escaping. Exploitation requires tricking an administrator into clicking a malicious link, but successful attacks can hijack admin sessions, modify site content, or steal credentials with medium attack complexity and limited immediate confidentiality and integrity impact.
Cross-Site Request Forgery (CSRF) in the Skysa Text Ticker App plugin for WordPress affects all versions up to 1.4, allowing unauthenticated attackers to modify plugin settings including scrolling message text and URLs by tricking site administrators into clicking a malicious link. The vulnerability stems from missing nonce validation in the SkysaApps_Admin_AppPage function, enabling attackers to alter ticker content without authentication but requiring user interaction via social engineering.
Stored Cross-Site Scripting in Credits Shortcode WordPress plugin up to version 1.2 allows authenticated contributors and above to inject arbitrary JavaScript via the 'link' attribute of the credits shortcode, which executes when other users view affected pages. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied shortcode attributes. CVSS 6.4 reflects moderate risk with network vector and limited scope impact, though real-world risk depends on site contributor population and user awareness.
Cross-Site Request Forgery in WooCommerce Minimum Weight plugin for WordPress up to version 3.0.1 allows unauthenticated attackers to modify minimum order weight settings by tricking site administrators into clicking malicious links or visiting attacker-controlled pages. The vulnerability stems from missing nonce verification in the settings update handler, enabling forged POST requests to alter critical e-commerce configuration without admin consent. No public exploit code or active exploitation has been identified at time of analysis.
Unauthenticated attackers can cancel arbitrary bookings in the Smart Appointment & Booking WordPress plugin versions up to 1.0.8 due to a logic flaw in nonce validation that uses AND instead of OR, combined with a missing capability check in the saab_cancel_booking() function. By supplying any value for the security parameter and a predictable booking ID, attackers can modify or delete booking records without authentication or user interaction.
Unauthenticated attackers can modify critical payment gateway settings in the iPOSpays Gateways WC WordPress plugin through an exposed REST API endpoint lacking authorization checks, enabling them to overwrite live API keys, secret keys, and payment tokens. Affected versions up to 1.3.7 permit unrestricted access to the /wp-json/ipospays/v1/save_settings endpoint due to a permission_callback set to '__return_true' with no nonce verification, allowing complete compromise of payment processing credentials without authentication. This is a high-integrity attack vector against e-commerce sites using the plugin.
Authenticated attackers with Subscriber-level WordPress access can overwrite the Coinbase Commerce API key in versions up to 1.1.2 of the Coinbase Commerce for Contact Form 7 WordPress plugin due to missing capability checks and nonce verification in the save_settings() function. The vulnerability allows privilege escalation and potential compromise of payment processing by replacing the legitimate API key with an attacker-controlled value via a crafted POST request to /wp-admin/admin-post, affecting all WordPress sites running this plugin with that version or earlier.
Stored cross-site scripting in the Advanced Social Media Icons WordPress plugin through version 1.2 allows authenticated contributors and above to inject arbitrary JavaScript via insufficiently sanitized shortcode attributes, with execution occurring whenever any user views an affected page. The vulnerability affects all installations of the plugin up to and including version 1.2 and requires only Contributor-level WordPress access to exploit, making it a significant risk for multi-author sites.
Stored Cross-Site Scripting in Voyage Plus WordPress plugin versions up to 1.0.6 allows authenticated contributors and above to inject malicious scripts via the 'class' attribute of the 'post-content' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users viewing affected pages, enabling credential theft, session hijacking, or malware distribution. No public exploit code or active KEV listing identified at time of analysis, but the vulnerability requires only contributor-level access and no user interaction, making it practical for insider threats or compromised contributor accounts.
Stored Cross-Site Scripting in Next Date WordPress plugin (all versions up to 1.0) allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'default' shortcode attribute due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user viewing the affected page, potentially compromising site visitors and administrators. No public exploit code or active exploitation has been identified at time of analysis.
Cross-Site Request Forgery in the Zawgyi Embed WordPress plugin versions up to 2.1.1 allows unauthenticated attackers to modify the plugin's zawgyi_forceCSS setting by tricking a site administrator into clicking a malicious link. The vulnerability stems from missing nonce validation in the zawgyi_adminpage function, enabling attackers to submit forged POST requests to the plugin's settings page without the administrator's knowledge.
Cross-Site Request Forgery (CSRF) in Tm - WordPress Redirection plugin for WordPress versions up to 1.2 allows unauthenticated attackers to update plugin settings and inject malicious web scripts by tricking a site administrator into clicking a malicious link. The vulnerability stems from missing or incorrect nonce validation on sensitive functions, enabling attackers to forge requests that execute administrative actions without the admin's explicit consent. CVSS score is 6.1 with network attack vector and low complexity, though exploitation requires user interaction (tricking administrator). No public exploit code or active exploitation has been identified at the time of analysis.
Forms Rb plugin for WordPress versions up to 1.1.9 contains an authorization bypass vulnerability allowing authenticated contributors and above to read, modify, and delete form submission records and configuration belonging to forms they do not own. The vulnerability stems from insufficient authorization checks in API endpoints (CWE-862), affecting all installations with the plugin active. CVSS score of 4.3 reflects low attack complexity and network accessibility, though impact is limited to integrity and information disclosure within WordPress administrative contexts.
SQL injection in the AIWU AI Chatbot WordPress plugin (versions ≤1.4.17) allows remote unauthenticated attackers to extract sensitive database contents via the getListForTbl() function due to unsanitized user input in SQL queries. Partial mitigation exists in version 1.4.11+ through administrator-only nonce protection, but the underlying SQL injection vulnerability persists. CVSS 7.5 (High) reflects network-accessible unauthenticated exploitation with high confidentiality impact. Wordfence provides detailed vulnerable code references across multiple plugin files including controller.php, req.php, and model.php. No evidence of active exploitation (not in CISA KEV) at time of analysis.
SP Blog Designer plugin for WordPress versions up to 1.0.0 allows authenticated attackers with Contributor-level access to inject arbitrary web scripts via the 'design' attribute of the wpsbd_post_carousel shortcode, resulting in stored cross-site scripting (XSS) that executes for all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping in shortcode handling. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting in Quick Table plugin for WordPress allows authenticated contributors and above to inject malicious scripts via the 'style' attribute of the 'qtbl' shortcode, which execute when any user views the affected page. The vulnerability affects all versions up to 1.0.0 due to insufficient input sanitization and output escaping. No public exploit code or active exploitation has been identified at time of analysis.
Stored XSS in LifePress WordPress plugin allows unauthenticated remote attackers to inject malicious scripts that execute in administrator contexts when viewing the plugin's settings page. The vulnerability affects all versions through 2.2.2 and stems from a publicly-accessible AJAX endpoint (lp_update_mds) that lacks both nonce verification and capability checks, combined with improper input sanitization of the 'n' parameter. The CVSS score of 7.2 reflects network-based exploitation requiring no authentication or user interaction, with changed scope enabling cross-context attacks. EPSS and KEV data not available; exploitation probability depends on attacker knowledge of the specific AJAX action endpoint.
Unauthenticated remote code execution in GWD Connect WordPress plugin versions up to 2.9 allows attackers to execute arbitrary PHP code on unregistered installations via the update_agent action in standalone agent endpoints (gwd-backup.php and gwd-logs.php) when the API key is not configured. The vulnerability exploits a missing authorization check that occurs only when the authentication key has not been set up, affecting default installations. No public exploit code or active exploitation has been confirmed at this time.
Reflected Cross-Site Scripting in AzonPost WordPress plugin versions up to 1.3 allows unauthenticated attackers to inject arbitrary JavaScript via the `editpos_hidden` parameter, executing in the browsers of administrators who click malicious links. The vulnerability stems from insufficient input sanitization and output escaping, requiring user interaction but affecting all versions of the plugin without requiring authentication or special configuration.
Slek Gateway for WooCommerce plugin version 1.0 exposes merchant API credentials (slek_key and slek_secret) to unauthenticated attackers through client-side HTML forms and plaintext GET parameters. An attacker who places an order on an affected WooCommerce store can extract the merchant's secret credentials by inspecting the HTML source or using browser developer tools on the order-pay page before JavaScript auto-submission occurs, compromising the merchant's Slek payment processing account.
Stored Cross-Site Scripting (XSS) in WP SEO Structured Data Schema plugin for WordPress versions up to 2.8.1 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the `_kcseo_ative_tab` parameter, which executes in the browsers of users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping in the plugin's metadata handling. No public exploit code or active exploitation has been identified at time of analysis.
Stored cross-site scripting in the Bootstrap Shortcode plugin for WordPress allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into pages via the `box` shortcode, executing malicious scripts whenever users view affected pages. The vulnerability exists in all versions up to 1.0 due to insufficient input sanitization and output escaping. No public exploit code or active exploitation has been identified at this time.
Cross-Site Request Forgery in WP-Redirection plugin for WordPress versions up to 1.0.3 allows unauthenticated attackers to trick logged-in administrators into modifying redirection rules by clicking a crafted link, enabling unauthorized creation, modification, or deletion of URL redirects without consent. The vulnerability stems from missing nonce validation in the admin settings form handler, affecting all installations running vulnerable versions.
Stored Cross-Site Scripting in Fancy Image Show plugin for WordPress up to version 9.1 allows authenticated contributors and above to inject arbitrary JavaScript via the `fancy-img-show` shortcode due to insufficient input sanitization and output escaping. The injected scripts execute in the context of any user viewing the affected page, affecting site integrity and potentially compromising administrative accounts. No public exploit code or active exploitation has been confirmed at time of analysis.
Authenticated attackers with Subscriber-level access can modify arbitrary WordPress post content, metadata, author assignment, and post type through missing authorization checks in the Rate Star Review Vote AJAX handler, allowing full post content takeover via the 'rating_id' parameter when the 'form' parameter is set to 'update'. The vulnerability affects all versions up to 1.6.4 and requires only basic user authentication (not administrator privileges), making it exploitable by any registered site user.
Reflected Cross-Site Scripting in Pricing Tables for WP plugin allows unauthenticated attackers to inject arbitrary JavaScript via the 'page' parameter. The vulnerability affects all versions up to 1.1.0 due to insufficient input sanitization and output escaping. Exploitation requires social engineering (e.g., tricking an administrator into clicking a malicious link), but no public exploit code or active exploitation has been identified at time of analysis.
Stored cross-site scripting in Shortcodely WordPress plugin versions up to 1.0.1 allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'widget_area' parameter, with scripts executing whenever users access affected pages. The vulnerability stems from insufficient input sanitization and output escaping, affecting all installations with vulnerable plugin versions active. CVSS 6.4 reflects the cross-site scope and information disclosure potential, though exploitation requires authenticated contributor-level access.
Unauthenticated attackers can delete any classroom record in the HEL Online Classroom WordPress plugin (versions up to 1.0.3) via a REST API endpoint that bypasses all WordPress authentication checks through a permission_callback set to '__return_true', resulting in permanent data loss. The vulnerability affects the plugin's core functionality and requires only network access with no user interaction, though the CVSS score of 5.3 reflects limited confidentiality impact (integrity modification only, no information disclosure).
Remote code execution in the Custom css-js-php WordPress plugin versions up to 2.0.7 allows unauthenticated attackers to execute arbitrary PHP code on the server through SQL injection chained with PHP eval(). The plugin fails to sanitize user input before passing it to SQL queries, with query results subsequently executed via eval(). EPSS score of 0.02% (5th percentile) suggests low observed exploitation activity, and no public exploit code has been identified at time of analysis, though the technical barrier is low (CVSS AC:L/PR:N).
WordPress Picture Gallery 1.4.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Edit Content URL field in the Access. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Survey & Poll 1.5.7.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wp_sap. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Download From Files version 1.48 and earlier contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting the AJAX. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress MStore API 2.0.6 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the REST API endpoint. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin WP Symposium Pro 2021.10 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting insufficient sanitization. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin AAWP 3.16 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the tab parameter. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin IP2Location Country Blocker 2.26.7 contains a stored cross-site scripting vulnerability that allows authenticated users to inject arbitrary JavaScript code through the Frontend. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress International Sms For Contact Form 7 Integration version 1.2 contains a reflected cross-site scripting vulnerability in the page parameter of the admin settings interface. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Contact Form Builder 1.6.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting the form_id parameter. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Jetpack 9.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the post_id parameter. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin amministrazione-aperta 3.7.3 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in the. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Curtain 1.0.2 contains a cross-site request forgery vulnerability that allows attackers to activate or deactivate site maintenance mode by crafting malicious requests. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin cab-fare-calculator 1.0.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the controller parameter in. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Videos sync PDF 1.7.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting unsanitized nom, pdf, mp4,. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Testimonial Slider and Showcase 2.2.6 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Netroics Blog Posts Grid 1.0 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the post_title. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress 3dady real-time web stats plugin 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by exploiting unsanitized input. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Unauthenticated attackers can bypass REST API authentication in the Logtivity plugin (versions up to 3.3.6) via a logic flaw in the verifyAuthorization method, allowing direct access to the /wp-json/logtivity/v1/options endpoint and disclosure of sensitive configuration including the logtivity_site_api_key. This key can be leveraged to impersonate the affected WordPress site in API calls to the Logtivity service. CVSS 5.3 (low confidentiality impact) reflects information disclosure severity; no active exploitation in CISA KEV at time of analysis.
LatePoint plugin for WordPress versions up to 5.5.0 allows unauthenticated attackers to perform account takeover of non-super-admin WordPress users by exploiting a weak password recovery mechanism in the guest booking flow. The vulnerability chains two flaws: the plugin's save_connected_wordpress_user() function updates WordPress user emails via wp_update_user() without ownership verification, and the guest booking flow permits email overwrites through phone-based customer merging without authentication. Attackers can overwrite a target user's email address and then trigger WordPress's standard password reset to gain full account access. No public exploit code has been identified at time of analysis, but exploitation requires only that the plugin be configured with WordPress user integration enabled, phone-based contact merging enabled, and customer authentication disabled.
Stored cross-site scripting in Sky Addons plugin for WordPress (versions up to 3.3.2) allows authenticated attackers with Author-level access to inject arbitrary JavaScript via the REST API that persists in the `sky-custom-scripts` post type and executes on all frontend pages for every site visitor. The vulnerability stems from insufficient input sanitization on the `sky_script_content` meta field combined with lack of output escaping during frontend rendering. No public exploit code or active exploitation has been identified at time of analysis, but the attack requires only Author-level privileges and standard REST API access, making it a practical threat in multi-user WordPress environments.
Stored Cross-Site Scripting (XSS) in the NMR Strava Activities WordPress plugin through version 1.0.14 allows authenticated contributors and above to inject arbitrary JavaScript into pages via the `strava_nmr_connect` shortcode due to insufficient input sanitization and output escaping. The injected scripts execute in the context of any user viewing the affected page, compromising session security and enabling account takeover or malware distribution. A vendor patch addressing the vulnerability is available in version 1.0.15.
Stored Cross-Site Scripting in E2Pdf - Export Pdf Tool for WordPress plugin versions up to 1.32.17 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the 'id' attribute of the e2pdf-download shortcode, which executes when any user views the affected page. The vulnerability stems from insufficient input sanitization and output escaping on shortcode attributes, enabling persistent script injection with moderate confidentiality and integrity impact across site scopes.
Stored Cross-Site Scripting in Auto Affiliate Links for WordPress allows unauthenticated remote attackers to inject malicious JavaScript into administrator statistics pages through an unprotected AJAX endpoint. The vulnerability stems from missing input sanitization on the 'url' parameter in aal_url_stats_save_action() combined with direct output of stored values in aal_display_clicks() without escaping. Attackers can exploit a publicly exposed nonce and the wp_ajax_nopriv_ hook to store malicious payloads that execute when administrators view click statistics, potentially leading to session hijacking, privilege escalation, or site compromise. Wordfence reported this vulnerability affecting versions through 6.8.8, with a patch released in version 6.8.8.1.
PHP object injection in User Frontend plugin for WordPress versions up to 4.3.1 allows authenticated attackers with Subscriber-level access or above to achieve remote code execution via unsafe deserialization of the wpuf_files parameter during form submission. The vulnerability chains input validation failures during form processing with unconditional use of maybe_unserialize() when rendering post content, enabling attackers to inject malicious PHP objects that can execute arbitrary code, delete files, or trigger other attacks through available Property-Oriented Programming (POP) chains. Wordfence disclosed detailed code references showing the vulnerable data flow across multiple plugin files including wpuf-functions.php, FieldableTrait.php, and Frontend_Form_Ajax.php, with both trunk and version 4.2.10 code paths exhibiting the flaw.
Unauthenticated attackers can exploit SQL injection in OttoKit: All-in-One Automation Platform WordPress plugin versions before 1.1.23 due to improper input sanitization in SQL statement construction. The vulnerability allows remote attackers to extract sensitive data and modify database contents without authentication, though integrity impact is limited. Publicly available exploit code exists, and a patch has been released by the vendor.
Authorization bypass in YITH WooCommerce Wishlist through version 4.12.0 allows unauthenticated remote attackers to modify wishlist data via user-controlled object references, exploiting improper access control validation. The vulnerability enables integrity attacks against wishlist functionality without requiring authentication or user interaction, affecting all WordPress installations using the vulnerable plugin.
Arbitrary file deletion in WP-Optimize plugin versions ≤4.5.2 allows authenticated attackers with Author-level privileges to delete critical server files including wp-config.php, enabling remote code execution. The vulnerability exploits insufficient path validation in the unscheduled_original_file_deletion function combined with the non-protected 'original-file' meta key that Authors can manipulate via WordPress's Edit Media form or REST API. Wordfence discovered this CWE-22 path traversal flaw affecting the popular WordPress optimization plugin used on hundreds of thousands of sites.
Remote code execution in Slider Revolution for WordPress versions 7.0.0 through 7.0.10 allows authenticated attackers with subscriber-level privileges to upload executable files via insufficient file type validation in '_get_media_url' and '_check_file_path' functions. A partial patch in 7.0.10 was insufficient, requiring upgrade to 7.0.11 for complete remediation. With CVSS 8.8 (High) and low privilege requirements (subscriber accounts are commonly available or easily created), this represents significant risk for WordPress installations using affected versions, though no active exploitation has been confirmed via CISA KEV at time of analysis.
Unauthenticated SQL injection in BetterDocs Pro for WordPress allows remote attackers to extract sensitive database contents when the Encyclopedia feature is enabled. The vulnerability affects all versions up to 3.7.0 through unsanitized 'limit' parameters in two AJAX endpoints. With CVSS 7.5 (High severity) and network-based unauthenticated attack vector, this presents significant risk to sites using the Encyclopedia feature, though no active exploitation (KEV) or public POC has been identified at time of analysis. EPSS data not available for risk calibration.
Forminator Forms plugin for WordPress versions up to 1.53.0 allows authenticated subscribers to configure scheduled exports without authorization checks, enabling attackers to exfiltrate all form submissions by redirecting them to attacker-controlled email addresses. The vulnerability exists in the listen_for_saving_export_schedule() function which lacks the capability verification present in the parallel listen_for_csv_export() function, creating a direct authorization bypass for authenticated low-privilege users to access sensitive data collection and delivery mechanisms.
Appointment Booking Calendar plugin for WordPress up to version 1.6.10.6 allows unauthenticated attackers to view, delete, and modify arbitrary appointments due to missing authorization checks in REST API endpoints. The plugin exposes a site-wide public nonce through an unauthenticated endpoint (/wp-json/ssa/v1/embed-inner), and the appointment deletion and modification endpoints (/wp-json/ssa/v1/appointments/{id}/delete and /wp-json/ssa/v1/appointments/bulk) accept requests with this public nonce even when standard WordPress nonce validation fails, bypassing authorization entirely. Attackers can enumerate and delete appointment records, disclose sensitive booking data, and disrupt services without any authentication.
Missing authorization in Forminator Forms for WordPress (versions up to 1.51.1) allows authenticated users with subscriber-level access or restricted Forminator roles to perform sensitive module-management actions including export, delete, clone, and bulk status changes by bypassing capability checks. The vulnerability exists because the `processRequest()` method validates only a nonce without verifying the `manage_forminator_modules` capability, and fires during the `admin_menu` hook before WordPress enforces page-level permission checks. This enables attackers to export complete form configurations including credentials and conditional logic, delete submissions, or manipulate published modules.
SQL injection in Gravity Bookings Premium for WordPress (≤2.5.9) allows unauthenticated remote attackers to extract sensitive database information including user credentials, customer data, and booking records. The vulnerability requires no authentication (CVSS PR:N) and has low attack complexity, enabling widespread exploitation. Reported by Wordfence security research; no CISA KEV listing or public exploit code identified at time of analysis, but the trivial exploitation requirements (network accessible, no auth, no user interaction) make this a high-priority patching target for WordPress sites using this booking plugin.
Stored Cross-Site Scripting in LatePoint Calendar Booking Plugin for WordPress allows unauthenticated remote attackers to inject malicious JavaScript via the 'first_name' parameter in appointment booking forms, affecting all versions through 5.5.0. The injected scripts persist in the database and execute whenever administrators or other users view booking records, potentially enabling session hijacking, privilege escalation, or further attacks against site administrators. The CVSS vector indicates network-accessible exploitation with no authentication required and changed scope, enabling attacks beyond the vulnerable component. EPSS score not provided; no confirmation of active exploitation (not in CISA KEV) or public exploit code at time of analysis.
Stored cross-site scripting (XSS) in LatePoint WordPress booking plugin (versions ≤5.5.0) allows unauthenticated attackers to inject malicious scripts via the 'booking_form_page_url' parameter that execute when administrators view activity logs. The vulnerability exploits a design flaw where the latepoint_order_intent_created action hook writes unsanitized input to the database before Stripe Connect validation occurs, meaning no functional payment integration is required for exploitation. Wordfence reported this issue with source code references demonstrating the flawed input handling in activities_controller.php and activities_helper.php. CVSS 7.2 with scope change (S:C) reflects potential for attackers to pivot from stored XSS to administrative session hijacking.
Stored cross-site scripting in LatePoint calendar booking plugin for WordPress versions up to 5.5.0 allows authenticated customers to inject malicious scripts via unsanitized profile fields (first name, last name, phone, notes) that execute in administrators' browsers when notification templates are previewed. Exploitation requires customer-level access and admin interaction to preview a notification template, but achieves code execution in a high-privilege context (administrator or agent browser session) with scope change from single user to multiple users.
Stored Cross-Site Scripting in SliceWP Affiliates plugin for WordPress (versions up to 1.2.7) allows authenticated contributors and above to inject arbitrary JavaScript via unsanitized shortcode attributes in the 'slicewp_affiliate_url' shortcode. The injected scripts execute in the browsers of all users accessing the affected page, enabling account compromise, credential theft, or malware distribution. No public exploit code or active exploitation has been identified, but the vulnerability is straightforward to exploit given the low attack complexity and requires only contributor-level WordPress access.
Fluent Forms plugin for WordPress up to version 6.2.1 allows authenticated administrators to read arbitrary files readable by the web server through path traversal in the getAttachments() method of EmailNotificationActions. The vulnerability stems from insufficient validation of file-upload URLs in admin notification configurations, permitting attackers to supply traversal sequences like <upload_baseurl>/../../<target> to access sensitive files such as wp-config.php containing database credentials and authentication salts. While unauthenticated users can trigger email notifications, the exploit requires administrator-level access to configure the malicious notification attachment.
Authenticated subscribers can create arbitrary database tables in WordPress installations running Ninja Tables plugin version 5.2.6 and earlier via missing authorization checks on the createFluentCartTable function. This allows low-privileged users to pollute the database and cause resource exhaustion without requiring administrative access, affecting any site where subscribers have plugin interaction permissions.
Missing authorization in All-in-One WP Migration Unlimited Extension for WordPress versions up to 2.83 allows authenticated subscribers to create scheduled export jobs without capability verification, enabling attackers to exfiltrate full site backups by redirecting notifications to attacker-controlled email addresses and leveraging exposed backup filenames for download. This results in complete site data disclosure including sensitive information accessible to low-privilege authenticated users.
Unauthenticated attackers can retrieve PIX payment QR code images for arbitrary WooCommerce orders via the unprotected 'mp_pix_image' API endpoint in Mercado Pago payments for WooCommerce plugin versions up to 8.7.11, exposing sensitive merchant data including PIX keys, transaction amounts, merchant identity, and Mercado Pago transaction references. The vulnerability requires no authentication, user interaction, or special configuration, and exploits a missing capability check in the WordPress REST API handler. No public exploit code or active exploitation has been confirmed at the time of analysis.
SQL injection in WeePie Cookie Allow plugin for WordPress versions ≤3.4.11 allows remote unauthenticated attackers to extract sensitive database contents via the 'consent' parameter. The vulnerability stems from insufficient SQL query preparation and parameter escaping, enabling attackers to append malicious SQL queries to existing database operations. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation at time of analysis.
Remote code execution in Betheme WordPress theme versions up to 28.4 allows authenticated attackers with author-level privileges to upload malicious PHP files disguised as icon packs. The upload_icons() function extracts user-controlled ZIP files into public directories without validating extracted content, enabling arbitrary code execution. This vulnerability requires only author-level WordPress credentials (PR:L) and has network attack vector (AV:N) with low complexity (AC:L), making it readily exploitable by compromised or malicious site contributors. No public exploit code or CISA KEV listing identified at time of analysis.
Arbitrary file deletion via path traversal in Betheme WordPress theme version 28.4 and earlier allows authenticated contributors and above to delete arbitrary files on the server by manipulating the mfn-icon-upload parameter in the upload_icons() function. The vulnerability requires valid WordPress account credentials at contributor level or higher but exploits an unconstrained filesystem move operation to bypass upload directory restrictions. No public exploit code or active KEV listing identified at analysis time.
WordPress Plugin Backup Migration 1.2.8 contains an information disclosure vulnerability that allows unauthenticated attackers to download complete database backups by accessing predictable file. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The User Registration & Membership plugin for WordPress versions up to 5.1.4 allows authenticated attackers with Contributor-level access to append shortcode content to arbitrary pages without authorization due to a missing capability check in the embed_form_action() AJAX function. This enables privilege escalation where lower-privileged users can inject content into posts and pages owned by other users or administrators, potentially defacing sites or injecting malicious content.
Unauthenticated SQL injection in Form Maker by 10Web plugin allows remote attackers to extract sensitive database contents including user credentials, form submissions, and WordPress configuration data. The vulnerability affects all versions through 1.15.42 and requires no special configuration - any WordPress site running the plugin with default settings is exploitable. CVSS 7.5 (High) reflects network-based unauthenticated access with high confidentiality impact. EPSS data not provided; no CISA KEV listing identified, indicating no confirmed widespread exploitation at time of analysis. Patch available in version 1.15.43 per Trac changeset 3518461.
Path Traversal in Forminator Forms plugin allows unauthenticated remote attackers to read arbitrary files from WordPress servers, potentially exposing database credentials, configuration files, and sensitive user data. Exploitation requires a publicly accessible form with File Upload field and specific 'Save and Continue' behavior settings enabled. CVSS 7.5 (High) with network vector and no authentication required. No CISA KEV listing or public exploit identified at time of analysis, suggesting limited active exploitation despite high theoretical severity.
Forminator plugin for WordPress versions up to 1.52.0 allows unauthenticated attackers to bypass payment authorization by reusing previously succeeded Stripe PaymentIntent identifiers, enabling submission of high-value paid forms at no cost or reduced cost through payment bypass. The vulnerability affects the public payment processing flow where the plugin fails to verify that the attacker owns or is authorized to use a supplied PaymentIntent, making it possible to complete forms without proper payment validation.
GenerateBlocks plugin for WordPress up to version 2.2.0 fails to verify object-level authorization on the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint, allowing authenticated Contributor-level users to extract sensitive information from arbitrary posts including author email addresses and post meta values through crafted dynamic tag payloads. The vulnerability checks only for edit_posts capability but does not verify access to specific posts, exposing confidential data across the entire site to low-privilege authenticated users.
ElementsKit Elementor Addons plugin for WordPress versions up to 3.8.2 allows unauthenticated attackers to overwrite Elementor widget content via a missing capability check in the Live_Action::reset() function. By crafting a URL with specific GET parameters (post and action=elementor), attackers can permanently replace any elementskit_widget custom post type's design, text, and configurations with a blank template, causing data loss without requiring authentication or user interaction.