WordPress

Quick Contact Form (WordPress plugin) versions up to 8.2.6. is affected by improper input validation (CVSS 5.8).

Feeds for YouTube Pro (WordPress plugin) versions up to 2.6.0 is affected by path traversal (CVSS 5.9).

Quiz Maker Plugin by Opinion Stage Wordpre versions up to 19.6.25 is affected by cross-site scripting (xss).

Omni Secure File versions up to 0.1.14 is affected by unrestricted upload of file with dangerous type.

Restrict Content versions up to 3.2.16 is affected by authorization bypass through user-controlled key (CVSS 8.2).

Essential Addons for Elementor (WordPress plugin) versions up to 6.5.5 is affected by missing authorization (CVSS 5.3).

Stored cross-site scripting in the User Submitted Posts WordPress plugin through version 20260110 allows authenticated Contributor-level users to inject malicious scripts via the 'usp_access' shortcode due to inadequate input sanitization. When other users visit pages containing the injected payload, the attacker's JavaScript executes in their browsers, potentially enabling session hijacking or unauthorized actions. No patch is currently available to remediate this vulnerability.

The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the complete() function only verifying a nonce without checking user capabilities or order ownership. Since nonces are exposed to all visitors via wi...

Unauthorized post deletion in GetGenie for WordPress (versions up to 4.3.0) allows authenticated users with Author-level permissions or higher to delete any post on a site, regardless of authorship, due to insufficient authorization checks. Attackers with basic authenticated access can exploit this to remove content authored by other users without proper privilege verification. No patch is currently available.

The RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

The Rede Itaú for WooCommerce plugin versions up to 5.1.2 lack proper authentication controls on the clearOrderLogs() function, allowing unauthenticated attackers to remotely delete order log metadata from WooCommerce installations. This missing capability check enables data tampering on affected WordPress sites without requiring user credentials. No patch is currently available for this vulnerability.

Rede Itaú for WooCommerce (WordPress plugin) versions up to 5.1.2. is affected by insufficient verification of data authenticity (CVSS 5.3).

Stored XSS in the Related Posts by Taxonomy WordPress plugin through version 2.7.6 allows contributors and higher-privileged authenticated users to inject malicious scripts into shortcode attributes that execute in other users' browsers. The vulnerability stems from inadequate input sanitization and output escaping, enabling attackers to compromise page content viewed by site visitors. No patch is currently available.

LEAV Last Email Address Validator (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

The DK PDF - WordPress PDF Generator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3.0 via the 'addContentToMpdf' function. [CVSS 5.0 MEDIUM]

The MailerLite WooCommerce integration plugin for WordPress fails to validate user permissions in its resetIntegration() function, allowing authenticated users with Subscriber-level access to delete critical plugin data including customer cart records and sync histories. Attackers can reset integration settings and drop associated database tables, resulting in complete loss of operational data without administrative authorization. No patch is currently available for versions up to 3.1.3.

WP Recipe Maker (WordPress plugin) versions up to 10.2.2 is affected by information exposure (CVSS 4.3).

The Fancy Product Designer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 6.4.8. This is due to improper error handling in the PDF upload functionality that exposes server filesystem paths and stack traces in error messages. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulner...

and Prevents Security Breache versions up to 21.0.9 is affected by authorization bypass through user-controlled key (CVSS 4.3).

The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the database, including personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes belonging to other u...

The All in One SEO - Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route in all versions up to, and including, 4.9.2. [CVSS 4.3 MEDIUM]

All-in-One Video Gallery (WordPress plugin) versions up to 4.5.7. is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. [CVSS 6.5 MEDIUM]

Uploadify WordPress plugin versions up to and including 1.0 contain an arbitrary file upload vulnerability in process_upload.php due to missing file type validation.

The AffiliateX - Amazon Affiliate Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_customization_settings AJAX action in versions 1.0.0 to 1.3.9.3. [CVSS 6.4 MEDIUM]

Supreme Modules Lite (WordPress plugin) versions up to 2.5.62. is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

The Kalium 3 | Creative WordPress & WooCommerce Theme theme for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the kalium_vc_contact_form_request() function in all versions up to, and including, 3.29. [CVSS 5.3 MEDIUM]

Drag and Drop Multiple File Upload for Contact Form 7 (WordPress plugin) is affected by missing authorization (CVSS 3.7).

WP-Members Membership Plugin (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 5.4).

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection via the `order` and `append_where_sql` parameters in all versions up to, and including, 1.6.9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]

Stored XSS in the WordPress Short Link plugin through versions 1.0 allows authenticated administrators to inject malicious scripts via the short_link_post_title and short_link_page_title parameters due to insufficient input sanitization. When users access pages containing the injected payload, the arbitrary JavaScript executes in their browsers, potentially compromising their sessions or data. No patch is currently available; mitigation requires disabling or removing the affected plugin.

Stored cross-site scripting in the LinkedIn SC WordPress plugin through version 1.1.9 allows authenticated administrators to inject malicious scripts via insufficiently sanitized plugin settings that execute for all users visiting affected pages. The vulnerability requires high privilege administrator access to exploit and currently lacks an available patch. Attack complexity is high and impact is limited to confidentiality and integrity, with no availability impact.

Electric Studio Download Counter (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).

Stored XSS in WMF Mobile Redirector plugin for WordPress up to version 1.2 allows authenticated administrators to inject malicious scripts into plugin settings that execute for all site visitors. The vulnerability stems from inadequate input sanitization and output escaping, enabling privilege abuse by high-level account holders. A patch is not currently available.

Stored XSS in WP Allowed Hosts plugin through 1.0.8 allows authenticated administrators to inject malicious scripts via the 'allowed-hosts' parameter on multi-site WordPress installations or those with disabled unfiltered_html. Affected administrators can execute arbitrary JavaScript that persists and runs for all users accessing injected pages. No patch is currently available.

The Float Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to improper error handling in the verifyFloatResponse() function in all versions up to, and including, 1.1.9. [CVSS 5.3 MEDIUM]

The Aplazo Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_success_response() function in all versions up to, and including, 1.4.2. [CVSS 5.3 MEDIUM]

PayHere Payment Gateway Plugin for WooCommerce (WordPress plugin) versions up to 2.3.9. is affected by missing authorization (CVSS 5.3).

Stopwords for comments (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

SocialChamp with WordPress (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

The Shipping Rate By Cities plugin for WordPress is vulnerable to SQL Injection via the 'city' parameter in all versions up to, and including, 2.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]

Perfit WooCommerce (WordPress plugin) versions up to 1.0.1. is affected by missing authorization (CVSS 5.3).

Unauthenticated attackers can retrieve LottieFiles account credentials including API tokens and email addresses from the LottieFiles - Lottie block for Gutenberg WordPress plugin (versions up to 3.0.0) through an exposed REST API endpoint when account sharing is enabled. This information disclosure vulnerability affects site owners who have configured the plugin to share LottieFiles credentials across WordPress users. No patch is currently available.

Stored XSS in the SearchWiz WordPress plugin through version 1.0.0 allows authenticated contributors and above to inject malicious scripts into post titles that execute when other users view search results. The vulnerability stems from improper output escaping using esc_attr() instead of esc_html() when rendering post titles in search functionality. No patch is currently available.

Stored XSS in Real Post Slider Lite WordPress plugin through version 2.4 allows authenticated administrators to inject malicious scripts into plugin settings that execute for other users viewing affected pages. The vulnerability requires high privileges and only impacts multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.

Flat Shipping Rate by City for WooCommerce (WordPress plugin) is affected by sql injection (CVSS 4.9).

The Responsive Accordion Slider plugin for WordPress up to version 1.2.2 fails to validate user permissions on image metadata modification functions, allowing authenticated contributors and higher-privileged users to alter slider images, titles, descriptions, alt text, and associated links. This capability check bypass affects all installations using the vulnerable plugin versions and requires only valid WordPress login credentials to exploit.

Reflected XSS in WordPress List Site Contributors plugin up to version 1.1.8 allows unauthenteric attackers to inject malicious scripts through the 'alpha' parameter due to inadequate input sanitization. Successful exploitation requires social engineering to trick users into clicking malicious links, potentially compromising user sessions and site integrity. No patch is currently available for this vulnerability.

The Kunze Law plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's shortcode in all versions up to, and including, 2.1 due to the plugin fetching HTML content from a remote server and injecting it into pages without any sanitization or escaping. [CVSS 4.4 MEDIUM]

The AJS Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'note_list_class' and 'popup_display_effect_in' parameters in all versions up to, and including, 1.0 due to missing authorization and nonce verification on settings save, as well as insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

The Sosh Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'admin_page_content' function. [CVSS 4.3 MEDIUM]

The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' and 'name_directory_description' parameters in all versions up to, and including, 1.30.3 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

The GeekyBot - Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the chat message field in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

The Gotham Block Extra Light plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

Gotham Block Extra Light (WordPress plugin) versions up to 1.5.0 is affected by path traversal (CVSS 6.5).

Netcash WooCommerce Payment Gateway (WordPress plugin) versions up to 4.1.3. is affected by missing authorization (CVSS 5.3).

WP-CRM System (WordPress plugin) versions up to 3.4.5. is affected by missing authorization (CVSS 5.4).

The Internal Link Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

The DASHBOARD BUILDER - WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. [CVSS 7.1 HIGH]

The GetContentFromURL plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0. This is due to the plugin using wp_remote_get() instead of wp_safe_remote_get() to fetch content from a user-supplied URL in the 'url' parameter of the [gcfu] shortcode. [CVSS 7.2 HIGH]

News and Blog Designer Bundle for WordPress (through 1.1) has LFI via the template parameter, enabling unauthenticated arbitrary PHP file inclusion and execution.

Crush.pics Image Optimizer - Image Compression and Optimization (WordPress plugin) versions up to 1.8.7. is affected by missing authorization (CVSS 4.3).

The PDF Resume Parser plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0. This is due to the plugin registering an AJAX action handler that is accessible to unauthenticated users and exposes SMTP configuration data including credentials. This makes it possible for unauthenticated attackers to extract sensitive SMTP credentials (username and password) from the WordPress configuration, which could be leveraged to compromise email accou...

The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. [CVSS 4.3 MEDIUM]

The Testimonials Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in version 1.6 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

Integration Opvius AI for WooCommerce (through 1.3.0) has unauthenticated path traversal allowing arbitrary file download and deletion. No authentication, no nonce verification, no path validation.

The Makesweat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'makesweat_clubid' setting in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

The SpiceForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spiceforms' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

CP Image Store with Slideshow (WordPress plugin) versions up to 1.1.9 is affected by incorrect authorization (CVSS 4.3).

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Lemonsoft WordPress add on allows Cross-Site Scripting (XSS).This issue affects WordPress add on: 2025.7.1.

The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.0 via the REST API. [CVSS 5.3 MEDIUM]

The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. [CVSS 5.4 MEDIUM]

E-xact Hosted Payment WordPress plugin (through 2.0) allows unauthenticated arbitrary file deletion. Attackers can delete wp-config.php to trigger the WordPress installer and take over the site.

Dreamer Blog WordPress theme (through 1.2) allows unauthenticated arbitrary plugin/theme installations due to a missing capability check. Attackers can install malicious plugins to achieve RCE.

Quiz Maker WordPre versions up to 6.7.0.89 contains a vulnerability that allows attackers to high privilege users such as admin to perform Stored Cross-Site Scripting attack (CVSS 4.8).

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize() function in the Elementor widget integration. [CVSS 4.3 MEDIUM]

Shortcodes and extra features for Phlox theme (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

The Countdown Timer - Widget Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdevart_countdown' shortcode in all versions up to, and including, 2.7.7 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

The ConvertForce Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gutenberg block's `entrance_animation` attribute in all versions up to, and including, 0.0.7. This is due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

Templately (WordPress plugin) versions up to 3.4.8. is affected by incorrect authorization (CVSS 5.3).

The User Registration & Membership - Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. [CVSS 5.4 MEDIUM]

miniOrange OTP Verification and SMS Notification for WooCommerce (WordPress plugin) is affected by missing authorization (CVSS 5.3).

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.7.2. [CVSS 4.3 MEDIUM]

WooCommerce Square (WordPress plugin) versions up to 5.1.1 is affected by authorization bypass through user-controlled key (CVSS 7.5).

AccessAlly WordPress plugin versions prior to 3.3.2 contain an unauthenticated arbitrary PHP code execution vulnerability in the Login Widget.

WP Page Permalink Extension (WordPress plugin) versions up to 1.5.4. is affected by missing authorization (CVSS 6.5).

The Woodpecker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_name' parameter of the [woodpecker-connector] shortcode in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

The The Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'the_tooltip' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

The PullQuote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pullquote' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aft_testimonial_meta_name' custom field in the Client Information metabox in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user-supplied attributes. [CVSS 6.4 MEDIUM]